Threat Hunting

User Audit Investigation Workbook: Deploy in Minutes, Investigate in Seconds

All right class. This is the workbook I wish people

KQL User Audit Playbook V2: The Insider Threat Investigation Guide

All right class. This is a continuation of my previous

Teams Threat Protection: What Actually Changed and What You Can Actually Hunt

All right class Your SOC has limited visibility into Teams.

Threat Analytics in Microsoft Defender: What It Actually Does and Why Your SOC Needs It

All right class. You're doing your SOC investigations

Hunting in Microsoft Sentinel: What Hunting Actually Is and Why You Need It

Terminology matters here. Microsoft uses these words in specific ways,

Building a Brute Force Detection Query: How To Think Through Network Logon Failures

All right class, take your seats. This post is about

Continuous Export to Log Analytics: Getting Defender for Cloud Data Where You Need It

Alright, class. You've got Defender for Cloud on.

The KQL User Audit Playbook: Your Template for Investigations

Alright, class. Take your seats. It’s 3 PM on

The KQL Playbook (Play #4): The Correlation Play - Joining Tables and Enriching Data

Alright, class. Take your seats. In our last play, we

The KQL Playbook (Play #3): Mastering Strings, Timestamps, and Ugly JSON

Alright, class. Welcome back to the KQL Playbook. In our