
Defender XDR + Sentinel: Advanced Threat Scenarios

Real-world attack scenarios demonstrating how Microsoft's unified XDR and SIEM platform detects, investigates, and remediates advanced threats, with Security Copilot AI acceleration at every step.

How XDR + SIEM + Copilot Work Together

Defender XDR handles automated correlation across 9 security products. Sentinel extends this with custom KQL analytics, third-party data, and Logic App playbook automation. Security Copilot provides AI-powered investigation, natural language queries, and automated reporting.

Detection & Response Pipeline

Defender XDR
• 9 products send telemetry
• Auto-correlation engine
• AIR automated remediation
• 78% of incidents resolved automatically
Microsoft Sentinel
• 300+ data connectors
• Custom KQL analytics rules
• UEBA user behaviour analytics
• Logic App playbook SOAR
Security Copilot
• Natural language → KQL
• Incident summarisation
• Threat intel enrichment
• Automated report generation
Logic App Playbooks
• Auto-containment actions
• ITSM ticket creation
• Stakeholder notifications
• Evidence preservation

Security Frameworks & Acronyms Used

Each scenario is tagged with industry-standard security frameworks. Here is what they mean and why they matter.

🔒 Zero Trust Security Model

Zero Trust is a security strategy that assumes no user, device, or network is trustworthy by default, even inside the corporate network. Every access request is fully authenticated, authorised, and encrypted before access is granted. It is built on three principles:

Verify Explicitly
Always authenticate and authorise based on all available data: identity, location, device health, service, data classification, and anomalies.
Least Privilege Access
Limit user access to only what they need, only when they need it. Use just-in-time access, risk-based policies, and data protection controls.
Assume Breach
Operate as if attackers are already inside. Minimise blast radius, segment access, verify encryption, use analytics to detect threats, and improve defences continuously.

📋 NIST Cybersecurity Framework (CSF 2.0)

Created by the U.S. National Institute of Standards and Technology, the NIST CSF is one of the most widely adopted frameworks for organising cybersecurity activities. When you see badges like NIST: Detect · Respond, they identify which NIST functions a scenario exercises:

| Code | Function | What It Means | Example Activities |
|---|---|---|---|
| GV | Govern | Establish and monitor the cybersecurity risk management strategy and policies | Risk assessments, security policies, compliance requirements |
| ID | Identify | Understand your assets, risks, and business context | Asset inventory, risk assessment, supply chain risk |
| PR | Protect | Implement safeguards to prevent or limit impact | MFA, encryption, endpoint protection, access controls |
| DE | Detect | Discover cybersecurity events using monitoring and analytics | SIEM alerts, XDR correlation, anomaly detection, KQL hunting |
| RS | Respond | Take action to contain the damage when an incident is detected | Containment, forensics, communication, playbook execution |
| RC | Recover | Restore services after an incident and apply lessons learned | System restoration, backup recovery, post-incident review |

📖 Key Acronyms

These acronyms appear throughout the scenarios:

| Acronym | Full Name | What It Does |
|---|---|---|
| XDR | Extended Detection & Response | Unified platform correlating alerts from all Defender products into single incidents |
| MDE | Microsoft Defender for Endpoint | Protects endpoints: detects malware, ransomware, and suspicious behaviour |
| MDO | Microsoft Defender for Office 365 | Protects email: blocks phishing, malicious attachments, and unsafe links |
| MDI | Microsoft Defender for Identity | Monitors Active Directory for identity-based attacks and lateral movement |
| MDA | Microsoft Defender for Cloud Apps | Monitors cloud app usage, detects shadow IT, enforces session controls |
| MDC | Microsoft Defender for Cloud | Protects cloud workloads across Azure, AWS, and GCP |
| AIR | Automated Investigation & Response | XDR automation that investigates and remediates without human intervention |
| KQL | Kusto Query Language | Query language used in Sentinel and Defender XDR to search security data |
| SCU | Security Compute Unit | Billing unit for Security Copilot AI processing capacity |
| UEBA | User and Entity Behaviour Analytics | Sentinel feature building behavioural baselines and detecting anomalies |
| SOAR | Security Orchestration, Automation & Response | Automated playbooks (Logic Apps) for incident response |
| APT | Advanced Persistent Threat | A prolonged, targeted cyberattack where an intruder gains access and remains undetected |
| IOC | Indicator of Compromise | Evidence (IP addresses, file hashes, domains) that a system has been breached |
| C2 | Command and Control | Server or channel an attacker uses to communicate with compromised systems |

Advanced Threat Scenario Timelines

Full kill chain timelines showing how sophisticated threat actors operate, and how Defender XDR, Sentinel, and Security Copilot detect and respond at each stage.

🏴 Nation-State APT (SC1)

Day 0. Initial Access
Spear-Phishing PDF
Storm-1234 sends weaponised PDF to procurement team via compromised vendor email.
T1566.001
Day 1. Execution
DLL Side-Loading
PDF exploit drops PowerShell loader. Legitimate signed binary loads malicious DLL.
T1574.002
Day 3-14. Persistence
Golden Ticket and C2
KRBTGT hash extracted. Golden Ticket forged. DNS tunnelling established for C2 and data exfiltration.
T1558.001 · T1071.004
Day 14. Detection
Multi-Product Correlation
MDE detects DLL anomaly. MDI flags Golden Ticket. Sentinel KQL catches DNS tunnelling patterns.
MDE · MDI · Sentinel
Day 14. Response
APT Containment
Copilot profiles Storm-1234 TTPs. KRBTGT rotated twice. DNS sinkhole deployed. All C2 channels severed.
Copilot · DFARS 7012
Day 15-21. Recovery
Full Remediation
AD forest recovery. 37 new detection rules deployed. Threat hunting programme established.
Recovery

📦 Supply Chain Compromise (SC2)

Day 0. Compromise
Poisoned RMM Update
Trusted RMM vendor build system compromised. Backdoor injected into signed update package.
T1195.002
Day 1. Distribution
4,200 Servers Updated
Auto-update distributes backdoored agent to 4,200 production servers across 8 data centres.
T1072 Software Deployment
Day 2-5. Exploitation
Credential Harvesting
Backdoor harvests service account credentials. Cloud-based C2 established via legitimate SaaS endpoints.
T1003 Credential Dumping
Day 5. Detection
Behavioural Anomaly
MDE flags agent spawning unexpected child processes. Sentinel baseline KQL detects deviation from 90-day norm.
MDE · Sentinel KQL
Day 5-6. Response
Quarantine and Rollback
Copilot compares binary hashes. All 4,200 servers quarantined. Clean version force-deployed via SCCM.
Copilot · SOX Compliance
Day 7-14. Recovery
Vendor Audit
Vendor build pipeline audited. Code signing requirements tightened. Supply chain monitoring deployed.
Recovery

☁ Multi-Cloud Attack Path (SC3)

Hour 0. Discovery
AWS IAM Key Exposed
Developer accidentally pushes AWS IAM access key to public GitHub repository.
T1552.001 Credentials in Files
Hour 2. AWS Exploitation
AWS Resource Discovery
Attacker enumerates S3 buckets, Lambda functions, and cross-account roles using stolen IAM key.
T1580 Cloud Discovery
Hour 4. Cross-Cloud Pivot
Azure Federation Abuse
Attacker discovers AWS-to-Azure federated trust. Pivots to Azure AD via SAML token forgery.
T1199 Trusted Relationship
Hour 6-10. Impact
AKS Cryptominer + Data Exfil
Cryptominer deployed on AKS cluster. 142K records exfiltrated from Cosmos DB.
T1496 Cryptomining · T1567 Exfil over Web
Hour 10. Detection
Cross-Cloud Correlation
MDC detects AKS anomaly. Sentinel correlates AWS CloudTrail with Azure sign-in logs. Copilot maps full path.
MDC · Sentinel · Copilot
Hour 11-14. Response
Multi-Cloud Containment
AWS key rotated, Azure sessions revoked, AKS pods terminated, Cosmos DB network locked, GitHub secret scanning enabled.
PCI DSS Breach

🔍 Proactive Threat Hunting (SC4)

Week 1. Hunt 1
LOLBin Detection
Copilot-generated KQL finds certutil downloading payload on 3 medical imaging workstations.
T1218 LOLBins
Week 2. Hunt 2
Dormant Service Account
Hunt finds svc-radiology-backup active from Eastern European IP after 8 months of inactivity.
T1078 Valid Accounts
Week 3. Hunt 3
Anomalous Data Access
Billing employees accessing 10x normal patient records. Investigation reveals data selling scheme.
HIPAA Violation
Week 4. Hunt 4
Shadow IT Discovery
340 files containing PHI uploaded to unsanctioned cloud storage services by 12 employees.
T1567 Exfil over Web
Month 2+. Programme
Ongoing Results
24 hunts conducted. 9 active threats found. 37 new detection rules created. 75% time saved with Copilot.
9 Threats · 37 Rules · 75% Faster

Scenario 1: Nation-State APT Campaign (MITRE ATT&CK Full Kill Chain)

Assume Breach NIST: Identify · Protect · Detect · Respond · Recover

📋 Enterprise Scenario

Organisation: Defence contractor · 25,000 employees · classified and unclassified environments · US Government CMMC Level 2 required
Adversary: Nation-state threat actor (tracked as Storm-1234) conducting long-term espionage campaign targeting defence supply chain
Attack chain: Spear-phishing with weaponised PDF → exploit-based initial access → DLL side-loading → Golden Ticket forging → domain-wide persistence → data staging and exfiltration over DNS tunnelling

Full Kill Chain: Attack Progress vs. Detection

| Kill Chain Phase | MITRE Technique | Attacker Action | Detection Product | Detection Method |
|---|---|---|---|---|
| 1. Initial Access | T1566.001 | Spear-phishing PDF to procurement team | MDO | Safe Attachments detonation; PDF triggers exploit in sandbox |
| 2. Execution | T1203 · T1059.001 | PDF exploit drops PowerShell loader | MDE | AMSI scan detects obfuscated PS script; ASR blocks child process |
| 3. Persistence | T1574.002 | DLL side-loading via legitimate signed binary | MDE | Behavioural detection: unsigned DLL loaded by signed process |
| 4. Credential Access | T1558.001 | Golden Ticket forging using krbtgt hash | MDI | Anomalous TGT with abnormal lifetime and encryption type |
| 5. Lateral Movement | T1021.002 | SMB admin share access to file servers | MDI + MDE | Abnormal lateral movement path; first-time SMB connection |
| 6. Collection | T1560.001 | Data staged in compressed archives | MDE | High-volume file access + compression on sensitive file share |
| 7. Exfiltration | T1048.003 | DNS tunnelling to exfil compressed data | Sentinel | Custom KQL: high-entropy DNS queries to newly registered domain |

1 Detection: Custom KQL Analytics Rules

📡 Sentinel: DNS Tunnelling Exfiltration Detection

// Sentinel Analytics Rule: DNS Tunnelling Detection
// Severity: High | Run: every 15 min | Look back: 1 hour
// Requires the DnsEvents table (DNS Analytics / Windows DNS server connector)
let knownDomains = externaldata(Domain:string)
    [@"https://raw.githubusercontent.com/contoso/secops/main/allowlist.csv"]
    with (format="csv");
DnsEvents
| where TimeGenerated > ago(1h)
| where QueryType in ("TXT", "CNAME", "MX") // Tunnelling favours TXT; A/AAAA tunnels need a separate, noisier rule
| where isnotempty(Name)
| extend Labels = split(trim_end(@"\.$", Name), ".") // Drop a trailing dot so the last label is the TLD
| extend SubdomainLength = strlen(tostring(Labels[0]))
// Naive registered-domain extraction: last two labels (mis-splits co.uk-style suffixes)
| extend DomainPart = strcat(tostring(Labels[-2]), ".", tostring(Labels[-1]))
| where DomainPart !in (knownDomains) // Exclude corporate and known-good domains
| where SubdomainLength > 30 // Long first label = encoded data
| summarize QueryCount = count(),
            AvgSubdomainLen = avg(SubdomainLength),
            UniqueSubdomains = dcount(Name),
            SampleQueries = make_set(Name, 5) by ClientIP, DomainPart
| where QueryCount > 50 and UniqueSubdomains > 30 // Many distinct long names to one domain
| extend TunnellingScore = QueryCount * AvgSubdomainLen / 100
| where TunnellingScore > 50
| project TimeGenerated=now(), ClientIP, DomainPart, QueryCount,
          UniqueSubdomains, TunnellingScore, SampleQueries

Entity mapping: IP → ClientIP | MITRE: T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Tactic: Exfiltration

📡 Sentinel: Golden Ticket Anomaly Detection

// Detect TGT anomalies indicating Golden Ticket usage
// MDI ships built-in "Suspected Golden Ticket usage" alerts; this rule complements them.
// The AdditionalFields keys below (TicketExpiry, EncryptionType) are illustrative:
// verify them against the fields your MDI sensor version actually emits.
IdentityLogonEvents
| where Timestamp > ago(1h)
| where Protocol == "Kerberos" and ActionType == "LogonSuccess" // Protocol, not LogonType, carries the auth protocol
| where Application == "Active Directory"
| extend TicketExpiry = todatetime(AdditionalFields.TicketExpiry)
| where isnotnull(TicketExpiry)
| extend TicketLifetime = datetime_diff('hour', TicketExpiry, Timestamp)
| where TicketLifetime > 10 // Default max TGT lifetime = 10 hours; forging tools default to years
| extend EncryptionType = tostring(AdditionalFields.EncryptionType)
| where EncryptionType == "RC4_HMAC" // Classic Golden Tickets use RC4; AES-forged tickets need a lifetime-only variant
| summarize Count=count(), Devices=make_set(DeviceName)
    by AccountUpn, TicketLifetime, EncryptionType
| project Timestamp=now(), AccountUpn, TicketLifetime,
          EncryptionType, AnomalyReason="TGT lifetime exceeds policy; RC4 encryption", Devices

2 Security Copilot Investigation

Prompt: “Analyse the threat actor profile for the IP addresses and domains in this incident. Cross-reference with Microsoft Threat Intelligence.”

Result: Copilot identifies the C2 infrastructure as linked to Storm-1234 (nation-state actor targeting defence sector). Returns 14 associated IOCs including 8 domains and 6 IPs from Microsoft TI database. Maps all MITRE techniques used to known Storm-1234 TTPs.

Prompt: “Calculate the total data exfiltrated via DNS tunnelling. Estimate the volume from subdomain encoding.”

Result: Copilot analyses DNS query patterns: 12,400 unique subdomains × ~180 bytes encoded per query = ~2.2 MB estimated data exfiltration. Cross-references with file staging activity to identify 3 compressed archives totalling 2.1 MB matching the estimate.

Prompt: “Generate a KQL query to hunt for any other devices in our organisation that have communicated with the same C2 infrastructure.”

// Copilot-generated hunt, corrected for the Sentinel schemas: DnsEvents has no Timestamp
// or RemoteUrl column, so each table is normalised before the union instead of
// filtering after it (the original filter silently dropped every DnsEvents row).
let c2Domains = dynamic(["cdn-update.example.com",
    "api-sync.example.net", "telemetry-v2.example.org"]);
let c2IPs = dynamic(["203.0.113.45", "198.51.100.22"]);
let endpointHits = DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where RemoteUrl has_any (c2Domains) or RemoteIP in (c2IPs)
| project TimeGenerated, Host = DeviceName,
          Indicator = iff(isempty(RemoteUrl), RemoteIP, RemoteUrl), Source = "DeviceNetworkEvents";
let dnsHits = DnsEvents
| where TimeGenerated > ago(30d)
| where Name has_any (c2Domains)
| project TimeGenerated, Host = ClientIP, Indicator = Name, Source = "DnsEvents"; // ClientIP is the querying host; Computer is the DNS server
union endpointHits, dnsHits
| summarize FirstContact=min(TimeGenerated), LastContact=max(TimeGenerated),
    ConnectionCount=count() by Host, Indicator, Source
| extend DaysActive = datetime_diff('day', LastContact, FirstContact)
| sort by FirstContact asc

3 Automated Response & Containment

Sentinel Playbook: “APT-ContainAndReport”

  1. Network isolation: MDE API isolates all 6 compromised devices; allow communication only to MDE cloud service for continued monitoring
  2. Block IOCs globally: Push all 14 IOCs (8 domains + 6 IPs) to MDE custom indicators, Sentinel TI feed, and firewall deny lists via API
  3. Disable compromised identities: Entra ID API disables 4 compromised accounts, revokes all tokens, removes from all security groups
  4. Reset krbtgt: Generate a change request ticket for the double krbtgt password reset that invalidates forged Golden Tickets. The KDC accepts tickets signed with the current and the previous krbtgt key, so only the second reset cuts off the attacker; space the two resets by at least the maximum ticket lifetime (10 hours by default) and wait for full AD replication in between, or legitimate tickets fail and services break
  5. Trigger forensic collection: MDE investigation packages collected from all 6 devices; disk images initiated for 2 critical servers
  6. Notify CISO + Legal: Automated email with Copilot-generated executive briefing; Teams alert to IR commander; government reporting clock started (DFARS 7012 = 72 hours)

4 Lessons Learned

| Finding | Remediation | Solution |
|---|---|---|
| No DNS anomaly monitoring | Deploy Sentinel DNS tunnelling detection rule (as shown above) | Sentinel KQL |
| krbtgt password never rotated | Implement quarterly krbtgt rotation with MDI health alerts | MDI + Sentinel |
| DLL side-loading not detected | Enable MDE behavioural monitoring for unsigned DLL loads by signed executables | MDE custom detection |
| No government breach reporting automation | Add DFARS 7012 notification step to all severity-high playbooks | Sentinel + Logic App |

Scenario 2: Software Supply Chain Compromise

Assume Breach NIST: Identify · Detect · Respond

📋 Enterprise Scenario

Organisation: Financial services firm · 30,000 endpoints · SOX compliance required
Attack: The firm’s IT management vendor (RMM platform) is compromised. A poisoned update includes a backdoor trojan that communicates via legitimate cloud services (Azure Blob, AWS S3) to evade detection. The trojan deploys a credential harvester designed to target financial application service accounts.
Challenge: The malicious payload arrives as a legitimate signed update from a trusted vendor. Traditional signature-based detection cannot catch it. Attack surface: 8,000 servers running the RMM agent.

1 Detection

Multiple products detect different stages of the supply chain attack:

  • MDE: Behavioural anomaly. RMM agent (trusted process) spawns PowerShell that accesses LSASS memory. This never happened before across 8,000 monitored agents.
  • MDC: Cloud workload protection detects suspicious outbound traffic from Azure VMs to unusual Azure Storage endpoints not in the organisation’s subscription.
  • MDA: Anomalous cloud traffic pattern. RMM process making API calls to unknown cloud storage endpoints.
  • Sentinel: Custom KQL rule detects new child processes spawned by the RMM agent process that were never seen in the 90-day behavioural baseline.

📡 Sentinel: Supply Chain Process Anomaly KQL

// Detect new child processes from trusted software agents
// Builds a 90-day baseline and alerts on novel process trees.
// Needs 90+ days of DeviceProcessEvents in the workspace (Defender's own advanced
// hunting keeps 30 days), or a summary table refreshed daily.
let trustedAgents = dynamic(["rmmservice.exe", "rmmagent.exe"]);
let baseline = DeviceProcessEvents
| where Timestamp between (ago(90d) .. ago(1d))
| where InitiatingProcessFileName in~ (trustedAgents)
| distinct FileName;
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName in~ (trustedAgents)
| where FileName !in~ (baseline)  // NEW process never seen before (case-insensitive)
| where FileName !in~ ("updater.exe","msiexec.exe") // Known update processes
| summarize DeviceCount=dcount(DeviceName),
            Devices = make_set(DeviceName, 10),
            Commands = make_set(ProcessCommandLine, 5) by FileName
| where DeviceCount >= 3 // Widespread = coordinated deployment
| project TimeGenerated=now(), FileName, DeviceCount, Devices, Commands,
          AlertReason = "New child process from trusted agent across multiple devices"
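The baseline-and-deviation logic of the rule above, as an added example that is not part of the original page: implemented in Python over a constructed list of DeviceProcessEvents-style records so it can be run offline. Agent, device and process names are invented, and the fixed NOW value keeps the result reproducible. Like the KQL it matches process names case-insensitively, ignores the known updater processes, and only alerts when the novel child appears on several devices.

```python
"""Trusted-agent child process baseline: added example, not the page's rule.
All events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TRUSTED_AGENTS = {"rmmservice.exe", "rmmagent.exe"}
KNOWN_UPDATE_PROCESSES = {"updater.exe", "msiexec.exe"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def ev(days_ago, device, parent, child, cmd):
    return {"Timestamp": NOW - timedelta(days=days_ago), "DeviceName": device,
            "InitiatingProcessFileName": parent, "FileName": child,
            "ProcessCommandLine": cmd}


# Constructed sample: three months of normal agent activity, then a new child
# process appearing fleet-wide in the last day.
SAMPLE_EVENTS = (
    [ev(d, f"srv-{d % 7:02d}", "RMMAgent.exe", "updater.exe", "updater.exe /check")
     for d in range(2, 90)]
    + [ev(30, "srv-01", "rmmservice.exe", "powershell.exe", "powershell -File inventory.ps1")]
    + [ev(0.5, f"srv-{i:02d}", "rmmagent.exe", "rundll32.exe",
          r"rundll32 C:\ProgramData\rmm\cache\upd.dll,Run") for i in range(5)]
    + [ev(0.2, "srv-90", "rmmagent.exe", "notepad.exe", "notepad.exe")]            # one device only
    + [ev(0.1, "srv-01", "rmmservice.exe", "powershell.exe", "powershell -enc QQBCAEMA")]  # child seen in baseline
    + [ev(0.1, "srv-02", "explorer.exe", "rundll32.exe", "rundll32 shell32.dll,Control_RunDLL")]  # not an agent child
)


def detect_novel_children(events, baseline_days=90, window_days=1, min_devices=3, now=NOW):
    """Flag child processes of trusted agents that never appeared in the
    baseline window and were seen on at least min_devices devices in the
    detection window."""
    baseline_start = now - timedelta(days=baseline_days)
    window_start = now - timedelta(days=window_days)
    agent_children = [e for e in events
                      if e["InitiatingProcessFileName"].lower() in TRUSTED_AGENTS]
    baseline = {e["FileName"].lower() for e in agent_children
                if baseline_start <= e["Timestamp"] < window_start}
    recent = defaultdict(lambda: {"devices": set(), "commands": set()})
    for e in agent_children:
        child = e["FileName"].lower()
        if (e["Timestamp"] < window_start or child in baseline
                or child in KNOWN_UPDATE_PROCESSES):
            continue
        recent[child]["devices"].add(e["DeviceName"])
        recent[child]["commands"].add(e["ProcessCommandLine"])
    alerts = [{"FileName": child, "DeviceCount": len(r["devices"]),
               "Devices": sorted(r["devices"]), "Commands": sorted(r["commands"]),
               "AlertReason": "New child process from trusted agent across multiple devices"}
              for child, r in recent.items() if len(r["devices"]) >= min_devices]
    return sorted(alerts, key=lambda a: (-a["DeviceCount"], a["FileName"]))


if __name__ == "__main__":
    for alert in detect_novel_children(SAMPLE_EVENTS):
        print(alert["FileName"], alert["DeviceCount"], alert["Commands"])
```

Only rundll32.exe is reported: powershell.exe was already in the 90-day baseline, notepad.exe appeared on a single device, and the explorer.exe-spawned rundll32 is not an agent child at all. The same data with min_devices=1 also surfaces the single-device notepad.exe case, which is the trade-off the device-count threshold makes between noise and a targeted, single-host deployment.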

2 Security Copilot Investigation

“Compare the file hash of the current RMM agent binary against the last known-good version. Is the binary modified or newly signed?”

Result: Binary hash does not match the vendor's published hash. Code signature is valid but issued 3 days ago (vs. 6 months for the known-good version). Certificate chain includes a new intermediate CA, which points to potentially compromised signing infrastructure.

“How many of our 8,000 servers received the poisoned update? Which ones have already executed the backdoor?”

Result: 4,200 servers received the update. 1,800 have executed the backdoor payload. 340 show credential harvesting activity. 12 financial application service accounts have been compromised.

“Generate the SOX impact assessment: which financial systems were accessed with the compromised service accounts?”

Result: 3 of 12 compromised service accounts had access to SAP financial modules. Copilot cross-references with SAP Sentinel connector logs: no unauthorised financial transactions detected yet. SOX auditors should be notified within 24 hours.

3 Automated Response

Sentinel Playbook: “SupplyChain-QuarantineAndRollback”

  1. Kill malicious processes: MDE API stops the backdoor process on all 1,800 affected servers (batch operations, 50 servers/minute)
  2. Block cloud C2: Add the attacker’s cloud storage URLs to MDE network indicators and firewall ACLs
  3. Quarantine binary: MDE quarantines the poisoned RMM agent binary fleet-wide
  4. Rotate credentials: Entra ID API rotates all 12 compromised service account passwords and revokes tokens
  5. Rollback to safe version: Deploy the last known-good RMM agent via SCCM emergency deployment task sequence
  6. Vendor notification: Automated email to vendor CISO with IOCs and supply chain compromise evidence

4 Lessons Learned

| Finding | Remediation | Solution |
|---|---|---|
| No process baseline for trusted agents | Deploy Sentinel analytics rule to baseline trusted software behaviour | Sentinel KQL |
| RMM agent had LSASS access | Enforce Credential Guard and LSASS protection on all servers | MDE + Windows Security |
| No vendor update hash verification | Implement hash allowlist verification before deploying vendor updates | SCCM + custom automation |
| Service accounts over-privileged | Implement just-in-time access for financial application service accounts | Entra ID PIM |

Scenario 3: Multi-Cloud Attack Path Exploitation

Verify Explicitly NIST: Protect · Detect · Respond

📋 Enterprise Scenario

Organisation: E-commerce platform · Azure + AWS mixed environment · 500+ compute workloads · PCI DSS Level 1
Attack: Attacker compromises an AWS IAM user key exposed in a public GitHub repository. Uses it to access AWS resources, then pivots to Azure via a misconfigured Azure AD B2C trust relationship. Deploys a cryptominer on Azure Kubernetes Service and exfiltrates customer PII from a Cosmos DB instance.
Multi-cloud challenge: Traditional single-cloud security tools can’t see the cross-cloud attack path.

1 Detection: Cross-Cloud Visibility

| Stage | Cloud | Attacker Action | Detection |
|---|---|---|---|
| 1. Initial Access | AWS | Compromised IAM key from GitHub exposure | Sentinel: AWS CloudTrail connector detects API calls from new IP with exposed key |
| 2. Discovery | AWS | Enumerate S3 buckets, RDS instances, IAM roles | Sentinel: Anomalous spike in AWS API calls; 200+ discovery APIs in 5 minutes |
| 3. Privilege Escalation | AWS → Azure | Exploit Azure AD B2C federated trust to obtain Azure token | MDC: Cross-cloud identity anomaly; unfamiliar AWS role accessing Azure resources |
| 4. Execution | Azure | Deploy cryptominer pods to AKS cluster | MDC: Running container image not in allowed registry; CPU spike detected |
| 5. Exfiltration | Azure | Cosmos DB query dumping customer records | Sentinel: Cosmos DB diagnostic logs show full table scan from unauthorised principal |

📡 Sentinel: Cross-Cloud Lateral Movement Detection

// Detect AWS-to-Azure lateral movement via federated trust
// knownCorporateIPs was undefined in the original: define it as CIDR ranges (placeholders
// below) and match with ipv4_is_in_any_range() rather than exact IP equality.
let knownCorporateIPs = dynamic(["203.0.113.0/24", "198.51.100.0/24"]);
let awsSuspiciousIPs = AWSCloudTrail
| where TimeGenerated > ago(1h)
| where EventName in ("AssumeRole","AssumeRoleWithSAML","GetFederationToken")
| where not(ipv4_is_in_any_range(SourceIpAddress, knownCorporateIPs))
| distinct SourceIpAddress;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0" // Successful sign-ins only
| where IPAddress in (awsSuspiciousIPs)
| where AppDisplayName has "Azure" or ResourceDisplayName has "Azure"
| extend CrossCloudPivot = true
| project TimeGenerated, UserPrincipalName, IPAddress,
          AppDisplayName, Location, CrossCloudPivot,
          RiskLevelDuringSignIn, ConditionalAccessStatus // SigninLogs has no RiskLevel column
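The correlation the rule above performs, as an added example that is not part of the original page: implemented in Python over constructed AWSCloudTrail- and SigninLogs-style records. It is stricter than the rule in two ways: corporate egress is matched by CIDR rather than exact IP, and the Azure sign-in must occur after the AWS federation call within a bounded window, which the rule's shared one-hour lookback does not enforce. IP ranges, ARNs and UPNs are invented.

```python
"""AWS-to-Azure pivot correlation: added example, not the page's rule.
All telemetry below is constructed."""
import ipaddress
from datetime import datetime, timedelta, timezone

CORPORATE_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "10.0.0.0/8")]
FEDERATION_EVENTS = {"AssumeRole", "AssumeRoleWithSAML", "GetFederationToken"}


def t(hour, minute=0):
    return datetime(2024, 6, 1, hour, minute, tzinfo=timezone.utc)


def ct(ts, event, ip, arn):
    return {"TimeGenerated": ts, "EventName": event, "SourceIpAddress": ip,
            "UserIdentityArn": arn}


def signin(ts, upn, ip, app, result="0"):
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "IPAddress": ip,
            "AppDisplayName": app, "ResultType": result}


# Constructed telemetry: 198.51.100.7 assumes a role at 10:02, then an Entra
# sign-in from the same address reaches the Azure portal at 10:25.
CLOUDTRAIL = [
    ct(t(9, 5), "AssumeRole", "203.0.113.40", "arn:aws:iam::111122223333:user/ci-runner"),
    ct(t(10, 2), "AssumeRoleWithSAML", "198.51.100.7", "arn:aws:iam::111122223333:user/dev-leaked-key"),
    ct(t(10, 10), "ListBuckets", "198.51.100.7", "arn:aws:sts::111122223333:assumed-role/ReadOnly/dev"),
]
SIGNINS = [
    signin(t(10, 25), "svc-fed@contoso.com", "198.51.100.7", "Azure Portal"),
    signin(t(9, 50), "svc-fed@contoso.com", "198.51.100.7", "Azure Portal"),         # before the AWS call
    signin(t(9, 20), "alice@contoso.com", "203.0.113.40", "Azure Portal"),           # corporate egress
    signin(t(10, 30), "bob@contoso.com", "198.51.100.7", "Azure Portal", "50126"),   # failed sign-in
    signin(t(10, 40), "carol@contoso.com", "198.51.100.7", "Office 365 Exchange Online"),  # not an Azure app
]


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def find_cross_cloud_pivots(cloudtrail, signins, window=timedelta(hours=1)):
    """Return successful Azure sign-ins that follow, within `window`, an AWS
    federation call from the same non-corporate IP."""
    first_aws_call = {}
    for e in cloudtrail:
        if e["EventName"] in FEDERATION_EVENTS and not is_corporate(e["SourceIpAddress"]):
            ip = e["SourceIpAddress"]
            first_aws_call[ip] = min(first_aws_call.get(ip, e["TimeGenerated"]), e["TimeGenerated"])
    pivots = []
    for s in signins:
        aws_ts = first_aws_call.get(s["IPAddress"])
        if aws_ts is None or s["ResultType"] != "0" or "azure" not in s["AppDisplayName"].lower():
            continue
        delta = s["TimeGenerated"] - aws_ts
        if timedelta(0) <= delta <= window:          # sign-in must come after the AWS call
            pivots.append({"UserPrincipalName": s["UserPrincipalName"],
                           "IPAddress": s["IPAddress"],
                           "AppDisplayName": s["AppDisplayName"],
                           "AwsFederationCall": aws_ts,
                           "AzureSignIn": s["TimeGenerated"],
                           "MinutesAfterFederationCall": int(delta.total_seconds() // 60),
                           "CrossCloudPivot": True})
    return sorted(pivots, key=lambda p: p["AzureSignIn"])


if __name__ == "__main__":
    for p in find_cross_cloud_pivots(CLOUDTRAIL, SIGNINS):
        print(p["UserPrincipalName"], p["IPAddress"], p["MinutesAfterFederationCall"], "min after AssumeRole")
```

Only the 10:25 sign-in is reported: the 9:50 sign-in from the same IP predates the role assumption, Alice's comes from corporate egress, Bob's failed, and Carol's target is not an Azure app. Shrinking the window to ten minutes yields nothing, which is the knob to tune against how quickly an attacker with a fresh SAML assertion is expected to exchange it for an Entra token.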

2 Security Copilot Investigation

“Map the full cross-cloud attack path: from the AWS IAM key compromise to the Azure data exfiltration. Show every identity, permission, and resource accessed.”

Result: Copilot correlates CloudTrail + SigninLogs + MDC alerts into a visual attack path: AWS IAM User → IAM Role (via AssumeRole) → Azure AD B2C token (via federation) → AKS cluster (via Kubernetes RBAC) → Cosmos DB (via service connection string). Total of 6 identities and 14 resources touched.

“How many customer records were accessed from Cosmos DB? Generate the PCI DSS breach notification assessment.”

Result: Cosmos DB diagnostics show 142,000 records read containing cardholder data (name, last 4 digits, billing address). PCI DSS requires notification to acquiring bank within 24 hours and forensic investigation by PFI within 72 hours. Copilot generates the preliminary breach report for the QSA.

3 Automated Response

  1. AWS: Rotate compromised IAM key; apply deny-all policy to compromised role; enable GuardDuty findings forwarding to Sentinel
  2. Azure: Revoke Azure AD B2C federated token; restrict federation trust to specific IP ranges
  3. AKS: Delete cryptominer pods; apply network policy blocking outbound to mining pool IPs; scan all container images
  4. Cosmos DB: Rotate all access keys; restrict firewall to application VNet only; enable audit logging
  5. GitHub: Trigger GitHub secret scanning alert; rotate all secrets found in repository history

4 Lessons Learned

| Finding | Remediation | Solution |
|---|---|---|
| IAM key exposed in public repo | Enable GitHub Advanced Security secret scanning on all repos; no long-lived keys | GitHub + AWS STS |
| AWS-Azure federation too permissive | Restrict federation trust to specific AWS accounts and roles; add IP restrictions | Entra ID + AWS IAM |
| No container image allow-listing | Deploy MDC container image admission control; only allow from ACR | MDC + AKS + Azure Policy |
| Cosmos DB accessible from any Azure VNet | Restrict to application VNet + private endpoints; disable public access | Cosmos DB + Azure Networking |
| No cross-cloud attack path monitoring | Deploy Sentinel cross-cloud analytics rules correlating CloudTrail + Azure logs | Sentinel + MDC multi-cloud |

Scenario 4: Proactive Threat Hunting Programme

Assume Breach NIST: Detect · Respond

📋 Scenario

Organisation: Healthcare system · 50,000 endpoints · HIPAA compliance
Objective: Establish a structured weekly threat hunting programme using Copilot and Sentinel to proactively find threats before they trigger alerts. This scenario shows 4 hunts that discovered real threats.

1 Hunt 1: Living-off-the-Land Binaries (LOLBins)

Copilot Prompt: “Generate a KQL query to find unusual usage of certutil, bitsadmin, mshta, and regsvr32 on workstations in the last 30 days, excluding known IT admin devices.”

// Copilot-generated: LOLBin usage hunting query
// IdentityInfo lists people, not devices: the prompt's "IT admin devices" is approximated by
// excluding accounts whose department and title mark them as IT admins.
let lolbins = dynamic(["certutil.exe","bitsadmin.exe","mshta.exe",
    "regsvr32.exe","msbuild.exe","installutil.exe","cmstp.exe"]);
let itAdminAccounts = IdentityInfo
| where Department == "IT" and JobTitle has "admin"
| distinct AccountName;
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ (lolbins)
| where InitiatingProcessAccountName !in~ (itAdminAccounts)
| extend CmdLine = tolower(ProcessCommandLine)
// Remote fetch, UNC paths, decode/urlcache flags, DLL and script execution
| where CmdLine has_any ("http","ftp","\\\\","decode","-urlcache",
                          "/i:http","dll","javascript")
| summarize Count=count(),
            Devices=make_set(DeviceName, 10),
            SampleCmds=make_set(ProcessCommandLine, 3)
  by FileName, InitiatingProcessAccountName
| where Count >= 2
| sort by Count desc

Finding: certutil.exe used to download and decode a payload on 3 medical imaging workstations. Analyst escalated to an incident, which uncovered a compromised PACS (medical imaging) application.

2 Hunt 2: Dormant Service Accounts

Copilot Prompt: “Find service accounts that were dormant for 60+ days but became active in the last 7 days. Include what resources they accessed.”

// Hunt: Dormant service accounts reactivated
// Look back far enough to see the last pre-dormancy logon: the original 67-day window
// could never find an account idle for 142 days. Retention must cover this range.
// serviceAccts and dormantPeriod are projected to one column because the in() operator
// only accepts single-column tabular expressions.
let lookback = 180d;
let serviceAccts = IdentityInfo
| where AccountName startswith "svc-" or AccountName startswith "sa-"
| distinct AccountUpn;
let dormantPeriod = IdentityLogonEvents
| where Timestamp between (ago(lookback) .. ago(7d))
| where AccountUpn in (serviceAccts)
| summarize LastActive = max(Timestamp) by AccountUpn
| where LastActive < ago(60d);
IdentityLogonEvents
| where Timestamp > ago(7d)
| where AccountUpn in (dormantPeriod | project AccountUpn)
| summarize ReactivationTime = min(Timestamp),
            LogonCount = count(),
            TargetDevices = make_set(DeviceName, 10),
            SourceIPs = make_set(IPAddress, 5) by AccountUpn
| join kind=inner dormantPeriod on AccountUpn
| extend DormantDays = datetime_diff('day', ReactivationTime, LastActive)
| project AccountUpn, DormantDays, ReactivationTime, LogonCount,
          TargetDevices, SourceIPs

Finding: svc-radiology-backup (dormant 142 days) became active from an IP in Eastern Europe. Account was compromised via a password found in a leaked database. Immediate credential rotation and Entra ID CA policy applied.
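The dormancy-then-reactivation logic of the hunt above, as an added example that is not part of the original page: implemented in Python over constructed IdentityLogonEvents-style records, with the geolocation check an analyst runs next folded in as a stand-in GeoIP table and an allowlist of expected countries. Account names, devices, IPs and the country mapping are invented; the fixed NOW value keeps results reproducible.

```python
"""Dormant service account reactivation hunt: added example, not the page's
query. All logon records and the GEOIP table are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SERVICE_PREFIXES = ("svc-", "sa-")
EXPECTED_COUNTRIES = {"GB", "US"}
GEOIP = {"10.20.0.5": "GB", "10.20.0.9": "GB", "192.0.2.77": "BG"}   # constructed lookup


def logon(days_ago, upn, device, ip):
    return {"Timestamp": NOW - timedelta(days=days_ago), "AccountUpn": upn,
            "DeviceName": device, "IPAddress": ip}


SAMPLE_LOGONS = (
    [logon(d, "svc-sql-backup@contoso.local", "sql01", "10.20.0.5") for d in range(1, 90, 3)]  # steady use
    + [logon(142, "svc-radiology-backup@contoso.local", "pacs01", "10.20.0.9"),
       logon(2, "svc-radiology-backup@contoso.local", "pacs01", "192.0.2.77"),
       logon(1, "svc-radiology-backup@contoso.local", "fs-oncology", "192.0.2.77")]
    + [logon(70, "sa-reporting@contoso.local", "rpt01", "10.20.0.5"),
       logon(3, "sa-reporting@contoso.local", "rpt01", "10.20.0.5")]      # idle 67 days, expected geo
    + [logon(200, "alice@contoso.local", "wks1", "10.20.0.5"),
       logon(1, "alice@contoso.local", "wks1", "10.20.0.5")]              # not a service account
)


def find_reactivated_service_accounts(logons, lookback_days=180, window_days=7,
                                      min_dormant_days=60, now=NOW):
    """Service accounts with no logon for min_dormant_days before the detection
    window that logged on inside it. Accounts with no logon anywhere in the
    lookback are invisible here; find those from IdentityInfo, not logons."""
    lookback_start = now - timedelta(days=lookback_days)
    window_start = now - timedelta(days=window_days)
    last_active, recent = {}, defaultdict(list)
    for e in logons:
        if not e["AccountUpn"].lower().startswith(SERVICE_PREFIXES):
            continue
        ts = e["Timestamp"]
        if lookback_start <= ts < window_start:
            last_active[e["AccountUpn"]] = max(last_active.get(e["AccountUpn"], ts), ts)
        elif ts >= window_start:
            recent[e["AccountUpn"]].append(e)
    results = []
    for upn, events in recent.items():
        prior = last_active.get(upn)
        if prior is None or prior >= now - timedelta(days=min_dormant_days):
            continue
        reactivation = min(ev["Timestamp"] for ev in events)
        countries = sorted({GEOIP.get(ev["IPAddress"], "??") for ev in events})
        results.append({"AccountUpn": upn,
                        "DormantDays": (reactivation - prior).days,
                        "ReactivationTime": reactivation,
                        "LogonCount": len(events),
                        "TargetDevices": sorted({ev["DeviceName"] for ev in events}),
                        "SourceIPs": sorted({ev["IPAddress"] for ev in events}),
                        "SourceCountries": countries,
                        "UnexpectedGeo": any(c not in EXPECTED_COUNTRIES for c in countries)})
    # Unexpected geography first, then the longest dormancy.
    return sorted(results, key=lambda r: (not r["UnexpectedGeo"], -r["DormantDays"]))


if __name__ == "__main__":
    for r in find_reactivated_service_accounts(SAMPLE_LOGONS):
        print(r["AccountUpn"], r["DormantDays"], r["SourceCountries"], r["TargetDevices"])
```

Both dormant accounts are returned, but svc-radiology-backup sorts first because its only source country is outside the expected set and it touched a second host (fs-oncology) on reactivation; sa-reporting is the benign-looking case that still deserves a ticket to confirm who restarted the job. svc-sql-backup never goes quiet and alice is not a service account, so neither appears.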

3 Hunt 3: Anomalous Data Access Patterns

Copilot Prompt: “Find users who accessed patient records outside their department in the last 14 days. Cross-reference IdentityInfo department with EMR access logs.”

// Hunt: Cross-department patient record access
// Assumes EMR audit events are ingested into CloudAppEvents through a custom connector;
// the Application, ActionType and RawEventData field names depend on that connector.
CloudAppEvents
| where Timestamp > ago(14d)
| where Application == "Epic EMR" and ActionType == "PatientRecordView"
| extend PatientDepartment = tostring(RawEventData.PatientDept)
| join kind=inner (
    // IdentityInfo holds periodic snapshots: keep one row per account or counts inflate
    IdentityInfo
    | summarize arg_max(TimeGenerated, Department) by AccountUpn
    | project AccountUpn, StaffDepartment=Department
) on AccountUpn
| where PatientDepartment != StaffDepartment
| summarize CrossDeptViews = count(),
            PatientsViewed = dcount(tostring(RawEventData.PatientId)),
            Departments = make_set(PatientDepartment)
  by AccountUpn, StaffDepartment
| where CrossDeptViews > 20 // Threshold for investigation; tune per role (ED and pharmacy legitimately cross departments)
| sort by CrossDeptViews desc

Finding: 2 billing department employees accessed 80+ oncology patient records (not part of their role). Investigation revealed they were selling patient data. HIPAA violation reported; employees terminated.

4 Hunt 4: Shadow IT & Unsanctioned Cloud Services

Copilot Prompt: “What unsanctioned cloud apps are employees using to share files? Show the apps, the volume of data uploaded, and which departments.”

Result: Copilot queries MDA Shadow IT discovery and returns: 14 unsanctioned file-sharing apps detected. Top 3: WeTransfer (2.4 GB uploaded, 45 users), personal Dropbox (1.8 GB, 23 users), mega.nz (900 MB, 8 users). HR and Research departments are highest users. 340 files with PHI were uploaded to unsanctioned services.

Action: MDA deployed session controls blocking uploads of sensitive content to unsanctioned apps. Purview DLP endpoint policy deployed to block file uploads to known non-compliant cloud services. Employee training scheduled.

📊 Threat Hunting Programme Metrics (6-Month Review)

• 24 hunts conducted
• 9 real threats discovered
• 37 new detection rules created from hunts
• 75% analyst time saved via Copilot KQL generation
• 45 days average dwell-time reduction