Name
From Inbox to SharePoint: Catching Attackers Mid-Collection in M365
Description
1. Explain the post-compromise “collection” workflow in M365 and why mailbox and SharePoint search are high-signal tripwire points.
2. Design credible canary lures for Outlook and SharePoint/OneDrive that are discoverable to attackers but low-noise for normal users.
3. Identify the native audit telemetry and event semantics needed to detect canary access, including common sources of service-generated noise.
4. Build a repeatable Alert → Pivot → Scope workflow that ties a canary hit back to identity context for fast triage and scoping.
5. Apply practical tuning and baselining strategies to operate canaries in noisy production environments without creating alert fatigue.
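As an added example (not part of the session or its speakers' material), the Alert → Pivot → Scope workflow from objectives 3 and 4 run over constructed records shaped like Unified Audit Log common-schema fields: a canary touch by a non-allowlisted identity raises the alert, and the same identity is then pivoted across workloads to scope what else it reached. The canary paths, account names, IPs and the noise allowlist (planting account plus service identities) are invented placeholders to be baselined per tenant.

```python
import json

# Canary lures planted by the defender (constructed paths, not real tenant data).
CANARIES = {
    "/sites/Finance/Shared Documents/Q3-Payroll-Adjustments.xlsx",
    "/personal/cfo_contoso_com/Documents/Board-Offsite-Passwords.docx",
}
# Assumed baseline of expected touches: the account that planted the lures plus
# service identities that show up in SharePoint audit as service-generated noise.
# Tune this set from your own tenant's history before relying on it.
ALLOWLIST = {"canary-owner@contoso.com", "app@sharepoint", "SHAREPOINT\\system"}

# Constructed records modelled on Unified Audit Log common-schema fields; all values invented.
SAMPLE_AUDIT = json.loads("""[
 {"CreationTime":"2024-05-02T09:14:02","Operation":"FileAccessed","Workload":"SharePoint",
  "UserId":"app@sharepoint","ClientIP":"","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q3-Payroll-Adjustments.xlsx"},
 {"CreationTime":"2024-05-02T09:20:11","Operation":"FileAccessed","Workload":"SharePoint",
  "UserId":"j.doe@contoso.com","ClientIP":"203.0.113.7","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q3-Payroll-Adjustments.xlsx"},
 {"CreationTime":"2024-05-02T09:21:40","Operation":"FileDownloaded","Workload":"SharePoint",
  "UserId":"j.doe@contoso.com","ClientIP":"203.0.113.7","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Vendor-Bank-Details.xlsx"},
 {"CreationTime":"2024-05-02T09:25:03","Operation":"MailItemsAccessed","Workload":"Exchange",
  "UserId":"j.doe@contoso.com","ClientIP":"198.51.100.9","ObjectId":"j.doe@contoso.com"},
 {"CreationTime":"2024-05-02T10:02:55","Operation":"FileAccessed","Workload":"OneDrive",
  "UserId":"canary-owner@contoso.com","ClientIP":"192.0.2.5","ObjectId":"https://contoso-my.sharepoint.com/personal/cfo_contoso_com/Documents/Board-Offsite-Passwords.docx"}
]""")

def is_canary_touch(rec):
    """Alert: a canary object was touched by an identity outside the allowlist."""
    obj = rec.get("ObjectId", "")
    return any(obj.endswith(c) for c in CANARIES) and rec.get("UserId") not in ALLOWLIST

def scope_actor(records, user_id):
    """Pivot + Scope: everything the same identity did, across all workloads."""
    mine = [r for r in records if r.get("UserId") == user_id]
    return {
        "objects": sorted({r["ObjectId"] for r in mine}),
        "client_ips": sorted({r["ClientIP"] for r in mine if r["ClientIP"]}),
        "operations": sorted({r["Operation"] for r in mine}),
        "workloads": sorted({r["Workload"] for r in mine}),
        "first_seen": min(r["CreationTime"] for r in mine),
    }

def triage(records):
    """Alert -> Pivot -> Scope: one scope summary per identity that tripped a canary."""
    hits = [r for r in records if is_canary_touch(r)]
    return {uid: scope_actor(records, uid) for uid in {h["UserId"] for h in hits}}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT), indent=2))
```

The service-principal and planting-account touches are suppressed, while the real hit expands into the other file the same identity downloaded and its mailbox activity from a second IP.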