// case comparison

cloud ATO vs key leak

security sees OAuth grants, audit-log spikes, and cloud API abuse. case A is cloud-account-compromise: tenant-scoped M365/Workspace intrusion, transport rules, and multi-account consent abuse. case B is api-key-leak: AKIA/ghp token in git history driving IAM escalation and cost spike. wrong call sends you to office365-audit-log-analyzer when you need git-repository-forensics — or revokes the wrong principal while the repo key still works.

primary tools · side by side

ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.

case a

cloud account compromise (M365 / Workspace)

tenant-level intrusion — OAuth grants, app consent abuse, mailbox rule planting, exchange transport rule tampering.

  1. office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
  2. microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange, sharepoint, teams, onedrive and azure ad · surface suspicious operations, privilege changes and data access events · reconstruct user activity timeline · runs locally
  3. o365 audit log parser: unified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
  4. azure activity log analyzer: drop azure activity log json · operations timeline · rbac changes · vm events · security · network changes · runs locally
  5. saas overprivileged oauth scope detector: drop saas oauth grant export · detect excessive oauth scopes · runs locally
  6. microsoft defender cloud apps alert forensic analyzer: drop defender cloud apps alert export · parse app + user + risk · runs locally
  7. fatcousin saas audit export correlator: drop saas audit log csv exports · actor + resource cross-service timeline · runs locally
  8. microsoft account activity export forensic analyzer: drop microsoft account activity export · parse sign-in events · flag failed logins and mfa changes · csv/json export · runs locally

case b

API key leak / repo compromise

leaked credential in git history → cloud abuse window → cost-spike + lateral movement. correlate VCS + CSP audit logs.

  1. git repository forensic analyzer: drop a .git directory or git bundle file · extract full commit history · recover deleted commits via reflog · stash contents · author metadata · file change history · detect secret leaks in history · runs locally
  2. github audit log parser: json or jsonl audit export · action, actor, org, repo · repo, org, hook, oauth, protected branch, secret scanning · suspicious flags · export csv · runs locally
  3. github audit log analyzer: drop github enterprise audit log json or csv export · parse repository and organization events · surface suspicious access patterns, force pushes, secret scanning alerts and member changes · reconstruct git activity timeline · runs locally
  4. aws cloudtrail forensic deep analyzer: drop cloudtrail json logs · detect privilege escalation paths · credential theft · data exfiltration · lateral movement between services · unusual api patterns · flag attacker ips · runs locally
  5. aws cloudtrail log forensic analyzer: drop aws cloudtrail json log files or csv export · parse api call records across all aws services · surface credential abuse, privilege escalation, data exfiltration and infrastructure manipulation · reconstruct attacker activity timeline · runs locally
  6. aws iam policy analyzer: paste iam policy json · effective permissions · wildcard expansion · risks · escalation hints · plain english · runs locally
  7. iam escalation graph: iam policy json · wildcard expansion · 15 escalation patterns · attack chains · severity · csv + json export · runs locally
  8. kubernetes secrets decoder: paste secret yaml or json · decode base64 · credential hints · redact toggle · runs locally · keys stay in browser

editorial overlap

4 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.

lean toward…

disambiguation signals derived from case-type descriptions and common practitioner confusion points.

lean toward cloud ATO if you see…

  • tenant-wide third-party app consent or exchange transport rule change spanning multiple mailboxes
  • azure activity or M365 audit anomalies across accounts without matching git push/clone event
  • mailbox rule planting at tenant scope — not isolated secret in a single repository commit

lean toward key leak if you see…

  • AKIA, ghp_, or similar token pattern in git history, reflog, or secret-scanning alert
  • GitHub audit log clone/push correlated with CloudTrail IAM escalation or k8s secrets decode
  • abuse window anchored to repository exposure — no tenant-wide OAuth consent grant in IdP export
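the key-leak signals above hinge on a token pattern sitting somewhere in git history, not just in the current tree. the following is an added example, written for this page and not code from any tool listed on it: it walks `git log -p` output for the two token shapes the page names (AKIA access key ids and ghp_ personal access tokens) and reports, per token, which commits touched it and whether the last change added or removed it. the triage point it makes is the one the intro warns about: a token deleted in a later commit is still recoverable from the earlier commit and still valid until the principal is revoked. the log text is constructed; the two AWS keys are the documentation example values AKIAIOSFODNN7EXAMPLE and AKIAI44QH8DHBEXAMPLE, the ghp_ token is made up, and the script assumes oldest-first order as `git log --reverse -p` prints it.

```python
import re
from dataclasses import dataclass

# token shapes named on the page: AWS access key ids and GitHub classic PATs
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# constructed `git log --reverse -p` output (oldest commit first);
# commit 1 leaks two keys and a PAT, commit 2 scrubs only deploy.env
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>
Date:   Mon Jan 1 00:00:00 2024 +0000

    add deploy config and backup script

diff --git a/deploy.env b/deploy.env
new file mode 100644
--- /dev/null
+++ b/deploy.env
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345
diff --git a/scripts/backup.sh b/scripts/backup.sh
new file mode 100644
--- /dev/null
+++ b/scripts/backup.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE

commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>
Date:   Tue Jan 2 00:00:00 2024 +0000

    remove secrets from deploy config

diff --git a/deploy.env b/deploy.env
--- a/deploy.env
+++ b/deploy.env
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345
+AWS_ACCESS_KEY_ID=
+GITHUB_TOKEN=
"""


@dataclass
class Finding:
    kind: str
    token: str
    commit: str
    path: str
    change: str  # "+" for an added line, "-" for a removed line


def parse_git_log_patch(text):
    """Walk `git log -p` output, tracking the current commit and file, and
    yield a Finding for every token on an added OR removed patch line.
    Removed lines matter: the token is still in the parent commit."""
    commit = path = None
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            path = None
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
        elif line.startswith(("--- ", "+++ ")):
            continue  # patch file headers, not content
        elif line[:1] in ("+", "-") and commit and path:
            for kind, pattern in TOKEN_PATTERNS.items():
                for match in pattern.finditer(line):
                    yield Finding(kind, match.group(0), commit, path, line[0])


def redact(token):
    """Keep enough of the token to match a secret-scanning alert, no more."""
    return token[:8] + "..." + token[-4:]


def summarize(findings):
    """Per token: every commit that touched it, and whether the last change
    in chronological order added it (still at HEAD) or removed it (gone from
    the tree but recoverable from history, and still live until revoked)."""
    history = {}
    for f in findings:
        history.setdefault((f.kind, f.token), []).append(f)
    report = []
    for (kind, token), events in history.items():
        still_present = events[-1].change == "+"
        report.append({
            "kind": kind,
            "token": redact(token),
            "commits": sorted({e.commit[:7] for e in events}),
            "status": "present at HEAD" if still_present
                      else "removed, but recoverable from history",
        })
    return report


if __name__ == "__main__":
    for row in summarize(parse_git_log_patch(SAMPLE_LOG)):
        print(f"{row['kind']:18} {row['token']:18} {','.join(row['commits'])}  {row['status']}")
```

run it against a real repository with `git log --reverse -p | python3 scan.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; every row, present at HEAD or not, is a credential to rotate, and the commit list is what you hand to the github audit log parser to bound the clone/push window.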