<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Threat-Intelligence — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/threat-intelligence/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 29 Apr 2026 10:00:42 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/threat-intelligence/feed.xml" rel="self" type="application/rss+xml"/><item><title>AI-Powered Honeypots: Deceptive Environments for Automated Threat Actors</title><link>https://feed.craftedsignal.io/briefs/2026-04-ai-honeypots/</link><pubDate>Wed, 29 Apr 2026 10:00:42 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-ai-honeypots/</guid><description>Generative AI can be used to rapidly deploy adaptive honeypot systems that simulate diverse environments, like Linux shells or IoT devices, to trick and observe AI-driven attacks that prioritize speed over stealth.</description><content:encoded><![CDATA[<p>The rise of AI brings advantages to both defenders and threat actors. This brief explores how generative AI can be leveraged to create adaptive honeypot systems. These systems can instantly create diverse honeypots, such as Linux shells or IoT devices, using simple text prompts. This approach offers a scalable method for deploying complex, convincing deceptive environments. Because AI-driven attacks often prioritize speed over stealth, they are highly susceptible to being tricked by these simulated systems. 
Defenders can actively manipulate and mislead threat actors, observing their methodologies in real-time within a controlled environment. By exploiting the inherent lack of awareness in AI agents, defenders can turn the attacker&rsquo;s automation into a liability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker&rsquo;s AI-driven tool scans a range of IP addresses, identifying open TCP ports.</li>
<li>The attacking tool connects to a honeypot listener on a designated port.</li>
<li>The honeypot presents a simulated login prompt.</li>
<li>The attacking tool attempts to authenticate using common credentials or exploits known vulnerabilities.</li>
<li>If the attacker attempts the correct username (&ldquo;admin&rdquo;) and password (&ldquo;password123&rdquo;), or exploits a simulated vulnerability like Shellshock (CVE-2014-6271), the honeypot grants access to a simulated environment.</li>
<li>The attacker issues commands, believing they are interacting with a real system.</li>
<li>The honeypot, powered by a generative AI model, responds in a manner consistent with the simulated environment, logging all attacker actions.</li>
<li>The attacker attempts to move laterally, install malware, or exfiltrate data, all within the confines of the honeypot.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deployment of AI-powered honeypots allows organizations to gain valuable insights into the tactics, techniques, and procedures (TTPs) of automated threat actors. This information can be used to improve existing security measures, develop more effective detection strategies, and proactively defend against future attacks. By observing attacker behavior in a controlled environment, organizations can minimize the risk of real systems being compromised. The number of diverted attacks will vary depending on honeypot deployment scale and attacker activity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy honeypots simulating common services or devices within your network to attract automated attacks and observe attacker behavior.</li>
<li>Monitor network connections to honeypot IP addresses (using a firewall or network intrusion detection system) and trigger alerts on any inbound connection attempts.</li>
<li>Implement the Sigma rule &ldquo;Detect Successful Honeypot Authentication&rdquo; to identify when an attacker successfully authenticates to the honeypot.</li>
<li>Enable process creation logging on systems running honeypots and deploy the Sigma rule &ldquo;Detect Suspicious Commands in Honeypot Environment&rdquo; to identify malicious commands executed within the simulated environment.</li>
<li>Review network traffic generated by honeypots for exploitation attempts targeting vulnerabilities like CVE-2014-6271.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>honeypot</category><category>ai</category><category>deception</category><category>threat-intelligence</category></item><item><title>CrowdStrike Falcon Cloud Security Advances CNAPP with Adversary-Informed Risk Prioritization</title><link>https://feed.craftedsignal.io/briefs/2026-03-cnapp-advancements/</link><pubDate>Mon, 30 Mar 2026 06:43:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cnapp-advancements/</guid><description>CrowdStrike Falcon Cloud Security enhances its CNAPP capabilities, incorporating adversary intelligence to prioritize cloud risks based on threat actor behavior, particularly focusing on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER, to enable security teams to understand and remediate cloud exposures more effectively.</description><content:encoded><![CDATA[<p>CrowdStrike has enhanced its Falcon Cloud Security with new CNAPP (Cloud-Native Application Protection Platform) capabilities designed to provide more proactive and context-aware cloud security. These advancements address limitations in current CNAPP solutions, which often lack visibility into business applications, ignore adversary behavior, and result in endless triage due to a lack of causality information. The new features, including Application Explorer and adversary-informed risk prioritization, aim to provide security teams with the necessary context to understand cloud risks, prioritize remediation efforts, and quickly respond to potential breaches by threat actors, with a specific focus on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER who are known to target cloud environments. 
