Demo Scenarios Overview
This document outlines the current status and progress of our SOC and Non-SOC demo scenarios. Each demo corresponds to a specific threat type or a security-controls area relevant to our solution offerings.
Definitions & Prerequisites
- Victim account: john.doe@legionsecurityai.onmicrosoft.com (you never need to log in to this account). Phishing emails are sent to this account, and malware samples are run automatically every week on this account's Win11 device. These trigger the required incidents and alerts across our entire lab security-control and ticketing suite, enabling us to run demos on live, up-to-date data.
- Demo analyst account: demoanalyst@legionsecurityai.onmicrosoft.com. You must be logged in to this Microsoft account in order to run demos. Logging in to portal.azure.com is enough: the live session cookie carries over to all other systems. Credentials can be found in 1Password under the name "Demo analyst", along with its 2FA, which is saved there too. It is most effective to create a dedicated Edge profile and sign in to it as a work profile with demoanalyst@legionsecurityai.onmicrosoft.com.
- Install the 1Password browser extension: Link
- Install the Legion browser extension: Link
- Log in to CrowdStrike using the "Demo Analyst Crowdstrike" credentials in 1Password (not SSO; it requires a separate login).
| Use Case | Demo ID | Trigger From Here | Workflow |
|---|---|---|---|
| Account Takeover | 1.1 | Link: choose the latest Jira ticket starting with "Unfamiliar sign-in (Sentinel)" | Anomalous Sign-in (Jira, Sentinel) |
| Account Takeover | 1.2 | Link: choose the latest Jira ticket starting with "Unfamiliar sign-in (Defender)" | Anomalous Sign-in (Splunk, Defender) |
| Account Takeover | 1.3 | ServiceNow ticket; you must log in to ServiceNow instance ven08053 | Anomalous Sign-in (ServiceNow, Splunk, Defender) OR Unfamiliar Sign-In (ServiceNow, Splunk, Defender, Suggestions) |
| Account Takeover | 1.4 | TheHive V5 - DEMO: choose the latest case with "Unfamiliar Sign-In (Defender, Splunk)" | Unfamiliar Sign-In (Hive, Splunk, Defender) |
| Account Takeover | 1.5 | Link: choose the latest Jira ticket starting with "Unfamiliar sign-in (Defender)" | Unfamiliar Sign-in (Risky User) |
| Malware | 2.1 | Link: choose the latest Jira ticket named "Malware detected - Defender Incident" | Malware (Jira, Defender) |
| Malware | 2.2 | Link; if the CrowdStrike detection has expired, log in here, choose the latest detection and copy its URL into the Jira CS-88 ticket | Malware (Jira, CrowdStrike, SilentPush) |
| Malware | 2.3 | Link | Malware - ServiceNow Deep Search |
| Phishing | 3.1 | Link: choose the latest Jira ticket starting with "Phishing Incident (Defender)" | Phishing (Jira, Defender) or Phishing (Defender, SilentPush) or Phishing (Jira, Defender, Suggestions) |
| Phishing | 3.2 | Link | Phishing (Jira, Sentinel) |
| Phishing | 3.3 | Link | Phishing (Jira, Proofpoint Essentials) |
| Phishing | 3.4 | Link: choose the latest Jira ticket starting with "Phishing Incident (Defender)" | Re-Investigate Phishing (Jira, Defender, JoeSandbox) |
| Non-SOC - Access Requests | 4 | Link | Non-SOC AWS Access Review via Jira |
| DLP | 5.1 | Link: choose the latest Jira ticket starting with "Defender DLP Incident" | DLP (Jira, Defender Incident) |
| DLP | 5.2 | Link: choose the latest Jira ticket starting with "Defender DLP Alert" | DLP (Jira, Defender Alert, Purview) |
| Vulnerability Management | 6 | Analyst input of a CVE | Vulnerability Management (CVE Search) |
| Lead investigator | 7.1 | Link: choose the latest Jira ticket starting with "Phishing Incident (Defender)" | Phishing (Lead investigator) |
| Lead investigator | 7.2 | Link: choose the latest Jira ticket starting with "Defender DLP Incident" | DLP (Lead investigator) |
| Insider Risk Threat (IRM) | 8.1 | Link: choose the latest Jira ticket named "IRM - Purview Alert" | Insider Risk Threat (Purview Alert) |
| Insider Risk Threat (IRM) | 8.2 | Link | Pre-Hire Background Check - Persona Package |
Notes
- All demos are part of our internal efforts to showcase Legion's principles.
- Each demo is tied to a broader use case in threat detection, response, or prevention.
- The Tools Used column lists only the integrations involved. Full scenario context is captured in the linked Jira tickets.
- Demo 5.3 scenario: a user sent an email to an external address containing a file with sensitive credentials. The investigation reveals the recipient's identity and the number of emails sent, and assesses the business impact of the exfiltrated data.