Comment by cyberjerkXX
8 hours ago
I can explain why I doubt him.
The evidence supporting his claim is a screenshot of an Excel spreadsheet with several columns excluded. It appears to have been exported from the DeviceProcessEvents table within the advanced threat hunting schema. However, he failed to provide the threat hunting dashboard view, which would include critical context such as the process tree, MD5 hash, account SID, account domain, and process creation time. Given that he clearly has access to Microsoft Defender XDR or Defender for Endpoint, he has the capability to conduct a thorough investigation. Yet, he did not do so, nor did he include that information in his legal submission. As a result, I find his claims unconvincing.
As for the forked repo deletion - I have no clue. It seems like the repo was already well known. I'm not a dev so I'd defer to a dev's opinion here. The system owner could be function testing, fuzzing, performance testing, etc. Why didn’t he show the process tree, the system name, and netflow to prove that system running code was interacting with prod? – He clearly has access to Azure tools that would allow him to do that.