According to the CrowdStrike 2026 Global Threat Report, cloud-conscious intrusions by state-nexus threat actors surged 266% year-over-year in 2025, highlighting the need for improved cloud security measures.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> Adversaries gain initial access to the cloud environment through various means, such as exploiting misconfigurations or vulnerabilities in cloud services.</li>
<li><strong>Discovery:</strong> Threat actors perform reconnaissance to discover cloud resources, services, and applications.</li>
<li><strong>Lateral Movement:</strong> Attackers move laterally within the cloud environment, leveraging compromised credentials or exploiting vulnerabilities to access additional resources.</li>
<li><strong>Privilege Escalation:</strong> Adversaries escalate privileges to gain higher-level access to critical cloud resources and data.</li>
<li><strong>Data Access:</strong> Attackers access sensitive data stored in cloud storage resources, databases, or applications.</li>
<li><strong>Exfiltration:</strong> The stolen data is exfiltrated from the cloud environment to an external location controlled by the attacker.</li>
<li><strong>Impact:</strong> The exfiltration of sensitive data can lead to financial loss, reputational damage, and regulatory penalties for the victim organization.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful cloud breach can result in significant damage, including data theft, financial losses, and reputational harm. The enhanced CNAPP capabilities in CrowdStrike Falcon Cloud Security aim to mitigate these risks by providing organizations with better visibility into cloud assets, risk prioritization based on adversary behavior, and faster remediation capabilities. Specifically, organizations operating in sectors targeted by groups like LABYRINTH CHOLLIMA or SCATTERED SPIDER are at increased risk. In 2025, cloud intrusions increased dramatically, underscoring the urgent need for more effective cloud security measures.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Application Explorer to gain visibility into how business applications run across cloud and on-premises environments and identify application-layer risks.</li>
<li>Utilize the adversary intelligence feature in Falcon Cloud Security to prioritize cloud risks based on the tactics, techniques, and procedures (TTPs) of known threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER.</li>
<li>Monitor for overly permissive access to storage resources that connect to applications processing customer personally identifiable information (PII) using a rule like the one below to detect potential data breaches.</li>
<li>Implement the Sigma rule below to identify processes accessing cloud resources with unusual user agents, which can indicate unauthorized access attempts or exploitation activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud-security</category><category>cnapp</category><category>threat-intelligence</category></item><item><title>CrowdStrike Falcon Next-Gen SIEM Supports Third-Party EDR Tools</title><link>https://feed.craftedsignal.io/briefs/2026-03-falcon-siem-microsoft-defender/</link><pubDate>Sun, 29 Mar 2026 14:22:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-falcon-siem-microsoft-defender/</guid><description>CrowdStrike's Falcon Next-Gen SIEM now supports third-party EDR solutions, starting with Microsoft Defender, to extend AI-native SOC capabilities without replacing existing endpoint agents.</description><content:encoded><![CDATA[<p>CrowdStrike Falcon Next-Gen SIEM is expanding its capabilities to integrate with third-party EDR solutions, beginning with Microsoft Defender. This allows organizations to modernize their Security Operations Center (SOC) without the need to replace existing endpoint agents. The integration addresses the challenge of adversaries exploiting cross-domain gaps across endpoint, identity, network, and cloud environments. Security teams can now investigate across previously fragmented systems. Falcon Onum, natively embedded within the Falcon platform, delivers a unified experience for real-time data pipelines, enabling ingestion, filtering, enrichment, and routing of data in motion. This enhancement aims to reduce noise and improve data fidelity before it reaches downstream systems, leading to faster detection and more efficient investigations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Adversary exploits cross-domain gaps across endpoint, identity, network, and cloud environments.</li>
