Blog


Entra ID Attack & Defense: Exploiting App-Only Microsoft Graph Permissions
Welcome back! ENTRA GOAT is a free vulnerable Entra ID lab developed by Semperis for the cyber community. According to them, it is designed to help cyber professionals better understand Entra ID concepts and attack paths. What we have been doing here is stepping through the various attack paths and then investigating them in our Splunk SIEM to find detection or hunt opportunities. I hope you guys enjoyed Scenario 1. We are going to get started on Scenario 2 where we will
Mar 9 · 11 min read


Entra ID: Azure→Splunk Log Pipeline using Azure Event Hub
This article is an update to Entra ID Attack & Defense: Building an Azure→Splunk Log Pipeline. We will be migrating our log pipeline from using the Microsoft Graph API to configuring diagnostic settings to stream Azure logs to an Event Hub, and then into Splunk. In reviewing how the current logging pipeline works, I noticed that our log visibility across non-interactive sign-ins was limited. In the Splunk Add-on for Microsoft Azure docs it tells us that the sign-in input onl
Feb 12 · 8 min read


How to pass the Microsoft SC-200
Hey guys, welcome to my review and tips and tricks on preparing for the SC-200. The SC-200 exam is one that I've been putting off for a few years as I've been working with Defender XDR for some time, but I finally decided to tackle it. As of yesterday, February 04, 2026, I am now a Microsoft Certified: Security Operations Analyst. Prep for this cert started around mid December 2025. I told myself I was going to get it in 2 weeks, but ended up rescheduling four times (yikes!).
Feb 5 · 7 min read


Entra ID Attack & Defense: Investigating Service Principal Misuse with EntraGoat
In the first article, we spent time setting up the foundation: getting Entra ID audit logs and sign-in logs flowing into Splunk through a dedicated ingestion pipeline. If you haven't gone through that setup yet, I recommend starting there as everything we do in this post depends on having those logs available and searchable. ENTRA GOAT: In this article we will be working through setting up ENTRAGOAT, an intentionally vulnerable Microsoft Entra ID lab created by Semperis. If
Dec 4, 2025 · 11 min read


Entra ID Attack & Defense: Building an Azure→Splunk Log Pipeline
It’s been about five months since my last post, life has been busy as I’ve been ramping up in my new Threat Response role. The learning curve has been thrilling. Over the past few months I’ve been deepening my understanding of detection engineering, incident response, and how attackers move across a much wider set of technologies beyond the traditional Windows stack. Now I’m shifting gears again, and I figured I shouldn’t leave you all behind. I’m going to spend some time bre
Nov 16, 2025 · 6 min read


Investigating Forwarding Rule Alerts on Shared Mailboxes
A question well posed is a problem half solved: investigating mailbox forwarding alerts on shared mailboxes. This past week, I was asked: "How can...
Jun 1, 2025 · 3 min read


Simulating a Real-World Attack: The Logs Don't Lie
This is the final part in the Breach and Containment series that I have worked on this weekend. In the first part, we played the role of...
May 25, 2025 · 9 min read


Simulating a Real-World Attack: The Breach Begins
In this post, we’re going to simulate a breach on an endpoint in our domain, investigate the activity through logs, and build the...
May 25, 2025 · 8 min read


Amadey Malware - Investigation Walkthrough
I have recently been doing Cyber Defenders labs in their Blue Yard Cyber range to get more reps in from a DFIR perspective. This week we...
Apr 2, 2025 · 7 min read


Building a Web Scraper with Python
I've been working on my Python skills for Cybersecurity, taking on various projects that expose me to various facets of Python that would...
Mar 23, 2025 · 11 min read


Building a Port Scanner with Python
One of my goals for this year was to work on improving my programming skills. The way I have been approaching this is by revisiting...
Mar 9, 2025 · 3 min read


Automating Response SOAR EDR - Building an Interactive Slack App (Bonus Section)
Part 1: Setup LimaCharlie sensor and exploring the telemetry and benefits of the EDR Part 2: Integrating our SOAR (Tines) and the...
Feb 25, 2025 · 12 min read


Automating Response SOAR EDR - The SOAR (Tines) Playbook - Part B
Part 1: Setup LimaCharlie sensor and exploring the telemetry and benefits of the EDR Part 2: Integrating our SOAR (Tines) and the...
Feb 25, 2025 · 8 min read


Automating Response SOAR EDR - The SOAR (Tines) Playbook - Part A
Part 1: Setup LimaCharlie sensor and exploring the telemetry and benefits of the EDR Part 2: Integrating our SOAR (Tines) and the...
Feb 25, 2025 · 8 min read


Automating Response SOAR EDR - Tines and Slack Integration
Part 1: Setup LimaCharlie sensor and exploring the telemetry and benefits of the EDR Part 2: Integrating our SOAR (Tines) and the...
Feb 25, 2025 · 4 min read


Automating Response SOAR EDR - LimaCharlie Setup
Part 1: Setup LimaCharlie sensor and exploring the telemetry and benefits of the EDR Part 2: Integrating our SOAR (Tines) and the...
Feb 25, 2025 · 8 min read


How to Ace the GCIH
SEC504 and the GCIH Exam: Insights and Preparation. In my last certification review post back in November 2024, found here:...
Feb 9, 2025 · 5 min read


Streamlining Incident Response: Using PowerShell to Compare Baselines and Detect IoCs
How PowerShell Can Fast-Track Your Security Incident Investigations. In cybersecurity, the ability to quickly identify deviations from a...
Jan 22, 2025 · 3 min read


How to ACE the GIAC Certified Forensic Examiner (GCFE) Exam
Taking on FOR500 and sitting the GCFE Exam: Insights and Preparation. It's been a minute since I last made a blog post, but as you can see...
Nov 26, 2024 · 8 min read


Unlocking the Windows Registry: A Hidden Goldmine for Cyber Threat Detection 🔒🛡️
A guide to Detecting and Mitigating Registry-Based Persistence Mechanisms. The Windows Registry is often an underutilized asset in the...
Oct 28, 2024 · 4 min read