Cloud-native SIEM & SOAR: from deployment to advanced threat hunting.
📂 Script Repository. Deployment and configuration scripts
Provision a Log Analytics workspace, deploy Microsoft Sentinel, configure the Azure Active Directory data connector, and create a basic analytics rule for failed sign-ins.
Write KQL queries to detect password-spray and brute-force patterns, create a scheduled analytics rule with entity mapping, and validate with simulated events.
Create a Logic App playbook that auto-enriches incidents with threat intelligence, posts to Teams, isolates compromised accounts, and updates remediation evidence.
Build hunting queries mapped to MITRE ATT&CK techniques, use bookmarks, configure livestream queries, and create a hunting coverage workbook.
Unified threat protection across endpoints, email, identity, and cloud apps.
📂 Script Repository. KQL hunting queries and cross-product investigations
Enable the unified security portal, connect all Defender products, configure incident routing, and triage cross-product incidents with correlated alerts.
Write advanced hunting queries joining DeviceEvents, EmailEvents, and IdentityLogonEvents to trace a multi-stage attack across your enterprise.
Create custom detection rules using KQL, configure automated investigation and response, set up suppression rules, and validate detection accuracy.
Full incident response lifecycle: detection, investigation, containment, eradication, and recovery across endpoints, email, identity, and cloud apps.
Endpoint protection: onboarding, ASR rules, ransomware investigation, and EDR policies.
📂 Script Repository. Detection tests, ransomware simulation, and sensor validation
Plan deployment rings, create onboarding packages via Group Policy and Intune, deploy to Windows Server 2022, and troubleshoot onboarding failures.
Audit your attack surface, deploy ASR rules in audit mode via Intune, analyze impact reports, transition to block mode, and configure exclusions.
Trigger a safe ransomware simulation, trace the attack chain, analyze process trees, collect an investigation package, and perform live response remediation.
Configure next-gen protection, enable EDR in block mode, create custom indicators, set up device groups with RBAC, and build automated investigation playbooks.
Deploy network protection, disable QUIC/ECH for non-Edge browsers, create custom IP/URL/domain indicators, troubleshoot silent enforcement failures, and validate with KQL.
Master all Defender AV modes (Active, Passive, EDR Block, Disabled). Map what works with CrowdStrike for MDA unsanctioned app blocking, custom indicators, network protection, and endpoint DLP.
Cloud security: Defender plans, CSPM, workload hardening, and multi-cloud protection.
📂 Script Repository. Defender plan deployment and protection configuration
Activate Defender for Servers, configure auto-provisioning, review Secure Score, resolve top recommendations, and validate protection on production VMs.
Enable CSPM, create custom security initiatives, configure governance rules, map controls to regulatory frameworks, and build a compliance dashboard.
Set up JIT VM access policies, configure adaptive application controls, enable file integrity monitoring, and create workflow automations for auto-remediation.
Connect AWS to Defender for Cloud, deploy Azure Arc on EC2, extend CSPM cross-cloud, and build a multi-cloud security posture dashboard.
Discover AI workloads, assess AI model risks, configure DSPM for AI policies, monitor AI data flows, and build an AI security governance dashboard.
SaaS security: shadow IT discovery, session controls, risky OAuth apps, and cloud DLP.
📂 Script Repository. App discovery, session policies, and OAuth governance
Configure Cloud Discovery with log uploads, analyze shadow IT findings, risk-score unsanctioned apps, and create governance policies to block high-risk services.
Connect enterprise SaaS apps via API connectors, configure Conditional Access App Control, create session policies, and test enforcement end-to-end.
Audit OAuth app permissions, identify over-privileged apps, create policies for risky consent grants, revoke suspicious access, and remediate compromised accounts.
Create file policies with DLP content inspection, configure automatic sensitivity labeling, set up alert workflows, and generate compliance reports for auditors.
Discover shadow AI and LLM apps across the organization, assess AI app risk scores, configure session policies for AI tools, and monitor sensitive data shared with AI services.
Identity security: sensor deployment, threat detection, attack path investigation, and posture assessments.
📂 Script Repository. Recon, credential theft, lateral movement, and DCSync simulations
Plan sensor placement, install sensors on domain controllers, configure ports and gMSA service accounts, verify portal health, and resolve installation issues.
Set up honeytoken accounts, tag sensitive entities, tune lateral movement and privilege escalation alerts, and configure SOC notification policies.
Simulate pass-the-hash and golden ticket attacks, trace in the MDI timeline, analyze lateral movement paths, and perform identity-focused remediation.
Remediate MDI security assessments, fix unsecure account attributes, deploy LAPS, disable legacy protocols, and build an identity maturity dashboard.
Email and collaboration security: protection policies, phishing simulations, and BEC investigations.
📂 Script Repository. Phishing simulation, mail flow rules, and Safe Links/Attachments
Create Safe Attachments with dynamic delivery, configure Safe Links URL scanning, enable internal sender protection, and validate with simulated malicious content.
Design a credential-harvesting campaign, target user groups, analyze click rates, assign security awareness training, and track completion rates.
Set up anti-phishing with impersonation protection, configure ZAP for email and Teams, create layered anti-spam policies, and validate SPF/DKIM/DMARC.
Analyze email headers, trace mail flow, identify compromised mailbox rules, review Threat Explorer data, apply remediation actions, and create post-incident rules.
Cloud identity risk detection: risky sign-ins, leaked credentials, and risk-based Conditional Access.
