Microsoft 365 Incident Response training
Course Resources
KQL CheatSheet.pdf
Introduction
Welcome
Lab 0 - Setup
Lab 0 - Don't skip!
Demo: Change your CTF name
Microsoft 365 IR introduction
Course introduction
Microsoft 365 - Forensic artefacts
Entra ID
Entra ID, Users, Service Principals & Managed Identities (New)
Entra ID - Tokens 101 (New)
Entra ID - Roles (New)
Entra ID - Hybrid Setup (New)
Entra ID - Security (Conditional Access & Identity Protection) (New)
KQL for Incident Response
KQL Introduction
Demo: KQL querying
Need to know KQL commands
Advanced KQL
Links and Resources
Unified Audit Log (UAL)
Unified Audit Log: Introduction & Advanced Auditing (New)
Unified Audit Log: Structure (New)
Unified Audit Log: Access & Acquisition (New)
Demo: Setting up an account for UAL access & acquisition
Demo: Searching the UAL in Purview
Links and Resources
MailItemsAccessed
Everything you need to know about the MailItemsAccessed Operation
Demo: Investigate emails accessed using PowerShell and the Microsoft Graph
Lab 2.1 - Exploration of the UAL
Lab 2.1 - Instructions
Lab 2.1 - Walkthrough (with solutions)
Microsoft 365 Email Forwarding Rules
Forwarding rules: Introduction and Overview
Forensic analysis of inbox rules
Forensic analysis of transport rules
Forensic analysis of active forwarding rules
Mailbox Audit Log
Forensic analysis of the Mailbox audit log
Demo: Forensic analysis of email deletions in the audit log
Demo: Recovering deleted emails
Message Trace Log
Forensic analysis of the Message Trace Log (MTL)
Microsoft 365 Attack Techniques - Part I
Microsoft 365 Attacks Overview
Initial Access: Valid accounts, Password Attacks & Malicious apps
Initial Access: Phishing
Initial Access: MiTM & AiTM attacks
Initial access: Device Code phishing
Initial access: Microsoft Teams phishing
Links and Resources
Microsoft 365 Attack Techniques - Part II
Execution: API calls & PowerShell
Persistence & Privilege Escalation: Account manipulation
Persistence & Privilege Escalation: Account Creation & MFA registration
Microsoft 365 Attack Techniques - Part III
Collection & Exfiltration: eDiscovery & Content search
Collection & Exfiltration: Power Automate abuse
Microsoft 365 Attack tools
Microsoft 365 Attack tools - GraphRunner
Links and Resources
Lab 2.2 - Compromise of an email account
Lab 2.2 - Instructions
Lab 2.2 - Walkthrough (with solutions)
Microsoft 365 Anti-Forensics
Microsoft 365 Anti-Forensic techniques
Microsoft 365 Incident Response walkthrough
Incident Response - Walkthrough
Access Token abuse (New)
Access Token abuse & Family Of Client IDs (FOCI)
Lab 2.5 - Extracting & Manipulating tokens (Live Lab)
Lab 2.5 - Instructions
Lab 2.5 - Walkthrough (with solutions)
Microsoft 365 IR Tools & Techniques
Microsoft 365 IR tools - Overview
Microsoft-Extractor-Suite
Hawk
Untitled Goose Tool
Microsoft Defender for Cloud Apps
Demo: Installing and using the Microsoft Extractor Suite
Links and Resources
Lab 2.3 - The Extractor Suite
Lab 2.3 - Instructions
Lab 2.3 - Walkthrough (with solutions)
Lab 2.4 - Investigating OAuth apps
Lab 2.4 - Instructions
Lab 2.4 - Walkthrough (with solutions)
Best practices for remediation and recovery in Microsoft 365
Remediation & Recovery - Overview
Remediation & Recovery - Walkthrough
Links and Resources
Microsoft 365 CTF
CTF Instruction
Closing
Closing words
Request certificate
Resources
Setup user for Azure & M365 IR.pdf
Microsoft 365 IR Tools & Techniques
7 Lessons
Microsoft 365 IR tools - Overview
Microsoft-Extractor-Suite
Hawk
Untitled Goose Tool
Microsoft Defender for Cloud Apps
Demo: Installing and using the Microsoft Extractor Suite
Links and Resources