Episode 45 — Capture identity logs that reveal misuse, privilege changes, and suspicious sign-ins

This episode focuses on identity logs as a primary signal for cloud compromise, because many attacks begin and expand through account misuse rather than classic network intrusion. You’ll learn what identity logs should capture, including authentication events, MFA outcomes, token and session activity, role assumptions, and changes to group membership or privilege assignments. We’ll connect these signals to exam scenarios where you must detect suspicious sign-ins, explain privilege escalation pathways, or validate whether an administrative action was authorized. We’ll also cover troubleshooting considerations such as incomplete coverage across tenants or accounts, inconsistent time synchronization that breaks timelines, and insufficient enrichment that prevents analysts from tying activity to real users and devices. The outcome is a clear understanding of what to collect, how to centralize it, and how to use it to prove or disprove identity-driven attack hypotheses.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
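As an added example (not material from the episode or from BareMetalCyber.com), the following Python merges identity events from two constructed tenants that use different timestamp conventions, normalizes them to UTC so the timeline sorts correctly, enriches user ids from a constructed directory, and flags a privilege change whose actor has no MFA-verified sign-in in the preceding window. It also reports actors whose sign-ins were never observed, the coverage gap the episode mentions. All event fields, ids and names are assumptions.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample events. Tenant A logs UTC with a trailing 'Z';
# tenant B logs local time with an explicit +02:00 offset.
TENANT_A = [
    {"ts": "2024-05-01T09:00:05Z", "type": "signin", "user_id": "u-17", "mfa": "failed"},
    {"ts": "2024-05-01T09:00:40Z", "type": "signin", "user_id": "u-17", "mfa": "none"},
]
TENANT_B = [
    {"ts": "2024-05-01T11:02:10+02:00", "type": "role_assign", "user_id": "u-17",
     "actor": "u-17", "target": "GlobalAdmin"},
    {"ts": "2024-05-01T11:30:00+02:00", "type": "group_add", "user_id": "u-42",
     "actor": "u-03", "target": "Finance"},
]
# Constructed enrichment source: user id -> (display name, registered device).
DIRECTORY = {"u-17": ("alice", "laptop-17"), "u-03": ("it-admin", "jump-host"),
             "u-42": ("bob", "laptop-42")}
PRIVILEGE_EVENTS = {"role_assign", "group_add"}

def normalize(events, source):
    """Parse timestamps to tz-aware UTC and attach user/device enrichment."""
    out = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        name, device = DIRECTORY.get(e["user_id"], ("<unknown>", "<unknown>"))
        out.append({**e, "ts": ts, "source": source, "user": name, "device": device})
    return out

def build_timeline(*sources):
    """Merge (name, events) pairs from several tenants into one UTC-ordered list."""
    merged = [e for name, events in sources for e in normalize(events, name)]
    return sorted(merged, key=lambda e: e["ts"])

def find_unverified_privilege_changes(timeline, window=timedelta(minutes=15)):
    """Return (findings, coverage_gaps).

    A finding is a privilege change whose actor signed in inside `window`
    but never completed MFA. A coverage gap is a privilege change whose
    actor has no sign-in in the timeline at all, so it cannot be validated."""
    findings, gaps = [], []
    for i, e in enumerate(timeline):
        if e["type"] not in PRIVILEGE_EVENTS:
            continue
        actor = e["actor"]
        prior = [p for p in timeline[:i] if p["type"] == "signin"
                 and p["user_id"] == actor and e["ts"] - p["ts"] <= window]
        actor_name = DIRECTORY.get(actor, ("<unknown>", ""))[0]
        if not prior:
            gaps.append((actor_name, e["type"], e["target"]))
        elif all(p["mfa"] != "success" for p in prior):
            findings.append((actor_name, e["type"], e["target"], e["ts"].isoformat()))
    return findings, gaps
```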