Incident Response in the Microsoft Cloud training
Course Resources
Course References
KQL CheatSheet
Welcome
Welcome
Lab 0 - Setup
Lab 0 - Don't skip!
Demo: Change your CTF name
Introduction - Azure Section
Course introduction
Azure IR introduction
Azure Terminology & Hierarchy
Azure Compute, Network and Storage components for IR
Azure Security components for IR
Demo: Exploring the Azure portal
Entra ID
Azure AD, Users, Groups & Security Principals
Azure (AD) Roles
Azure AD Hybrid setup
Lab 1.1 - Exploring Azure
Lab 1.1 - Instructions
Lab 1.1 - Walkthrough (with solutions)
Azure Audit & Logging
Azure Audit & Logging
Microsoft Graph Activity Logs
Links and Resources
KQL for Incident Response
KQL Introduction
Demo: KQL querying
Need to know KQL commands
Advanced KQL
Links and Resources
Lab 1.2 - KQL Querying
Lab 1.2 - Instructions
Lab 1.2 - Walkthrough (with solutions)
Graph API for Incident Response
Introduction & Graph Explorer
Graph Application setup with a certificate
Graph API calls for IR
Demo: Configuring and Connecting a Graph app
Links and Resources
Azure Attack Techniques - Part I
Azure Attack Overview
Reconnaissance: Internal and External
Initial Access: Valid accounts, Password Attacks & Malicious apps
Links and Resources
Lab 1.3 - Recon & Initial Access
Lab 1.3 - Instructions
Lab 1.3 - Walkthrough (with solutions)
Azure Attack Techniques - Part II
Execution Introduction & Azure RunCommand
Execution: Virtual Machine Scripting & Automation accounts
Execution: Function app & Cloud Shell
Demo: Automation account & Azure Function investigation
Privilege Escalation: PIM & Elevated Access Toggle
Privilege Escalation: Azure AD applications
Persistence: Account Creation & Network Security Group Modification
Persistence: Azure Lighthouse & Delegated Administrators
Persistence: Cross-Tenant Synchronization & Subscription Transfers
Persistence: Federated options
Links and Resources
Lab 1.4 - Execution, Persistence & Privilege Escalation
Lab 1.4 - Instructions
Lab 1.4 - Walkthrough (with solutions)
Azure Attack Techniques - Part III
Credential Access: Tokens & Application secrets
Credential Access: KeyVault dumping
Demo: Keyvault Dumping Investigation
Exfiltration
Azure Attack tools
Links and Resources
Lab 1.5 - Credential Access, Exfiltration
Lab 1.5 - Instructions
Lab 1.5 - Walkthrough (with solutions)
Responding to Azure attacks
Introduction & NIST model
Cloud Incident Response: Preparation
Cloud Incident Response: Investigate & Contain
Cloud Incident Response: Remediate & Recover
Token & Session Revocation
Azure Incident Response tools
Links and Resources
Azure Debrief
Azure IR debrief
Azure CTF
CTF Instruction
Introduction - Microsoft 365 Section
Welcome
Microsoft 365 IR introduction
Microsoft 365 - Forensic artefacts
Microsoft 365 - Course introduction
Unified Audit Log (UAL)
Unified Audit Log: Introduction & Advanced Auditing
Unified Audit Log: Structure
Unified Audit Log: Access & Acquisition
Demo: Setting up an account for UAL access & acquisition
Demo: Searching the UAL in Purview
Links and Resources
MailItemsAccessed
Everything you need to know about the MailItemsAccessed Operation
Demo: Investigate emails accessed using PowerShell and the Microsoft Graph
Lab 2.1 - Exploration of the UAL
Lab 2.1 - Instructions
Lab 2.1 - Walkthrough (with solutions)
Microsoft 365 Email Forwarding Rules
Forwarding rules: Introduction and Overview
Forensic analysis of inbox rules
Forensic analysis of transport rules
Forensic analysis of active forwarding rules
Mailbox Audit Log
Forensic analysis of the Mailbox audit log
Demo: Forensic analysis of deleted emails
Demo: Recovering deleted emails
Message Trace Log
Forensic analysis of the Message Trace Log (MTL)
Microsoft 365 Attack Techniques - Part I
Microsoft 365 Attacks Overview
Initial Access: Phishing
Initial access: Device Code phishing
Initial access: Microsoft Teams phishing
Initial Access: MiTM & AiTM attacks
Links and Resources
Microsoft 365 Attack Techniques - Part II
Execution: API calls & PowerShell
Persistence & Privilege Escalation: Account manipulation
Persistence & Privilege Escalation: Account Creation & MFA registration
Microsoft 365 Attack Techniques - Part III
Collection & Exfiltration: eDiscovery & Content search
Collection & Exfiltration: Power Automate abuse
Microsoft 365 Attack tools
Microsoft 365 Attack tools - GraphRunner
Links and Resources
Lab 2.2 - Compromise of an email account
Lab 2.2 - Instructions
Lab 2.2 - Walkthrough (with solutions)
Microsoft 365 Incident Response walkthrough
Incident Response - Walkthrough
Lab 2.5 - Extracting & Manipulating tokens (Live Lab)
Lab 2.5 - Instructions
Lab 2.5 - Walkthrough (with solutions)
Microsoft 365 Anti-Forensics
Microsoft 365 Anti-Forensic techniques
Microsoft 365 IR Tools & Techniques
Microsoft 365 IR tools - Overview
Microsoft Extractor Suite
Hawk
Untitled Goose Tool
Microsoft Defender for Cloud Apps
Demo: Installing and using the Microsoft Extractor Suite
Links and Resources
Lab 2.3 - The Extractor Suite
Lab 2.3 - Instructions
Lab 2.3 - Walkthrough (with solutions)
Lab 2.4 - Investigating OAuth apps
Lab 2.4 - Instructions
Lab 2.4 - Walkthrough (with solutions)
Best practices for remediation and recovery in Microsoft 365
Remediation & Recovery - Overview
Remediation & Recovery - Walkthrough
Links and Resources
Microsoft 365 CTF
CTF Instruction
Closing
Closing words
Request certificate
Resources
Setup user for Azure & M365 IR.pdf
KQL for Incident Response
5 Lessons
KQL Introduction
Demo: KQL querying
Need to know KQL commands
Advanced KQL
Links and Resources