<li>Attack spans across different tools and environments, creating fragmented investigation scenarios for security teams.</li>
<li>Legacy SIEMs impose a &ldquo;data tax&rdquo; for full ingestion, resulting in slower detection.</li>
<li>Siloed tools create blind spots and disconnected workflows, hindering effective response.</li>
<li>Falcon Onum ingests data, filters noise, enriches telemetry, and routes data in real-time to reduce storage costs.</li>
<li>High-signal data is prioritized and routed to Falcon Next-Gen SIEM for active investigations.</li>
<li>Remaining data is efficiently archived to cost-effective external data stores like Amazon S3 via Athena.</li>
<li>Security teams can then investigate across the disparate data sources through federated search, operationalizing threat intelligence at scale.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The lack of integrated security tools leads to slower detection and delayed incident response, making it harder for SOC teams to keep pace with modern threats. Organizations face increased operational costs due to duplicated data and the need for extensive data ingestion. By integrating third-party EDR solutions, CrowdStrike aims to provide faster detection, more efficient investigations, and a stronger foundation for AI-driven security operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy Falcon Next-Gen SIEM and configure it to ingest Microsoft Defender telemetry to unify detection, investigation, and response without changing endpoint deployments.</li>
<li>Leverage Falcon Onum to filter and enrich data in real-time, reducing noise and storage costs, as mentioned in the <strong>Overview</strong>.</li>
<li>Utilize federated search capabilities to investigate across live, network, and archived data sources (Falcon LogScale, ExtraHop, Amazon S3 via Athena) as described in the <strong>Attack Chain</strong>.</li>
<li>Explore the Third-Party Indicator Management feature to ingest, enrich, and manage external indicators of compromise.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>siem</category><category>edr</category><category>threat-intelligence</category></item><item><title>CrowdStrike CNAPP Enhancements Prioritize Risk Based on Adversary Behavior</title><link>https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-prioritization/</link><pubDate>Sun, 29 Mar 2026 07:19:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cnapp-adversary-prioritization/</guid><description>CrowdStrike's CNAPP enhancements prioritize cloud risk based on adversary behavior, correlating application insights with cloud infrastructure telemetry to identify and address critical exposures targeted by specific threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER.</description><content:encoded><![CDATA[<p>CrowdStrike has enhanced its Cloud Native Application Protection Platform (CNAPP) to prioritize cloud risks based on real-world adversary behavior, addressing limitations in traditional CNAPP solutions. These improvements correlate application-layer visibility with cloud infrastructure context, enabling security teams to understand how applications interact with services, access data, use credentials, and integrate AI components. Falcon Cloud Security maps cloud risks to known adversary profiles and observed techniques, allowing security teams to focus on conditions attackers target in documented intrusions. With threat intelligence from over 280 adversary groups, including LABYRINTH CHOLLIMA and SCATTERED SPIDER, organizations can better prepare their defenses against evolving cloud threats. This advancement aims to reduce alert fatigue and enable more effective remediation by aligning security efforts with actual adversary tactics. 
