A retail threat detection and incident response content pack for Microsoft Sentinel.
RetailShield provides KQL analytics rules, Azure Logic App playbooks, and a Sentinel workbook, all purpose-built for the retail threat landscape and deployable directly on top of a Microsoft Sentinel workspace.
- What this is / What this is not
- Why retail needs its own rules
- Architecture
- Content overview
- MITRE ATT&CK coverage
- Folder structure
- Quick start
- Contributing
- Author
- License
## What this is / What this is not

| | |
|---|---|
| This IS | A content pack for Microsoft Sentinel: KQL detection rules, Logic App playbooks, and a workbook that you deploy into your existing Sentinel workspace |
| This IS | Opinionated detection logic tuned to retail-specific TTPs: POS RAM scraping, gift card fraud, supply chain compromise, AI voice fraud, MFA fatigue |
| This IS | Mapped to MITRE ATT&CK and linked to automated response playbooks so alerts trigger containment actions |
| This IS NOT | A standalone SIEM, SOC platform, or replacement for Microsoft Sentinel |
| This IS NOT | A generic threat detection library; rules are explicitly tuned for retail environments |
| This IS NOT | A managed service; you own the deployment and tuning in your own Azure tenant |
Microsoft Sentinel is the SIEM/SOAR platform. RetailShield is the retail-specific content that runs on top of it.
## Why retail needs its own rules

Retail is the most breach-targeted industry in the UK and globally. The consequences are no longer just reputational; they are existential.
| Incident | Organisation | Impact |
|---|---|---|
| Supply-chain ransomware (2025) | Marks & Spencer | £300 M operating-profit loss; online sales suspended for weeks |
| Coordinated social engineering (2025) | Co-op | Customer data exfiltrated; stores disrupted |
| Data exfiltration via third-party (2018) | Nike | 1.4 TB of customer & IP data exposed |
| Point-of-Sale malware | Multiple UK retailers | Millions of payment cards compromised |
| Insider fraud | Retail sector average | £1,000+ loss per employee per year (CIFAS 2024) |
Retailers face a unique attack surface: fragmented POS networks, seasonal workforce spikes, large third-party supplier ecosystems, and high-volume transaction data that masks malicious activity. Generic Sentinel rules produce alert fatigue without retail-specific context.
RetailShield closes that gap.
## Architecture

```text
                            RETAILSHIELD
          Retail-specific threat detection & automated response
                   built natively for Microsoft Sentinel

+--------------------------------------------------------------------+
| 1. RETAIL DATA SOURCES                                             |
|    POS/Till · Identity (Azure AD) · Email/M365 · Network/Firewall  |
|    Endpoints · Supply Chain & Suppliers                            |
+--------------------------------------------------------------------+
                                  |
                                  v
+--------------------------------------------------------------------+
| INGESTION: Microsoft Sentinel Log Analytics Workspace              |
|    Standard tables + custom POS table (HMAC-SHA256 signed)         |
+--------------------------------------------------------------------+
                                  |
                                  v
+--------------------------------------------------------------------+
| 2. DETECTION: 20 KQL rules mapped to MITRE ATT&CK                  |
|                                                                    |
|    Retail-specific (14): gift-card fraud · POS void/refund ·       |
|    credential stuffing · MFA fatigue · phishing · ransomware ·     |
|    supplier compromise · data exfil · AI voice fraud · POS         |
|    anomaly · privileged role abuse · after-hours · impossible      |
|    travel · TLS downgrade (PCI)                                    |
|                                                                    |
|    Generic SOC (6): brute force · bulk file access · C2 beacon ·   |
|    DNS exfil · RDP lateral movement · suspicious PowerShell        |
+--------------------------------------------------------------------+
                                  |
                                  v
         Sentinel correlates alerts -> INCIDENT (IP · account · host)
                                  |
                                  v
+--------------------------------------------------------------------+
| 3. AUTOMATED RESPONSE & MITIGATION: 8 Logic App playbooks          |
|                                                                    |
|  +----------------+    +----------------+    +------------------+  |
|  | STEP 1         | -> | STEP 2         | -> | STEP 3           |  |
|  | Triage &       |    | Contain /      |    | UK Compliance    |  |
|  | Enrich         |    | Mitigate       |    | Assistant        |  |
|  |                |    |                |    |                  |  |
|  | classify +     |    | block IP ·     |    | NCSC 24h +       |  |
|  | severity ·     |    | disable acct · |    | ICO 72h tracking |  |
|  | threat-intel   |    | isolate host   |    | · drafts report  |  |
|  | (VT/AbuseIPDB) |    | (Defender)     |    | (assists human)  |  |
|  +----------------+    +----------------+    +------------------+  |
+--------------------------------------------------------------------+

MODULES: [Threat Detection: LIVE] [Compliance Centre: LIVE] [Vulnerability Scanner: LIVE]
         [Loss Prevention: PLANNED] [ChainShield: PLANNED]

Validated in a controlled lab · published methodology (DOI 10.5281/zenodo.20608262) · avg ~22 min MTTD
```

A Sentinel-native content pack, not a standalone SIEM.
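The ingestion layer above notes that the custom POS table is HMAC-SHA256 signed. The following Python is an added example, not code from the RetailShield repository, showing the defensive pattern behind that note: the till (or its forwarding agent) signs each POS record with a shared key, and the ingestion gateway verifies the signature and diverts records that fail to a quarantine path, so a tampered or forged till record never lands in the POS table that the detection rules query. The field names, the demo key and the sample records are constructed for this example and are not the project's schema.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real pipeline the key lives in a secret store
# (for example Azure Key Vault) and is never committed to the repository.
DEMO_KEY = b"retailshield-demo-key-not-for-production"


def canonical_bytes(record):
    """Serialise everything except the signature deterministically (sorted
    keys, fixed separators) so the till and the gateway hash identical bytes."""
    body = {k: v for k, v in record.items() if k != "Signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record, key):
    """Return a copy of the record with an HMAC-SHA256 hex signature attached."""
    signed = dict(record)
    signed["Signature"] = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return signed


def verify_record(record, key):
    """True only if the record carries a signature that matches its contents."""
    sig = record.get("Signature")
    if not isinstance(sig, str):
        return False
    expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so a forged signature cannot be
    # refined byte by byte from timing differences.
    return hmac.compare_digest(expected, sig)


def split_ingest(records, key):
    """Partition a batch into (accepted, rejected). Rejected records would be
    written to a quarantine table and raise an alert instead of reaching the
    POS table."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if verify_record(rec, key) else rejected).append(rec)
    return accepted, rejected


def build_sample_batch(key=DEMO_KEY):
    """Constructed batch: two genuine records, one altered after signing,
    one that was never signed."""
    base = {
        "StoreId": "UK-LDN-014",
        "TerminalId": "TILL-03",
        "EventType": "Refund",
        "Amount": 49.99,
        "CashierId": "C1234",
        "TimeGenerated": "2025-06-01T13:05:00Z",
    }
    good_refund = sign_record(base, key)
    good_sale = sign_record({**base, "EventType": "Sale", "Amount": 12.50}, key)
    tampered = dict(good_refund)
    tampered["Amount"] = 4999.99  # changed in transit; signature no longer matches
    unsigned = {**base, "EventType": "Void"}  # forged record with no signature at all
    return [good_refund, good_sale, tampered, unsigned]


if __name__ == "__main__":
    ok, bad = split_ingest(build_sample_batch(), DEMO_KEY)
    print(f"accepted={len(ok)} rejected={len(bad)}")
```

Signing only authenticates what the till sent; a compromised till still produces validly signed records, which is why the POS void/refund and POS anomaly rules run on top of the verified data rather than replacing this check.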
## Content overview

| Content type | Count | Description |
|---|---|---|
| KQL Analytics Rules | 13 retail + 6 generic | Scheduled analytics rules covering POS fraud, ransomware, exfiltration, identity abuse, supply chain, voice fraud |
| Logic App Playbooks | 3 | Triage & classify, threat-intel enrichment (AbuseIPDB / VirusTotal), containment (block IP / disable account / isolate host) |
| Sentinel Workbook | 1 | Live incident feed, TTP heatmap, analyst KPIs |
| Watchlists | 5 | RetailIOCWatchlist, RetailApprovedSenders, AbuseIPDBWatchlist, RetailSupplierAccounts, RetailServiceAccounts |
| Hunting Queries | Planned | Proactive threat hunting queries for retail TTPs |
## MITRE ATT&CK coverage

### Retail-specific rules

| Tactic | Technique ID | Technique Name | Detection Rule | Playbook |
|---|---|---|---|---|
| Initial Access | T1566.001 | Spearphishing Attachment | `retail/phishing_detection.kql` | `quarantine_email` |
| Collection | T1056.001 | Input Capture: Keylogging | `retail/pos_anomaly.kql` | `suspend_terminal` |
| Collection | T1056.001 | Input Capture: Keylogging | `retail/pos_void_refund.kql` | `notify_soc` |
| Impact | T1657 | Financial Theft | `retail/gift_card_fraud.kql` | `notify_soc` |
| Reconnaissance | T1598 | Phishing for Information | `retail/ai_voice_fraud.kql` | `notify_soc` |
| Credential Access | T1621 | MFA Request Generation | `retail/mfa_fatigue.kql` | `block_ip` |
| Credential Access | T1110.004 | Credential Stuffing | `retail/credential_stuffing.kql` | `block_ip` |
| Persistence | T1078 | Valid Accounts | `retail/after_hours_access.kql` | `notify_soc` |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol | `retail/data_exfiltration.kql` | `data_exfil_contain` |
| Impact | T1486 | Data Encrypted for Impact | `retail/ransomware_indicator.kql` | `isolate_endpoint` |
| Initial Access | T1195 | Supply Chain Compromise | `retail/supply_chain_anomaly.kql` | `notify_soc` |
| Initial Access | T1199 / T1078 | Trusted Relationship / Valid Accounts | `retail/supplier_impossible_travel.kql` | `notify_soc` |
| Persistence | T1098 / T1078 | Account Manipulation / Valid Accounts | `retail/privileged_role_addition.kql` | `notify_soc` |
### Generic SOC rules

| Tactic | Technique ID | Technique Name | Detection Rule | Playbook |
|---|---|---|---|---|
| Credential Access | T1110 | Brute Force | `generic/brute-force-login.kql` | none |
| Collection | T1005 | Data from Local System | `generic/bulk-file-access.kql` | none |
| Command and Control | T1041 | Exfiltration Over C2 Channel | `generic/c2-beacon.kql` | none |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol | `generic/dns-exfil.kql` | none |
| Lateral Movement | T1021.001 | Remote Desktop Protocol | `generic/rdp-lateral-movement.kql` | none |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | `generic/suspicious-powershell.kql` | none |
## Folder structure

```text
RetailShield/
├── .github/
│   └── workflows/
│       └── ci.yml                          # GitHub Actions CI pipeline
│
├── detection-rules/
│   ├── retail/                             # Retail-specific KQL analytics rules
│   │   ├── phishing_detection.kql          # RS-PHI-001 · T1566.001 · High
│   │   ├── pos_anomaly.kql                 # RS-POS-001 · T1056.001 · High
│   │   ├── pos_void_refund.kql             # RS-POS-002 · T1056.001 · High
│   │   ├── gift_card_fraud.kql             # RS-GCF-001 · T1657 · High
│   │   ├── ai_voice_fraud.kql              # RS-VOI-001 · T1598 · High
│   │   ├── mfa_fatigue.kql                 # RS-MFA-001 · T1621 · High
│   │   ├── credential_stuffing.kql         # RS-CRD-001 · T1110.004 · High
│   │   ├── after_hours_access.kql          # RS-AHA-001 · T1078 · Medium
│   │   ├── data_exfiltration.kql           # RS-EXF-001 · T1048 · Critical
│   │   ├── ransomware_indicator.kql        # RS-RAN-001 · T1486 · Critical
│   │   ├── supply_chain_anomaly.kql        # RS-SUP-001 · T1195 · High
│   │   ├── supplier_impossible_travel.kql  # RS-SUP-002 · T1199 · Medium
│   │   └── privileged_role_addition.kql    # RS-PRA-001 · T1098 · High
│   ├── generic/                            # General-purpose SOC rules
│   │   ├── brute-force-login.kql           # GEN-001 · T1110
│   │   ├── bulk-file-access.kql            # GEN-002 · T1005
│   │   ├── c2-beacon.kql                   # GEN-003 · T1041
│   │   ├── dns-exfil.kql                   # GEN-004 · T1048
│   │   ├── rdp-lateral-movement.kql        # GEN-005 · T1021.001
│   │   └── suspicious-powershell.kql       # GEN-006 · T1059.001
│   └── README.md                           # Rule index with MITRE mapping
│
├── logic-apps/
│   ├── triage-classify/
│   │   └── workflow.json                   # Auto-triage and severity classification
│   ├── threat-intel-enrich/
│   │   └── workflow.json                   # IOC enrichment (AbuseIPDB, VirusTotal)
│   ├── containment/
│   │   ├── workflow.json                   # Block IP / Disable account / Isolate host
│   │   └── README.md
│   └── DEPLOYMENT.md                       # Step-by-step Logic App deployment guide
│
├── sentinel/
│   ├── workbooks/
│   │   └── retailshield-workbook.json      # Sentinel Workbook ARM template
│   ├── watchlists/
│   │   └── retail-ioc-watchlist.csv        # Sample IOC watchlist
│   ├── data-connectors/
│   │   └── connectors.json                 # Data connector definitions
│   └── README.md
│
├── docs/
│   ├── architecture.md
│   ├── threat-model.md
│   └── onboarding.md
│
├── scripts/
│   ├── validate_kql.py                     # KQL rule static validator (used by CI)
│   ├── validate_logicapps.py               # Logic App JSON validator (used by CI)
│   ├── retail_log_generator.py             # Sample retail log generator for testing
│   └── cve_scanner.py                      # CVE scanner utility
│
├── tests/
│   ├── detection-rules/
│   │   └── test_kql_rules.py
│   └── playbooks/
│       └── test_playbook_schema.py
│
├── CONTENT_PACK.md                         # How RetailShield maps to a Sentinel Solution
├── requirements.txt                        # Python dependencies for CI and tests
└── README.md                               # This file
```
## Quick start

### Prerequisites

| Requirement | Version |
|---|---|
| Azure Subscription | Active, with Microsoft Sentinel workspace |
| Azure CLI | Latest |
| Git | 2.40+ |
| Python 3.11+ | Only needed to run the local test suite |
### 1. Clone the repository

```bash
git clone https://github.com/tft444/retailshield.git
cd retailshield
git checkout dev
```

### 2. Deploy detection rules

Rules are deployed manually through the Microsoft Sentinel Analytics blade. There is no automated deployment script at this time.
For each `.kql` file in `detection-rules/retail/` (and optionally `detection-rules/generic/`):

- In the Azure Portal, open your Sentinel workspace → **Analytics** → **+ Create** → **Scheduled query rule**
- Set the rule name and description using the `// Rule ID` and `// Title` comments at the top of the file
- Paste the full contents of the `.kql` file into the **Set rule query** box
- Set **Run query every** and **Lookup data from the last** to match the `// Frequency` comment in the file
- Set severity from the `// Severity` comment
- Under **Automated response**, attach the relevant Logic App playbook (see the `// PlaybookTrigger` comment)
- Save and enable the rule

Repeat for each rule you want to enable.
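Because every portal field above is copied from a header comment in the rule file, a rule with a missing or malformed header is easy to deploy wrongly (no playbook attached, wrong lookback window, unbounded query). The following Python is an added example, not the project's own `scripts/validate_kql.py`, of a pre-deployment check for that header convention. It assumes the header lines take the form `// Key: value`, that Rule IDs follow the RS-XXX-NNN / GEN-NNN pattern shown in the folder structure, a frequency written as `15m`, `1h` or `1d`, and a severity set of Low/Medium/High/Critical; the two sample rule files are constructed and the table name in them is not the project's.

```python
import re

# Assumed header convention: a run of leading "// Key: value" comment lines.
HEADER_LINE = re.compile(r"^//\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.+?)\s*$")
REQUIRED = ("Rule ID", "Title", "Frequency", "Severity", "PlaybookTrigger")
# Rule ID shapes taken from the identifiers in the folder structure (RS-PHI-001, GEN-001).
RULE_ID = re.compile(r"^(RS-[A-Z]{3}-\d{3}|GEN-\d{3})$")
# Assumed period syntax: number plus m (minutes), h (hours) or d (days).
FREQUENCY = re.compile(r"^\d+[mhd]$")
SEVERITIES = {"Low", "Medium", "High", "Critical"}  # assumption; the README uses Medium/High/Critical


def parse_rule(text):
    """Split a .kql file into (header dict, query body). The header is the run
    of leading // comment lines; parsing stops at the first non-comment line."""
    header, lines, i = {}, text.splitlines(), 0
    while i < len(lines) and lines[i].lstrip().startswith("//"):
        m = HEADER_LINE.match(lines[i].strip())
        if m:
            header[m.group("key")] = m.group("value")
        i += 1
    return header, "\n".join(lines[i:]).strip()


def validate_rule(text):
    """Return a list of problems; an empty list means the file can be deployed
    by following the manual steps without guessing any field."""
    header, body = parse_rule(text)
    problems = []
    for key in REQUIRED:
        if not header.get(key):
            problems.append(f"missing header field: {key}")
    rid = header.get("Rule ID", "")
    if rid and not RULE_ID.match(rid):
        problems.append(f"Rule ID '{rid}' does not match RS-XXX-NNN or GEN-NNN")
    sev = header.get("Severity", "")
    if sev and sev not in SEVERITIES:
        problems.append(f"Severity '{sev}' not in {sorted(SEVERITIES)}")
    freq = header.get("Frequency", "")
    if freq and not FREQUENCY.match(freq):
        problems.append(f"Frequency '{freq}' should look like 15m, 1h or 1d")
    if not body:
        problems.append("query body is empty")
    elif "TimeGenerated" not in body:
        # A scheduled rule without a time bound rescans the whole table on every run.
        problems.append("query does not reference TimeGenerated; scheduled rules should bound the time window")
    return problems


# Constructed sample rule files (not the project's rules).
GOOD_RULE = """\
// Rule ID: RS-GCF-001
// Title: Gift card fraud - rapid high-value activations per terminal
// Frequency: 15m
// Severity: High
// PlaybookTrigger: notify_soc
GiftCardEvents_CL
| where TimeGenerated > ago(15m)
| summarize Activations = count(), Total = sum(Amount_d) by TerminalId_s, bin(TimeGenerated, 5m)
| where Activations > 20 or Total > 5000
"""

BAD_RULE = """\
// Rule ID: RS-GCF-1
// Title: Broken example
// Frequency: often
// Severity: Urgent
GiftCardEvents_CL
| summarize count() by TerminalId_s
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(name, validate_rule(text) or "OK")
```

Running the check over `detection-rules/**/*.kql` in CI, alongside the project's existing validators, turns "I forgot to attach the playbook" into a failed build rather than a silent gap in response coverage.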
### 3. Deploy Logic App playbooks

See `logic-apps/DEPLOYMENT.md` for the full step-by-step guide.

```bash
az login
az account set --subscription "<YOUR_SUBSCRIPTION_ID>"
az deployment group create \
  --resource-group "<RESOURCE_GROUP>" \
  --template-file logic-apps/triage-classify/workflow.json
```

### 4. Run the local test suite (optional)

```bash
pip install -r requirements.txt
pytest tests/ -v
```

## Contributing

Contributions are welcome. Please open an issue first to discuss proposed changes, then submit a pull request against the `dev` branch.
- Fork the repository
- Create a feature branch: `git checkout -b feature/your-feature`
- Commit with clear messages
- Push and open a pull request against `dev`
## Author

Tanvir Farhad
Security Engineer, ShieldTech Ltd, London
## License

MIT © 2025 Tanvir Farhad, ShieldTech Ltd
