Microsoft Azure Incident Response training
Course Resources
KQL CheatSheet.pdf
Welcome
Welcome
Lab 0 - Setup
Lab 0 - Don't skip!
Demo: Change your CTF name
Introduction
Course introduction
Azure IR introduction
Azure Terminology (New)
Azure Hierarchy (New)
Azure Compute, Network and Storage components for IR
Azure Security components for IR
Demo: Exploring the Azure portal
Entra ID
Entra ID, Users, Service Principals & Managed Identities (New)
Entra ID - Tokens 101 (New)
Entra ID - Roles (New)
Entra ID - Security (Conditional Access & Identity Protection) (New)
Entra ID - Hybrid Setup (New)
Lab 1.1 - Exploring Azure
Lab 1.1 - Instructions
Lab 1.1 - Walkthrough (with solutions)
Azure Audit & Logging
Azure Audit & Logging
Links and Resources
KQL for Incident Response
KQL Introduction (New)
Demo: KQL querying
Need to know KQL commands (New)
KQL for Incident Response & Resources (New)
Advanced KQL
Links and Resources
Lab 1.2 - KQL Querying
Lab 1.2 - Instructions
Lab 1.2 - Walkthrough (with solutions)
Graph API for Incident Response
Introduction & Graph Explorer
Graph Application setup with a certificate
Graph API calls for IR
Demo: Configuring and Connecting a Graph app
Links and Resources
Microsoft Graph Activity Logs (New)
Microsoft Graph Activity Logs (New)
Azure Attack Techniques - Part I
Azure Attack Overview (New)
Reconnaissance: Internal and External (New)
Initial Access: Valid accounts, Password Attacks & Malicious apps
Initial Access: Phishing
Initial Access: MiTM & AiTM attacks
Links and Resources
Lab 1.3 - Recon & Initial Access
Lab 1.3 - Instructions
Lab 1.3 - Walkthrough (with solutions)
Azure Attack Techniques - Part II
Execution: Introduction & Azure RunCommand
Execution: Serial Console (New)
Execution: Virtual Machine Scripting & Automation accounts
Execution: Function app (New)
Execution: Intune & Cloud Shell (New)
Demo: Automation account & Azure Function investigation
Privilege Escalation: PIM & Elevated Access Toggle
Privilege Escalation: Azure AD applications
Persistence: Account Creation & Network Security Group Modification
Persistence: Azure Lighthouse & Delegated Administrators
Persistence: Cross-Tenant Synchronization & Subscription Transfers
Persistence: Federated options
Links and Resources
Lab 1.4 - Execution, Persistence & Privilege Escalation
Lab 1.4 - Instructions
Lab 1.4 - Walkthrough (with solutions)
Azure Attack Techniques - Part III
Credential Access: Tokens & Application secrets
Credential Access: KeyVault dumping
Demo: Keyvault Dumping Investigation
Exfiltration
Impact: Resource Deletion & Cryptomining (New)
Azure Attack tools
Links and Resources
Lab 1.5 - Credential Access, Exfiltration
Lab 1.5 - Instructions
Lab 1.5 - Walkthrough (with solutions)
Responding to Azure attacks
Introduction & NIST model
Cloud Incident Response: Preparation
Cloud Incident Response: Investigate & Contain
Cloud Incident Response: Remediate & Recover
Token & Session Revocation
Azure Incident Response tools
Links and Resources
Azure CTF
CTF Instruction
Closing
Closing words
Request certificate
Resources
Setup user for Azure & M365 IR.pdf