In this course, you’ll master identity threat hunting with Microsoft’s security stack. Learn how to build complex Kusto Query Language (KQL) queries to detect threats and anomalies across your environment, set up real-time alerts, and automate investigations to crush response times. We’ll show you how Sentinel and Defender XDR team up for full visibility into identity-based attacks, privilege abuse, and shady sign-ins. By the end, you’ll be running automated hunts and slashing response times like a pro.

Identity Threat Hunting: A Modern KQL Approach

Introduction to Identity Threat Hunting

Why Identity is the New Security Perimeter

Overview of Microsoft Security Suite (Entra, Sentinel, Defender)

Role of Threat Hunting in Modern SOCs

Understanding Identity Threats

Common Identity Attack Vectors

Indicators of Compromise for Identity-Based Attacks

Microsoft Entra and Identity Logs

Key Log Sources for Identity Threat Hunting

KQL Fundamentals for Identity Hunting

KQL Syntax and Query Basics

Advanced KQL for Identity Threat Detection

Correlating Identity Data Across Multiple Sources

Using Joins and Summarize for Complex Queries

Real-Time Alerts and Automation

Configuring Sentinel Analytics Rules for Identity

Defender for Identity Deep Dive

Investigating Alerts in Defender for Identity

End-to-End Hunting Scenarios

Detecting Compromised Accounts in Real Time

Investigating OAuth Abuse and Privilege Escalation

Building a Full Hunting Workflow

Reporting and Continuous Improvement

Best Practices for Continuous Threat Hunting

Your logs deserve better.