SEC536: Adversarial AI - Penetration Testing AI Systems


Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsMost security teams assume their M365 telemetry is flowing because the Unified Audit Log is on. In practice, five separate configuration surfaces each have their own portal, RBAC, and failure mode, and none of them know about the others. Teams, Power Platform, and Copilot audit activity disappear silently when Audit.General goes unsubscribed. Entra ID sign-in logs never reach the SIEM when diagnostic settings are never configured. OfficeActivity covers roughly 40% of UAL activity by default, but nothing in the data signals that the rest is missing. Cloud threat detection depends on knowing what is actually flowing into your tooling and where the gaps are. This cheat sheet is a practical companion for security analysts and detection engineers working in Microsoft environments, and pairs directly with the skills and detection methodology taught in SEC541: Cloud Security Threat Detection.
Security analysts, detection engineers, and threat hunters who work in Microsoft environments and need to verify that their SIEM is collecting what they think it is. Particularly useful for teams building or auditing detections against M365 data sources, or anyone preparing for or responding to an incident where log completeness is in question.


Lydia Graslie is a Senior Threat Research Engineer at Sysdig, where she focuses on cloud threat detection across Azure and SaaS environments.
Read more about Lydia Graslie








