How to Forensic Investigate Security Incidents in Microsoft Azure
Aug 6, 2025
When a security incident is detected on the Azure cloud platform, forensic investigators must examine the log data collected from various sources. If a VM is found to be affected, it is important to take a snapshot of the OS disk of the VM for further investigation. This session describes the forensic acquisition methodology for an Azure VM and walks through an assumed scenario to divide the whole process into multiple steps.
0:30
Hello to everyone and welcome to another episode here of Azure User Group Sweden. My name is Håkan Silfvernagel and I will be the host here for today. We are waiting also on Jonah, so hopefully she will be able to connect to the stream during our stream here. So the topic here for today: October is the security awareness month, so therefore we have chosen some security related sessions here for you in this month. Today we're going to have a session called "How to Forensic Investigate Security Incidents in Microsoft Azure", but before we start with that I will just give some background information here about our user group.

1:20
So we have a code of conduct here, and it's important that it needs to be nice and friendly. We should listen with purpose and be thoughtful, we should be respectful to others and seek to understand, not criticize, and we should also be curious and open to share ideas, and we should be inclusive in our comments and questions. You can see our code of conduct here on the GitHub link on this slide.

1:49
And if you want to keep in touch and keep updated on our events, you should join our Meetup community, so you can just scan this QR code and join the Meetup and you will be notified on our next sessions. We also have our CFP, so we're always looking out for new speakers, and it doesn't matter if you're an already established speaker or maybe you have never spoken before. If you're a new speaker we will be able to mentor you and help you both with content and the practical details of having a session.

2:32
And after this session we will also invite you for a fika session, which is a Zoom call, so we'll post the link to that Zoom call at the end of our session here. So now we can see here, I think we can welcome Jonah.

2:55
Yes, hi Håkan, good morning everyone, or good noon. I'm sorry I'm late, I had technical difficulties at the virtual backstage, so I'm glad I got my cam and mic working. Welcome everyone and happy weekend. I saw that you just did the code of conduct, Håkan. How are you doing today?

3:17
Yeah, I'm doing fine. I have a bit of a throat infection but I'm good.

3:23
Yes, I can relate, I've had a dry cough for like almost a month now and I know how it feels to just do your best to share to the community, and we do it for our community and tech friends that are following us in the community, so that's great. So, is there anything else we need to bring before we bring in our guest today?

3:47
No, I think we can just bring in our guest here, and then as I said we will... oh yeah, we can do an introduction here, a proper introduction.

3:56
Yes, let's do that.

4:01
Yes, so I'm very happy to introduce Jonah Andersson. She's the founder here of our user group, and she is an Azure MVP and also a Microsoft Certified Trainer, and she is an international speaker and a podcast host, and she's also a proponent for inclusivity in the world of tech, and she's also written a book, Learning Microsoft Azure, for O'Reilly.

4:36
Thank you Håkan. Yes, we usually introduce ourselves, especially to those that are just joining us for the first time in our community, so thank you Håkan for the introduction. So I'm Jonah Andersson, I'm from Sweden, founder of Azure User Group Sweden. I am very active in the community, inspiring about what I do. I work as a senior Azure consultant at Solidify, and my co-leader here Håkan is also an AI architect specialist working at Steria, I hope I got the correct name of your new employer, Håkan. And he is also very active like me in the community as the co-leader of Azure User Group Sweden. He is a public speaker, Microsoft MVP for AI, MCT, and leader of communities in Norway such as AI 42 and the .NET community in Norway as well. So it's a very great tandem and sync we have in this community, but that's great.

5:43
I can't wait to introduce our speaker, who is very special in a way that he's also part of the community. He's also an MVP, MCT, a speaker, and he has been wanting to speak in our user group and finally we gave him the spot on this stage, and thank you so much to him for such patience, because we do have a lot of sessions in our community. But Håkan, do you want to have the honor to introduce him on stage today?

6:15
Yes, let's add here Uroš pich.

6:21
Good morning, hello Jonah, hello Håkan, and I'm very proud to be part of this session, and proud to be part actually of your Sweden user group, and I'm looking forward to new challenges in this group, and actually to start today with a very, very great, I think, topic, that is cloud forensics in Microsoft Azure. And yes, thank you for your introduction. I will shortly introduce myself. I am also a Microsoft Security MVP and Microsoft Certified Trainer, very experienced, and I am also a blogger and publish a lot of posts on LinkedIn, and we are actually in day-to-day conversation and communication regarding how to share the best practice and knowledge and everything. And I think this session is actually a great place to explain everything about cloud forensic investigation in Microsoft Azure, because we apply the principles and methodology of digital forensics with the cloud environment, and how we investigate security incidents. We have a lot of sophisticated attacks in very zero-day operations and we must be aware on this topic with the point of view of incident response, vulnerability management, etc.

8:03
Yeah, interesting. Yeah, I myself am very interested in this session, especially that even in any day-to-day IT project we have security playing a vital role in everything we do, in all of the application development process, so I'm excited for this. But, like we did introduce ourselves, we skipped the proper introduction that we used to do, so do you want to share to our audience where you are joining us from, which country are you representing?

8:36
Right, yes, yes. My country is Serbia, I come from Belgrade, I am situated here, but I'm a part of the great Crayon Serbia team. I'm actually solution architect, security team lead, and I am involved also in many projects as a security guy with my team on domestic and international level. It is very, very interesting, and my part is actually security operations with the XDR, Sentinel, Security Copilot, and during this session I will demonstrate part of this, because the central part of our discussion is how artificial intelligence helps us in security day-to-day operation, and manual work is actually... automatic disruption of security incidents and everything that is the advantage over manual work with the SOC team, and unified security operations is actually an advantage because that saves your time and works faster with the SOC team, especially security analysts and incident responders in day-to-day operation, and that is crucial when we deal with incident investigation, threat hunting operation, and everything in the field of cyber security.

10:11
All right, interesting. Already, it seems like you already gave us the thriller of the things that you're going to discuss, that's awesome. But to our audience, feel free to live chat your questions or comments and then Uroš will be answering the questions. Do you prefer to have your questions asked on the go, or do you prefer that we save it for the end of the session?

10:38
I think that is better to be at the end of the session. If you have some interesting question, you can during this session interact with me and discuss about some specifics.

10:50
Great, so yeah, ask your questions everybody, and yeah Uroš, it's your stage now.

10:56
Thank you very much, and we can start with a very, very great topic, how to be proactive in forensic investigation in Microsoft Azure. And I will show you the agenda for this session today. The first is how we describe the introduction of, and actually define, cloud forensics, what is the cloud forensic challenge. I will explain the cyber kill chain, I will start with some indicators of compromise with the point of view of know BS, and we will discuss about visibility and hunting across the chain, because we have a lot of advanced persistent threat tooling, how we protect from this part in day-to-day operation with the point of view of incident investigation and everything. And my plan is to describe the process of some investigation, like I have some machine in Microsoft Azure and I have suspicious activity, and maybe my resources in the cloud are compromised, and what are actually the steps. I will explain during the Azure portal, and I will explain also how we deal with that using Azure command line interface. Yes, and of course we are using in day-to-day operation a lot of other Azure official incident response and forensic tools for forensic purposes. I have some experience with it because in day-to-day operation I work with the client and try to help if we have some similar situation, like a security incident, but our idea is to be more proactive with the point of view of using modern Microsoft technology like Defender XDR, like Microsoft Sentinel in combination with Security Copilot, and that is actually unified security operations, and this approach saves time and works faster. You don't have to switch between many tools and many integrations, one board for your playbook, for your workbook, for your threat hunting operation and everything. That is how we work, and of course with a point of view of security investigation.

