Deploy Detection Rules and Investigation Playbooks Today — Free.
These aren't reference documents. They're production artifacts you deploy into Sentinel this afternoon. Detection rules that catch real attacks. Investigation playbooks that walk you through incidents step by step. KQL query packs that answer the questions your SOC asks every day. Download, deploy, and share with your team — no account required.
Practical Threat Hunting in Microsoft 365
After deploying these, your team runs proactive hunts against AiTM, OAuth abuse, data exfiltration, and lateral movement — instead of waiting for alerts that may never fire.
Threat Hunting KQL Starter Pack
10 production-ready hunt queries. Each includes: objective, detailed breakdown, what it searches for, how to analyze results, when to use it, and operational notes. Covers AiTM detection, TrendRatio anomaly, external sharing, backup disruption, ransomware tools, new country sign-in, OAuth consent, C2 beaconing, service account anomaly, and after-hours activity.
AiTM Hunt Playbook
Introduction to threat hunting (what it is, why it matters, who should do it) followed by a complete investigation walkthrough for AiTM credential phishing. 7-query funnel from orientation through campaign scope expansion, 5-dimension analysis framework, worked classification examples, and detection rule conversion.
Practical Incident Response: Windows & Microsoft 365
After deploying these, your Sentinel workspace catches AiTM, BEC, token replay, consent phishing, and insider exfiltration automatically — and your team has step-by-step playbooks for investigating each one when an alert fires.
Detection Rule Pack — 29 Sentinel Analytics Rules
Complete KQL detection rules for AiTM credential phishing (8 rules), BEC financial fraud (6 rules), token replay and session hijacking (5 rules), consent phishing and OAuth abuse (5 rules), and insider threat data exfiltration (5 rules). Includes an introduction to detection rule design principles, and each rule has: objective, complete KQL query, detailed breakdown, what it searches for, how to analyze the results, when to deploy, and operational guidance.
Investigation Playbooks — 5 Complete Walkthroughs
Step-by-step investigation procedures for AiTM credential phishing, business email compromise, token replay and session hijacking, consent phishing and OAuth abuse, and insider threat. Includes an introduction to incident investigation methodology, and each playbook walks through the full cycle: scoping, evidence collection with KQL queries, analysis, containment with ordered action sequences, eradication, and reporting.
SOC Operations
After deploying these, your SOC analysts build detection rules that produce actionable alerts (not noise) and investigate credential theft end-to-end using a tested 5-phase methodology.
Sentinel Analytics Rules — Design, Build, Test, and Deploy
A complete guide to building detection rules that produce actionable alerts. Includes a basic rule template for quick deployments, a comprehensive production template with full metadata and a review checklist, a best-practice worked example (an AiTM token replay rule with a completed 30-day review showing an 87% TP rate), and a detailed testing and troubleshooting section covering pre-deployment validation, the 14-day evaluation process, common problems with fixes, and ongoing maintenance.
Credential Theft Investigation Playbook
A complete KQL-based investigation walkthrough for credential compromise in Microsoft 365. Five phases: confirm the compromise (sign-in analysis, failed auth patterns, token replay detection), determine attacker actions (mailbox activity timeline, persistence mechanisms), determine scope (phishing campaign search, lateral movement, privilege escalation), containment (8-step ordered sequence with verification), and post-incident hardening (control gap assessment by attack method, detection rule deployment).
Mastering KQL for Cybersecurity
After deploying these, your team has a structured query library that answers recurring investigation questions consistently — and a playbook for tracing a malicious email from initial delivery through post-click compromise.
KQL Investigative Query Template Library
A structured approach to building and maintaining a production KQL query library. Includes 5 query templates (single-table investigation, baseline comparison, cross-table correlation, population-wide sweep, operational health check), 3 fully completed best-practice examples with a documentation standard, and a detailed testing and troubleshooting section covering 4-test validation, common problems with fixes, and library maintenance.
Malicious Email Delivery Investigation Playbook
A complete KQL-based investigation walkthrough for suspicious email delivery in Microsoft 365. Six phases: identify the email (search by sender, URL, or attachment hash), determine campaign scope (recipient count, delivered vs blocked ratio), track user interactions (Safe Links click analysis, ClickAllowed vs ClickBlocked), assess post-click impact (sign-in correlation, mailbox activity, persistence), remediation (inbox purge, indicator blocking, user notification), and post-incident hardening (detection gap analysis, rule deployment).
Prerequisites
All detection rules and KQL queries require Microsoft Sentinel or Defender XDR Advanced Hunting with the relevant data tables populated. Replace northgateeng.com with your domain wherever it appears. The IR detection rule packs require a CorporateExternalIPs watchlist in Sentinel containing your external IP ranges.
These resources are extracted from courses that go much deeper.
The detection rules and playbooks above are a starting point. The courses teach you to write your own — rules tuned to your environment, playbooks for your threat model, queries that answer your team's questions. Start with the free modules.