BSidesCharm2025

Closing the Visibility Gap: Threat Hunting with Hawk in the Microsoft Cloud
2025-04-12, Track 2

Security teams often face the challenge of navigating complex cloud environments with limited visibility into potential threats. Hawk bridges this gap by automating the collection of essential logs from Microsoft 365. This talk will demonstrate how Hawk reduces investigation time, flags high-risk behaviors, and enables defenders to hunt for threats across the Microsoft cloud ecosystem.


Cloud environments have become a prime target for attackers, yet many security teams struggle to piece together critical user activity logs from Microsoft 365 during incident response. With audit logs spread across various services and often buried behind cumbersome interfaces, the process is time-consuming and prone to human error. Hawk simplifies this process by automating the collection and analysis of M365 audit logs, providing defenders with actionable insights to better understand user behaviors and detect malicious activity.

In this talk, we will introduce Hawk, a PowerShell-based investigative module that centralizes key audit logs from Microsoft 365, including mailbox access, role changes, consent grants, and more. We will walk through real-world use cases where Hawk has been used to uncover suspicious activity and highlight high-risk behaviors. This includes identifying applications with extremely dangerous or high-risk permission grants, identifying suspicious inbox rules, and investigating unauthorized application permissions.
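As an added illustration of the kind of inbox-rule triage described above (this is not Hawk's own code), the function below scores Exchange Online inbox rules on the attributes attackers abuse for persistence and exfiltration: external forwarding or redirection, message deletion, hiding mail in rarely viewed folders, and near-blank rule names. The sample rules are constructed and mimic the property names of the real `Get-InboxRule` output; the internal domain list is an assumption you would replace with your own.

```powershell
# Added example, not part of Hawk: flag inbox rules with attacker-favored attributes.
function Find-SuspiciousInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Rule,
        # Domains treated as internal (assumed value); any other forward/redirect target is external.
        [string[]] $InternalDomain = @('contoso.com')
    )
    process {
        $reasons = @()
        # External forward/redirect targets are the classic mailbox-exfiltration channel.
        foreach ($target in @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)) {
            if (-not $target) { continue }
            # Real output may look like "Name [SMTP:user@domain]"; pull the domain with a regex.
            if ($target -match '@([A-Za-z0-9.-]+)') {
                $domain = $Matches[1].ToLower()
                if ($InternalDomain -notcontains $domain) { $reasons += "forwards or redirects to external address $target" }
            }
        }
        # Deleting or burying messages hides security alerts and victim replies from the mailbox owner.
        if ($Rule.DeleteMessage) { $reasons += 'deletes matching messages' }
        if ($Rule.MoveToFolder -match 'RSS|Archive|Junk|Conversation History') { $reasons += "hides messages in '$($Rule.MoveToFolder)'" }
        # Attacker-created rules are frequently named with a single character or left blank.
        if (-not $Rule.Name -or $Rule.Name.Trim().Length -le 2) { $reasons += 'suspiciously short or blank rule name' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId   # property name as returned by Get-InboxRule
                Rule    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample rules shaped like Get-InboxRule objects (not data from any real tenant).
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId='alice@contoso.com'; Name='.'; Enabled=$true; ForwardTo=@('Ops [SMTP:drop@example.net]'); ForwardAsAttachmentTo=$null; RedirectTo=$null; DeleteMessage=$true; MoveToFolder=$null },
    [pscustomobject]@{ MailboxOwnerId='alice@contoso.com'; Name='Newsletters'; Enabled=$true; ForwardTo=$null; ForwardAsAttachmentTo=$null; RedirectTo=$null; DeleteMessage=$false; MoveToFolder='Newsletters' },
    [pscustomobject]@{ MailboxOwnerId='bob@contoso.com'; Name='a'; Enabled=$true; ForwardTo=$null; ForwardAsAttachmentTo=$null; RedirectTo=$null; DeleteMessage=$false; MoveToFolder='RSS Feeds' }
)

# Expected: alice's '.' rule (external forward, deletes, blank-ish name) and bob's 'a' rule (RSS folder, short name) are flagged; 'Newsletters' is not.
$sampleRules | Find-SuspiciousInboxRule | Format-Table -AutoSize
```

Against a live tenant with the ExchangeOnlineManagement module connected, the same function can consume real rules via `Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName } | Find-SuspiciousInboxRule`.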

Attendees will learn how Hawk not only reduces investigation time but also enhances visibility into Microsoft cloud environments, making it easier to detect anomalies and hunt for threats. Whether you're a security analyst, incident responder, or cloud administrator, this session will provide you with practical tools and techniques to improve your cloud incident response workflow.

By the end of this session, attendees will have a clear understanding of:

  • The challenges of investigating Microsoft 365 environments.
  • How Hawk automates log collection and reduces manual efforts.
  • Key audit log types that provide critical investigative context.
  • How to effectively use Hawk to detect high-risk behaviors and improve cloud security operations.

With cloud breaches on the rise, Hawk equips defenders with the means to cut through the noise and focus on what matters: identifying and mitigating threats in the Microsoft cloud.

Jonathan is an active-duty U.S. Marine Corps officer with over 20 years of combined experience in cybersecurity and software development. He has an extensive background in leading and conducting threat hunting, incident response, and vulnerability assessments. Additionally, Jonathan has experience designing and developing secure software solutions and working with cloud security technologies to address modern cybersecurity challenges.

Paul Navarro, a Marine Corps veteran and Cybersecurity Chief Architect at Microsoft, is one of Hawk’s core maintainers. He brings firsthand experience in Microsoft Cloud forensics and operationalizing security in cloud environments for customers. He has played a key role in shaping Hawk’s development with a focus on detecting high-risk activities across Microsoft cloud services for cloud customers who need a place to start from. Paul’s passionate about helping anyone who has an interest in security get into the workforce.

Lorenzo brings over 27 years of extensive experience in Information Technology, with more than 12 years dedicated specifically to Information Security. His career has been marked by impactful roles, including serving as a Marine stationed at Fort Meade, where he specialized in Defensive Cyberspace Operations (DCO). During his tenure there, spanning over eight years, Lorenzo operated at all key levels—tactical, operational, and strategic—securing Department of Defense (DoD) infrastructure against malicious cyber threat actors.

Currently, Lorenzo serves as a Senior Cloud Solutions Architect specializing in Security at Microsoft. In this role, he collaborates closely with customers as a trusted advisor, providing guidance to help secure their hybrid digital estate. His deep understanding of cloud architectures and cybersecurity principles allows him to craft tailored solutions that address complex security challenges effectively. Lorenzo is particularly passionate about empowering organizations to safely navigate the evolving digital landscape, emphasizing proactive threat mitigation, robust security frameworks (e.g. Zero Trust), and comprehensive risk management strategies.