Skill UI

Executes Azure Monitor activity and sign-in log queries using azure-monitor-query to spot suspicious admin operations, impossible travel, privilege escalation, and resource changes, supporting incident investigations and cloud SIEM detections.

Deploy Microsoft Sentinel as a cloud-native SIEM and SOAR platform, configure multi-cloud connectors, author KQL detection rules, and automate incident responses to support centralized SOC threat hunting.

Detect Azure AD/Entra ID lateral movement by correlating Microsoft Graph audit logs, sign-in anomalies, and Sentinel KQL rules to surface credential abuse, token theft, and cross-tenant pivots, then automate responses via playbooks.

Analyze domain controller Kerberos logs to spot Golden Ticket TGT anomalies such as RC4 encryption, impossible lifetimes, missing TGT requests, and forged PAC signatures, letting SOC teams hunt credential abuse and persistent AD footholds with Splunk or KQL queries.

Proactively hunt threats in Elastic Security SIEM with KQL/EQL queries, Timeline investigations, and detection rules, helping SOC teams validate ATT&CK techniques, investigate anomalies, and close coverage gaps when automated alerts miss adversaries.