Enable Entra ID Protection, configure user risk and sign-in risk policies, set up risk-based Conditional Access, investigate risky users, and integrate with Defender XDR.
Create layered Conditional Access policies for sign-in and user risk, configure MFA registration, set up named locations, and monitor policy effectiveness.
Investigate identity-based attacks in the unified Defender XDR portal, correlate with endpoint and email evidence, contain compromised accounts, and build detection rules.
Create identity security dashboards tracking MFA adoption, Conditional Access coverage, legacy auth usage, risk remediation rates, and design an identity maturity roadmap.
Risk-based vulnerability assessment: software inventory, security baselines, and remediation tracking.
Configure Defender Vulnerability Management, assess vulnerabilities by exploitability and business impact, create remediation tasks, evaluate security baselines, and build dashboards.
Assess endpoints against CIS and Microsoft security baselines, identify configuration drift, create remediation plans, and generate audit-ready compliance reports.
Identify internet-facing vulnerabilities, exposed services, and browser extension risks. Build exposure monitoring and establish continuous attack surface management.
Correlate vulnerability data with active threat campaigns, exploit intelligence, and MITRE ATT&CK techniques. Build threat-informed remediation priorities.
OAuth app visibility: monitor data access, detect anomalous behaviour, and enforce app compliance.
Enable App Governance, monitor OAuth apps accessing M365 data, create policies for overprivileged apps, investigate app threats, and enforce consent controls.
Enable threat detection for anomalous OAuth app behaviour, credential changes, privilege escalation, cross-tenant activity, and integrate with automated response.
Audit the OAuth app estate, implement admin consent workflows, conduct access reviews, set up dormant app cleanup, and build compliance dashboards.
Investigate OAuth supply chain attacks, detect compromised app indicators, contain and remediate breaches, harden tenant defences, and build incident response playbooks.
Data security, governance & compliance: sensitivity labels, DLP, insider risk, eDiscovery, communication compliance, records management, and more.
📂 Script Repository. DLP policy deployment and eDiscovery content searches
Create a sensitivity label taxonomy, configure visual markings and encryption, publish to pilot groups, set up auto-labeling, and monitor with Activity Explorer.
Create DLP policies with custom sensitive information types, configure policy tips and notifications, set up incident reports, and tune rules for accuracy.
Deploy Endpoint DLP, configure USB, print, clipboard, and cloud upload monitoring, create DLP policies for sensitive data on devices, and investigate alerts in the XDR portal.
Deploy DLP for Teams chat, channels, and Exchange email. Configure policy tips, handle shared channels and meetings, and build incident management workflows.
Investigate DLP violations correlated with endpoint, identity, and cloud app signals. Trace data exfiltration, create custom detection rules, and automate response.
Build executive DLP dashboards, unify policies across workloads, create PCI-DSS and GDPR compliance evidence, measure program effectiveness, and design a DLP maturity roadmap.
Deploy Endpoint DLP across all Defender AV modes. Map which DLP activities work with CrowdStrike, understand MDE sensor dependency, and troubleshoot silent failures.
Configure prerequisites, create insider risk policies for departing employees, set up priority user groups, investigate alerts, and escalate to eDiscovery.
Create a Premium eDiscovery case, add custodians, build KQL search queries, process review sets, apply predictive coding, and export for legal counsel.
Set up communication monitoring for regulatory compliance, configure Audit Standard & Premium with retention policies, and deploy retention labels with adaptive scopes.
Declare regulatory records with event-based retention, enforce Chinese walls with information barrier policies, and run compliance assessments with Compliance Manager.
Configure DSPM for AI in Microsoft Purview, discover AI data flows, classify sensitive training data, monitor AI interactions with labeled content, and enforce responsible AI compliance policies.
AI-powered security operations: promptbooks, threat intelligence, and SOC workflow automation.
Activate Security Copilot with SCU capacity planning, configure data source plugins, run natural-language investigation prompts, and evaluate response accuracy.
Design a multi-step triage promptbook, create reusable prompt templates, share with the SOC team, and measure Mean Time to Triage improvements.
Connect TI plugins, build IOC enrichment prompts, create a daily threat briefing workflow, and integrate Copilot outputs with Sentinel watchlists.
Design a complete SOC workflow: automated triage, cross-product investigation, executive report generation, and post-incident lessons-learned documentation.
Explore Copilot embedded in Defender XDR, Sentinel, Entra, Intune, and Purview. Apply Zero Trust principles with Conditional Access, least privilege roles, PIM, and phased deployment.
Build a Microsoft AI agent that auto-acknowledges non-critical messages, generates draft replies for critical messages with human-in-the-loop review via Adaptive Cards, using M365 Agents SDK, Graph API, and Azure OpenAI.
Build real MCP servers: implement security tools, deploy to Azure, and create multi-server AI agents.
Scaffold a TypeScript MCP server, implement KQL query tools, add Azure AD authentication with MSAL, test with the MCP Inspector, and connect to Claude Desktop.
Build an MCP server for XDR incident management and advanced hunting, implement Zod validation, add resource endpoints, and configure multi-user access.
Containerize with Docker, deploy to Azure Container Apps with managed identity, configure SSE transport, set up monitoring, and integrate with a production app.
Create an AI agent connecting Sentinel, XDR, and TI MCP servers, implement cross-server correlation, build automated triage workflows, and deploy as an enterprise security copilot.