The enhancements were announced on March 24, 2026, and are designed to address the increasing number of cloud-conscious intrusions, which surged 266% year-over-year in 2025, as highlighted in the CrowdStrike 2026 Global Threat Report.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> Adversaries exploit misconfigurations or vulnerabilities in cloud infrastructure or applications to gain initial access.</li>
<li><strong>Discovery:</strong> Using tools and techniques, the adversary performs reconnaissance to map out cloud assets, services, and dependencies, identifying potential targets.</li>
<li><strong>Privilege Escalation:</strong> The attacker leverages compromised credentials or exploits vulnerabilities to elevate privileges within the cloud environment.</li>
<li><strong>Lateral Movement:</strong> With elevated privileges, the adversary moves laterally across different cloud services and applications to access sensitive data.</li>
<li><strong>Data Access:</strong> The threat actor accesses business-critical applications, customer PII, or AI components to exfiltrate data or cause disruption.</li>
<li><strong>Exfiltration:</strong> Sensitive data is exfiltrated from the cloud environment to an external location controlled by the adversary.</li>
<li><strong>Persistence:</strong> Adversaries establish persistence mechanisms to maintain access to the compromised cloud environment for future operations.</li>
<li><strong>Impact:</strong> The ultimate objective is achieved, whether it be data theft, disruption of services, or financial gain.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to significant data breaches, disruption of critical business applications, and financial losses. With the increasing reliance on cloud infrastructure, the impact can extend across various sectors, affecting organizations of all sizes. The 266% surge in cloud intrusions in 2025 demonstrates the growing threat, potentially impacting millions of users and costing organizations significant resources to remediate and recover.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &ldquo;Detect Cloud Infrastructure Misconfiguration Leading to Potential Data Access&rdquo; Sigma rule to identify overly permissive access to storage resources (rules).</li>
<li>Implement the &ldquo;Detect Shadow AI Activity via LLM Usage&rdquo; Sigma rule to detect unauthorized use of external large language models (LLMs) (rules).</li>
<li>Leverage CrowdStrike Falcon Cloud Security to correlate application-layer visibility with cloud infrastructure context for comprehensive risk analysis (overview).</li>
<li>Prioritize cloud risks based on adversary intelligence provided by CrowdStrike to focus on conditions targeted by threat actors like LABYRINTH CHOLLIMA and SCATTERED SPIDER (overview).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>cloud-security</category><category>cnapp</category><category>threat-intelligence</category></item><item><title>CrowdStrike Falcon Next-Gen SIEM Integrates with Microsoft Defender EDR</title><link>https://feed.craftedsignal.io/briefs/2026-03-falcon-siem-defender-integration/</link><pubDate>Sun, 29 Mar 2026 06:23:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-falcon-siem-defender-integration/</guid><description>CrowdStrike Falcon Next-Gen SIEM now supports third-party EDR solutions like Microsoft Defender, enabling unified detection and response across diverse environments, addressing the challenges of cross-domain attacks and fragmented security systems.</description><content:encoded><![CDATA[<p>CrowdStrike&rsquo;s Falcon Next-Gen SIEM is expanding its capabilities to support third-party EDR solutions, beginning with Microsoft Defender. Announced on March 23, 2026, this enhancement allows organizations to integrate Microsoft Defender telemetry into Falcon Next-Gen SIEM, streamlining detection, investigation, and response without requiring changes to existing endpoint deployments. This integration addresses the increasing challenge of adversaries exploiting gaps across endpoint, identity, network, and cloud environments. Falcon Next-Gen SIEM aims to unify disparate security tools and workflows, improve data fidelity, and accelerate security outcomes by eliminating the traditional &ldquo;data tax&rdquo; associated with legacy SIEMs. The updates also include Falcon Onum for real-time data control, federated search capabilities, and third-party indicator management to improve threat intelligence operationalization.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Adversary gains initial access to a target environment through various means, potentially bypassing existing endpoint security measures.</li>
<li>Microsoft Defender detects suspicious activity on an endpoint and generates telemetry data.</li>
<li>Falcon Next-Gen SIEM ingests the Microsoft Defender telemetry data.</li>
<li>Falcon Onum filters, enriches, and routes the telemetry data, reducing noise and improving data fidelity.</li>
