In this course, we’ll dive deep into identity threat hunting using Microsoft’s security ecosystem. You’ll learn how to use Kusto Query Language (KQL) to detect identity threats and anomalies in Microsoft Entra, set up real-time alerts, and automate investigations to reduce response time. We’ll explore how Microsoft Sentinel and Defender XDR work together to provide end-to-end visibility into identity-based attacks, privilege misuse, and suspicious sign-in patterns. You’ll leverage automation, analytics, and advanced hunting techniques to stay ahead of evolving threats, with a major focus on building and refining KQL queries

Identity Threat Hunting: A Modern KQL Approach

Introduction to Identity Threat Hunting

Why Identity is the New Security Perimeter

Overview of Microsoft Security Suite (Entra, Sentinel, Defender)

Role of Threat Hunting in Modern SOCs

Understanding Identity Threats

Common Identity Attack Vectors

Indicators of Compromise for Identity-Based Attacks

Microsoft Entra and Identity Logs

Key Log Sources for Identity Threat Hunting

KQL Fundamentals for Identity Hunting

KQL Syntax and Query Basics

Advanced KQL for Identity Threat Detection

Correlating Identity Data Across Multiple Sources

Using Joins and Summarize for Complex Queries

Real-Time Alerts and Automation

Configuring Sentinel Analytics Rules for Identity

Defender for Identity Deep Dive

Investigating Alerts in Defender for Identity

End-to-End Hunting Scenarios

Detecting Compromised Accounts in Real Time

Investigating OAuth Abuse and Privilege Escalation

Building a Full Hunting Workflow

Reporting and Continuous Improvement

Best Practices for Continuous Threat Hunting

Your logs deserve better, give em a damn good dashboard.