Detection & Threat Hunting

Step-by-step exercises on investigations, attack patterns, hunting techniques, and useful KQL workflows.

Featured detection labs

Use this category page to organize practical investigations, threat hunting walkthroughs, and query-driven exercises for defenders.

Beginner

Introduction to Threat Hunting Workflows

Learn how to move from alert review into structured hunting by building hypotheses, validating activity, and documenting findings.

KQL

Useful KQL Queries for Microsoft Investigations

Practice hands-on KQL for sign-ins, suspicious process activity, email abuse, and investigation pivots across Microsoft security data.

Investigation

Build an Investigation from a Single Alert

Start with one detection and work outward through users, hosts, processes, timestamps, and related activity to tell the full story.

Attack Patterns

Recognize Common Initial Access Patterns

Walk through phishing, credential abuse, and suspicious remote access patterns to understand how attackers first get a foothold.

Endpoint

Hunting for Suspicious Process Chains

Examine parent-child process relationships, command lines, and execution context to identify suspicious behavior beyond single alerts.

Email

Investigating a Possible Email Compromise

Follow a realistic scenario involving inbox rules, mailbox changes, sign-in anomalies, and message activity to validate compromise.

What this category covers

This section helps readers quickly understand the kind of hands-on security content they can expect before they dive into individual labs.

Investigations: Alert triage, pivoting, timelines, and practical methods for turning telemetry into findings.

Threat hunting: Hypothesis-based hunting, attacker behavior patterns, and repeatable workflows for finding hidden activity.

KQL workflows: Reusable query patterns for Microsoft environments, investigation pivots, and hunting-focused data analysis.