13:50
The second part is actually how Security Copilot helps us in day-to-day operation with the point of view of forensic investigation. What is crucial is artificial intelligence, user behavior analytics and automatic disruption in the containment phase. I have the option, with the point of view of definitely using this, I like to say, Trio Fantastico, this tool, to solve all incidents in an automatic way, but okay, you have the option, when you click on an incident, to manually resolve the incident. Maybe it is some false positive, maybe it is malicious activity, or maybe some security testing, because I conducted many, many attack
14:49
because I conducted many many attack
14:49
because I conducted many many attack simulation to help me to be more
14:52
simulation to help me to be more
14:52
simulation to help me to be more proactive to be res in in in in in my
14:55
proactive to be res in in in in in my
14:55
proactive to be res in in in in in my work and I will show you this this top
14:59
work and I will show you this this top
14:59
work and I will show you this this top topic it is very interesting uh uh
15:01
topic it is very interesting uh uh
15:01
topic it is very interesting uh uh because uh the first part is a standard
15:04
because uh the first part is a standard
15:04
because uh the first part is a standard toping how we uh conduct some forensic
15:08
toping how we uh conduct some forensic
15:08
toping how we uh conduct some forensic investigation in Asia with the virtual
15:10
investigation in Asia with the virtual
15:10
investigation in Asia with the virtual machine acquisition in Microsoft Asia
15:13
machine acquisition in Microsoft Asia
15:13
machine acquisition in Microsoft Asia the second part is actually how we work
15:16
the second part is actually how we work
15:16
the second part is actually how we work in Defender xdr and in Sentinel in
15:19
in Defender xdr and in Sentinel in
15:19
in Defender xdr and in Sentinel in security copilot and in the last of my
15:23
security copilot and in the last of my
15:23
security copilot and in the last of my session today I give you I give you and
15:26
session today I give you I give you and
15:26
session today I give you I give you and share with you knowledge about security
15:28
share with you knowledge about security
15:28
share with you knowledge about security recommend ation how we we will be more
15:31
recommend ation how we we will be more
15:31
recommend ation how we we will be more and more proactive in in Microsoft Asia
15:34
and more proactive in in Microsoft Asia
15:34
and more proactive in in Microsoft Asia with a point of view device how to
15:36
with a point of view device how to
15:36
with a point of view device how to protected our device how to protect it
15:39
protected our device how to protect it
15:39
protected our device how to protect it our identity narciss management with ENT
15:44
our identity narciss management with ENT
15:44
our identity narciss management with ENT identity protection with
15:46
identity protection,
15:51
using conditional access policy,
15:52
for
15:56
example using multi-factor authentication
15:59
and everything, passwordless technology,
16:03
because that is the reason in some
16:06
situations, when a hacker is using some
16:09
tools and conducting a password spray attack
16:12
or brute force attack, passwords are this big
16:15
problem, and how we protect from password
16:19
leaks and a lot of legacy protocols
16:22
we have been conducting in many day-to-day
16:26
operations, when conducting some
16:29
security assessment,
16:32
many, many, and revealing many legacy
16:36
protocols like SMB, like NTLM, like
16:41
TLS 1, 1.2, and that is
16:44
interesting because actually in
16:47
the market we have a lot of legacy
16:51
applications with all the frameworks,
16:54
and how we protect from this part, it is
16:57
crucial, because that is a very, very
17:00
good place when you have some
17:05
vulnerability or open port to
17:08
give a chance for an attacker to
17:12
actually have impact in that way.
17:14
Okay, that is the standard
17:17
introduction of cloud forensics. That
17:21
is actually a division also of network
17:23
forensics, but it involves of course
17:26
management of public and private
17:29
networks. We are using a lot of software
17:31
as a service and platform as a service;
17:35
the application service model provides
17:38
the least control over the process of
17:39
network
17:42
monitoring and data collection procedures.
17:46
In this part, when we are talking about
17:49
software as a service, the application is
17:50
actually
17:53
reliant on the power of the service
17:56
provider, but we have a lot
18:00
of different machine instances that can be
18:03
acquired from the customer for evidence
18:06
analysis, and the last part is of course
18:09
physical access to the data, because
18:14
we have actually a lot of dark
18:18
data in the cloud, and if
18:21
you decide with your compliance team
18:24
what is critical, you must protect
18:26
this part, and the Microsoft
18:29
Purview solution actually helps you
18:32
in that way. I am using different policies:
18:35
I'm using insider policy, communication
18:38
policy; I am using Compliance Manager
18:42
to resolve the risk of using many
18:44
different standards, from the point of
18:48
view we discussed, as a part of
18:50
forensic setting, from the point of view of the
18:52
27000 family
18:56
of ISO standards, but
18:59
actually when we discussed
19:04
the cloud forensics challenge,
19:07
the first is actually investigation,
19:09
investigation from the point of view of how
19:12
we resolve an
19:16
incident; maybe that is a part of cyber
19:19
crime and policy relations with the
19:22
public environment, and we have some
19:24
suspicious activity in the cloud
19:27
environment, and we define some
19:29
investigation process from the point of
19:31
view of incident response:
19:33
investigation, preparation phase,
19:37
detection phase, and incident
19:38
response from the point of view of
19:41
containment, incident eradication and
19:45
postmortem activity. But that is
19:48
including some manual forensic work. In the
19:51
preparation phase we are using a
19:54
lot of forensic toolkitting in that
19:59
way, and we must learn a lot of
20:02
these operations and deal with, for
20:07
example, the CERT team or the SOC team in order
20:10
to better analyze the result of what is
20:13
actually revealed in a troubleshooting
20:17
way. Cloud forensic techniques
20:22
assist a lot of users, and me and my team, in
20:25
troubleshooting by determining what is
20:27
actually the data and host that is
20:30
physically or virtually present in the
20:33
cloud environment, and I find and
20:37
resolve any errors or security issues,
20:40
for example in the cloud, and it helps me to
20:43
better understand the trend in
20:45
past security attacks and how to handle
20:48
incidents in the future. That is very
20:51
important: lessons learned from the
20:56
incident, etc. Log monitoring:
20:58
we are using actually in day-to-day
21:00
operations a lot of security and
21:05
management tools: Sentinel, a cloud-based
21:08
tool for incident investigation in real
21:13
time, and that actually determines
21:16
some logs for investigation, physically or
21:18
virtually present in the cloud
21:20
environment. They
21:25
allow a cybersecurity analyst, for
21:28
example, to find and to
21:33
provide some audit, analyze and calculate
21:35
various aspects in the cloud environment,
21:38
and help you check what is
21:42
compliant or not compliant with
21:45
regulatory standards, and that is actually
21:49
part of log monitoring, and we
21:53
have actually different... I
21:56
mentioned data and system recovery, but
21:59
cloud security, actually cloud
22:02
forensics, deals with the security aspect of an
22:05
organization: how to secure critical data,
22:08
how to maintain necessary records for
22:12
auditing purposes, and how you can
22:16
notify the concerned team for
22:19
suspicious activity. That is central
22:21
from the point of view of reporting, if you
22:24
have some private data that has been misused
22:29
or exposed, and it actually helps us to find
22:33
the better way in a section that meets
22:35
some regulatory compliance, and how to
22:40
fix that. And finally we have due
22:44
diligence and the regulatory compliance part;
22:47
that is actually also a security aspect of
22:48
many
22:51
organizations: how we secure critical data
22:55
and everything from that point of view.
22:59
System recovery, I mentioned before: I am a
23:02
forensic expert, I can use a copy of
23:06
evidence in the court of law, I can
23:09
create some forensic copy of data that can be
23:12
used by the service
23:16
provider as a backup, and everything. That
23:21
is actually... we have five
23:23
pillars of cloud forensic challenges, and
23:29
after that we must find a way
23:33
to deeply understand the phases of
23:36
the cyber kill chain, because you have a
23:39
series of steps that trace the stages of
23:43
different cyber attacks, and I'm using,
23:47
for example, in the recon phase a lot of
23:52
recon tools, and try to access a
23:54
network and services in order to detect
23:56
some possible target and technique to
23:59
gain entry. Maybe your public IP
24:04
address, maybe you are not
24:08
actually protected with network security
24:11
groups, and what is the main idea of using
24:15
some technique in Defender for Cloud
24:17
from the point of view of just-in-time
24:21
access: I can use, for example, my
24:27
work and connect via port RDP or SSH, but
24:30
I'm using it in a strict time, for example
24:33
tomorrow I am security admin and I am
24:38
using my account to access via
24:44
the Windows RDP port 3389, and
24:47
I'm using that only for three hours.
24:50
That is very good; that is an example of
24:53
this restriction we were talking
24:57
about in this actual
24:59
session, about that. But in the intrusion
25:04
phase the attacker is using knowledge gained in recon,
25:07
that is very important, to get access to a
25:11
part of your network. That often
25:13
involves exploring the flaws and
25:16
security holes and everything, but in the
25:20
exploitation phase you have the
25:22
chance to exploit some
25:25
vulnerability. If you're using some
25:29
legacy port like SMB, that is old, oh my
25:32
God, about 13 years, and a lot of legacy
25:37
protocols, that is the part we have
25:38
actually
25:41
in
25:48
2018, the BW vulnerability, but you are using
25:53
the vulnerability and exploit for that,
25:56
and after that you have
26:00
privilege on that and everything, but
26:03
legacy protocols are very dangerous and we
26:07
must find a way. For example, I'm using
26:09
Group Policy Objects and I create some
26:13
registry GPO for that purpose and link it
26:17
to my computer objects in order
26:21
to protect from this part of
26:25
the attack. The next step is actually
26:27
privilege escalation. Privilege
26:31
escalation is very often to gain
26:35
some administrative access to compromised
26:39
systems and of course to gain access to
26:41
more critical data and move into the
26:44
connected systems. The next is lateral
26:48
movement: when I have a privileged account I
26:50
have conducted lateral movement; for
26:53
example, I can jump from the Exchange Server
26:58
to get more
27:01
information, but I can go with
27:04
persistence from Active Directory. That
27:08
is very important, and we must be
27:12
aware of how the settings of our tier zero are
27:17
in that way. The next phase is data
27:19
exfiltration, in combination with some rare
27:21
activity; of course, that is a standard
27:25
process, but in anti-forensics, that is
27:28
very, very interesting: to
27:32
successfully pull off a cyber attack,
27:35
attackers need to cover their entry, and
27:38
they will often compromise data and
27:42
clear audit logs, or try to prevent
27:45
detection by the security team. That is
27:49
crucial: how we protect from this
27:52
activity. We must know, from the point
27:55
of view of digital forensics, obfuscation
27:57
techniques and
28:00
anti-forensic techniques, to find the
28:03
best way to protect from that, and with
28:07
a lot of... the denial of service phase
28:12
involves some disruption of normal
28:16
access for the users, and the DoS attack
28:19
is very often... how to be monitored, how
28:21
to be tracked, how to be blocked and
28:25
everything. And finally we have
28:28
exfiltration; that is finally the extraction
28:30
stage, in order to get some
28:34
valuable data out of the compromised
28:36
system, and the Security Center is
28:39
designed around the kill chain and
28:42
connected with the MITRE ATT&CK framework.
28:44
That is very important when talking
28:48
about a forensic investigation,
28:52
actually, to know this
28:57
part. And finally we have a lot of...
29:02
the hunting cycle, because that is
29:04
starting with the hunting for indicators
29:09
of compromise, or no beds, ranging from,
