Cyber for all
Stay informed, stay secure, and stay one step ahead of adversaries with KQL
Local Windows accounts remain a challenge during incident response. As an incident responder you probably recognize the struggle of responding to incidents that involve local accounts: the response capabilities for AD or Entra accounts are there, and native password reset, account disable and token rotation features exist in the portal, but for local accounts these functions are not supported. This blog describes how you can close this gap using a single script to combat incidents in which local accounts are used in the attack chain.
Deep dive into detection engineering best practices focusing on KQL performance, readability, and maintainability for Microsoft Sentinel and Defender XDR.
Last week I noticed John Lambert's post about a new Kusto operator, lift, and thought this is something that needs further investigation. The lift operator takes a tabular structure as input and "lifts" the data into a graph for a visual representation. We all know that visualizing data in graphs is beneficial, as it can give other perspectives on the data and, by doing so, allow you to identify new things.
Detection engineering is far more than writing a couple of rules and being done; it is about building resilient, high-quality detections that catch evolving threats. This blog series covers both the technical and the process-related best practices of detection engineering. These best practices help you build better custom detections or analytics rules and optimize the process in which these detections are deployed and analysed. The series starts with three parts and will be expanded over time as additional detection best practice blogs are added.
Explore Microsoft Defender for Endpoint timeline internals, OneCyber telemetry, MITRE mapping, and DFIR workflows using exported timeline data, jq and KQL.
Learn how to monitor new actions in Microsoft Sentinel and Defender XDR with KQL, Logic Apps, and Graph API. Automate weekly reports and improve SOC detection engineering.