├── Analytics
│   ├── 14-Analytics Rules-1.png
│   ├── 14-Analytics Rules-2.png
│   ├── Azure_Sentinel_analytic_rule (1).json
│   ├── Azure_Sentinel_analytic_rule (10).json
│   ├── Azure_Sentinel_analytic_rule (11).json
│   ├── Azure_Sentinel_analytic_rule (12).json
│   ├── Azure_Sentinel_analytic_rule (13).json
│   ├── Azure_Sentinel_analytic_rule (14).json
│   ├── Azure_Sentinel_analytic_rule (2).json
│   ├── Azure_Sentinel_analytic_rule (3).json
│   ├── Azure_Sentinel_analytic_rule (4).json
│   ├── Azure_Sentinel_analytic_rule (5).json
│   ├── Azure_Sentinel_analytic_rule (6).json
│   ├── Azure_Sentinel_analytic_rule (7).json
│   ├── Azure_Sentinel_analytic_rule (8).json
│   └── Azure_Sentinel_analytic_rule (9).json
├── Connectors
│   ├── Azure AD Connector.png
│   ├── Defender Connector-E5.png
│   └── Office 365 Connector.png
├── Logic-Apps
│   ├── DATC_Check-HaveIBeenPwned.json
│   ├── Defender_Check-HaveIBeenPwned.json
│   ├── HaveIBeenPwned-1.png
│   ├── HaveIBeenPwned-2.png
│   ├── Incident-to-Teams.png
│   ├── Incidents-to-Teams.json
│   └── README.md
├── README.md
├── Reports
│   ├── 2019_Ransomware Playbook_v3.3.pdf
│   ├── 2022_Attack Simulation Playbook - Human Operated Ransomware.pdf
│   ├── 2022_M365 Forensics Playbook_v2.pdf
│   └── Use Cases for Microsoft 365 for Incident Response on BEC_20220819.pdf
├── Workbooks
│   ├── [DATC] - Azure AD.workbook
│   ├── [DATC] - Exchange Online.workbook
│   └── pdf
│       ├── [DATC] - Azure AD - Identify Configuration.pdf
│       ├── [DATC] - Azure AD - MFA Status.pdf
│       ├── [DATC] - Azure AD - Overview.pdf
│       └── [DATC] - Azure AD - User Identify Assessment.pdf
└── images
    ├── 2021-Crime Types by Count.png
    ├── 2021-Crime Types by Loss.png
    ├── AAD - Identity Configuration.png
    ├── AAD - MFT Status.png
    ├── AAD - Overview.png
    ├── AAD - User Identify Assessment.png
    ├── Data connector.png
    ├── Deploy.svg
    ├── EXO - Mailbox Activities.png
    ├── EXO - Overview.png
    ├── EXO - Suspicious Activities.png
    ├── IC3 Recovery Asset Team.png
    ├── UEBA-architecture.png
    ├── rules-Anomalies.png
    ├── rules-BEC.png
    └── rules-template.png

Raw file URLs (one entry per file, path followed by its raw.githubusercontent.com URL):

/Analytics/14-Analytics Rules-1.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/14-Analytics Rules-1.png
/Analytics/14-Analytics Rules-2.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/14-Analytics Rules-2.png
/Analytics/Azure_Sentinel_analytic_rule (1).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (1).json
/Analytics/Azure_Sentinel_analytic_rule (10).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (10).json
/Analytics/Azure_Sentinel_analytic_rule (11).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (11).json
/Analytics/Azure_Sentinel_analytic_rule (12).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (12).json
/Analytics/Azure_Sentinel_analytic_rule (13).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (13).json
/Analytics/Azure_Sentinel_analytic_rule (14).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (14).json
/Analytics/Azure_Sentinel_analytic_rule (2).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (2).json
/Analytics/Azure_Sentinel_analytic_rule (3).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (3).json
/Analytics/Azure_Sentinel_analytic_rule (4).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (4).json
/Analytics/Azure_Sentinel_analytic_rule (5).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (5).json
/Analytics/Azure_Sentinel_analytic_rule (6).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (6).json
/Analytics/Azure_Sentinel_analytic_rule (7).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (7).json
/Analytics/Azure_Sentinel_analytic_rule (8).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (8).json
/Analytics/Azure_Sentinel_analytic_rule (9).json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Analytics/Azure_Sentinel_analytic_rule (9).json
/Connectors/Azure AD Connector.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Connectors/Azure AD Connector.png
/Connectors/Defender Connector-E5.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Connectors/Defender Connector-E5.png