29:13
for example, the smallest unit of indicator
29:15
to behavior indicators that may be
29:18
defined after an incident response investigation. That is very
29:19
response investigation that is very
29:19
response investigation that is very important to to to to to explain that is
29:23
important to to to to to explain that is
29:23
important to to to to to explain that is very manageable when you start with off
29:26
very manageable when you start with off
29:26
very manageable when you start with off with some initial indicator of
29:28
with some initial indicator of
29:28
with some initial indicator of components trigger and you can take some
29:32
components trigger and you can take some
29:32
components trigger and you can take some additional uh
29:34
additional uh
29:34
additional uh finding and be aware with Trend hunting
29:37
findings, and be aware of threat hunting
29:40
tools and methodology. But one example
29:44
is data stacking in the environment, until we can
29:46
determine several machines across
29:51
the same environment, for example; here
29:53
we confirm that some indicator of
29:56
compromise is triggered, and that is crucial.
29:58
And from the point of view of compromised
30:02
identity we have two parts: that is a
30:05
part of the compromised system with some
30:07
suspicious activity, with some suspicious
30:11
events, and we have suspicious files, in a
30:14
forensic way to find how to analyze
30:17
this file. In the second part we
30:20
have a lot of, in daily operation,
30:24
compromised applications; we must find the
30:28
way, in a forensic way, how to
30:31
investigate some suspicious activity and,
30:35
of course, suspicious artifacts
30:39
in that way. And finally we have
30:43
hunting through the attack chain, and
30:46
that is actually part of
30:50
Microsoft security recommendations and
30:55
everything, and a lot of the Defender family
30:58
of Defender tools help us in that way.
31:03
Standard process: I'm a user, maybe I
31:05
am a victim of a
31:09
phishing mail, without a lot of awareness
31:13
training in that way, or I click on
31:17
some URL and open an attachment; that
31:20
is actually the start, with installation
31:22
or exploitation,
31:27
and the attacker tries to communicate with the
31:30
domain controller in order to
31:32
impersonate users,
31:36
impersonation with lateral movement, and
31:38
actually redirecting to some command and
31:40
control server. The user account is
31:44
compromised, but we have some brute-forced
31:47
account or stolen account
31:50
credential attempts, some lateral movement, I
31:53
explained before, but when we have a
31:56
privileged account compromised, it may
32:00
access some sensitive data, in data
32:02
exfiltration and potential R activity,
32:05
and you can see on this diagram it is
32:09
very clearly explained what is the part of
32:11
Defender for Office 365. Defender for
32:16
Office 365 is the part in building
32:19
that extended detection and response, and
32:21
it allows tracking and hunting through
32:24
mail, different attachments, different
32:28
URLs. And we have actually Defender for Endpoint,
32:31
how to correlate attack activity to
32:34
endpoint activity, from the point of view of how
32:36
to analyze the process, how to analyze the
32:40
registry or file events. You can use
32:43
Sysmon, you can use different file
32:46
integrity monitoring, which is a very important part
32:48
that is also now part of Microsoft
32:51
Defender for Endpoint; that was previously
32:54
part of, and now is also in, Defender for
32:56
Cloud. But from the point of view of
33:00
identity, we have multiple sensors to
33:03
connect with our domain infrastructure,
33:06
our server infrastructure, and the
33:09
central question is how to detect attacks
33:12
against our on-premises infrastructure,
33:14
and we are using for that purpose
33:18
Defender for Identity to analyze
33:21
this. And finally, how to
33:23
protect a lot of applications in the
33:25
cloud, software as a service in the cloud;
33:26
for
33:30
example, I am using SuccessFactors in the cloud,
33:34
but I have a lot of HR data on-premises,
33:37
and how to connect my sensitive data.
33:40
Maybe the idea, before connecting from the
33:43
on-premises infrastructure, is how to
33:47
protect the data and how to encrypt this
33:50
data. And user behavior analytics and
33:53
cloud discovery data enhance the hunting
33:55
activity and everything, in order to
33:59
find the best way. Cloud App Security in
34:02
Defender, that is also part cloud access
34:07
security broker, helps us in that way.
34:10
The second is how to find, how to strike
34:12
the right balance
34:16
between cloud forensic challenges
34:19
in order to find maximum
34:22
visibility. We are using a lot of
34:25
threat hunting tools and
34:28
methodology in order to
34:30
investigate: proper incident response
34:33
tooling for Windows and Linux, first
34:36
triage tools for devices of
34:40
interest, Microsoft Active Directory or
34:43
actually Entra security configuration
34:45
assessment. You can use Sentinel, for
34:48
example, as a central source of
34:50
logging, using machine learning and
34:53
artificial intelligence with playbooks,
34:57
workbooks, a lot of analytic rules, and
35:00
that is connected to different data
35:03
sources. And actually Microsoft
35:05
Defender for Endpoint, I mentioned
35:08
before, actually uses machine
35:11
learning and artificial intelligence to
35:13
quickly respond to trends while working
35:15
side by side with some third-party
35:20
antivirus part. But you can see a
35:23
lot of different forensic
35:26
techniques for deep scan, for targeting
35:29
exploitation; you can use a set of live
35:31
scanners for that purpose, and endpoint
35:34
scanners for that purpose, but you're using
35:37
also the global telemetry of data,
35:40
threat intelligence, security graph, sensor
35:44
network; that is a very
35:47
important part, and you can see on this
35:50
slide what we are using for
35:52
continuous monitoring in
35:56
Microsoft Defender XDR. But Office
35:59
365 protection, how to protect our
36:02
mail from the point of view of spoofing: it is
36:07
very important to set your
36:12
DMARC, DKIM and SPF parameters
36:15
in the impersonation phase and content analysis.
36:18
But we are dealing, for example, with
36:20
Microsoft Defender for Identity, which is very
36:24
important in the recon phase to stop many
36:28
lateral movements and domain dominance, and
36:30
actually we are using a lot of
36:34
different tooling for advanced hunting,
36:36
alerting and correlation across
36:39
different data sources in the cloud. The
36:44
next steps are actually tools,
36:49
as we explained: I can use, for example, an
36:52
ATP tool for initial threat detection,
36:58
a tool where I can run rules on targeted devices
37:00
or server infrastructure. I can use
37:03
Microsoft Defender for Endpoint, much
37:05
more effective when working with Defender,
37:08
with remediation, with the current
37:10
configuration. Microsoft Defender for
37:13
Identity I mentioned before, but that is
37:16
very important to protect us from
37:20
some different attacks like Pass-the-Hash,
37:23
golden/silver ticket, skeleton key and
37:28
many more. Sentinel, using machine
37:30
learning and artificial intelligence,
37:34
sends many alerts in real-time
37:37
protection; we are limited on modern
37:39
operating systems for full event
37:42
information, but I can use, for deep-dive
37:44
information on interesting computers,
37:47
some forensic extractor tool. Fox is a very
37:50
popular Active Directory forensic
37:53
investigation tool; it provides a high level of
37:55
Active Directory configuration
37:58
assessment and provides log data
38:02
correlation against Entra ID or Office 365. Likewise,
38:05
for Linux investigation and forensic
38:08
examination we can use different tools; in
38:11
initial threat detection tools for
38:14
Linux systems, I can run on the target device,
38:18
I can run on supported operating systems, and
38:21
everything. The first part of this
38:26
session today is how we are using,
38:27
actually,
38:30
in day-to-day operation, from the point
38:32
of view of virtual machine acquisition on the
38:35
Microsoft Azure cloud platform, and we
38:39
have standard steps: I can turn
38:42
off my virtual machine, I create a
38:46
snapshot of the operating system disk, in
38:49
some potential suspicious activity
38:52
or potentially compromised virtual machine,
38:55
via the Azure portal, but I can also use the
38:59
command line interface, I will explain later. I
39:02
can copy the snapshot to my storage account;
39:04
I previously defined some storage
39:07
account, I have some resource group that
39:10
can store forensic analysis; that is a
39:12
totally different security group, I am
39:16
using, for example, a security group for
39:21
that purpose. I can show you
39:26
now here, and I have some, I can zoom my
39:28
screen in order to get better
39:31
visibility. Yes, I have some Ubuntu
39:34
virtual machine with the resource group,
39:37
and when I click on this resource group I
39:40
have a lot of resources: I have a snapshot,
39:43
this SSH key, because that is a Linux
39:48
machine, network interface, but I have the disk
39:53
here. My machine is off, and
39:58
after that, when I click here in
40:01
configuration, I can create a
40:05
snapshot in a very easy way in my
40:09
production; I define some name, for example for my
40:14
investigation, and I previously defined the
40:22
region. Snapshot type can be, what
40:24
the type is determines pricing
40:27
and functionality: incremental, you can
40:30
save the storage costs by making
40:33
some partial copy based on the
40:35
difference from the last snapshot, or you
40:39
can use a full snapshot in order to
40:41
make a complete read-only copy of the selected
40:44
disk. And I previously defined my source
40:47
with the disk, my subscription, security
40:50
type, generation of my virtual machine;
40:54
you can see a lot of different data. I
40:58
can use standard disk from my zone
41:01
redundant storage, and from the point of
41:04
view of encryption I can use the default,
41:06
because I did not create any Key Vault in
41:09
Azure; that is by default a platform
41:11
managed key. Of course, from the point
41:16
of view of networking, okay, I can disable
41:19
the public address, but I'm using
41:22
different techniques like
41:25
network security groups and
41:29
everything, private links or
41:34
Bastion, or just-in-time access,
41:36
in order to find a better way to
41:39
protect this part. From the point of view of
41:42
data access authentication mode, I can
41:47
allow access with Azure Active
41:50
Directory authentication for the snapshot; I
41:53
have an option for upload; I can
41:58
define some tags, but I can in a
42:02
very easy way create a snapshot
42:06
here for my forensic
42:09
investigation. Deployment is in progress,
42:12
but I can come back here. What is my idea?
42:18
I create here, in my case, the
42:20
first group for the production environment
42:22
and a different security group; that is
42:25
very important to understand, you must
42:28
have a different security group for your
42:30
digital forensic investigation, and under
42:34
my previous production group I
42:37
have some virtual machine that is
42:38
expected to have some suspicious
42:41
activity, to maybe be compromised, and I'm a
42:44
forensic investigator; I can take a
42:47
snapshot of the operating system disk
42:50
of the suspected VM, my Ubuntu, for
42:52
further investigation. And that is
42:55
actually the first step: stop the
42:57
virtual machine. The second step: I can
43:02
click on my disk and create a
43:05
snapshot. When I create the
43:10
snapshot, I have, I will show you now
43:11
snapshot I I have I I will show you now the second part how we investigate
43:14
the second part how we investigate
43:15
the second part how we investigate through through Power shell that is also
43:17
through through Power shell that is also
43:17
through through Power shell that is also interesting not only using graphical
43:20
interesting not only using graphical
43:20
interesting not only using graphical user interface because virtual machine
43:22
user interface because virtual machine
43:22
user interface because virtual machine acquisition on asure cloud platform
43:25
acquisition on asure cloud platform
43:25
acquisition on asure cloud platform include the steps I create the first
43:27
include the steps I create the first
43:27
include the steps I create the first snapshot and I previously explain in My
43:31
snapshot and I previously explain in My
43:31
snapshot and I previously explain in My Demo uh but I I am using command for
43:34
Demo uh but I I am using command for
43:34
Demo uh but I I am using command for example show my Resource Group
43:36
example show my Resource Group
43:36
example show my Resource Group production group with my name and some
43:40
