# Responder brief — S4 (identical across both arms)

**Your role:** Cloud security / identity SOC lead for the organization's **Microsoft 365 / Azure AD (Entra ID)
tenant**. You own detection and response for the cloud identity and SaaS control plane.

**Your simulated tooling / telemetry (this is everything you have):**
- **Azure AD / Entra sign-in logs** — interactive and non-interactive sign-ins, service-principal sign-ins,
  the app/client used, IP, and conditional-access results.
- **Unified audit log** — directory changes including **OAuth application consent grants**, app registrations,
  and admin-consent events.
- **Cloud app security / CASB alerts** (Microsoft Defender for Cloud Apps-style) — anomalous cloud-app activity.
- **Microsoft Graph activity / mailbox audit** where enabled.
- An on-prem **EDR** and network egress monitor exist for the corporate endpoints (available to query).

**Response latitude:** revoke OAuth tokens / refresh tokens, disable or remove an app registration / service
principal, revoke user sessions, disable an account, tune conditional-access, and escalate to IR and the
ontology/modeling team.

**Turn cap:** 5.
