Token Protection and DBSC closed some doors in 2026 but left the SOC with a messier detection surface than the vendor decks suggest. Here is what the incident actually looks like in the SIEM, where the first round of tuning has to land, and what most teams get wrong on revocation.
A defender-oriented walkthrough of investigating adversary-in-the-middle token theft against Entra ID now that token protection, CAE, and device-bound sessions are widely on — what the logs actually contain, what the first detection misses, and where the artifacts live outside Entra.
RMF Control AU-12: Audit Record Generation requires organizations to generate audit records for auditable events. Audit records are records of events that occur on information systems. They can be used to track user activity, detect suspicious activity, and investigate security incidents. Supplemental Guidance The Risk Management Framework (RMF) is a cybersecurity framework that provides a …
RMF Control AU-7: Audit Record Reduction and Report Generation requires organizations to implement an audit record reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements, and after-the-fact investigations of security incidents. Supplemental Guidance The Risk Management Framework (RMF) is a cybersecurity framework that provides a process for managing cybersecurity risk …
RMF Control AU-2: Event Logging requires organizations to implement a comprehensive event logging program to collect, analyze, and retain audit logs. Audit logs are records of events that occur on information systems. Event logging can help organizations to detect and respond to security incidents, investigate suspicious activity, and comply with regulations. Supplemental Guidance The Risk …
RMF Control AU-1: Policy and Procedures requires organizations to establish and maintain a comprehensive set of policies and procedures to address the security and privacy of information systems and the information processed, stored, and transmitted by those systems. Supplemental Guidance The Risk Management Framework (RMF) is a cybersecurity framework that provides a process for managing …
