From 4814bc36f39c3acaf8a5fc9af7053b6304568b38 Mon Sep 17 00:00:00 2001 From: Tanvir Farhad Date: Tue, 23 Jun 2026 20:28:17 +0000 Subject: [PATCH] Add animated system flowchart SVG to docs and README (closes #156) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CSS-animated, transparent-background SVG showing the RetailShield end-to-end flow: data sources → Sentinel ingestion → 24 KQL rules → incident engine → 3-step automated response → SOC portal modules → analyst output. Works on GitHub light and dark mode. Replaces the ASCII architecture block in README.md. --- README.md | 60 +-------- docs/images/retailshield_flow.svg | 200 ++++++++++++++++++++++++++++++ 2 files changed, 201 insertions(+), 59 deletions(-) create mode 100644 docs/images/retailshield_flow.svg diff --git a/README.md b/README.md index ae5cb27..9baf9fd 100644 --- a/README.md +++ b/README.md 
@@ -68,65 +68,7 @@ RetailShield closes that gap. ## Architecture -``` - RETAILSHIELD - Retail-specific threat detection & automated response - built natively for Microsoft Sentinel - -┌─────────────────────────────────────────────────────────────────┐ -│ 1. RETAIL DATA SOURCES │ -│ POS/Till · Identity (Azure AD) · Email/M365 · Network/Firewall │ -│ Endpoints · Supply Chain & Suppliers │ -└─────────────────────────────────────────────────────────────────┘ - │ - ▼ -┌─────────────────────────────────────────────────────────────────┐ -│ INGESTION → Microsoft Sentinel Log Analytics Workspace │ -│ Standard tables + custom POS table (HMAC-SHA256 signed) │ -└─────────────────────────────────────────────────────────────────┘ - │ - ▼ -┌─────────────────────────────────────────────────────────────────┐ -│ 2. DETECTION — 24 KQL rules mapped to MITRE ATT&CK │ -│ │ -│ Retail-specific (14): gift-card fraud · POS void/refund · │ -│ credential stuffing · MFA fatigue · phishing · ransomware · │ -│ supplier compromise · data exfil · AI voice fraud · POS │ -│ anomaly · privileged role abuse · after-hours · impossible │ -│ travel · TLS downgrade (PCI) │ -│ │ -│ Loss Prevention (4): void/refund abuse · gift card fraud · │ -│ sweethearting · after-hours POS transaction │ -│ │ -│ Generic SOC (6): brute force · bulk file access · C2 beacon · │ -│ DNS exfil · RDP lateral movement · suspicious PowerShell │ -└─────────────────────────────────────────────────────────────────┘ - │ - ▼ - Sentinel correlates alerts → INCIDENT (IP · account · host) - │ - ▼ -┌─────────────────────────────────────────────────────────────────┐ -│ 3. 
AUTOMATED RESPONSE & MITIGATION — 8 Logic App playbooks │ -│ │ -│ ┌────────────────┐ ┌────────────────┐ ┌──────────────────┐ │ -│ │ STEP 1 │──▶ STEP 2 │──▶ STEP 3 │ │ -│ │ Triage & │ │ Contain / │ │ UK Compliance │ │ -│ │ Enrich │ │ Mitigate │ │ Assistant │ │ -│ │ │ │ │ │ │ │ -│ │ classify + │ │ block IP · │ │ NCSC 24h + │ │ -│ │ severity · │ │ disable acct · │ │ ICO 72h tracking│ │ -│ │ threat-intel │ │ isolate host │ │ · drafts report │ │ -│ │ (VT/AbuseIPDB) │ │ (Defender) │ │ (assists human) │ │ -│ └────────────────┘ └────────────────┘ └──────────────────┘ │ -└─────────────────────────────────────────────────────────────────┘ - -MODULES: [Threat Detection: LIVE] [Compliance Centre: LIVE] [Vulnerability Scanner: LIVE] - [Loss Prevention: LIVE] [ChainShield: PLANNED] - -Validated in a controlled lab · published methodology (DOI 10.5281/zenodo.20608262) · avg ~22 min MTTD -A Sentinel-native content pack — not a standalone SIEM. -``` +![RetailShield system flow](docs/images/retailshield_flow.svg) --- diff --git a/docs/images/retailshield_flow.svg b/docs/images/retailshield_flow.svg new file mode 100644 index 0000000..cebc7af --- /dev/null +++ b/docs/images/retailshield_flow.svg 
@@ -0,0 +1,200 @@ + +RetailShield animated system flow +Animated end-to-end flow from retail data sources through Microsoft Sentinel detection to automated response and UK compliance output + + + + + + + + + + + + + + + + + + + + + +RetailShield — system flow +Retail data → Microsoft Sentinel detection → automated response → UK compliance + + + + DATA SOURCES + + POS / till + transactions, voids + + Identity + Azure AD, MFA, roles + + Email / M365 + phishing, file access + + Network + firewall, DNS, TLS + + Suppliers + B2B, invoices + + + + + + HMAC-SHA256 signed ingestion + + + + + + + + Microsoft Sentinel — Log Analytics workspace + SigninLogs · SecurityEvent · OfficeActivity · CommonSecurityLog · RetailShield_Logs_CL + + DETECTION — 20 KQL rules mapped to MITRE ATT&CK + + + + + + Retail-specific (14) + Gift-card fraud · POS void / refund + Credential stuffing · MFA fatigue + Phishing · Ransomware · Data exfil + AI voice fraud · POS anomaly + Supplier compromise · TLS downgrade + After-hours · Impossible travel + + + Generic SOC (6) + Brute force login + Bulk file access + C2 beacon · DNS exfil + RDP lateral movement + Suspicious PowerShell + + + + + + + + + Sentinel incident engine + correlates alerts → incident (IP · account · host · severity) + + + + + + AUTOMATED RESPONSE — 8 LOGIC APP PLAYBOOKS + + + + + + Step 1 — Triage + classify + set severity + VirusTotal · AbuseIPDB + threat-intel enrichment + + + + + + + Step 2 — Contain + block IP via NSG + disable AD account + isolate host (Defender) + + + Step 3 — Comply + NCSC 24h deadline + ICO 72h deadline + drafts incident report + assists human, never auto-files + + + + + + + SOC portal dashboard + real-time threat feed · incident timeline · KPI metrics · one-click simulation + + MODULES + + Threat detection + LIVE — 19 rules + + Compliance centre + LIVE — UK deadlines + + Vulnerability scanner + LIVE — passive + human review + + Loss prevention + planned + + ChainShield + planned + + + + + + + Analyst — 
threat already contained + enriched incident · compliance clock running · report drafted + + avg ~22 min MTTD + Validated in a controlled lab · DOI 10.5281/zenodo.20608262 + Sentinel-native content pack — not a standalone SIEM · ShieldTech Ltd, London + + +
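Review bot: The README hunk deletes statements that the replacement image does not carry consistently, so the README now contradicts itself depending on which artifact a reader trusts. The removed ASCII block counts "24 KQL rules" (14 retail + 4 loss prevention + 6 generic) and lists "[Loss Prevention: LIVE]", while the SVG that replaces it (second file in this patch) says "20 KQL rules", "LIVE — 19 rules" in the module box, and "Loss prevention / planned", with the four loss-prevention detections (void/refund abuse, gift card fraud, sweethearting, after-hours POS transaction) absent from its rule lists. Decide which count is current and fix the stale side before merging. Separately, the lab-validation claim, the DOI `10.5281/zenodo.20608262` and the caveat "A Sentinel-native content pack — not a standalone SIEM" survive only as text inside the image; keep at least that one-line caveat and the DOI as markdown under `![RetailShield system flow](docs/images/retailshield_flow.svg)` so they remain searchable, and give the image alt text that describes the flow rather than just naming it.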
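Review bot: The rule counts inside the SVG itself disagree: the detection band says "20 KQL rules" (14 + 6), the module box says "LIVE — 19 rules", and the commit message promises "24 KQL rules". Pick one number and make the three places agree, or the diagram will be wrong the day it is merged. The response step also needs a clearer statement of what is automatic versus approval-gated: "Step 2 — Contain / block IP via NSG / disable AD account / isolate host (Defender)" together with the analyst caption "threat already contained" reads as fully automatic containment of accounts and hosts on incident creation, while Step 3 is explicitly "assists human, never auto-files"; if any Step 2 action runs without an analyst approval gate, say so in the diagram (and in the README text) so operators deploying the 8 playbooks know the blast radius of a false positive. Minor: "Loss prevention / planned" here conflicts with the LIVE status the README previously stated, and "ShieldTech Ltd, London" appears for the first time in this diagram with no corresponding README text.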