<li>Falcon Next-Gen SIEM analyzes the processed data, correlating it with other security event data.</li>
<li>AI-powered threat detection identifies potentially malicious activity based on the combined data.</li>
<li>Security analysts investigate the detected activity within the Falcon Next-Gen SIEM console, leveraging federated search capabilities to access additional data sources if needed.</li>
<li>Based on the investigation, analysts initiate response actions through Falcon Fusion SOAR.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The integration of third-party EDR solutions like Microsoft Defender into CrowdStrike Falcon Next-Gen SIEM aims to reduce the time to detect and respond to threats. By unifying security data and workflows, organizations can eliminate blind spots, improve data fidelity, and accelerate investigations. Successful attacks can lead to data breaches, system compromise, and financial losses. The number of affected organizations and the specific financial impact will depend on the effectiveness of the integrated security measures.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules provided in this brief to your SIEM and tune them according to your environment to detect suspicious activity correlated across multiple data sources.</li>
<li>Enable and configure Microsoft Defender to generate detailed telemetry data, which can then be ingested into Falcon Next-Gen SIEM for enhanced analysis.</li>
<li>Utilize Falcon Onum to filter, enrich, and route telemetry data to improve data fidelity and reduce storage costs, as mentioned in the overview.</li>
<li>Leverage the federated search capabilities of Falcon Next-Gen SIEM to investigate threats across live, network, and archived data sources without costly re-ingestion, as described in the overview.</li>
<li>Implement third-party indicator management to operationalize threat intelligence at scale by ingesting, enriching, scoring, and managing external indicators of compromise.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>siem</category><category>edr</category><category>threat-intelligence</category></item><item><title>CrowdStrike CNAPP Enhanced with Adversary-Informed Risk Prioritization</title><link>https://feed.craftedsignal.io/briefs/2026-03-cnapp-advances/</link><pubDate>Sat, 28 Mar 2026 14:46:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-cnapp-advances/</guid><description>CrowdStrike has enhanced its CNAPP capabilities by adding application-layer visibility and prioritizing risks based on known adversary tactics, techniques, and procedures (TTPs).</description><content:encoded><![CDATA[<p>CrowdStrike has advanced its Cloud-Native Application Protection Platform (CNAPP) to address limitations in current cloud security approaches. The enhancements include Application Explorer, which provides application-layer visibility alongside cloud infrastructure context, and adversary intelligence for cloud risks. These updates aim to help organizations understand how applications interact with infrastructure and prioritize risks based on threat actor behavior. Specifically, the CNAPP maps cloud risks to over 280 adversary groups tracked by CrowdStrike, such as LABYRINTH CHOLLIMA and SCATTERED SPIDER. This allows security teams to focus on exploitation chains known to be used against specific industries and organizational profiles, moving beyond theoretical risk assessments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> An attacker gains initial access to a cloud environment through compromised credentials or exploitation of a vulnerability in a cloud service. (TA0001)</li>
<li><strong>Privilege Escalation:</strong> The attacker attempts to elevate privileges within the cloud environment to gain access to more sensitive resources and data.</li>
<li><strong>Lateral Movement:</strong> Using the compromised credentials or elevated privileges, the attacker moves laterally within the cloud environment to identify and access target applications and data stores.</li>
<li><strong>Application Discovery:</strong> The attacker uses Application Explorer (if available) to map application dependencies, identify business-critical applications, and locate AI components (MCPs, LLMs) within the environment.</li>
<li><strong>Data Exfiltration:</strong> The attacker identifies storage resources or data stores containing sensitive information (e.g., PII) and attempts to exfiltrate the data to an external location.</li>
<li><strong>Shadow AI Exploitation:</strong> The attacker exploits shadow AI activity by identifying unapproved model usage and exposing sensitive data to external AI services.</li>
