Microsoft 365 Incident Response training
Course Resources
KQL CheatSheet.pdf
Introduction
Welcome
Lab 0 - Setup
Lab 0 - Don't skip!
Demo: Change your CTF name
Microsoft 365 IR introduction
Course introduction
Microsoft 365 - Forensic artefacts
Entra ID
Entra ID, Users, Service Principals & Managed Identities (New)
Entra ID - Tokens 101 (New)
Entra ID - Roles (New)
Entra ID - Hybrid Setup (New)
Entra ID - Security (Conditional Access & Identity Protection) (New)
KQL for Incident Response
KQL Introduction
Demo: KQL querying
Need to know KQL commands
Advanced KQL
Links and Resources
Unified Audit Log (UAL)
Unified Audit Log: Introduction & Advanced Auditing (New)
Unified Audit Log: Structure (New)
Unified Audit Log: Access & Acquisition (New)
Demo: Setting up an account for UAL access & acquisition
Demo: Searching the UAL in Purview
Links and Resources
MailItemsAccessed
Everything you need to know about the MailItemsAccessed Operation
Demo: Investigate emails accessed using PowerShell and the Microsoft Graph
Lab 2.1 - Exploration of the UAL
Lab 2.1 - Instructions
Lab 2.1 - Walkthrough (with solutions)
Microsoft 365 Email Forwarding Rules
Forwarding rules: Introduction and Overview
Forensic analysis of inbox rules
Forensic analysis of transport rules
Forensic analysis of active forwarding rules
Mailbox Audit Log
Forensic analysis of the Mailbox audit log
Demo: Forensic analysis of email deletions in the audit log
Demo: Recovering deleted emails
Message Trace Log
Forensic analysis of the Message Trace Log (MTL)
Microsoft 365 Attack Techniques - Part I
Microsoft 365 Attacks Overview
Initial Access: Valid accounts, Password Attacks & Malicious apps
Initial Access: Phishing
Initial Access: MiTM & AiTM attacks
Initial access: Device Code phishing
Initial access: Microsoft Teams phishing
Links and Resources
Microsoft 365 Attack Techniques - Part II
Execution: API calls & PowerShell
Persistence & Privilege Escalation: Account manipulation
Persistence & Privilege Escalation: Account Creation & MFA registration
Microsoft 365 Attack Techniques - Part III
Collection & Exfiltration: eDiscovery & Content search
Collection & Exfiltration: Power Automate abuse
Microsoft 365 Attack tools
Microsoft 365 Attack tools - GraphRunner
Links and Resources
Lab 2.2 - Compromise of an email account
Lab 2.2 - Instructions
Lab 2.2 - Walkthrough (with solutions)
Microsoft 365 Anti-Forensics
Microsoft 365 Anti-Forensic techniques
Microsoft 365 Incident Response walkthrough
Incident Response - Walkthrough
Access Token abuse (New)
Access Token abuse & Family Of Client IDs (FOCI)
Lab 2.5 - Extracting & Manipulating tokens (Live Lab)
Lab 2.5 - Instructions
Lab 2.5 - Walkthrough (with solutions)
Microsoft 365 IR Tools & Techniques
Microsoft 365 IR tools - Overview
Microsoft-Extractor-Suite
Hawk
Untitled Goose Tool
Microsoft Defender for Cloud Apps
Demo: Installing and using the Microsoft Extractor Suite
Links and Resources
Lab 2.3 - The Extractor Suite
Lab 2.3 - Instructions
Lab 2.3 - Walkthrough (with solutions)
Lab 2.4 - Investigating OAuth apps
Lab 2.4 - Instructions
Lab 2.4 - Walkthrough (with solutions)
Best practices for remediation and recovery in Microsoft 365
Remediation & Recovery - Overview
Remediation & Recovery - Walkthrough
Links and Resources
Microsoft 365 CTF
CTF Instruction
Closing
Closing words
Request certificate
Resources
Setup user for Azure & M365 IR.pdf
Best practices for remediation and recovery in Microsoft 365
3 Lessons
Remediation & Recovery - Overview
Remediation & Recovery - Walkthrough
Links and Resources