🚀 Demo Scenarios Overview

This document outlines the current status and progress of our SOC and Non-SOC demo scenarios. Each demo corresponds to a specific threat type, or to a security-controls area, relevant to our solution offerings.

Definitions & Prerequisites

  1. Victim account: john.doe@legionsecurityai.onmicrosoft.com (you never need to log in to this account). Phishing emails are sent to this account, and malware samples are automatically run on a weekly basis on this account's Win11 device. These trigger the required incidents and alerts across our entire lab security-control and ticketing suite, enabling us to run demos on live, up-to-date data.
  2. Demo analyst account: demoanalyst@legionsecurityai.onmicrosoft.com. You must be logged in to this Microsoft account in order to run demos. Logging in to portal.azure.com is enough: the live session cookie carries over to all other systems. Credentials can be found in 1Password under the name "Demo analyst", with its 2FA saved alongside. It is most effective to create an Edge profile and log in as a work profile with demoanalyst@legionsecurityai.onmicrosoft.com.
  3. Install the 1Password browser extension: Link
  4. Install the Legion browser extension: Link
  5. Log in to CrowdStrike using the "Demo Analyst Crowdstrike" credentials in 1Password (it is not SSO, so it needs a separate login).
Threat Category | Demo ID | Demo Status | Notes / Tools Used | Trigger From Here | Use Case Name
--- | --- | --- | --- | --- | ---
Anomalous Sign-in | 1.1 | dev bugs - fix in progress | EntraID, Sentinel, Jira | Link (choose the latest Jira ticket whose name starts with "Unfamiliar sign-in properties") | Anomalous Sign-in (JIRA, Sentinel)
Anomalous Sign-in | 1.2 | dev bugs - fix in progress | Splunk, Defender, Jira | Link (choose the latest Jira ticket whose name starts with "Unfamiliar sign-in (Defender,Splunk)") | Anomalous Sign-in (Splunk, Defender)
Malware | 2.1 | dev bugs - fix in progress | Defender, Jira | Link (choose the latest Jira ticket whose name starts with "Malware detected - Defender Alert") | Multistage Attack - Endpoint (Defender, Jira)
Malware | 2.2 | in-progress | Defender, ServiceNow | Link | TBA
Malware | 2.3 | Completed | Crowdstrike, Jira | Link | Multistage Attack - Endpoint (Crowdstrike, Jira)
Phishing | 3.1 | Pending Development - Proofpoint skill | Proofpoint, EntraID, Jira | Link | TBA
Phishing | 3.2 | ⭐✅ Completed | Defender, EntraID | Link (choose the latest Jira ticket whose name starts with "Phishing Incident (Defender)") | Phishing (Jira, Defender)
Phishing | 3.3 | dev bugs - fix in progress | Sentinel, EntraID | Link | Phishing (Jira, Sentinel)
Non-SOC - Access Requests | 4 | ⭐✅ Completed | EntraID, AWS IAM/Identity Center, Jira | Link | Non-SOC AWS Access Review via Jira
DLP | 5.1 | Completed | Jira, Defender, Purview DLP | Link | DLP (Jira, Defender)
DLP | 5.2 | Completed | Jira, Defender, Purview DLP | Link. If the Defender link has expired, click here, copy the latest incident link named "DLP policy (Detect clear text passwords)" and paste it into the Jira ticket | DLP - Purview Alert
Re-Investigate Phishing (Optimize your SOC investigation process) | 6 | Completed | Jira, Defender, JoeSandbox | Link | DLP (Jira, Defender, JoeSandbox)
Deep Search - Phishing Campaign | 7.1 | Completed | Jira, Defender Threat Explorer | Link | Phishing Campaign - Deep Search (Threat Explorer)
Deep Search - Phishing Campaign | 7.2 | Completed | Jira, Defender Advanced Threat Hunting | Link | Phishing Campaign - Deep Search (Threat Hunting)
Deep Search - Malware | 7.3 | Completed | Jira, ServiceNow instance 53 | Link | Malware - ServiceNow Deep Search

✅ Legend

  • Completed: The task or demo has been successfully implemented.
  • In Progress: Work is currently underway.
  • Pending Quote: Waiting on budget approval or a vendor estimate.
  • Pending Development: The skill has been recorded (a video or demo walkthrough has been captured), a Linear ticket has been raised, and the demo is waiting for development.

📌 Notes

  • All demos are part of our internal efforts to showcase Legion's principles.
  • Each demo is tied to a broader use case in threat detection, response, or prevention.