<li><strong>Persistence:</strong> The attacker establishes persistence within the environment to maintain access and continue their activities even if initial access methods are remediated. (TA0003)</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of a successful attack can range from data breaches and financial losses to reputational damage and disruption of critical business operations. Specific consequences include the compromise of business-critical applications (e.g., payment processing, hospital ERP), exposure of sensitive data (e.g., PII), and the exploitation of AI-driven applications through shadow AI activity. In 2025, cloud-conscious intrusions by state-nexus threat actors surged 266% year-over-year, highlighting the increasing risk and potential impact of cloud-based attacks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Leverage Falcon Cloud Security&rsquo;s Application Explorer to gain visibility into application dependencies, identify business-critical applications, and map infrastructure risks affecting production applications.</li>
<li>Utilize the adversary intelligence feature within Falcon Cloud Security to prioritize cloud risks based on known adversary profiles and observed techniques, focusing on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER.</li>
<li>Deploy the Sigma rules below to detect suspicious activity related to common cloud attack patterns in your environment.</li>
<li>Review and harden overly permissive access controls on storage resources identified by CrowdStrike.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud-security</category><category>cnapp</category><category>threat-intelligence</category><category>risk-prioritization</category></item><item><title>CrowdStrike Falcon Cloud Security CNAPP with Adversary-Informed Risk Prioritization</title><link>https://feed.craftedsignal.io/briefs/2026-03-crowdstrike-cnapp/</link><pubDate>Sat, 28 Mar 2026 08:17:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-crowdstrike-cnapp/</guid><description>CrowdStrike's new CNAPP capabilities in Falcon Cloud Security focus on adversary-informed risk prioritization by correlating application-layer visibility with threat actor profiles and techniques, enabling security teams to understand cloud risk, prioritize remediation, and accelerate response.</description><content:encoded><![CDATA[<p>CrowdStrike has enhanced its Falcon Cloud Security with new Cloud-Native Application Protection Platform (CNAPP) capabilities designed to prioritize cloud risks based on adversary behavior. This update addresses critical gaps in current CNAPP solutions, including limited visibility into business applications, a lack of integration of adversary intelligence, and difficulties in tracing the root cause of exposures. The new features provide application-layer visibility, correlate risks with threat actor profiles and techniques, and help identify the configuration changes that introduced vulnerabilities. This enables security teams to focus on the attack paths most likely to be exploited by threat actors, such as LABYRINTH CHOLLIMA and SCATTERED SPIDER, and to more effectively prioritize remediation efforts within their cloud environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise (Theoretical):</strong> An attacker gains initial access to the cloud environment, potentially exploiting a misconfiguration or vulnerability in a cloud service or application.</li>
<li><strong>Reconnaissance:</strong> The attacker uses internal reconnaissance techniques to discover cloud resources, application dependencies, and potential attack paths within the cloud environment. This phase can be accelerated by exploiting overly permissive access controls on storage resources.</li>
<li><strong>Privilege Escalation:</strong> The attacker attempts to elevate privileges within the cloud environment by exploiting weak IAM configurations, vulnerable services, or exposed credentials.</li>
<li><strong>Lateral Movement:</strong> Using compromised credentials or exploiting service vulnerabilities, the attacker moves laterally to other cloud resources and applications within the environment. The attacker may target business-critical applications that process sensitive data.</li>
<li><strong>Data Access:</strong> The attacker accesses sensitive data stored in cloud storage, databases, or other resources, potentially including customer PII.</li>
<li><strong>Exfiltration (Theoretical):</strong> The attacker exfiltrates the stolen data from the cloud environment to an external location.</li>
<li><strong>Impact (Theoretical):</strong> The successful attack results in data breaches, financial loss, reputational damage, and disruption of business operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The observed trend of increasing cloud breaches, including a 266% year-over-year surge in cloud-conscious intrusions by state-nexus threat actors in 2025, highlights the critical need for enhanced cloud security measures. Successful attacks can lead to data breaches, financial losses, reputational damage, and disruption of critical business operations, particularly targeting financial services. The Falcon Cloud Security CNAPP aims to reduce the risk of such incidents by providing better visibility, risk prioritization, and faster response times.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy Falcon Cloud Security to gain visibility into application-layer risks and dependencies as described in the overview section.</li>
