
A Day in the Life of a Canadian SOC Analyst

MAR 06, 2026 6 MIN READ CYBERSECURITY · SOC · ZERO TRUST

2:17 PM · Wednesday · Toronto

The alert comes in from the Cloudflare Zero Trust gateway: a user account at one of our financial services clients attempted to access a SharePoint site from an IP address registered to a data centre in Romania.

The user’s device — a Windows 11 laptop enrolled in Intune — is currently showing as online and healthy in Canada. Two authentications, two countries, eighteen minutes apart. That’s not possible.

This is a credential compromise. The account has been phished.

What happens next is the point of having a SOC.

The first five minutes

The on-call analyst, based in Toronto, opens the Defender XDR incident console. The alert has already been correlated with two other signals: the same account attempted to access an Exchange mailbox from the same Romanian IP forty minutes ago (blocked by conditional access), and there’s an Entra ID risk event flagged as “unfamiliar sign-in properties.”

The analyst confirms this is not a false positive — not a VPN or business travel scenario. The user is verified as being in their downtown Toronto office via a Teams presence check.

Step one: disable the account in Entra. This revokes all active sessions immediately, including the Romanian session. Step two: open a P1 incident ticket and call the client’s IT lead on the emergency line. Step three: begin the investigation.

The next twenty minutes

With the account disabled, the analyst pulls the full authentication log for the past 72 hours. The Romanian IP first appeared 14 days ago — it’s been probing the environment, trying different applications, getting blocked by conditional access. Today, with the phished credentials, was its first successful sign-in.

The analyst checks whether the attacker had time to do anything in Exchange. The mailbox access was blocked, but the attacker did briefly reach the user’s Outlook web client before the account was disabled. The analyst exports the email activity log from Purview and identifies three emails the attacker may have read.

The client’s IT lead is briefed within twenty minutes of the initial alert. They know: what was accessed, what was blocked, what the attacker’s timeline looks like, and what the next steps are.

What makes this possible

The response time here — account disabled in under five minutes, client briefed in under twenty — depends on a few things that don’t happen by accident.

Connected telemetry. Cloudflare, Entra ID, Intune, ESET, and Exchange Online all feed into our SIEM. An analyst can see the full picture in one console. In a siloed environment, correlating an authentication log, a network log, and an endpoint log from three different systems takes hours.
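The first signal in this story was an impossible-travel condition: two successful sign-ins, two countries, eighteen minutes apart. As an added illustration (not code from the original post or from TruPoint’s tooling), the check below runs that logic over constructed sign-in records; the user names, coordinates and timestamps are made up, and the 1,000 km/h plausibility threshold is an assumption.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample identity telemetry (not from the original post), UTC timestamps.
# j.tremblay: Toronto sign-in, then a Bucharest sign-in 18 minutes later.
# m.ng: Montreal in the morning, Toronto in the evening (plausible travel).
SIGN_INS = [
    {"user": "j.tremblay", "ts": "2026-03-04T18:59:00Z", "country": "CA", "lat": 43.65, "lon": -79.38, "result": "success"},
    {"user": "j.tremblay", "ts": "2026-03-04T19:17:00Z", "country": "RO", "lat": 44.43, "lon": 26.10, "result": "success"},
    {"user": "m.ng", "ts": "2026-03-04T18:40:00Z", "country": "CA", "lat": 45.50, "lon": -73.57, "result": "success"},
    {"user": "m.ng", "ts": "2026-03-04T22:10:00Z", "country": "CA", "lat": 43.65, "lon": -79.38, "result": "success"},
]

# Assumed threshold: roughly airliner speed. Faster than this between two
# successful sign-ins means the same person cannot have performed both.
MAX_PLAUSIBLE_KMH = 1000.0


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """One finding per pair of consecutive successful sign-ins that implies travel above max_kmh."""
    by_user: dict[str, list] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":  # failed/blocked attempts never establish a location
            by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (_parse(cur["ts"]) - _parse(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({"user": user, "from": prev["country"], "to": cur["country"],
                                 "minutes": round(hours * 60), "km": round(km), "kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGN_INS):
        print(f"{f['user']}: {f['from']} -> {f['to']} in {f['minutes']} min ({f['km']} km, ~{f['kmh']} km/h)")
```

The verdict is only the trigger; the endpoint and presence checks the analyst performs next are what rule out VPN egress or travel before the account is disabled.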

Runbook automation. When a “credential compromise - active session” alert fires, n8n automatically fetches the matching runbook and posts it to the analyst’s Teams channel. The analyst doesn’t search for it. It’s there in 30 seconds.

24/7 Canadian coverage. This alert fired at 2:17 PM on a Wednesday. Our analysts are in Canada, on Canadian time zones, watching Canadian clients. The credential compromise didn’t sit in a queue until a tier-1 analyst in a different time zone finished their shift.

The insurance question

When a client is filling out a cyber insurance questionnaire and gets to the question “describe your security monitoring and incident response capability,” this scenario is the answer.

“We have a 24/7 Canadian SOC, connected to endpoint, identity, and network telemetry across all our clients, with a mean time to detect of under 15 minutes and a mean time to contain of under one hour.”

That answer, backed by the incident log and SLA reports in our ISMS platform, is what moves a renewal from “under review” to “approved.”


Laura Bélanger is the Head of the Canadian SOC at TruPoint Technology.