production group with my name and some
43:40
production group with my name and some query and uh I I Define and I create
43:43
query and uh I I Define and I create
43:43
query and uh I I Define and I create create also in this way snap snapshot in
43:46
create also in this way snap snapshot in
43:46
create also in this way snap snapshot in Comm interface the second part is uh to
43:50
Comm interface the second part is uh to
43:50
Comm interface the second part is uh to copy snapshot to predefined storage
43:53
copy snapshot to predefined storage
43:53
copy snapshot to predefined storage account under different Resource Group I
43:57
account under different Resource Group I
43:57
account under different Resource Group I can generate share access signature I
43:59
can generate share access signature I
43:59
can generate share access signature I can run a snapshot Grant access common
44:03
can run a snapshot Grant access common
44:03
can run a snapshot Grant access common to gain some specific access R to to
44:07
to gain some specific access R to to
44:07
to gain some specific access R to to snapshot
44:08
snapshot
44:08
snapshot snapshot with the common he generated on
44:12
snapshot with the common he generated on
44:12
snapshot with the common he generated on S token with Rel only access R to
44:15
S token with Rel only access R to
44:15
S token with Rel only access R to snapshot for 60 minutes and I can use
44:18
snapshot for 60 minutes and I can use
44:18
snapshot for 60 minutes and I can use window power shell with my
44:20
window power shell with my
44:20
window power shell with my administrative prology uh I can create I
44:23
administrative prology uh I can create I
44:23
administrative prology uh I can create I I create I previously created Resource
44:26
I create I previously created Resource
44:26
I create I previously created Resource Group production environment with my uh
44:29
Group production environment with my uh
44:29
Group production environment with my uh snapshot name but I can Define duration
44:32
snapshot name but I can Define duration
44:32
snapshot name but I can Define duration in seconds that is actually uh
44:37
in seconds that is actually uh
44:37
in seconds that is actually uh 3,600 access level is read and my
44:41
3,600 access level is read and my
44:41
3,600 access level is read and my actually uh uh share access signal token
44:45
actually uh uh share access signal token
44:45
actually uh uh share access signal token with URI is generated the next steps is
44:50
with URI is generated the next steps is
44:50
with URI is generated the next steps is actually what I previously explained in
44:53
actually what I previously explained in
44:53
actually what I previously explained in introduction I copy my snapshot on the
44:56
introduction I copy my snapshot on the
44:56
introduction I copy my snapshot on the St storage account under the different
44:59
St storage account under the different
44:59
St storage account under the different Resource Group and create storage
45:01
Resource Group and create storage
45:01
Resource Group and create storage account that is very easy I I'm using as
45:06
account that is very easy I I'm using as
45:06
account that is very easy I I'm using as aure storage account to create common in
45:10
aure storage account to create common in
45:10
aure storage account to create common in storage account with my necessary um uh
45:15
storage account with my necessary um uh
45:15
storage account with my necessary um uh feature I I defined storage version I
45:19
feature I I defined storage version I
45:19
feature I I defined storage version I defined SQ with a standard local R
45:22
defined SQ with a standard local R
45:22
defined SQ with a standard local R storage for example and after that I can
45:26
storage for example and after that I can
45:26
storage for example and after that I can use the C
45:27
use the C
45:27
use the C my uh snapshot and in order to create
45:30
my uh snapshot and in order to create
45:31
my uh snapshot and in order to create file share with storage account you can
45:33
file share with storage account you can
45:33
file share with storage account you can also create file share uh in graphical
45:37
also create file share uh in graphical
45:37
also create file share uh in graphical using IND what what is suitable for you
45:39
using IND what what is suitable for you
45:39
using IND what what is suitable for you but uh you need to obtain some uh
45:42
but uh you need to obtain some uh
45:42
but uh you need to obtain some uh account key uh that is key feature here
45:47
account key uh that is key feature here
45:47
account key uh that is key feature here phot the storage account to create some
45:49
phot the storage account to create some
45:49
phot the storage account to create some file share in order to execute with this
45:52
file share in order to execute with this
45:52
file share in order to execute with this command and once the keys obtained I can
45:55
command and once the keys obtained I can
45:55
command and once the keys obtained I can create some file share with the Azure
45:57
create some file share with the Azure
45:57
create some file share with the Azure storage share command with require
46:01
storage share command with require
46:01
storage share command with require require parameter and file share is
46:04
require parameter and file share is
46:04
require parameter and file share is created now I have a copy of my
46:08
created now I have a copy of my
46:08
created now I have a copy of my screenshot file share that is finally I
46:12
screenshot file share that is finally I
46:12
screenshot file share that is finally I I can use my copy of snapshot to the
46:14
I can use my copy of snapshot to the
46:14
I can use my copy of snapshot to the file share but but executing some
46:16
file share but but executing some
46:16
file share but but executing some storage file copy start Comm with
46:19
storage file copy start Comm with
46:19
storage file copy start Comm with required parameters such for example I
46:22
required parameters such for example I
46:22
required parameters such for example I can use URI or
46:24
can use URI or
46:24
can use URI or access uh previously
46:27
access uh previously
46:27
access uh previously created share access signature generated
46:30
created share access signature generated
46:30
created share access signature generated from accessing the snapshot I I can
46:33
from accessing the snapshot I I can
46:33
from accessing the snapshot I I can Define destination file pet with the
46:36
Define destination file pet with the
46:36
Define destination file pet with the snapshot name with some DD extension for
46:39
snapshot name with some DD extension for
46:39
snapshot name with some DD extension for my fores proposed and of course I can
46:43
my fores proposed and of course I can
46:43
my fores proposed and of course I can use storage account name and account key
46:46
use storage account name and account key
46:46
use storage account name and account key in that way uh what is the next step I
46:51
in that way uh what is the next step I
46:51
in that way uh what is the next step I can delete Snapshot from the source
46:54
can delete Snapshot from the source
46:54
can delete Snapshot from the source resource Group and create back a copy
46:56
resource Group and create back a copy
46:56
resource Group and create back a copy that is very very important part because
46:59
that is very very important part because
46:59
that is very very important part because you you
47:01
you you
47:01
you you generate uh sa talking from the storage
47:04
generate uh sa talking from the storage
47:05
generate uh sa talking from the storage account with the with some res with
47:08
account with the with some res with
47:08
account with the with some res with required parameter and now you can
47:10
required parameter and now you can
47:10
required parameter and now you can create blob container for that propos by
47:13
create blob container for that propos by
47:13
create blob container for that propos by using a uh a token for enhancing
47:17
using a uh a token for enhancing
47:17
using a uh a token for enhancing security and it is totally recommended
47:20
security and it is totally recommended
47:20
security and it is totally recommended to create back a copy of your operation
47:23
to create back a copy of your operation
47:23
to create back a copy of your operation system snapshot by affecting virtual
47:25
system snapshot by affecting virtual
47:25
system snapshot by affecting virtual machine and remove some Source store
47:29
machine and remove some Source store
47:29
machine and remove some Source store Resource Group from security resource
47:32
Resource Group from security resource
47:32
Resource Group from security resource and that is very easy uh to create back
47:35
and that is very easy uh to create back
47:35
and that is very easy uh to create back a copy from snapshop in the blog
47:37
a copy from snapshop in the blog
47:37
a copy from snapshop in the blog container as a page blob um the next
47:40
container as a page blob um the next
47:40
container as a page blob um the next steps is Mount Your Snapshot from some
47:45
steps is Mount Your Snapshot from some
47:45
steps is Mount Your Snapshot from some forensic workstation I can open my File
47:48
forensic workstation I can open my File
47:48
forensic workstation I can open my File Explorer I can select my PC in computer
47:52
Explorer I can select my PC in computer
47:52
Explorer I can select my PC in computer option and map some drive and after that
47:56
option and map some drive and after that
47:56
option and map some drive and after that I can use storage account name that is
47:59
I can use storage account name that is
47:59
I can use storage account name that is actually username and storage key and
48:02
actually username and storage key and
48:02
actually username and storage key and password I can use i i i define a file
48:05
password I can use i i i define a file
48:06
password I can use i i i define a file share location for my Moun on network
48:09
share location for my Moun on network
48:09
share location for my Moun on network location and in in double King Mount F
48:13
location and in in double King Mount F
48:13
location and in in double King Mount F share to use some DD file and finally I
48:16
share to use some DD file and finally I
48:16
share to use some DD file and finally I have here the
48:18
have here the
48:18
have here the snapshot. DD file here for my forensic
48:22
snapshot. DD file here for my forensic
48:22
snapshot. DD file here for my forensic investigation if you're using now I can
48:25
investigation if you're using now I can
48:25
investigation if you're using now I can use different uh uh forensic tool for
48:30
use different uh uh forensic tool for
48:30
use different uh uh forensic tool for for for that way that is example with
48:32
for for that way that is example with
48:32
for for that way that is example with autopsy but you can use in case you can
48:35
autopsy but you can use in case you can
48:35
autopsy but you can use in case you can use f f imager in that
48:40
use f f imager in that
48:40
use f f imager in that propose on the file share is contained
48:43
propose on the file share is contained
48:43
propose on the file share is contained in this snapshot he's properly mounted
48:47
in this snapshot he's properly mounted
48:47
in this snapshot he's properly mounted on your forensic workstation you can
48:50
on your forensic workstation you can
48:50
on your forensic workstation you can conduct forens examination of the
48:52
conduct forens examination of the
48:52
conduct forens examination of the context on the operation system disk on
48:54
context on the operation system disk on
48:54
context on the operation system disk on affected virtual machine with with the
48:57
affected virtual machine with with the
48:57
affected virtual machine with with the different with the different tools uh
49:01
different with the different tools uh
49:01
different with the different tools uh what is the summary of this part I'm I I
49:05
what is the summary of this part I'm I I
49:05
what is the summary of this part I'm I I create a snapshot for my virtual machine
49:08
create a snapshot for my virtual machine
49:08
create a snapshot for my virtual machine I I can use different option in asure
49:11
I I can use different option in asure
49:11
I I can use different option in asure Portal or common line interface that is
49:15
Portal or common line interface that is
49:15
Portal or common line interface that is your totally decision but in my some
49:19
your totally decision but in my some
49:19
your totally decision but in my some case is fitable for you to to to use
49:23
case is fitable for you to to to use
49:23
case is fitable for you to to to use common line interface created storage
49:26
common line interface created storage
49:26
common line interface created storage account uh uh under under my security
