Korstiaan Stam - Incident Response in the Microsoft Cloud $2,250 (Early $2,050)

$2,050.00

Name of training:  

Incident Response in the Microsoft Cloud


Training Description:


In this two-day hands-on training, you’ll learn everything you need to know about forensics and incident response in the Microsoft cloud. The training covers both Microsoft 365 and Microsoft Azure: you’ll get hands-on experience investigating attacks, acquiring forensic artefacts from the cloud and digging through the relevant artefacts. Everything you learn is related to real-life threats observed against the Microsoft cloud. The trainer has real-life experience with incident response and forensic investigations in the cloud, and will share knowledge that is not available in any public resource. Once you’ve completed this training you will feel comfortable investigating any threat in the Microsoft cloud.


Important: you only need to bring a laptop with a browser; we will provide you with access to the cloud tenants and the investigation data.


Trainer information:

Korstiaan Stam is the Founder and CEO of Invictus Incident Response and a SANS Trainer for FOR509: Cloud Forensics and Incident Response.

Trainer bio:

Korstiaan is a passionate incident responder, preferably in the cloud. He has developed and contributed to many open-source tools related to cloud incident response. Korstiaan has gained a lot of knowledge and skills over the years, which he is keen to share.

Way before the cloud became a hot topic, Korstiaan was already researching it from a forensics perspective. “Because I took this approach I have an advantage, because I simply spent more time in the cloud than others. More so, because I have my own IR consultancy company, I spent a lot of time in the cloud investigating malicious behavior, so I don’t just know one cloud platform, but I have knowledge about all of them.” That equips him to help students with the challenge of every cloud working slightly or completely differently. “If you understand the main concepts, you can then see that there’s also a similarity among all the clouds. That is why I start with the big picture in my classes and then zoom in on the details.”

Korstiaan also uses real-life examples from his work to discuss with students the challenges he has faced, so they can relate them to their day-to-day work. “To me, teaching not only means sharing my knowledge on a topic, but also applying real-life implications of that knowledge. I always try to combine the theory with the everyday practice so students can see why it’s important to understand certain concepts and how the newly found knowledge can be applied.”

Trainer social media links:  

Twitter: https://twitter.com/InvictusIR & https://twitter.com/korstiaans
LinkedIn: https://linkedin.com/in/korstiaanstam
Blog: https://invictus-ir.medium.com/
Repository with tools & research: https://github.com/invictus-ir

Past content:


Class outline

Overview – Day 1 Microsoft Azure
Day 1 starts with an overview of the services in the Azure cloud that are relevant to IR, followed by a deep dive into how Azure environments are often configured at clients. We will then look at all the different log sources available in Azure that can be used for IR and at how these logs can be exported. You will learn how to find real-life attacks in the various Microsoft Azure log sources.

Exercises
  • Exploring the training environment
  • Acquisition and analysis of Azure logs
  • KQL querying
  • Building your own Graph app for IR
  • Investigate a cloud compromise in Azure
  • Azure CTF
  • Acquisition & Exploration of the UAL
  • Investigating an espionage campaign in Microsoft 365
  • Automated analysis of a Microsoft 365 environment
  • Microsoft 365 CTF
Topics covered
Day 1 - Morning session
  • Azure IR introduction
  • Azure terminology
  • Exercise: Exploring the training environment
  • Azure compute components for IR
  • Azure network components for IR
  • Azure storage components for IR 
  • Azure security components for IR
  • Azure Active Directory
  • Azure Audit & Logging
  • Exercise: Acquisition and analysis of Azure logs
  • Setup in-cloud IR environment
  • KQL for Incident Response
  • Exercise: KQL querying
Day 1 - Afternoon session
  • Graph API for Incident Response
  • Exercise: Building your own Graph app for IR
  • Azure Attack techniques
    • Overview of Azure Attacks
    • ATT&CK phases
    • Azure attack tools
  • Exercise: Investigate a cloud compromise in Azure
  • Azure IR tools and Techniques
  • Exercise: Azure CTF
Day 2 - Morning session
  • Microsoft 365 IR introduction
  • Unified Audit Log (UAL)
  • Overview of forensic artefacts
    • Forwarding Rules
    • Mailbox audit log
    • Message trace log
  • Exercise: Acquisition & Exploration of the UAL
  • Microsoft 365 Attack techniques
    • Initial access
    • Execution
    • Persistence
Day 2 - Afternoon session
  • Microsoft 365 Attack scenarios
  • Exercise: Investigating an espionage campaign in Microsoft 365
  • Microsoft 365 IR Tools and Techniques
  • Exercise: Automated analysis of a Microsoft 365 environment
  • Best practices for remediation and recovery in Microsoft 365
  • Exercise: Microsoft 365 CTF
  • Wrap-up & Prize ceremony

Technical difficulty of the class:

Beginner/Intermediate.

Experience in the Microsoft cloud will prove very useful for keeping up. Experience with PowerShell and/or KQL is not required, but will help you gain even more from the training. You must also not be afraid of the command-line interface: this is a hands-on training and not everything will be done in the GUI.

DATE: August 12th-13th 2024

TIME: 8am to 5pm PDT
VENUE: Sahara, Las Vegas, NV
TRAINER: Korstiaan Stam

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before July 1st; the processing fee is $250.

Trainings are non-refundable after July 10th, 2024.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.