Sentinel

detecting-service-account-abuse is a threat-hunting skill for finding service account misuse across Windows, AD, SIEM, and EDR telemetry. It focuses on suspicious interactive logons, privilege escalation, lateral movement, and access anomalies, with a hunt template, event IDs, and workflow references for repeatable investigation.

detecting-azure-service-principal-abuse helps detect, investigate, and document suspicious Microsoft Entra ID service principal activity in Azure. Use it for Security Audit, cloud incident response, and threat hunting to review credential changes, admin consent abuse, role assignments, ownership paths, and sign-in anomalies.

detecting-azure-lateral-movement helps security analysts hunt lateral movement in Azure AD/Entra ID and Microsoft Sentinel using Microsoft Graph audit logs, sign-in telemetry, and KQL correlation. Use it for incident triage, detection engineering, and security audit workflows covering consent abuse, service principal misuse, token theft, and cross-tenant pivoting.

detecting-fileless-attacks-on-endpoints helps build detections for memory-only attacks on Windows endpoints, including PowerShell abuse, WMI persistence, reflective loading, and process injection. Use it for Security Audit, threat hunting, and detection engineering with Sysmon, AMSI, and PowerShell logging.

deploying-edr-agent-with-crowdstrike helps plan, install, and verify CrowdStrike Falcon sensor rollout across Windows, macOS, and Linux endpoints. Use this deploying-edr-agent-with-crowdstrike skill for install guidance, policy setup, telemetry-to-SIEM integration, and Incident Response readiness.

building-threat-hunt-hypothesis-framework helps you build testable threat hunt hypotheses from threat intelligence, ATT&CK mapping, and telemetry. Use this building-threat-hunt-hypothesis-framework skill to plan hunts, map data sources, run queries, and document findings for threat hunting and building-threat-hunt-hypothesis-framework for Threat Modeling.

building-detection-rules-with-sigma helps analysts build portable Sigma detection rules from threat intel or vendor rules, map them to MITRE ATT&CK, and convert them for SIEMs like Splunk, Elastic, and Microsoft Sentinel. Use this building-detection-rules-with-sigma guide for Security Audit workflows, standardization, and detection-as-code.

building-cloud-siem-with-sentinel is a practical guide for deploying Microsoft Sentinel as a cloud SIEM and SOAR layer. It covers multi-cloud log ingestion, KQL detections, incident investigation, and Logic Apps response playbooks for Security Audit and SOC operations. Use this building-cloud-siem-with-sentinel skill when you need a repo-backed starting point for centralized cloud security monitoring.