TandemTrace
// INCIDENT · FIELD NOTE 7 minute read

One quiet weekend at 3 a.m.

// ANONYMIZED  ·  The customer, indicators, and exact dates have been changed. The shape of the incident is real.

The first alert arrived at 02:47 UTC on a Sunday. A single low-priority signal, anomalous service-principal token use against a SharePoint endpoint at a financial-services customer. By 09:00 Monday, the SOC lead read the autonomous handoff log over coffee. Here's what happened in between.

02:47 UTC The first signal

Anomaly score on a service-principal token in Microsoft Graph telemetry. Severity: low. The token was being used to read a SharePoint Online site the principal had read access to. Nothing obviously wrong on its face.

The customer's primary triage stack saw it, classified it as in-pattern, and closed. In their environment that's the right call 95% of the time; the SOC sees dozens of similar OAuth grants every week.

02:49 UTC First pivot

TandemTrace's autonomous layer didn't close. It pivoted.

First question: had this service principal been authorized to access this site before, within its identity baseline? The directory baseline said no. The principal had been granted SharePoint read scope four weeks earlier through a conditional-access exemption rather than through a reviewed change to its baseline. The grant itself had been a normal request at the time; the exemption around it had since been forgotten.

02:51 UTC Second pivot

Next question: where is this token being used from?

The token had been used from an IP in northeast Europe. The customer's user population sits almost entirely in São Paulo and Mexico City. The service principal had no business reason to authenticate from that geography. Combined with the first pivot, the picture had changed.

02:53 UTC Third pivot

Third question: what was read in the session?

One SharePoint folder. The folder's classification said: customer-pii · schema-bound.

03:14 UTC The close

The autonomous layer closed the loop:

  • Token blocked (Graph API revoke).
  • Conditional-access exemption rescinded automatically.
  • Containment record written to the case file.
  • On-call paged with the full evidence chain attached.
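The three pivots and the close, replayed as an added example over constructed Microsoft Graph-style events. This is example code written for this note, not TandemTrace's own code: the baseline table, exemption dates, site names, country codes and classification labels are all constructed, and the rule that auto-containment requires both the identity pivot and the geography pivot to fire (anything less is queued for a human) is an assumption made for the example. It also includes the lookup for adjacent exemptions cut in the same window, which is the step the on-call took at 03:31 and the IAM team was asked to repeat at 09:00.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class TokenUseEvent:
    principal: str        # service-principal identifier
    site: str             # SharePoint site the token was used against
    source_country: str   # geolocation of the source IP, ISO 3166 alpha-2
    seen_at: datetime


@dataclass
class Verdict:
    action: str                                # "close", "review" or "contain"
    findings: list = field(default_factory=list)
    containment: list = field(default_factory=list)


# Constructed reference data for the example. A real deployment would read these
# from the directory, the conditional-access policy store and the classification service.
REVIEWED_BASELINE = {                 # principal -> sites in its reviewed, long-standing access set
    "sp-billing-export": {"sites/finance-reports"},
}
CA_EXEMPTIONS = {                     # (principal, site) -> when the exemption was cut
    ("sp-billing-export", "sites/hr-onboarding"): datetime(2024, 1, 7, tzinfo=UTC),
    ("sp-payroll-sync", "sites/hr-onboarding"):   datetime(2024, 1, 9, tzinfo=UTC),
    ("sp-ticket-mirror", "sites/support-cases"):  datetime(2024, 1, 5, tzinfo=UTC),
    ("sp-legacy-archive", "sites/archive-2019"):  datetime(2023, 6, 1, tzinfo=UTC),
}
EXPECTED_COUNTRIES = {"BR", "MX"}     # where the customer's user population sits
SITE_CLASSIFICATION = {
    "sites/finance-reports": "internal",
    "sites/hr-onboarding": "customer-pii",
}
SENSITIVE_LABELS = {"customer-pii"}


def pivot_identity_baseline(ev):
    """Pivot 1: is this access inside the reviewed baseline, or riding an exemption?"""
    if ev.site in REVIEWED_BASELINE.get(ev.principal, set()):
        return None
    granted = CA_EXEMPTIONS.get((ev.principal, ev.site))
    if granted is None:
        return f"no recorded grant for {ev.principal} on {ev.site}"
    age = (ev.seen_at - granted).days
    return f"access to {ev.site} rests on a {age}-day-old conditional-access exemption outside the baseline"


def pivot_geography(ev):
    """Pivot 2: is the token being used from a geography the principal has business in?"""
    if ev.source_country in EXPECTED_COUNTRIES:
        return None
    return f"token used from {ev.source_country}; population sits in {sorted(EXPECTED_COUNTRIES)}"


def pivot_classification(ev):
    """Pivot 3: what was read, and how is it classified?"""
    label = SITE_CLASSIFICATION.get(ev.site, "unclassified")
    return f"{ev.site} is classified {label}" if label in SENSITIVE_LABELS else None


PIVOTS = (pivot_identity_baseline, pivot_geography, pivot_classification)


def triage(ev):
    """Run every pivot regardless of initial severity; tier-1 stopped at 'in-pattern'."""
    hits = {p.__name__: p(ev) for p in PIVOTS}
    findings = [f for f in hits.values() if f]
    if not findings:
        return Verdict("close")
    # Assumed rule: identity and geography both off-baseline is the auto-containment
    # condition; anything less goes to a human queue instead.
    if not (hits["pivot_identity_baseline"] and hits["pivot_geography"]):
        return Verdict("review", findings)
    containment = ["revoke_token"]                      # Graph API revoke
    if (ev.principal, ev.site) in CA_EXEMPTIONS:
        containment.append(f"rescind_exemption:{ev.site}")
    containment += ["write_containment_record", "page_on_call"]
    return Verdict("contain", findings, containment)


def adjacent_exemptions(ev, window_days=7):
    """Other principals whose exemptions were cut within window_days of this one."""
    anchor = CA_EXEMPTIONS.get((ev.principal, ev.site))
    if anchor is None:
        return []
    return sorted({p for (p, _), cut in CA_EXEMPTIONS.items()
                   if p != ev.principal and abs((cut - anchor).days) <= window_days})


if __name__ == "__main__":
    # Constructed replay of the 02:47 signal; "FI" stands in for the northeast-Europe source.
    ev = TokenUseEvent("sp-billing-export", "sites/hr-onboarding", "FI",
                       datetime(2024, 2, 4, 2, 47, tzinfo=UTC))
    v = triage(ev)
    print(v.action, *v.findings, *v.containment, sep="\n  ")
    print("adjacent exemptions:", adjacent_exemptions(ev))
```

The point of the structure is that each pivot is a separate, answerable question with its own data source, and the verdict records every answer, so the case file the on-call opens already contains the chain the example prints rather than a single score.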

03:31 UTC First human eyes

The on-call opened the case 17 minutes after the page. The evidence was already structured: alert, pivot 1, pivot 2, pivot 3, containment. No reconstruction required. The first human action was a sanity check, then a decision to extend the lockdown to two adjacent principals carrying similar four-week-old exemptions. Done by 03:47.

09:00 UTC Daylight review

The SOC lead read the handoff log over coffee. Verified the containment, validated the autonomous decisions, marked the case closed. Then sent a note to the IAM team to audit the rest of the exemptions cut in the same four-week window.

That on-call's phone didn't buzz once for noise the whole weekend. It buzzed at 03:14 for this.

What this story is, and isn't

This wasn't a sophisticated attack. The actor was using a known pattern, credential abuse through a stale and over-permissioned principal, and the customer's primary tier-1 had been trained to suppress its initial trigger because the signal looked like everyday service noise. Without an autonomous layer to break that bias and keep pivoting, the attacker would have had 30+ hours of weekend dwell before any human eye saw anything.

TandemTrace didn't do anything magical here. It kept asking questions the primary stack had been tuned to skip. Closing the 02:47 signal as in-pattern and continuing to pivot on it are both reasonable readings in isolation; only one of them stays reasonable once the case reaches an analyst with Monday-morning hindsight.

The thing we hear about most from SOC leads, though, isn't the catch. It's that the on-call slept the rest of the weekend. They were paged once, for the one thing that warranted it.


If you want to compare notes on what your tier-1 has been trained to suppress, get in touch.