<li>Utilize the adversary intelligence features of Falcon Cloud Security to prioritize cloud risks based on known threat actor profiles and observed techniques, mapping risks to groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER.</li>
<li>Investigate alerts generated by Falcon Cloud Security that indicate potential attack paths used by known threat actors, focusing on the industries they actively target, as mentioned in the threat brief.</li>
<li>Enable and review logs from your cloud infrastructure and application services to correlate with the Falcon Cloud Security findings and identify the configuration changes that introduced the exposures.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud-security</category><category>cnapp</category><category>threat-intelligence</category><category>risk-prioritization</category></item><item><title>Maltrail IOCs Report: Tracking Multiple Threat Actors</title><link>https://feed.craftedsignal.io/briefs/2026-02-maltrail-iocs/</link><pubDate>Fri, 27 Feb 2026 23:00:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-maltrail-iocs/</guid><description>This brief analyzes IOCs aggregated by Maltrail on February 27, 2026, highlighting network activity associated with diverse threat actors including APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp campaigns targeting various sectors.</description><content:encoded><![CDATA[<p>This threat brief is based on an IOC feed from Maltrail, dated February 27, 2026, which aggregates indicators related to various threat actors and malware campaigns. The tracked actors include APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp. The IOCs primarily consist of domains and IP addresses associated with these groups&rsquo; network infrastructure and malware distribution. These campaigns are likely targeting a wide range of victims across multiple sectors, employing diverse techniques to achieve their objectives, including initial access, command and control, and potentially data exfiltration or deployment of malicious payloads. The data suggests ongoing malicious activity necessitating proactive monitoring and detection efforts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> An unsuspecting user visits a compromised website or interacts with a malicious advertisement, potentially leading to the download of a malware loader such as those associated with SmokeLoader or FakeApp.</li>
<li><strong>Malware Installation:</strong> The initial loader executes on the victim&rsquo;s system, establishing persistence and preparing the environment for further malicious activities. This may involve creating scheduled tasks or modifying registry keys for auto-start.</li>
<li><strong>Command and Control (C2) Communication:</strong> The malware establishes communication with a command-and-control server, using domains such as <code>dax.estate</code> (SmokeLoader) or <code>resistantmusic.shop</code> (PowerShell Injector) to receive instructions and transmit data.</li>
<li><strong>PowerShell Injection:</strong> The PowerShell Injector utilizes multiple techniques to inject malicious code into running processes, allowing it to evade detection and maintain persistence within the system. Domains such as <code>apostile.zapto.org</code> and <code>googletranslate.zapto.org</code> may resolve to infrastructure involved in command and control of compromised hosts.</li>
<li><strong>Lateral Movement:</strong> The attackers leverage compromised systems to move laterally within the network, potentially using stolen credentials or exploiting vulnerabilities to gain access to additional systems.</li>
<li><strong>Data Exfiltration:</strong> Sensitive data is collected from compromised systems and exfiltrated to attacker-controlled servers, potentially using domains such as <code>ashersoftlib.com</code> (APT_Bitter) for staging or exfiltration.</li>
<li><strong>Android Exploitation:</strong> In the case of Android_Joker, malicious applications distributed through unofficial channels or app stores communicate with <code>petitle.cloud</code> for command and control, potentially leading to data theft or installation of further malware.</li>
<li><strong>Final Objective:</strong> The final objective of the attack may vary depending on the actor and the target, ranging from data theft and espionage (APT_UNC2465, Lazarus Group, APT_Bitter) to financial gain (Android_Joker) or widespread malware distribution (SmokeLoader, FakeApp, PowerShell Injector).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised systems can be used for a variety of malicious purposes, including data theft, financial fraud, and further propagation of malware. Victims may experience data breaches, financial losses, and reputational damage. The wide range of threat actors involved suggests that various sectors and organizations are at risk. If successful, these attacks can lead to significant financial losses and disruption of business operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Block the identified malicious domains and IP addresses at the network perimeter to prevent communication with command-and-control servers (IOC table).</li>