49:30
account uh uh under under my security
49:30
account uh uh under under my security group I created file share uh in my
49:34
group I created file share uh in my
49:34
group I created file share uh in my storage account copy my operation system
49:36
storage account copy my operation system
49:36
storage account copy my operation system this snapshot with the name in file
49:39
this snapshot with the name in file
49:39
this snapshot with the name in file share so I I am prepared for mounting in
49:42
share so I I am prepared for mounting in
49:42
share so I I am prepared for mounting in any forensic work station that is
49:44
any forensic work station that is
49:45
any forensic work station that is important and I once the snapshot has
49:48
important and I once the snapshot has
49:48
important and I once the snapshot has been copy I I am I am prepared to delete
49:51
been copy I I am I am prepared to delete
49:51
been copy I I am I am prepared to delete from the production group from the
49:53
from the production group from the
49:53
from the production group from the better security and uh uh I also created
49:57
better security and uh uh I also created
49:57
better security and uh uh I also created blog container and store in operation
49:59
blog container and store in operation
50:00
blog container and store in operation system this snapshot in the page blob
50:03
system this snapshot in the page blob
50:03
system this snapshot in the page blob with some name uh uh I'm using virtual
50:07
with some name uh uh I'm using virtual
50:07
with some name uh uh I'm using virtual hard disk and I mounted file name from
50:11
hard disk and I mounted file name from
50:11
hard disk and I mounted file name from all premise infrastructure from Windows
50:13
all premise infrastructure from Windows
50:13
all premise infrastructure from Windows workstation and I can finalize the
50:16
workstation and I can finalize the
50:16
workstation and I can finalize the analyes that with some some specific
50:20
analyes that with some some specific
50:20
analyes that with some some specific forensic tool but
50:24
forensic tool but
50:24
forensic tool but company uh must guarantee uh that is uh
50:28
company uh must guarantee uh that is uh
50:28
company uh must guarantee uh that is uh that is very interesting topic uh for
50:31
that is very interesting topic uh for
50:31
that is very interesting topic uh for discussion uh with Point Cloud forensic
50:35
discussion uh with Point Cloud forensic
50:35
discussion uh with Point Cloud forensic challenge because chain of custody is
50:38
challenge because chain of custody is
50:38
challenge because chain of custody is very important through the evidence
50:40
very important through the evidence
50:40
very important through the evidence where we talking about collection and
50:43
where we talking about collection and
50:43
where we talking about collection and acquisition preservation and access
50:46
acquisition preservation and access
50:46
acquisition preservation and access process uh and digital evidence storage
50:50
process uh and digital evidence storage
50:50
process uh and digital evidence storage must demonstrate some Access Control uh
50:54
must demonstrate some Access Control uh
50:54
must demonstrate some Access Control uh Integrity of data that is very important
50:56
Integrity of data that is very important
50:56
Integrity of data that is very important you can use different tool to to save
50:59
you can use different tool to to save
50:59
you can use different tool to to save your integrity of data uh data
51:01
your integrity of data uh data
51:01
your integrity of data uh data protection monitoring and alerting and
51:04
protection monitoring and alerting and
51:04
protection monitoring and alerting and everything but you have a u lot of
51:08
everything but you have a u lot of
51:08
everything but you have a u lot of question I live share with with with
51:11
question I live share with with with
51:11
question I live share with with with many many conference very you're talking
51:13
many many conference very you're talking
51:13
many many conference very you're talking about on this topic do you know where
51:16
about on this topic do you know where
51:16
about on this topic do you know where your data you start with uh that is on
51:20
your data you start with uh that is on
51:20
your data you start with uh that is on premise maybe off premise and actually
51:23
premise maybe off premise and actually
51:23
premise maybe off premise and actually where is your data is located is is
51:27
where is your data is located is is
51:27
where is your data is located is is distributed from multiple data center or
51:31
distributed from multiple data center or
51:31
distributed from multiple data center or you have some data center across
51:35
you have some data center across
51:35
you have some data center across International boundary that is very
51:37
International boundary that is very
51:37
International boundary that is very important those the law is a certain
51:41
important those the law is a certain
51:41
important those the law is a certain country jurisdiction prevent you from
51:43
country jurisdiction prevent you from
51:43
country jurisdiction prevent you from the
51:44
the
51:44
the capturing uh certain type of
51:47
capturing uh certain type of
51:47
capturing uh certain type of data some detail with user activity
51:51
data some detail with user activity
51:51
data some detail with user activity records from instance uh that is that is
51:55
records from instance uh that is that is
51:55
records from instance uh that is that is very important you have working
51:57
very important you have working
51:57
very important you have working relationship with your cloud computing
52:00
relationship with your cloud computing
52:00
relationship with your cloud computing Veron you have service legal agreement
52:03
Veron you have service legal agreement
52:03
Veron you have service legal agreement or other
52:04
or other
52:04
or other contract to eliminate some uh but with
52:09
contract to eliminate some uh but with
52:09
contract to eliminate some uh but with some rights with responsibility for your
52:12
some rights with responsibility for your
52:12
some rights with responsibility for your data collection and maintenance between
52:14
data collection and maintenance between
52:14
data collection and maintenance between customer and provider that is a crucial
52:17
customer and provider that is a crucial
52:17
customer and provider that is a crucial are you outraised to
52:19
are you outraised to
52:19
are you outraised to collect uh another customer data from
52:23
collect uh another customer data from
52:23
collect uh another customer data from multicloud environment what is your uh
52:26
multicloud environment what is your uh
52:26
multicloud environment what is your uh forensic tools suitable for virtual
52:29
forensic tools suitable for virtual
52:29
forensic tools suitable for virtual environment what is your level of
52:33
environment what is your level of
52:33
environment what is your level of cooperation is necessary to be part of
52:37
cooperation is necessary to be part of
52:37
cooperation is necessary to be part of Provider uh that is very very uh very
52:42
Provider uh that is very very uh very
52:42
Provider uh that is very very uh very important question in forensic
52:44
important question in forensic
52:44
important question in forensic investigation in the cloud but answer is
52:47
investigation in the cloud but answer is
52:47
investigation in the cloud but answer is actually VAR of from vender to Endor uh
52:52
actually VAR of from vender to Endor uh
52:52
actually VAR of from vender to Endor uh we you have a in traditional environment
52:56
we you have a in traditional environment
52:56
we you have a in traditional environment for example example to collect forensic
52:58
for example example to collect forensic
52:58
for example example to collect forensic data collection it is performed for some
53:01
data collection it is performed for some
53:01
data collection it is performed for some contained environment with a single
53:04
contained environment with a single
53:04
contained environment with a single owner collection processes in many
53:07
owner collection processes in many
53:07
owner collection processes in many situation challenging in in traditional
53:10
situation challenging in in traditional
53:10
situation challenging in in traditional environment care must be taken to ensure
53:12
environment care must be taken to ensure
53:12
environment care must be taken to ensure data is not be modified
53:16
data is not be modified
53:16
data is not be modified and technique some like forensic image
53:20
and technique some like forensic image
53:20
and technique some like forensic image are used to reduce possibility of
53:22
are used to reduce possibility of
53:22
are used to reduce possibility of capturing data that is not affected
53:25
capturing data that is not affected
53:25
capturing data that is not affected while copies actually are made and
53:29
while copies actually are made and
53:30
while copies actually are made and you're using uh many many tool but uh u
53:35
you're using uh many many tool but uh u
53:35
you're using uh many many tool but uh u in use in traditional environment that
53:37
in use in traditional environment that
53:37
in use in traditional environment that me that not always visible or or some
53:41
me that not always visible or or some
53:41
me that not always visible or or some usful uh uh depending on your cloud
53:44
usful uh uh depending on your cloud
53:45
usful uh uh depending on your cloud service and deal actually with the with
53:47
service and deal actually with the with
53:48
service and deal actually with the with the cloud provider you can use actually
53:52
the cloud provider you can use actually
53:52
the cloud provider you can use actually different forensic requirement because
53:55
different forensic requirement because
53:55
different forensic requirement because is standard is actually developed as a
53:58
is standard is actually developed as a
53:58
is standard is actually developed as a set of global digital
54:01
set of global digital
54:01
set of global digital forensic uh uh standard for example I
54:05
forensic uh uh standard for example I
54:05
forensic uh uh standard for example I don't know uh maybe 27 uh uh but uh
54:11
don't know uh maybe 27 uh uh but uh
54:11
don't know uh maybe 27 uh uh but uh actually uh
54:12
actually uh
54:12
actually uh 137 that is a for collecting identify
54:16
137 that is a for collecting identify
54:16
137 that is a for collecting identify and preserving elect electric evidence
54:19
and preserving elect electric evidence
54:19
and preserving elect electric evidence but you can using uh you can using 41
54:23
but you can using uh you can using 41
54:23
but you can using uh you can using 41 that is gu for incident investigation or
54:26
that is gu for incident investigation or
54:26
that is gu for incident investigation or or 42 for digital evidence analysis you
54:30
or 42 for digital evidence analysis you
54:31
or 42 for digital evidence analysis you can use standard for instant
54:33
can use standard for instant
54:33
can use standard for instant investigation
54:34
investigation
54:34
investigation from for example a discovery or a
54:38
from for example a discovery or a
54:38
from for example a discovery or a principle process for different
54:40
principle process for different
54:40
principle process for different different uh technique but uh that is
54:43
different uh technique but uh that is
54:43
different uh technique but uh that is very important to take into account uh
54:48
very important to take into account uh
54:48
very important to take into account uh because many company must guarantee of
54:51
because many company must guarantee of
54:51
because many company must guarantee of digital evidence they provide in
54:53
digital evidence they provide in
54:53
digital evidence they provide in response to legal requirements in inv
54:55
response to legal requirements in inv
54:55
response to legal requirements in inv valid of
54:57
valid of
54:57
valid of custom the second part of my
55:00
custom the second part of my
55:00
custom the second part of my presentation is actually uh uh how we
55:04
presentation is actually uh uh how we
55:04
presentation is actually uh uh how we use uh copilot how we use Defender in
55:09
use uh copilot how we use Defender in
55:09
use uh copilot how we use Defender in day-to-day in investigation I can use
55:12
day-to-day in investigation I can use
55:13
day-to-day in investigation I can use copilot from summarizing incident for
55:15
copilot from summarizing incident for
55:15
copilot from summarizing incident for providing response for script analysis
55:18
providing response for script analysis
55:18
providing response for script analysis for natural language for my custom query
