
Microsoft Security: Enterprise Use Cases

End-to-end scenarios showing how Defender XDR, Sentinel, Security Copilot, and Purview work together under a Zero Trust framework, from detection to remediation, with KQL queries, AI prompts, playbooks, and lessons learned.

The Microsoft Unified Security Operations Model

Modern enterprise security requires an integrated platform where machines detect, AI triages, humans decide, and automation responds. These use cases demonstrate this model in action, showing specific tools, queries, and workflows at each stage.

Zero Trust Security Operations Workflow

  1. Detect: Defender XDR auto-correlates alerts across 9 products
  2. Enrich: Sentinel adds 3rd-party data, custom KQL, threat intel
  3. Investigate: Security Copilot summarises, generates KQL, enriches IOCs
  4. Respond: XDR AIR + Sentinel playbooks auto-contain & remediate
  5. Learn: Post-incident review, new detections, posture hardening

Solutions Referenced in These Use Cases

Defender XDR · Defender for Endpoint (MDE) · Defender for Office 365 (MDO) · Defender for Identity (MDI) · Defender for Cloud Apps (MDA) · Microsoft Sentinel · Entra ID Protection · Security Copilot · Purview DLP · Defender for Cloud (MDC)

Security Frameworks & Acronyms Used

Each use case is tagged with industry-standard security frameworks. Here is what they mean and why they matter.

🔒 Zero Trust Security Model

Zero Trust is a security strategy that assumes no user, device, or network is trustworthy by default, even inside the corporate network. Instead of trusting anything behind the firewall, every access request is fully authenticated, authorised, and encrypted before access is granted. It is built on three core principles:

  • Verify Explicitly: Always authenticate and authorise based on all available data points: user identity, location, device health, service, data classification, and anomalies.
  • Least Privilege Access: Limit user access to only what they need, only when they need it. Use just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection.
  • Assume Breach: Operate as if attackers are already inside. Minimise blast radius and segment access. Verify end-to-end encryption, use analytics to detect threats, and improve defences continuously.

📋 NIST Cybersecurity Framework (CSF 2.0)

The NIST Cybersecurity Framework, created by the U.S. National Institute of Standards and Technology, is the most widely adopted framework for organising cybersecurity activities. It defines six core functions. When you see badges like NIST: Detect · Respond on a use case, it tells you which functions that scenario exercises:

| Code | Function | What It Means | Example Activities |
|---|---|---|---|
| GV | Govern | Establish and monitor the organisation’s cybersecurity risk management strategy and policies | Risk assessments, security policies, roles & responsibilities, compliance requirements |
| ID | Identify | Understand your assets, risks, and business context so you know what to protect | Asset inventory, risk assessment, business impact analysis, supply chain risk |
| PR | Protect | Implement safeguards to prevent or limit the impact of a security event | MFA, encryption, endpoint protection, access controls, security training |
| DE | Detect | Discover cybersecurity events in a timely manner using monitoring and analytics | SIEM alerts, XDR correlation, anomaly detection, threat hunting with KQL |
| RS | Respond | Take action when a cybersecurity incident is detected to contain the damage | Incident response, containment, forensics, communication, playbook execution |
| RC | Recover | Restore capabilities and services after an incident, and apply lessons learned | System restoration, backup recovery, post-incident review, process improvements |

🎯 STRIDE Threat Model

STRIDE is a threat classification model developed by Microsoft to help security teams categorise what an attacker is trying to achieve. Each letter represents a category of threat. When you see a badge like STRIDE: Spoofing, it identifies the primary threat types in that scenario:

| Letter | Threat | What the Attacker Does | Example |
|---|---|---|---|
| S | Spoofing | Pretends to be someone or something they are not | Phishing email impersonating a CFO, stolen credentials, forged authentication tokens |
| T | Tampering | Modifies data or code without authorisation | Ransomware encrypting files, modifying firewall rules, altering backup agents |
| R | Repudiation | Denies having performed an action (no audit trail) | Deleting logs to cover tracks, disabling auditing, clearing browser history |
| I | Information Disclosure | Accesses data they should not be able to see | Reading confidential emails, exfiltrating design files, dumping a database |
| D | Denial of Service (DoS) | Makes a system or service unavailable | Ransomware making servers inaccessible, disabling backup services, cryptomining consuming resources |
| E | Elevation of Privilege | Gains higher access than authorised | Exploiting a vulnerability to gain admin rights, Golden Ticket attack, lateral movement to domain controller |

📖 Microsoft Security Product Acronyms

These acronyms appear throughout the use cases. Here is the full name of each product and what it does:

| Acronym | Full Name | What It Does |
|---|---|---|
| XDR | Extended Detection & Response | Unified platform that correlates alerts from all Defender products into single incidents |
| MDE | Microsoft Defender for Endpoint | Protects laptops, desktops, and servers; detects malware, ransomware, and suspicious behaviour |
| MDO | Microsoft Defender for Office 365 | Protects email and collaboration tools; blocks phishing, malicious attachments, and unsafe links |
| MDI | Microsoft Defender for Identity | Monitors Active Directory for identity-based attacks like credential theft and lateral movement |
| MDA | Microsoft Defender for Cloud Apps | Monitors cloud application usage, detects shadow IT, and enforces session-level controls |
| MDC | Microsoft Defender for Cloud | Protects cloud workloads (VMs, containers, databases) across Azure, AWS, and GCP |
| AIR | Automated Investigation & Response | XDR’s built-in automation that investigates alerts and takes remediation actions without human intervention |
| KQL | Kusto Query Language | The query language used in Sentinel and Defender XDR to search and analyse security data |
| SCU | Security Compute Unit | The billing unit for Security Copilot; each SCU provides a fixed amount of AI processing capacity |
| DLP | Data Loss Prevention | Policies that detect and block sensitive data from being shared outside the organisation |
| IRM | Insider Risk Management | Purview feature that detects risky user behaviour such as data theft by departing employees |
| UEBA | User and Entity Behaviour Analytics | Sentinel feature that builds behavioural baselines and detects anomalies for users and devices |
| SOAR | Security Orchestration, Automation & Response | Automated playbooks (Logic Apps) that run response actions when incidents are detected |

Cross-Scenario Attack and Response Timeline

A consolidated view of how attacks unfold across all four enterprise scenarios, from initial compromise to full recovery and lessons learned.

🔒 Ransomware Attack (UC1)

  • Day 0 (Initial Access): VPN Credential Compromise. Attacker uses stolen VPN credentials from the dark web to access the hospital network perimeter. [T1078 Valid Accounts]
  • Day 1-3 (Discovery): Internal Reconnaissance. Lateral movement across 23 systems. Active Directory enumeration, backup server identification. [T1018 Remote System Discovery]
  • Day 4-7 (Preparation): Backup Tampering and Staging. Shadow copies deleted. Backup agent disabled on 4 servers. Encryption payload staged via scheduled tasks. [T1490 Inhibit System Recovery]
  • Day 9, T+00:00: XDR Correlation Triggers. Defender XDR correlates 23 alerts across MDE, MDI, and Sentinel into a single Critical incident. [Defender XDR · Sentinel]
  • Day 9, T+00:04: Automated Containment. AIR isolates 23 endpoints. Copilot generates executive briefing. Sentinel playbook blocks lateral IPs. [AIR · Copilot]
  • Day 9, T+04:00: Full Recovery. Systems restored from offline backups. $14.8M cost avoided. Zero patient data compromised. [Recovery]

📧 Business Email Compromise (UC2)

  • Hour 0 (Initial Access): CFO Credential Phish. Spear-phishing email with fake DocuSign link targets CFO. AiTM proxy captures session token. [T1566.002 Spear-phishing Link]
  • Hour 1 (Persistence): Inbox Rule Creation. Attacker creates hidden inbox rules forwarding finance emails. Registers malicious OAuth app. [T1564.008 Email Rules]
  • Hour 3 (Execution): Wire Transfer Request. Fraudulent $2.4M wire transfer request sent to accounts payable from CFO's compromised account. [T1534 BEC]
  • Hour 3.5 (Detection): 5-Signal Correlation. MDO detects impossible travel. MDA flags risky OAuth. Sentinel UEBA triggers anomaly alert. [MDO · MDA · Sentinel]
  • Hour 4 (Response): Account Lockdown. Session revoked, inbox rules deleted, OAuth app consent revoked, wire transfer frozen by bank. [Copilot · App Governance]
  • Hour 6 (Recovery): Full Remediation. $2.4M wire transfer reversed. MFA enforced on all executive accounts. Anti-phishing policies hardened. [Recovery]

🕵 Insider Data Exfiltration (UC3)

  • Day 0 (Trigger): Resignation Submitted. Senior engineer submits resignation. HR system triggers Insider Risk Management policy. [IRM Trigger]
  • Day 1-3 (Collection): Mass SharePoint Downloads. 2,400 files downloaded from chip design SharePoint library. 340% above 90-day baseline. [T1530 Data from Cloud Storage]
  • Day 4-5 (Staging): USB and Personal Email. Files copied to personal USB drive. 180 files emailed to personal Gmail account. [T1052 Exfiltration over Physical]
  • Day 5 (Detection): Adaptive Protection Triggers. Purview DLP blocks USB copy. Insider Risk score reaches Critical. Sentinel correlation alert fires. [Purview · DLP]
  • Day 6 (Response): Legal and HR Investigation. Copilot quantifies exposure: 2,400 files, $50M+ IP value. eDiscovery case created. Legal hold applied. [Copilot · eDiscovery]
  • Day 8 (Resolution): Containment Complete. All exfiltrated data identified. Employee access revoked. Forensic evidence package delivered to legal. [Recovery]

🛠 SOC Transformation (UC4)

  • Month 1-2 (Phase 1): Foundation. Deploy Sentinel workspace. Connect Entra ID, M365, and Defender XDR data connectors. [Sentinel · Data Connectors]
  • Month 3-4 (Phase 2): Detection Engineering. Migrate 120 Splunk detection rules to KQL analytics rules. Build 15 automated playbooks. [KQL · Playbooks]
  • Month 5-6 (Phase 3): Automation and AI. Deploy Security Copilot for Tier 1 triage. Automate 60% of routine alerts. Build promptbooks. [Copilot · Automation]
  • Month 7 (Phase 4): Optimization and Decommission. Decommission Splunk. 82% faster MTTD. $2M annual savings. SOC team upskilled on KQL and Copilot. [ROI: $2M/year · 82% faster]
Simulation Scripts Available
Download PowerShell scripts to simulate and remediate these scenarios in your own lab environment.

Use Case 1: Enterprise Ransomware Attack & Recovery

Zero Trust: Assume Breach · NIST: Protect · Detect · Respond · Recover · STRIDE: Tampering · Denial of Service · Elevation of Privilege

📋 Enterprise Scenario

Organisation: Regional hospital network · 8,000 endpoints · 12 facilities · 3,500 employees · HIPAA-regulated
Attack vector: Compromised VPN credential (no MFA enforced) → 9 days of undetected lateral movement → backup agent tampering → encryption at 2:00 AM Saturday
Potential impact: $15M+ recovery costs · 3–6 week operational disruption · patient safety risks · HIPAA breach notification

Phase 1: Detection (How the Platform Catches the Attack)

⚔️ Defender XDR: Automated Alert Correlation

Defender XDR automatically correlates 23 individual alerts from 5 products into 1 unified incident:

  • Entra ID Protection: Risky sign-in from anonymous IP address (VPN compromise) → CA policy should have blocked this
  • MDI: Kerberoasting detected → service account TGS requests from non-service workstation
  • MDE: Encoded PowerShell execution on finance workstation (first-ever PS execution on this device)
  • MDE: LSASS credential dumping attempt blocked by ASR rule
  • MDE: Lateral movement via admin shares to 14 servers

📡 Sentinel: Custom KQL Detection

A custom Sentinel analytics rule detects backup agent service disruption, a critical early warning that traditional tools miss:

// Sentinel Analytics Rule: Backup Agent Service Stops
// Severity: High | Run every: 5 min | Look back: 10 min
Syslog
| where Facility == "daemon" and SeverityLevel == "err"
| where ProcessName in ("veeamservice", "VeeamBackupSvc", "wbengine")
| where SyslogMessage has_any ("stopped", "terminated", "disabled")
| summarize StoppedCount = dcount(Computer), 
            AffectedServers = make_set(Computer) by bin(TimeGenerated, 5m)
| where StoppedCount >= 3 // 3+ backup agents stopped = suspicious
| extend AlertTitle = strcat("CRITICAL: ", StoppedCount, 
         " backup agents stopped in 5 minutes")
| project TimeGenerated, AlertTitle, StoppedCount, AffectedServers

Entity mapping: Host → AffectedServers | MITRE: T1490 Inhibit System Recovery | Auto-response: Triggers playbook to restart services
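The rule above, re-implemented as an added Python example (not from the page) over constructed syslog-style records, so the 5-minute binning and the 3-server threshold can be unit-tested before the KQL goes live. Field names mirror the Sentinel Syslog columns the rule reads; the events, hostnames and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same filters as the Sentinel rule above.
BACKUP_PROCESSES = {"veeamservice", "VeeamBackupSvc", "wbengine"}
STOP_TERMS = re.compile(r"\b(stopped|terminated|disabled)\b", re.IGNORECASE)  # has_any (whole terms)
BIN_SIZE = timedelta(minutes=5)   # bin(TimeGenerated, 5m)
THRESHOLD = 3                     # 3+ distinct servers in one bin = suspicious

# Constructed sample events using the Syslog column names the rule reads.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-03-07T01:31:10", "Computer": "bk-srv-01", "Facility": "daemon",
     "SeverityLevel": "err", "ProcessName": "veeamservice",
     "SyslogMessage": "service veeamservice stopped unexpectedly"},
    {"TimeGenerated": "2026-03-07T01:32:45", "Computer": "bk-srv-02", "Facility": "daemon",
     "SeverityLevel": "err", "ProcessName": "VeeamBackupSvc",
     "SyslogMessage": "VeeamBackupSvc terminated by signal 9."},
    # Same host again: dcount(Computer) must not count it twice.
    {"TimeGenerated": "2026-03-07T01:33:05", "Computer": "bk-srv-01", "Facility": "daemon",
     "SeverityLevel": "err", "ProcessName": "veeamservice",
     "SyslogMessage": "veeamservice disabled via systemctl"},
    {"TimeGenerated": "2026-03-07T01:34:50", "Computer": "bk-srv-03", "Facility": "daemon",
     "SeverityLevel": "err", "ProcessName": "wbengine",
     "SyslogMessage": "wbengine stopped"},
    # Falls into the next 5-minute bin, so it does not join the three above.
    {"TimeGenerated": "2026-03-07T01:36:02", "Computer": "bk-srv-04", "Facility": "daemon",
     "SeverityLevel": "err", "ProcessName": "veeamservice",
     "SyslogMessage": "veeamservice stopped"},
    # Planned maintenance stop logged at info severity: filtered out.
    {"TimeGenerated": "2026-03-07T01:31:30", "Computer": "bk-srv-05", "Facility": "daemon",
     "SeverityLevel": "info", "ProcessName": "veeamservice",
     "SyslogMessage": "veeamservice stopped for scheduled maintenance"},
    # Unrelated daemon error: wrong process name.
    {"TimeGenerated": "2026-03-07T01:32:00", "Computer": "web-01", "Facility": "daemon",
     "SeverityLevel": "err", "ProcessName": "nginx",
     "SyslogMessage": "nginx stopped"},
]


def is_backup_stop(event):
    """Mirror the three `where` clauses of the rule."""
    return (event["Facility"] == "daemon"
            and event["SeverityLevel"] == "err"
            and event["ProcessName"] in BACKUP_PROCESSES
            and STOP_TERMS.search(event["SyslogMessage"]) is not None)


def bin_start(ts):
    """Floor a timestamp to its 5-minute bin boundary, like bin(TimeGenerated, 5m)."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // BIN_SIZE) * BIN_SIZE


def detect(events, threshold=THRESHOLD):
    """Return one alert per 5-minute bin in which >= threshold distinct servers stopped a backup agent."""
    servers_by_bin = defaultdict(set)
    for event in events:
        if is_backup_stop(event):
            ts = datetime.fromisoformat(event["TimeGenerated"])
            servers_by_bin[bin_start(ts)].add(event["Computer"])
    alerts = []
    for start in sorted(servers_by_bin):
        servers = sorted(servers_by_bin[start])
        if len(servers) >= threshold:
            alerts.append({
                "TimeGenerated": start.isoformat(),
                "AlertTitle": f"CRITICAL: {len(servers)} backup agents stopped in 5 minutes",
                "StoppedCount": len(servers),
                "AffectedServers": servers,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```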

Phase 2: AI-Accelerated Investigation with Security Copilot

🛡️ Copilot Incident Triage Promptbook (runs in 90 seconds)

The SOC has a custom Ransomware Triage Promptbook that runs automatically when the unified incident is opened:

Prompt 1: Attack Summary

“Summarise incident INC-2026-4891 including all affected entities, the attack timeline, MITRE ATT&CK techniques used, and the current blast radius.”

Copilot output: Generates a structured narrative identifying the initial access (compromised VPN), 14 affected devices, 3 compromised accounts, and 7 MITRE techniques across the kill chain.

Prompt 2: Lateral Movement Scope

“Generate a KQL query showing all devices the compromised user john.doe@contoso.com accessed via SMB admin shares in the last 14 days, including process details.”

// Copilot-generated KQL
DeviceLogonEvents
| where Timestamp > ago(14d)
| where AccountUpn =~ "john.doe@contoso.com"
| where LogonType in ("RemoteInteractive", "Network")
| where ActionType == "LogonSuccess"
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    LogonCount=count() by DeviceName, RemoteIP, LogonType
| join kind=inner (
    DeviceProcessEvents
    | where InitiatingProcessAccountUpn =~ "john.doe@contoso.com"
    | where FileName in~ ("cmd.exe","powershell.exe","wmic.exe")
    | summarize Commands=make_set(ProcessCommandLine) by DeviceName
) on DeviceName
| sort by FirstSeen asc

Prompt 3: Backup Impact Assessment

“Which backup agents were disabled vs. still operational? Can we recover from the last clean backup?”

Copilot output: Cross-references Sentinel Syslog data with the CMDB to report that 5 of 12 backup agents were disabled and 7 remain operational, with the last clean backup at 01:30 AM (30 minutes before encryption started). Recovery is feasible for all critical systems.

Prompt 4: Executive Briefing

“Generate a board-ready incident briefing for the CISO covering: what happened, business impact, containment status, recovery timeline, and HIPAA notification assessment.”

Copilot output: 1-page executive summary ready for the CISO within 3 minutes of incident opening, versus 4+ hours of manual report writing.

Phase 3: Automated Response & Containment

⚔️ Defender XDR: Automated Investigation & Response (AIR)

  • Auto-isolate devices: All 14 compromised devices isolated from the network within 4 minutes of the unified incident creation
  • Disable accounts: 3 compromised accounts disabled in Entra ID, all active sessions revoked
  • Quarantine malware: Ransomware binary quarantined across all endpoints fleet-wide
  • Block IOCs: C2 domains and IP addresses added as custom indicators (block and alert)

📡 Sentinel: Logic App Playbook “Ransomware-ContainAndNotify”

This playbook triggers automatically via a Sentinel automation rule when an incident has the tag “ransomware” and severity “high”:

  1. Block C2 on firewalls: Calls Palo Alto API to add blocking rules for all C2 IPs across all branch firewalls (30 seconds)
  2. Restart backup agents: Executes remote PowerShell on affected servers to restart Veeam services
  3. Create P1 incident ticket: Creates a ServiceNow Severity 1 incident with full alert details, affected asset list, and containment status
  4. Notify stakeholders: Sends Teams messages to the SOC channel, emails the CISO and CIO, and pages the on-call incident commander
  5. Trigger evidence preservation: Initiates MDE investigation package collection on all isolated devices for forensic analysis
  6. Update incident: Adds playbook execution log back to the Sentinel incident as a comment for audit trail

Phase 4: Recovery & Restoration

  • Backup restoration: 7 operational backup agents restore encrypted servers within 4 hours (vs. 3–6 weeks without protected backups)
  • Credential rotation: All service accounts and admin credentials rotated across affected systems
  • Device rebuild: 5 devices without clean backups rebuilt from gold images and re-onboarded to MDE
  • Monitoring escalation: Sentinel hunting queries scheduled hourly for 72 hours to detect any persistence mechanisms missed

Phase 5: Lessons Learned & Hardening

Post-Incident Review (PIR) conducted 72 hours after recovery:

| Finding | Root Cause | Remediation | Microsoft Solution |
|---|---|---|---|
| VPN without MFA | Legacy VPN excluded from CA policies | Enforce MFA on all VPN connections | Entra ID CA policy |
| 9-day dwell time | No anomaly detection for unusual logon patterns | Deploy Sentinel UEBA analytics for user behaviour baselines | Sentinel UEBA |
| Backup agents disabled | Backup service accounts had local admin on all servers | Remove local admin, use gMSA accounts, deploy tamper protection | MDE Tamper Protection |
| Saturday timing exploited | Reduced weekend SOC coverage | Deploy AIR auto-remediation for ransomware patterns 24/7 | XDR AIR |
| Manual C2 blocking | No firewall automation | Deploy Sentinel playbook for automatic C2 blocking | Sentinel + Logic App |

📊 Incident Metrics

  • 4 min: detection to containment
  • 4 hours: full recovery (vs. 6 weeks)
  • 14/8000: devices affected (blast radius limited)
  • 3 min: board briefing generated by Copilot
  • $14.8M: estimated cost avoided

Use Case 2: Business Email Compromise & Identity Attack

Zero Trust: Verify Explicitly · NIST: Detect · Respond · STRIDE: Spoofing · Information Disclosure

📋 Enterprise Scenario

Organisation: Global consulting firm · 20,000 employees · 40 countries · M365 E5
Attack: CFO’s credentials harvested via a sophisticated phishing site mimicking the Microsoft 365 login page. Attacker creates inbox rules forwarding financial emails to an external address, impersonates the CFO to request a $2.8M wire transfer from the Finance team, and consents to a malicious OAuth app to maintain persistence.
Zero Trust failure: The CFO’s account did not have phishing-resistant MFA (FIDO2), only SMS-based MFA which was bypassed via adversary-in-the-middle proxy.

Detection: Multi-Product Signal Correlation

Defender XDR creates a unified incident correlating 5 signals detected within 2 hours:

| Signal | Product | Detection |
|---|---|---|
| Risky sign-in | Entra ID Protection | Impossible travel: sign-in from UK (real) and Nigeria (attacker) 30 min apart |
| Inbox rule creation | MDO | New rule forwarding emails containing "wire", "payment", "invoice" to external address |
| OAuth app consent | MDA / App Governance | Unverified app granted Mail.ReadWrite.All via user consent during the compromised session |
| Impersonation email | MDO | Email from CFO to Finance requesting urgent wire transfer, sent from attacker session |
| Anomalous mailbox activity | Sentinel | Custom KQL: 400+ emails read in 30 minutes (baseline: 15/hour for this user) |

📡 Sentinel: BEC Detection KQL

// Sentinel Analytics Rule: Suspicious Inbox Rule + Impossible Travel
// Accounts with a medium/high risk sign-in in the last 2 hours.
// Kept to a single column: the `in` operator below rejects multi-column sets.
let riskyUsers = AADSignInEventsBeta
| where Timestamp > ago(2h)
| where RiskLevelDuringSignIn >= 50 // int column: 0 none, 10 low, 50 medium, 100 high
| distinct AccountObjectId;
// New inbox rules created by those accounts that forward outside the tenant
CloudAppEvents
| where Timestamp > ago(2h)
| where ActionType == "New-InboxRule"
| where AccountObjectId in (riskyUsers)
// Positional lookup: assumes Name is the first and ForwardTo the fourth parameter
| extend RuleName = tostring(RawEventData.Parameters[0].Value)
| extend ForwardTo = tostring(RawEventData.Parameters[3].Value)
| where ForwardTo !endswith "@contoso.com" // External forwarding
| project Timestamp, AccountUpn, RuleName, ForwardTo, IPAddress
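The same correlation as an added Python example (not from the page) over constructed sign-in and audit records. It resolves the New-InboxRule parameters by name rather than by position, treats ForwardTo, ForwardAsAttachmentTo and RedirectTo alike, and compares the target's mail domain instead of a raw string suffix; the tenant domain contoso.com comes from the rule above, while the object IDs, addresses, IPs and the 0/10/50/100 risk encoding are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

CORPORATE_DOMAINS = {"contoso.com"}  # tenant domain used by the rule above
LOOKBACK = timedelta(hours=2)        # ago(2h)
RISK_MEDIUM = 50                     # assumed encoding: 0 none, 10 low, 50 medium, 100 high
# New-InboxRule parameters that send mail elsewhere; the rule above only checks ForwardTo.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
NOW = datetime(2026, 3, 10, 14, 0, 0)  # constructed evaluation time

# Constructed sign-ins with AADSignInEventsBeta-style fields.
SIGNINS = [
    {"Timestamp": "2026-03-10T13:20:00", "AccountObjectId": "obj-cfo", "RiskLevelDuringSignIn": 100},
    {"Timestamp": "2026-03-10T12:50:00", "AccountObjectId": "obj-cfo", "RiskLevelDuringSignIn": 0},
    {"Timestamp": "2026-03-10T13:40:00", "AccountObjectId": "obj-analyst", "RiskLevelDuringSignIn": 0},
    # High risk, but older than the 2-hour lookback.
    {"Timestamp": "2026-03-10T11:00:00", "AccountObjectId": "obj-contractor", "RiskLevelDuringSignIn": 100},
]


def rule_event(ts, obj, upn, ip, action, **params):
    """Build a CloudAppEvents-style record; Parameters is a list of {Name, Value} pairs."""
    return {"Timestamp": ts, "AccountObjectId": obj, "AccountUpn": upn, "IPAddress": ip,
            "ActionType": action,
            "RawEventData": {"Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}}


AUDIT_EVENTS = [
    # Attacker rule: single-character name, forwards finance mail outside the tenant.
    rule_event("2026-03-10T13:25:00", "obj-cfo", "cfo@contoso.com", "203.0.113.7", "New-InboxRule",
               Name=".", SubjectContainsWords="wire;payment;invoice",
               ForwardTo="payments.archive@outlook.com", DeleteMessage="True"),
    # Legitimate rule by the same risky account: internal target, ignored.
    rule_event("2026-03-10T13:40:00", "obj-cfo", "cfo@contoso.com", "198.51.100.2", "New-InboxRule",
               Name="Archive", ForwardTo="cfo.assistant@contoso.com"),
    # External forward by a user with no risky sign-in: ignored.
    rule_event("2026-03-10T13:45:00", "obj-analyst", "analyst@contoso.com", "198.51.100.3", "New-InboxRule",
               Name="Home copy", ForwardTo="me@gmail.com"),
    # The risky sign-in is outside the lookback window: ignored.
    rule_event("2026-03-10T13:50:00", "obj-contractor", "contractor@contoso.com", "203.0.113.9", "New-InboxRule",
               Name="Fwd", RedirectTo="x@proton.me"),
    # Modification rather than creation: the rule only looks at New-InboxRule.
    rule_event("2026-03-10T13:55:00", "obj-cfo", "cfo@contoso.com", "203.0.113.7", "Set-InboxRule",
               Identity=".", ForwardTo="other@outlook.com"),
]


def param(parameters, name):
    """Look a parameter up by Name instead of relying on its position."""
    return next((p["Value"] for p in parameters if p["Name"] == name), None)


def is_external(address):
    """True unless the address's mail domain is one of ours (handles 'SMTP:' prefixes and case)."""
    addr = re.sub(r"^smtp:", "", address.strip(), flags=re.IGNORECASE)
    if "@" not in addr:
        return True  # unresolvable target: flag rather than silently pass
    return addr.rsplit("@", 1)[1].lower() not in CORPORATE_DOMAINS


def risky_accounts(signins, now=NOW):
    """Object IDs with a medium-or-higher risk sign-in inside the lookback window."""
    cutoff = now - LOOKBACK
    return {s["AccountObjectId"] for s in signins
            if datetime.fromisoformat(s["Timestamp"]) > cutoff
            and s["RiskLevelDuringSignIn"] >= RISK_MEDIUM}


def detect(signins, audit_events, now=NOW):
    """Inbox rules created by risky accounts that forward or redirect mail outside the tenant."""
    risky = risky_accounts(signins, now)
    cutoff = now - LOOKBACK
    hits = []
    for ev in audit_events:
        if ev["ActionType"] != "New-InboxRule" or datetime.fromisoformat(ev["Timestamp"]) <= cutoff:
            continue
        if ev["AccountObjectId"] not in risky:
            continue
        params = ev["RawEventData"]["Parameters"]
        targets = [t for name in FORWARD_PARAMS if (t := param(params, name))]
        external = [t for t in targets if is_external(t)]
        if external:
            hits.append({"Timestamp": ev["Timestamp"], "AccountUpn": ev["AccountUpn"],
                         "RuleName": param(params, "Name"), "ExternalTargets": external,
                         "IPAddress": ev["IPAddress"]})
    return hits
```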

AI Investigation with Security Copilot

Copilot Prompt: “What emails did the attacker read and forward from the CFO’s mailbox?”

Result: Copilot queries MDO and returns: 47 emails read containing financial data, 12 emails forwarded to attacker-controlled address, 3 emails sent impersonating the CFO requesting wire transfers totalling $4.1M.

Copilot Prompt: “What OAuth apps were consented during this compromised session? What data did they access?”

Result: 1 app consented: "DocuSign Helper" (unverified publisher) with Mail.ReadWrite.All. App accessed 340 mailboxes over 2 hours using application-level permissions.

Copilot Prompt: “Generate the HIPAA breach assessment for this incident.”

Result: Copilot analyses the data exposure: 47 financial emails containing PII (client names, SSNs in tax documents). Determines HIPAA notification may not apply (financial data, not PHI), but state breach notification laws require assessment within 72 hours. Generates the legal team briefing.

Automated Response

  • XDR AIR: Revokes all CFO sessions, forces password reset, removes malicious inbox rules, soft-deletes the impersonation emails from all recipient mailboxes
  • App Governance: Auto-disables the malicious OAuth app, revokes all permission grants
  • Sentinel Playbook “BEC-Containment”: Sends recall notification for the wire transfer request, alerts the Finance department via Teams with verified instructions to halt any pending transfers, creates a Legal hold on the CFO’s mailbox for eDiscovery

Lessons Learned & Zero Trust Hardening

| Finding | Remediation | Solution |
|---|---|---|
| SMS MFA bypassed by AiTM proxy | Deploy phishing-resistant MFA (FIDO2 keys) for all executives | Entra ID + FIDO2 |
| User consented to malicious OAuth app | Restrict user consent to verified publishers; require admin approval for all others | Entra ID + App Governance |
| No monitoring for bulk email reads | Deploy Sentinel analytics rule for anomalous mailbox activity volume | Sentinel KQL |
| Wire transfer request not verified | Implement out-of-band verification process for transfers >$50K | Organisational process |
| Financial email forwarding to external | MDO transport rule blocking auto-forward to external for Finance department | MDO mail flow rule |

Use Case 3: Insider Data Exfiltration by Departing Employee

Zero Trust: Least Privilege · NIST: Detect · Respond · STRIDE: Information Disclosure · Repudiation

📋 Enterprise Scenario

Organisation: Semiconductor company · 5,000 employees · $50M+ IP in R&D designs
Threat: Senior product engineer submits resignation. Over 10 business days, downloads 2,400 design files from SharePoint, copies to personal USB, emails specs to personal Gmail, uploads source code to personal GitHub.
Challenge: Each individual action appears routine; engineers access design files daily. Only cross-product correlation reveals the exfiltration pattern.

Detection: Cross-Product Signal Correlation

| Day | Activity | Product | Detection |
|---|---|---|---|
| Day 0 | Resignation submitted | Purview IRM (Workday connector) | HR trigger auto-enrolls user in “Departing Employee” policy. Adaptive Protection elevates DLP to “strict.” |
| Day 2 | Bulk SharePoint downloads (800 files) | MDA | Download volume 15x above 90-day baseline. Alert generated. |
| Day 4 | USB copy of labeled files | MDE + Purview DLP | Endpoint DLP blocks USB copy of “Confidential” labeled files. Alert correlated into XDR incident. |
| Day 6 | Email to personal Gmail with attachments | MDO + Purview DLP | DLP policy detects technical drawings in email to external personal address. Email quarantined. |
| Day 8 | GitHub upload (500 MB) | Sentinel | Custom KQL analytics rule detects large upload to github.com/[personal-account] |
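The Day 2 baseline comparison as an added Python example (not from the page) over constructed per-day download events: a user's daily SharePoint download count is compared with the median of their active days in the preceding 90 days, with guards for users who have too little history and for users who normally download almost nothing, cases the one-line table entry leaves implicit. The 15x ratio and 90-day window are the page's; the user names, dates, counts, minimum-history and floor values are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

WINDOW_DAYS = 90          # the 90-day baseline from the table above
RATIO = 15.0              # flag at 15x baseline, as in the Day 2 row
MIN_ACTIVE_DAYS = 14      # assumption: fewer active days than this is not a usable baseline
BASELINE_FLOOR = 10.0     # assumption: treat very quiet users as 10/day so a handful of files is not "15x"

EVAL_DAY = date(2026, 3, 12)  # constructed: Day 2 of the scenario


def make_events(user, counts_by_day):
    """Expand {day: count} into one download event per file (constructed data)."""
    return [{"user": user, "day": day} for day, n in counts_by_day.items() for _ in range(n)]


# Engineer: 90 days of 40/50/60 downloads (median 50), then 800 on EVAL_DAY.
ENGINEER_DAYS = {EVAL_DAY - timedelta(days=i): (40, 50, 60)[i % 3] for i in range(1, WINDOW_DAYS + 1)}
ENGINEER_DAYS[EVAL_DAY] = 800
# New hire: only three active days of history, then a burst.
NEW_HIRE_DAYS = {EVAL_DAY - timedelta(days=i): 5 for i in range(1, 4)}
NEW_HIRE_DAYS[EVAL_DAY] = 300
SAMPLE_EVENTS = (make_events("engineer@contoso.com", ENGINEER_DAYS)
                 + make_events("newhire@contoso.com", NEW_HIRE_DAYS))


def daily_counts(events):
    """{user: {day: downloads}} from individual download events."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        counts[ev["user"]][ev["day"]] += 1
    return counts


def baseline(day_counts, eval_day):
    """Median downloads over the user's active days in the WINDOW_DAYS before eval_day."""
    window = [day_counts.get(eval_day - timedelta(days=i), 0) for i in range(1, WINDOW_DAYS + 1)]
    active = [c for c in window if c > 0]  # skip weekends/leave so zeros do not drag the median down
    if len(active) < MIN_ACTIVE_DAYS:
        return None
    return max(median(active), BASELINE_FLOOR)


def evaluate(events, eval_day, ratio=RATIO):
    """One result per user: anomalous, normal, or insufficient_history."""
    results = []
    for user, dc in sorted(daily_counts(events).items()):
        today = dc.get(eval_day, 0)
        base = baseline(dc, eval_day)
        if base is None:
            results.append({"user": user, "status": "insufficient_history", "today": today,
                            "baseline": None, "ratio": None})
            continue
        r = round(today / base, 1)
        results.append({"user": user, "status": "anomalous" if r >= ratio else "normal",
                        "today": today, "baseline": base, "ratio": r})
    return results


if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS, EVAL_DAY):
        print(row)
```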

📡 Sentinel: Source Code Upload Detection KQL

// Detect large uploads to personal code repositories
// Note: SentBytes assumes the source records per-connection byte counts
// (e.g. proxy/firewall logs); stock DeviceNetworkEvents records connections,
// not transfer volume, so validate the column against your schema.
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any ("github.com","gitlab.com","bitbucket.org")
| where RemoteUrl !has "contoso" // Exclude corporate repos
| summarize TotalBytesSent = sum(SentBytes),
            UploadCount = count() by DeviceName, InitiatingProcessAccountName, RemoteUrl
| where TotalBytesSent > 100000000 // 100 MB threshold
| extend UploadMB = round(TotalBytesSent / 1048576.0, 1)
| join kind=inner (
    IdentityInfo | where Department == "Engineering"
) on $left.InitiatingProcessAccountName == $right.AccountName
| project Timestamp = now(), AccountName, Department,
          RemoteUrl, UploadMB, UploadCount, DeviceName

Security Copilot: Investigation Assistance

“Quantify the data exposure: How many of the 2,400 downloaded files had Confidential or Highly Confidential sensitivity labels?”

Result: 847 files labeled Confidential (chip design schematics), 23 labeled Highly Confidential (manufacturing process IP). Estimated IP value at risk: $12M based on R&D investment records.

“Generate the legal evidence package with chain-of-custody documentation for all exfiltration activities.”

Result: Copilot compiles a timestamped activity log, DLP policy match records, USB device identifiers, recipient email addresses, and GitHub commit hashes, formatted for legal counsel with chain-of-custody metadata.

Response & Legal Action

  1. Adaptive Protection automatically restricts the user’s DLP: USB blocked, external email quarantined, cloud uploads monitored
  2. Purview eDiscovery Premium case created with legal hold on all user data (email, OneDrive, Teams, SharePoint activity)
  3. Sentinel playbook generates evidence package for Legal and sends notification to HR
  4. HR conducts exit interview with documented findings; Legal issues cease-and-desist and takedown request to GitHub

Lessons Learned

| Finding | Remediation | Solution |
|---|---|---|
| No HR system integration | Connect Workday to Insider Risk Management for automated departure triggers | Purview IRM + HR connector |
| USB not blocked for departing employees | Deploy Adaptive Protection: automatic strict DLP for elevated-risk users | Purview Adaptive Protection |
| No code repo monitoring | Deploy Sentinel KQL rule for large uploads to personal code repos | Sentinel analytics rule |
| Sensitivity labels not enforced on all design files | Deploy auto-labeling policy for all files in Engineering SharePoint libraries | Purview auto-labeling |
๐Ÿ—๏ธ

Use Case 4: Cloud-Native SOC Transformation & ROI

Zero Trust: All Pillars · NIST: Govern · Identify · Detect · Respond

📋 Enterprise Scenario

Organisation: Insurance company · 15,000 employees · 3 data centres · $4B revenue
Current state: Splunk Enterprise on-premises ($2.8M/year licence + $500K infrastructure) · 4 FTEs managing SIEM infrastructure · 150 TB annual ingestion · 35% analyst turnover · 22-minute average MTTT
Goal: Migrate to Microsoft unified security platform, reduce costs, improve SOC effectiveness, and enable Zero Trust architecture

Migration Roadmap

| Phase | Duration | Activities | Microsoft Solutions |
|---|---|---|---|
| Phase 1: Foundation | Month 1–2 | Deploy Sentinel workspace. Connect M365 data sources (free ingestion). Enable Defender XDR unified incidents. Deploy Security Copilot with 2 SCUs for pilot team. | Sentinel, XDR, Copilot |
| Phase 2: Migration | Month 3–4 | Migrate firewall/proxy logs to Sentinel (Basic Logs tier for high-volume). Translate 80 Splunk SPL rules to Sentinel KQL using SIEM migration tool. Deploy 15 Logic App playbooks replacing Phantom SOAR. | Sentinel, Logic Apps |
| Phase 3: Optimisation | Month 5–6 | Enable UEBA for user behaviour analytics. Deploy custom workbooks replacing Splunk dashboards. Train all analysts on Copilot promptbooks. Expand Copilot to full SOC (4 SCUs). | Sentinel UEBA, Copilot |
| Phase 4: Decommission | Month 7 | 1-month parallel operation. Validate detection parity. Decommission Splunk. Redeploy 4 infrastructure FTEs to threat hunting and detection engineering. | All platforms |

SOC Effectiveness: Before vs. After

| Metric | Before (Splunk + Legacy) | After (XDR + Sentinel + Copilot) | Improvement |
|---|---|---|---|
| Mean Time to Triage | 22 minutes | 8 minutes (Copilot promptbooks) | -64% |
| Mean Time to Respond | 4.2 hours | 45 minutes (AIR + playbooks) | -82% |
| False positive rate | 35% | 12% (XDR correlation) | -66% |
| MITRE ATT&CK coverage | 35% | 75% (Copilot-generated detections) | +114% |
| Annual SIEM cost | $3.3M (licence + infra + staff) | $1.3M (Sentinel + SCUs) | -61% |
| Infra management FTEs | 4 | 0 (cloud-native) | Redeployed to hunting |
| New analyst ramp time | 4–6 months | 6–8 weeks (Copilot assistance) | -67% |
| Data sources integrated | 45 | 120+ (300+ connectors available) | +167% |

ROI Summary for Executive Briefing

  • $2M: annual cost savings
  • 82%: faster incident response
  • 4 FTEs: redeployed to threat hunting
  • 7 months: full migration timeline
