Hello, welcome to the Friday, October 2, 2020 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Of course, we are all aware that companies are moving servers into the cloud at a record rate. And with that security relevant services,

like for example, Active Directory often end up in the cloud as well. Of course, Microsoft is

ready for that with Azure AD. And today we have a quick diary from Daniel about how to actually deal with AAD logs.

Now yes, you can haul them back into your on-premise secure infrastructure, but well,

that probably moved into the cloud as well. And Microsoft, again,

has a solution for you here to directly import your Asia AD or AAD logs into a log analytics

space within Asia. Daniel is explaining how to find some interesting events in this case and what to look for

here, because after all, well, no active directory is exposed to the internet and with that

of course monitoring it becomes even more important.

And now of course if you for example come up with a suspicious IT address or such by reviewing

these logs, you better act on it fast and also review these logs regularly.

And that's really what a second diary by Daniel is about.

And that's the lifetime of indicators

of compromise, which, as he points out, often then become indicators of outdated intelligence.

Quite often organizations love to purchase and apply in the case of compromise, like IP addresses and malware has a very

short lifetime. And while it's easy to apply and search for these in a case of compromise,

the value of that search may be somewhat limited. And yes, it may be worth the time to actually look

for some of the more complex techniques, tactics, and procedures that are not as quickly

and simply matched to log files. And Apple pulled the latest Mojave Security Update 2025 and also removed Safari 14 from its

download site.

...