/Connectors/Office 365 Connector.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Connectors/Office 365 Connector.png
/Logic-Apps/DATC_Check-HaveIBeenPwned.json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Logic-Apps/DATC_Check-HaveIBeenPwned.json
/Logic-Apps/Defender_Check-HaveIBeenPwned.json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Logic-Apps/Defender_Check-HaveIBeenPwned.json
/Logic-Apps/HaveIBeenPwned-1.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Logic-Apps/HaveIBeenPwned-1.png
/Logic-Apps/HaveIBeenPwned-2.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Logic-Apps/HaveIBeenPwned-2.png
/Logic-Apps/Incident-to-Teams.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Logic-Apps/Incident-to-Teams.png
/Logic-Apps/Incidents-to-Teams.json: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Logic-Apps/Incidents-to-Teams.json
/Logic-Apps/README.md: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Logic-Apps/README.md
/README.md: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/README.md
/Reports/2019_Ransomware Playbook_v3.3.pdf: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Reports/2019_Ransomware Playbook_v3.3.pdf
/Reports/2022_Attack Simulation Playbook - Human Operated Ransomware.pdf: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Reports/2022_Attack Simulation Playbook - Human Operated Ransomware.pdf
/Reports/2022_M365 Forensics Playbook_v2.pdf: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Reports/2022_M365 Forensics Playbook_v2.pdf
/Reports/Use Cases for Microsoft 365 for Incident Response on BEC_20220819.pdf: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Reports/Use Cases for Microsoft 365 for Incident Response on BEC_20220819.pdf
/Workbooks/[DATC] - Azure AD.workbook: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Workbooks/[DATC] - Azure AD.workbook
/Workbooks/[DATC] - Exchange Online.workbook: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Workbooks/[DATC] - Exchange Online.workbook
/Workbooks/pdf/[DATC] - Azure AD - Identify Configuration.pdf: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Workbooks/pdf/[DATC] - Azure AD - Identify Configuration.pdf
/Workbooks/pdf/[DATC] - Azure AD - MFA Status.pdf: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Workbooks/pdf/[DATC] - Azure AD - MFA Status.pdf
/Workbooks/pdf/[DATC] - Azure AD - Overview.pdf: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Workbooks/pdf/[DATC] - Azure AD - Overview.pdf
/Workbooks/pdf/[DATC] - Azure AD - User Identify Assessment.pdf: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/Workbooks/pdf/[DATC] - Azure AD - User Identify Assessment.pdf
/images/2021-Crime Types by Count.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/2021-Crime Types by Count.png
/images/2021-Crime Types by Loss.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/2021-Crime Types by Loss.png
/images/AAD - Identity Configuration.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/AAD - Identity Configuration.png
/images/AAD - MFT Status.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/AAD - MFT Status.png
/images/AAD - Overview.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/AAD - Overview.png
/images/AAD - User Identify Assessment.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/AAD - User Identify Assessment.png
/images/Data connector.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/Data connector.png
/images/Deploy.svg: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/Deploy.svg
/images/EXO - Mailbox Activities.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/EXO - Mailbox Activities.png
/images/EXO - Overview.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/EXO - Overview.png
/images/EXO - Suspicious Activities.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/EXO - Suspicious Activities.png
/images/IC3 Recovery Asset Team.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/IC3 Recovery Asset Team.png
/images/UEBA-architecture.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/UEBA-architecture.png
/images/rules-Anomalies.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/rules-Anomalies.png
/images/rules-BEC.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/rules-BEC.png
/images/rules-template.png: https://raw.githubusercontent.com/DATCResearch/Sentinel-UseCase-BEC365-IR/HEAD/images/rules-template.png