55:22
for natural language for my custom query
55:22
for natural language for my custom query language I can analyze this file I can
55:25
language I can analyze this file I can
55:25
language I can analyze this file I can conduct in incident report and I can
55:28
conduct in incident report and I can
55:28
conduct in incident report and I can Define some device summary with copilot
55:32
Define some device summary with copilot
55:32
Define some device summary with Copilot
55:35
but you can see in contain many many
55:38
others in order to be summarized I have
55:41
a lot of indicator of compromise that is very
55:44
very heavy for my manual work and I can
55:49
use I can use Copilot in that way what is
55:53
my idea uh to share some some
55:58
knowledge regarding regarding this
56:01
part I I can go now in security
56:03
Microsoft
56:08
home and in in my in my homepage and you
56:11
can see now that is actually my Defender
56:13
XDR
56:16
portal and when I click here in in
56:20
investigation part because yes that is a
56:23
uh unified experience with the next level
56:26
of Security Operations Center efficiency
56:27
with
56:30
one portal for my hunting for my triage
56:33
for my investigation from respond better
56:36
with the Sentinel in Defender portal you
56:39
can see Microsoft Sentinel is via
56:42
workspace integrated with Defender XDR
56:46
how we uh see that I can go in settings
56:49
and I can go in Microsoft Sentinel and when
56:51
I click on Microsoft Sentinel you can see
56:54
this my Log Analytics that is a central
56:57
place to collect for your security and
57:00
operation logs connect with my
57:04
subscription and Resource Group here uh
57:07
with with XDR and I'm using a predefined
57:11
connector for that purpose that is XDR
57:13
connector that is also
57:17
prerequisite and with a point of view uh
57:20
integration that is that is very easy to
57:23
integrate with Defender and when I click
57:26
from some incident you can see in
57:30
dashboard incident name incident ID tags
57:33
severity uh in investigation state and
57:36
many different category here
57:39
and I I give you
57:44
some example I can use uh this 101
57:47
incident it is very interesting for
57:52
forensic investigation and when I when I
57:56
uh see here I can open a
57:59
open attack story attack story with the
58:01
incident graph that is a part of
58:05
Microsoft Sentinel but you can see now
58:08
also many recommendation many
58:11
classification I can see my users I can
58:15
see uh my IP address but I can see a lot
58:19
of a lot of different file for example
58:24
25 I can view this file and in forensic
58:27
way to continue with with the incident
58:31
investigation the third part is Copilot
58:35
Copilot with your incident summary that
58:37
is automatically
58:40
generated high severity information
58:44
about the incident what we are doing in
58:48
initial phase discovery uh I have some
58:51
potential credential access involving
58:55
Mimikatz tool um and uh with a point of
58:58
view uh lateral movement I can see
59:01
activity by CryptoLocker here and I can
59:06
continue with with conducting my
59:08
investigation VirusTotal is also
59:11
integrated but I have seen malies
59:14
detected I have see
59:17
fet and I can see object for details
59:22
with the uh with the with actually point
59:26
of view and inte integrity of of of file
59:31
I can open a CryptoLocker page and
59:34
using Copilot from get generated file
59:39
analysis here that is very very uh easy
59:42
to to to understand and when I click for
59:45
example now for Copilot security I have
59:48
different uh prompts I'm currently using
59:52
here in my usage monitoring free uh
59:56
actually security compute unit that is
59:58
standard Microsoft standard for the
59:59
serious
1:00:03
investigation and I can you can see now
1:00:07
my my session here and when I go in
1:00:10
prompt library that is very interesting
1:00:13
I can use different prompt contains one
1:00:16
or more prompt in seconds automatically
1:00:20
I can use for example Microsoft Sentinel
1:00:22
investigation but the subject on my
1:00:26
investigation is some suspicious script
1:00:30
this I can generate report with prompts
1:00:33
different prompts here but I I
1:00:35
previously have have some session in
1:00:39
that way and I can go in search session
1:00:41
for example
1:00:45
script uh and I can see some script
1:00:48
analysis here to to conduct some some
1:00:50
investigation and when I click
1:00:53
here that is very uh that is very
1:00:56
important I can import some on script
1:01:00
here uh I I I imported before uh but
1:01:03
following script was found as a part
1:01:05
some potentially security incident and
1:01:08
uh that is very very good how uh
1:01:10
Security Copilot explain us with the
1:01:13
point of view security protocol attempt
1:01:15
on convert
1:01:20
s file how we decrypt context using some
1:01:23
key how to execute this decrypt content
1:01:25
with the PowerShell command in forensic
1:01:29
way and I provide reputation for any IP
1:01:35
address here uh investigation show me I
1:01:38
reveal some domain malicious malicious
1:01:42
IP address and URL who is including
1:01:45
investigation lot of different domain
1:01:49
when I uh generated this script and very
1:01:53
important part is recommendation from
1:01:56
responding script execution uh what is
1:01:59
what we what are doing in order to
1:02:01
isolate affected system through the
1:02:05
network forensic analysis I can see network
1:02:08
traffic with the point of view education
1:02:10
and aware and security awareness lot of
1:02:14
lot of and in summary I have all
1:02:17
information regarding with this incident
1:02:20
that is definitely save your time save
1:02:24
your time if you don't have some specify
1:02:27
forensic analyst in your team in
1:02:31
correlation and work closely with your
1:02:35
um security analyst but uh you can see
1:02:39
here a lot of lot of different option
1:02:43
how how how to to to reveal and when I
1:02:47
have I I go back in in my previously
1:02:52
incident and when I click incident part
1:02:56
for example I I have some recommendation
1:02:59
uh uh automatically generated incident
1:03:04
report but uh also important for me uh
1:03:07
some different information in
1:03:11
containment phase okay you must isolate
1:03:14
your device from rest of the network you
1:03:17
can see now isolate device and when I
1:03:19
click here for isolate device I have
1:03:23
option for manually isolated my my domain
1:03:29
machine here and and uh uh but you can
1:03:32
use AI-generated content may be incorrect
1:03:35
you can you can check everything you can
1:03:38
manage with your incident with incident
1:03:41
name with your severity with the tags
1:03:44
how to assign your incident and
1:03:47
status I have information that my
1:03:49
incident is automatically resolved in attack
1:03:53
disruption and classification because I
1:03:56
conducting some security testing I I uh
1:03:59
finish with my manage incident and I
1:04:04
resolve s with this incident but uh most
1:04:07
important how we stop lateral
1:04:10
movement in automatic way uh with the
1:04:13
forensic investigation uh completed
1:04:18
disable account what is next steps okay
1:04:21
you can reset password for this device
1:04:25
uh you can disable this device and of
1:04:28
course the first steps is to isolate on
1:04:30
on on the rest of the network because
1:04:35
you have Rover activity here uh that is
1:04:38
actually crucial in in in in forensic
1:04:40
investigation to find to find the best
1:04:43
performance and I am connected with my
1:04:46
indicator of compromise I am connected
1:04:48
with my vulnerability management
1:04:51
database I can create summary from my
1:04:54
incident reporting here and that is that
1:04:56
is very cool
1:04:59
uh and when I click here in action in
1:05:00
action
1:05:04
center I can go in history and in a
1:05:08
history I can see all the process of my
1:05:12
at description action type is a stops uh
1:05:16
I can I I have file in my quarantine I can
1:05:20
contain users disable users uh file
1:05:23
quarantine action and etc. that is
1:05:26
actually very important part in order to
1:05:31
stop uh lateral movement activity I have
1:05:34
uh potentially user enumeration from my
1:05:37
domain controller but artificial
1:05:40
intelligence in forensic investigation
1:05:44
automatically uh resolve this activity
1:05:47
in containment phase and stop attack
1:05:51
that is very important uh uh actually
1:05:55
actually uh when we talking about of of
1:05:58
of of this part okay uh I have
1:06:01
information of of Jonathan hakan I I'm
1:06:05
I'm very close to to finish I previously
1:06:09
explained here just in time access for
1:06:12
my virtual machine I conduct with with
1:06:15
my specific port and file integrity
1:06:18
monitoring with my Linux and Windows machine
1:06:22
uh I add modify and remove uh with a
1:06:25
point of view registry file integrity
1:06:27
monitoring is the best practice
1:06:29
comparison method to use to detect
1:06:31
suspicious modification in the registry
1:06:35
and change to be indicated in attack and
1:06:38
we are using different different ATT
1:06:42
tool like Hulk like security assessment
1:06:46
PowerShell module for our for our incident
1:06:50
uh incident investigation and actually
1:06:52
Exchange Online Management PowerShell module is
1:06:58
also amazing cic a SP tools and uh
1:07:04
everything uh for example that is example
1:07:07
uh when we're talking about office res f
1:07:11
foring tool that is procedure you can
1:07:13
look in Signal data you can use paral to
1:07:17
retrieve Microsoft Entra ID uh and you
1:07:21
can use different for example unified audit
1:07:23
tool to deep dive on particular users on
1:07:26
indicator when you're extracting power
1:07:28
you can use an instructor you can use
1:07:31
forensic data the microne is in the
1:07:36
response but uh Azure Data uh Explorer is
1:07:40
not recommended a for ad hoc forensic
1:07:42
that is that is very important it the
1:07:45
point to VI action I have additional
1:07:47
five minutes I
1:07:50
promise uh Active Directory hardening is
1:07:52
very important you should review your
1:07:56
tier model zero you can find a way how
1:07:58
to restrict service account from
1:08:02
interactive logins you can use the
1:08:05
uh different method for uh service
1:08:07
account with the point of view patching
1:08:09
you can implement in standard
1:08:12
comprehensive patching strategy across
1:08:16
all systems you can use Intune Microsoft
1:08:19
Intune you can use SCCM for that purpose
1:08:22
or some third-party product but enroll of
1:08:27
your 100% of devices very important to
1:08:30
be all your device enrolled in Microsoft
1:08:32
Defender for Endpoint
1:08:36
um uh cyber security hygiene is very very
1:08:39
important with the point of view how to
1:08:43
enable conditional device exploit guard
1:08:46
a lot of lot a lot of passwordless
1:08:49
techniques in that way and using
1:08:52
firewall to block incoming connection or
1:08:56
some network security groups I I
1:08:58
uh previously mentioned the point of
1:09:02
view identity how we deal in using uh
1:09:06
protection from inventory disable SMB
1:09:09
protocol inventory to disable NTLM
1:09:11
version one and some TLS
1:09:16
like um 1.0 and
1:09:20
1.1 that is inventory to discontinue to
1:09:21
use but you can use
1:09:27
GPO very in and uh after that for some
1:09:29
for example computer account in order to
1:09:32
resolve this this strong authentication
1:09:34
with with multi-factor authentication that
1:09:37
is a mandatory option when you logging in
1:09:40
for your Azure portal your admin or
1:09:43
Intune portal that is a mandatory from uh
1:09:47
15 September to to work and strong
1:09:51
authentication with theal he is very
1:09:53
very important and the recommendation
1:09:57
for access uh uh you can different use
1:10:00
but main important part is how to plan
1:10:04
for the deployment for a pre work
1:10:07
station uh monitor your tier zero account
1:10:11
and aing usage regularly you can perform
1:10:13
regular audit for any external vendor
1:10:17
management from an activity uh using VPN
1:10:21
clients that legit monitoring MFA is
1:10:24
also required but actually uh you can
1:10:25
different
1:10:28
techniques using for activity Defender
1:10:32
for Identity I I I mentioned before
1:10:35
inventory your application enable AppLocker
1:10:38
in audit mode for inventory
1:10:40
application uh whitelist approve
1:10:43
application blacklist from your
1:10:44
unauthorized
1:10:48
application uh with fine-tuning uh your
1:10:51
comprehensive incident plan including
1:10:54
host isolation including out-of-band
1:10:56
communication quick implementation of
1:10:59
different Ag and you can
1:11:02
using entity behavior
1:11:04
analytics uh in combination with the
1:11:07
Defender XDR Sentinel and Security
1:11:11
