Senior Cybersecurity Engineer at CHT Security, with extensive experience in SOC and MDR incident analysis and response, and adept at using EDR and other tools for event analysis and handling.
To make software services more convenient, vendors are increasingly offering their products as SaaS. However, as enterprises adopt SaaS heavily, their straightforward usage evolves into an opportunity for cloud migration, and they inadvertently enter a realm of cloud complexity that also makes intrusion easier for hackers. Users often remain unaware of the extent of their cloud service usage until an attack occurs. This session diverges from the usual topics of pre-incident cloud log configuration and post-incident threat hunting using logs. Instead, it focuses on real-time monitoring, particularly of Azure Entra ID and related cloud service logs, and identifies the key monitoring points during incidents, giving attendees a direction to apply in daily operations. It also includes case studies on cloud intrusions, demonstrating how well-designed monitoring rules can facilitate early detection and immediate response to enterprise breaches.