<li>Implement a web proxy filter to block access to URLs associated with malware downloads and phishing campaigns (IOC table).</li>
<li>Monitor network traffic for connections to known malicious domains and IP addresses associated with APT_Bitter, PowerShell Injector, SmokeLoader, and FakeApp (IOC table).</li>
<li>Deploy the Sigma rule to detect network connections to domains associated with PowerShell Injector infrastructure. Tune the rule for your environment (Sigma Rule).</li>
<li>Deploy the Sigma rule to detect network connections to infrastructure associated with FakeApp campaigns, adjusting the rule as needed for your environment (Sigma Rule).</li>
<li>Investigate and remediate any systems that exhibit suspicious network activity or have been identified as compromised based on the IOCs provided (IOC table).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>maltrail</category><category>threat-intelligence</category><category>apt</category><category>malware</category></item><item><title>Azure AD Threat Intelligence Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-azuread-threatintel/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azuread-threatintel/</guid><description>This brief focuses on detecting unusual user activity and sign-in patterns flagged by Azure AD Threat Intelligence, which may indicate stealthy attacks, persistence attempts, privilege escalation, or initial access.</description><content:encoded><![CDATA[<p>Azure AD Threat Intelligence identifies suspicious user activities that deviate from established patterns or align with known attack tactics. These alerts, surfaced within the Azure AD Identity Protection framework, are crucial for detecting stealthy maneuvers, persistence attempts, unauthorized privilege escalations, and initial access attempts. The alerts are triggered by unusual sign-ins, potentially originating from unfamiliar locations or devices. Defenders should prioritize investigation into these alerts as they can be indicative of compromised accounts or malicious actors attempting to gain unauthorized access to resources within the Azure environment. Successfully identifying and mitigating these threats prevents further lateral movement, data exfiltration, and potential damage to the organization.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises user credentials through phishing, credential stuffing, or other means (Initial Access).</li>
<li>The attacker attempts to sign in to Azure AD using the compromised credentials, potentially from an unusual location or device.</li>
<li>Azure AD Threat Intelligence detects the unusual sign-in activity based on risk indicators and flags it as &lsquo;investigationsThreatIntelligence&rsquo;.</li>
<li>The attacker, if successful in the initial sign-in, attempts to access sensitive resources or applications within the Azure environment.</li>
<li>The attacker may attempt to establish persistence by modifying user profiles or application settings.</li>
<li>The attacker may attempt to escalate privileges by exploiting vulnerabilities or misconfigurations within the Azure environment.</li>
<li>The attacker moves laterally to other resources and accounts.</li>
<li>The attacker achieves their objective, such as data exfiltration or disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack targeting Azure AD can compromise user accounts and lead to unauthorized access to sensitive data and resources. The impact can range from data breaches and financial losses to reputational damage and disruption of business operations. Organizations relying heavily on Azure AD for identity and access management are particularly vulnerable. The number of affected users and the extent of the damage will depend on the attacker&rsquo;s objectives and the organization&rsquo;s security posture.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect &lsquo;investigationsThreatIntelligence&rsquo; events within Azure AD risk detection logs (logsource: azure, service: riskdetection).</li>
<li>Investigate sessions flagged by the detection, correlating with other sign-in events from the same user to identify potential false positives or confirm malicious activity.</li>
<li>Implement multi-factor authentication (MFA) to mitigate the risk of compromised credentials and unauthorized sign-ins.</li>
<li>Review and enforce conditional access policies to restrict access based on location, device, and other risk factors.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azuread</category><category>threat-intelligence</category><category>risk-detection</category></item></channel></rss>