Copilot I I uh show you before uh for
1:11:14
your anti-phishing policy for example
1:11:17
for Defender for Office and because SMB
1:11:19
is in remote file system that is require
1:11:22
protection from M when Windows computer
may be tricking to to contact in some
1:11:24
may be tricking to to contact in some
1:11:24
may be tricking to to contact in some isue
1:11:25
isue
1:11:26
isue and impact of changes blocking
1:11:27
and impact of changes blocking
1:11:27
and impact of changes blocking connectivity for SB prevent various
1:11:30
connectivity for SB prevent various
1:11:30
connectivity for SB prevent various applicational services from functioning
1:11:33
applicational services from functioning
1:11:33
applicational services from functioning of course and that is very very
1:11:35
of course and that is very very
1:11:36
of course and that is very very important to to to know in the practice
1:11:39
important to to to know in the practice
1:11:39
important to to to know in the practice ENT protection I mention before but you
1:11:43
ENT protection I mention before but you
1:11:43
ENT protection I mention before but you can use signing risk use a risk policy
1:11:46
can use signing risk use a risk policy
1:11:46
can use signing risk use a risk policy in combination with your conditional
1:11:47
in combination with your conditional
1:11:47
in combination with your conditional access policy in order to protect U on
1:11:51
access policy in order to protect U on
1:11:51
access policy in order to protect U on premise deployment on then TRD pass
1:11:53
premise deployment on then TRD pass
1:11:53
premise deployment on then TRD pass protection use some global custom B
1:11:56
protection use some global custom B
1:11:56
protection use some global custom B password list that is our store in ENT
1:11:59
password list that is our store in ENT
1:11:59
password list that is our store in ENT ID and the dis check are performed
1:12:02
ID and the dis check are performed
1:12:02
ID and the dis check are performed during the password change and
1:12:04
during the password change and
1:12:04
during the password change and everything P arrested against on premise
1:12:06
everything P arrested against on premise
1:12:06
everything P arrested against on premise at directory domain service for your
1:12:09
at directory domain service for your
1:12:09
at directory domain service for your domain controller it is it is very
1:12:11
domain controller it is it is very
1:12:11
domain controller it is it is very important and finally uh that is what I
1:12:14
important and finally uh that is what I
1:12:14
important and finally uh that is what I mention ENT identity protection in order
1:12:18
mention ENT identity protection in order
1:12:18
mention ENT identity protection in order to to protect for leaking credal
1:12:21
to to protect for leaking credal
1:12:22
to to protect for leaking credal impossible for example traff for a
1:12:24
impossible for example traff for a
1:12:24
impossible for example traff for a typical location
1:12:25
typical location
1:12:25
typical location signing from infected devices from
1:12:28
signing from infected devices from
1:12:28
signing from infected devices from Anonymous IP address suspicious activity
1:12:32
Anonymous IP address suspicious activity
1:12:32
Anonymous IP address suspicious activity unfamiliar location that is also part in
1:12:35
unfamiliar location that is also part in
1:12:35
unfamiliar location that is also part in when you're going in identity protection
1:12:37
when you're going in identity protection
1:12:38
when you're going in identity protection this detection you can see but properly
1:12:40
this detection you can see but properly
1:12:40
this detection you can see but properly using this type of policy combination
1:12:43
using this type of policy combination
1:12:43
using this type of policy combination conditional policy and aure policy that
1:12:46
conditional policy and aure policy that
1:12:46
conditional policy and aure policy that is actually wi wi
1:12:51
is actually wi wi
1:12:51
is actually wi wi situation that is uh from Al all from my
1:12:54
situation that is uh from Al all from my
1:12:54
situation that is uh from Al all from my side
1:12:58
and we can discuss if you have any
1:13:01
and we can discuss if you have any
1:13:02
and we can discuss if you have any question during this session or after
1:13:08
that okay so thank you thank you so much
1:13:12
that okay so thank you thank you so much
1:13:12
that okay so thank you thank you so much a really great uh session here I'm not
1:13:16
a really great uh session here I'm not
1:13:16
a really great uh session here I'm not sure here if we have any comments from
1:13:19
sure here if we have any comments from
1:13:19
sure here if we have any comments from our our
1:13:20
our our
1:13:20
our our audience yes uh first of all thank you
1:13:23
audience yes uh first of all thank you
1:13:23
audience yes uh first of all thank you oros for a great session I I was like
1:13:27
oros for a great session I I was like
1:13:27
oros for a great session I I was like taking notes and learning from the
1:13:29
taking notes and learning from the
1:13:29
taking notes and learning from the background uh we do do not have any
1:13:32
background uh we do do not have any
1:13:32
background uh we do do not have any questions but I do have one I mean from
1:13:35
questions but I do have one I mean from
1:13:35
questions but I do have one I mean from the audience we don't have any they're
1:13:37
the audience we don't have any they're
1:13:37
the audience we don't have any they're very quiet today and also maybe just
1:13:41
very quiet today and also maybe just
1:13:41
very quiet today and also maybe just learning from you oros uh a lot of a lot
1:13:44
learning from you oros uh a lot of a lot
1:13:44
learning from you oros uh a lot of a lot of security topics or concepts to absorb
1:13:49
of security topics or concepts to absorb
1:13:49
of security topics or concepts to absorb uh of course but one question that came
1:13:51
uh of course but one question that came
1:13:51
uh of course but one question that came up to my mind that probably our audience
1:13:53
up to my mind that probably our audience
1:13:53
up to my mind that probably our audience is also interested uh to learn uh to
1:13:57
is also interested uh to learn uh to
1:13:57
is also interested uh to learn uh to know is that I really liked what what
1:14:00
know is that I really liked what what
1:14:00
know is that I really liked what what you showed about how uh Microsoft
1:14:02
you showed about how uh Microsoft
1:14:02
you showed about how uh Microsoft co-pilot for security can help with uh
1:14:06
co-pilot for security can help with uh
1:14:06
co-pilot for security can help with uh like forensics as well do you have any
1:14:09
like forensics as well do you have any
1:14:09
like forensics as well do you have any idea or can you share to us how uh how
1:14:12
idea or can you share to us how uh how
1:14:13
idea or can you share to us how uh how any person or any Asher user or co-pilot
1:14:16
any person or any Asher user or co-pilot
1:14:16
any person or any Asher user or co-pilot user can utilize or use it uh is it free
1:14:20
user can utilize or use it uh is it free
1:14:20
user can utilize or use it uh is it free is it does it cost something yes you
1:14:23
is it does it cost something yes you
1:14:23
is it does it cost something yes you have some cost for your actually $5 per
1:14:27
have some cost for your actually $5 per
1:14:27
have some cost for your actually $5 per per hour you have security consumption
1:14:31
per hour you have security consumption
1:14:31
per hour you have security consumption unit but I I uh actually when I talking
1:14:36
unit but I I uh actually when I talking
1:14:36
unit but I I uh actually when I talking about here
1:14:37
about here
1:14:37
about here in but uh you you don't have some time
1:14:42
in but uh you you don't have some time
1:14:42
in but uh you you don't have some time yes that is that is very important here
1:14:44
yes that is that is very important here
1:14:44
yes that is that is very important here for example you can analyze this file
1:14:47
for example you can analyze this file
1:14:47
for example you can analyze this file very sophisticated attack using uh using
1:14:51
very sophisticated attack using uh using
1:14:51
very sophisticated attack using uh using security copilot in micros Defender indr
1:14:55
security copilot in micros Defender indr
1:14:55
security copilot in micros Defender indr to quickly identify malicious and
1:14:57
to quickly identify malicious and
1:14:57
to quickly identify malicious and suspicious file and after that you have
1:15:00
suspicious file and after that you have
1:15:00
suspicious file and after that you have overview finaly is usually contain overw
1:15:04
overview finaly is usually contain overw
1:15:04
overview finaly is usually contain overw of contains of an assessment of the file
1:15:07
of contains of an assessment of the file
1:15:07
of contains of an assessment of the file and Thea section including string API
1:15:11
and Thea section including string API
1:15:11
and Thea section including string API calls and relevant certificate for that
1:15:15
calls and relevant certificate for that
1:15:15
calls and relevant certificate for that propose but you can use in summary to
1:15:18
propose but you can use in summary to
1:15:19
propose but you can use in summary to get device in security post vulnerably
1:15:21
get device in security post vulnerably
1:15:21
get device in security post vulnerably software information and copilot when I
1:15:24
software information and copilot when I
1:15:24
software information and copilot when I click you can got all device summary
1:15:27
click you can got all device summary
1:15:27
click you can got all device summary report regarding what is vulnerable and
1:15:31
report regarding what is vulnerable and
1:15:31
report regarding what is vulnerable and with with a point of view recommendation
1:15:34
with with a point of view recommendation
1:15:34
with with a point of view recommendation and everything in that we uh comp help
1:15:37
and everything in that we uh comp help
1:15:37
and everything in that we uh comp help you in in three stage in order to
1:15:40
you in in three stage in order to
1:15:40
you in in three stage in order to summarize report in order to to have
1:15:43
summarize report in order to to have
1:15:43
summarize report in order to to have some reverse technique of engineering
1:15:46
some reverse technique of engineering
1:15:46
some reverse technique of engineering with the forensic investigation and
1:15:49
with the forensic investigation and
1:15:49
with the forensic investigation and finally to connect some uh indicator of
1:15:52
finally to connect some uh indicator of
1:15:52
finally to connect some uh indicator of compromise to found and connected with
1:15:55
compromise to found and connected with
1:15:55
compromise to found and connected with Timeline Activity and everything and
1:15:58
Timeline Activity and everything and
1:15:58
Timeline Activity and everything and your work many many
1:16:01
your work many many
1:16:01
your work many many fast and you have save the time
1:16:04
fast and you have save the time
1:16:04
fast and you have save the time investigation of your security incident
1:16:06
investigation of your security incident
1:16:06
investigation of your security incident and that is how we understand the
1:16:09
and that is how we understand the
1:16:09
and that is how we understand the security co-pilot in order in order to
1:16:12
security co-pilot in order in order to
1:16:12
security co-pilot in order in order to help GPT is something different for the
1:16:15
help GPT is something different for the
1:16:15
help GPT is something different for the user communication but security copilot
1:16:18
user communication but security copilot
1:16:18
user communication but security copilot is dedicated for your uh inant
1:16:22
is dedicated for your uh inant
1:16:22
is dedicated for your uh inant investigation threat hunting activity I
1:16:24
investigation threat hunting activity I
1:16:24
investigation threat hunting activity I can create a custom query language uh
1:16:27
can create a custom query language uh
1:16:27
can create a custom query language uh with with my with my uh query and after
1:16:33
with with my with my uh query and after
1:16:33
with with my with my uh query and after that my automatization process of
1:16:36
that my automatization process of
1:16:36
that my automatization process of Investigation incident is much much much
1:16:39
Investigation incident is much much much
1:16:39
Investigation incident is much much much better okay all right thank you for for
1:16:43
better okay all right thank you for for
1:16:44
better okay all right thank you for for that uh I know it's a very new um
1:16:47
that uh I know it's a very new um
1:16:47
that uh I know it's a very new um service and I I believe pretty well that
1:16:49
service and I I believe pretty well that
1:16:49
service and I I believe pretty well that it works uh uh great with a Microsoft
1:16:52
it works uh uh great with a Microsoft
1:16:52
it works uh uh great with a Microsoft Defender for cloud uh for Asher so thank
1:16:55
Defender for cloud uh for Asher so thank
1:16:55
Defender for cloud uh for Asher so thank you so much I don't have any questions
1:16:58
you so much I don't have any questions
1:16:58
you so much I don't have any questions and uh do how about you hoken I know we
1:17:00
and uh do how about you hoken I know we
1:17:00
and uh do how about you hoken I know we have a feal reserved for uh after
1:17:03
have a feal reserved for uh after
1:17:03
have a feal reserved for uh after session you have anything that you want
1:17:05
session you have anything that you want
1:17:05
session you have anything that you want to like hear open to public I think we
1:17:08
to like hear open to public I think we
1:17:08
to like hear open to public I think we can take it in the the F session yes all
1:17:11
can take it in the the F session yes all
1:17:11
can take it in the the F session yes all right that's good so thank you so much
1:17:14
right that's good so thank you so much
1:17:14
right that's good so thank you so much uh orus for the great session and for
1:17:16
uh orus for the great session and for
1:17:16
uh orus for the great session and for sharing your knowledge with us we
1:17:18
sharing your knowledge with us we
1:17:18
sharing your knowledge with us we appreciate it and also for our audience
1:17:20
appreciate it and also for our audience
1:17:20
appreciate it and also for our audience that joined us along the way in the last
1:17:23
that joined us along the way in the last
1:17:23
that joined us along the way in the last past hour it's weekend uh it's like
1:17:25
past hour it's weekend uh it's like
1:17:25
past hour it's weekend uh it's like lunch time but you learned with us so we
1:17:27
lunch time but you learned with us so we
1:17:27
lunch time but you learned with us so we appreciate it and if you're someone that
1:17:30
appreciate it and if you're someone that
1:17:30
appreciate it and if you're someone that has like more questions to ask to or or
1:17:33
has like more questions to ask to or or
1:17:33
has like more questions to ask to or or to just want to connect to me in hokan
1:17:35
to just want to connect to me in hokan
1:17:35
to just want to connect to me in hokan uh feel free to join us on our after
1:17:38
uh feel free to join us on our after
1:17:38
uh feel free to join us on our after session F you can scan the QR code it's
1:17:41
session F you can scan the QR code it's
1:17:41
session F you can scan the QR code it's a private Zoom meeting between uh the
1:17:44
a private Zoom meeting between uh the
1:17:44
a private Zoom meeting between uh the community and the speaker so feel free
1:17:46
community and the speaker so feel free
1:17:46
community and the speaker so feel free to join us you're welcome uh anytime and
1:17:50
to join us you're welcome uh anytime and
1:17:50
to join us you're welcome uh anytime and uh I will be sharing the bitly link it's
1:17:52
uh I will be sharing the bitly link it's
1:17:52
uh I will be sharing the bitly link it's actually this one so it's just bitly Ash
1:17:56
actually this one so it's just bitly Ash
1:17:56
actually this one so it's just bitly Ash Ash asuk Sweden F Dash the date of today
1:18:00
Ash asuk Sweden F Dash the date of today
1:18:00
Ash asuk Sweden F Dash the date of today in that format so yes um any any
1:18:06
in that format so yes um any any
1:18:06
in that format so yes um any any anything else from your side or is uh
1:18:09
anything else from your side or is uh
1:18:09
anything else from your side or is uh where can our community can reach out to
1:18:12
where can our community can reach out to
1:18:12
where can our community can reach out to you uh for more information or learn
1:18:16
you uh for more information or learn
1:18:16
you uh for more information or learn more about what you do is follow me on
1:18:19
more about what you do is follow me on
1:18:19
more about what you do is follow me on LinkedIn and and my my actually my I
1:18:23
LinkedIn and and my my actually my I
1:18:23
LinkedIn and and my my actually my I have I also have here I I share with you
1:18:28
have I also have here I I share with you
1:18:28
have I also have here I I share with you a very interesting blog in regarding
1:18:33
a very interesting blog in regarding
1:18:33
a very interesting blog in regarding regarding Cloud investigation my fure I
1:18:36
regarding Cloud investigation my fure I
1:18:36
regarding Cloud investigation my fure I have I have my YouTube YouTube channel
1:18:40
have I have my YouTube YouTube channel
1:18:40
have I have my YouTube YouTube channel and I have my Meetup Serbian Meetup like
1:18:45
and I have my Meetup Serbian Meetup like
1:18:46
and I have my Meetup Serbian Meetup like like yours Meetup and I'm looking
1:18:49
like yours Meetup and I'm looking
1:18:49
like yours Meetup and I'm looking forward in the next challenge to be uh
1:18:51
forward in the next challenge to be uh
1:18:51
forward in the next challenge to be uh Jonah and hak guest in Serbia group and
1:18:55
Jonah and hak guest in Serbia group and
1:18:55
Jonah and hak guest in Serbia group and discuss many different topics in yes yes
1:19:00
discuss many different topics in yes yes
1:19:00
discuss many different topics in yes yes we we do have we hokan and I planned
1:19:03
we we do have we hokan and I planned
1:19:03
we we do have we hokan and I planned October to be the cloud
1:19:05
October to be the cloud
1:19:05
October to be the cloud security um month uh so we're we're very
1:19:08
security um month uh so we're we're very
1:19:08
security um month uh so we're we're very glad that you you could share that uh
1:19:11
glad that you you could share that uh
1:19:11
glad that you you could share that uh Cloud security is very important so
1:19:13
Cloud security is very important so
1:19:13
Cloud security is very important so you're definitely welcome to come back
1:19:15
you're definitely welcome to come back
1:19:15
you're definitely welcome to come back again uh bear with us about the the the
1:19:19
again uh bear with us about the the the
1:19:19
again uh bear with us about the the the queue but we're we're thankful to have
1:19:23
queue but we're we're thankful to have
1:19:23
queue but we're we're thankful to have you and you finally uh uh got a session
1:19:26
you and you finally uh uh got a session
1:19:26
you and you finally uh uh got a session with us thank you thank you so much for
1:19:29
with us thank you thank you so much for
1:19:29
with us thank you thank you so much for your for your invitation and this
1:19:31
your for your invitation and this
1:19:31
your for your invitation and this session and discussion about very
1:19:33
session and discussion about very
1:19:33
session and discussion about very interesting Pro topics and uh I'm
1:19:37
interesting Pro topics and uh I'm
1:19:37
interesting Pro topics and uh I'm looking forward with you both of us in
1:19:40
looking forward with you both of us in
1:19:40
looking forward with you both of us in in new session and Challenge and
1:19:42
in new session and Challenge and
1:19:42
in new session and Challenge and discussion on different topics regarding
1:19:46
discussion on different topics regarding
1:19:46
discussion on different topics regarding security and other topic in
1:19:49
security and other topic in
1:19:49
security and other topic in mure and uh it is definitely uh plan for
1:19:53
mure and uh it is definitely uh plan for
1:19:54
mure and uh it is definitely uh plan for for the near future and uh have a nice
1:19:57
for the near future and uh have a nice
1:19:57
for the near future and uh have a nice uh weekend for all all participants and
1:20:02
uh weekend for all all participants and
1:20:02
uh weekend for all all participants and uh for today yes and you're joining us
1:20:06
uh for today yes and you're joining us
1:20:06
uh for today yes and you're joining us for the after session F right the in
1:20:09
for the after session F right the in
1:20:09
for the after session F right the in case someone joins for any question I
1:20:11
case someone joins for any question I
1:20:11
case someone joins for any question I sent the uh bit link bitly link to you
1:20:14
sent the uh bit link bitly link to you
1:20:14
sent the uh bit link bitly link to you in the private chat yes of
1:20:17
in the private chat yes of
1:20:17
in the private chat yes of course all right how can anything else
1:20:20
course all right how can anything else
1:20:20
course all right how can anything else before we say goodbye now yes wish
1:20:23
before we say goodbye now yes wish
1:20:23
before we say goodbye now yes wish everyone a happy weekend
1:20:25
everyone a happy weekend
1:20:25
everyone a happy weekend yes us and stay to be more
1:20:30
yes us and stay to be more
1:20:30
yes us and stay to be more proactive uh with the point of you how
1:20:33
proactive uh with the point of you how
1:20:33
proactive uh with the point of you how we protect from any sophisticated attack
1:20:36
we protect from any sophisticated attack
1:20:36
we protect from any sophisticated attack and I'm sure that this session helped
1:20:39
and I'm sure that this session helped
1:20:39
and I'm sure that this session helped many of of participants to found the
1:20:42
many of of participants to found the
1:20:42
many of of participants to found the best way to protect from different type
1:20:45
best way to protect from different type
1:20:45
best way to protect from different type of attack thank you very much you're
1:20:48
of attack thank you very much you're
1:20:48
of attack thank you very much you're welcome this session is recorded so feel
1:20:50
welcome this session is recorded so feel
1:20:50
welcome this session is recorded so feel free to reshare it to your colleagues uh
1:20:53
free to reshare it to your colleagues uh
1:20:53
free to reshare it to your colleagues uh and Friends also
1:20:55
and Friends also
1:20:55
and Friends also that might find this session of oras uh
1:20:58
that might find this session of oras uh
1:20:58
that might find this session of oras uh helpful so um see you again uh soon and
1:21:02
helpful so um see you again uh soon and
1:21:02
helpful so um see you again uh soon and I think uh hokan and I we're going to
1:21:04
I think uh hokan and I we're going to
1:21:04
I think uh hokan and I we're going to have uh uh by the end of this month we
1:21:07
have uh uh by the end of this month we
1:21:07
have uh uh by the end of this month we do have a session like a special edition
1:21:09
do have a session like a special edition
1:21:10
do have a session like a special edition session uh for Microsoft learn where we
1:21:12
session uh for Microsoft learn where we
1:21:12
session uh for Microsoft learn where we will be sharing about um how you can
1:21:16
will be sharing about um how you can
1:21:16
will be sharing about um how you can prepare for AI 900 uh or an AI
1:21:20
prepare for AI 900 uh or an AI
1:21:20
prepare for AI 900 uh or an AI certification so it's a special edition
1:21:22
certification so it's a special edition
1:21:22
certification so it's a special edition between me and okan as Microsoft
1:21:25
between me and okan as Microsoft
1:21:25
between me and okan as Microsoft certified trainers so the event is on
1:21:27
certified trainers so the event is on
1:21:27
certified trainers so the event is on our Meetup uh we can share it later on
1:21:30
our Meetup uh we can share it later on
1:21:30
our Meetup uh we can share it later on but it's there so feel free to join
1:21:32
but it's there so feel free to join
1:21:32
but it's there so feel free to join because uh we will be giving away uh 50%
1:21:36
because uh we will be giving away uh 50%
1:21:36
because uh we will be giving away uh 50% vouchers for those who wants to uh I
1:21:39
vouchers for those who wants to uh I
1:21:39
vouchers for those who wants to uh I mean get or try to get certified in AI
1:21:43
mean get or try to get certified in AI
1:21:43
mean get or try to get certified in AI so join us and ORS feel free to share it
1:21:45
so join us and ORS feel free to share it
1:21:45
so join us and ORS feel free to share it to your uh colleagues and friends if you
1:21:47
to your uh colleagues and friends if you
1:21:47
to your uh colleagues and friends if you have any that might be
1:21:50
have any that might be
1:21:50
have any that might be interested okay time to say goodbye and
1:21:53
interested okay time to say goodbye and
1:21:53
interested okay time to say goodbye and have a great weekend everyone see you
1:21:56
have a great weekend everyone see you
1:21:56
have a great weekend everyone see you next time bye
1:22:00
[Music]
#Computer Security
#Hacking & Cracking
#Network Security