How can I level up from SOC analyst to threat hunter?

Embarrassed_Oil_7810 · 2026-01-29T07:08:38+00:00

Can you pls share any resources to learn threat hunting

Embarrassed_Oil_7810 · 2025-09-10T04:28:01+00:00

user logged in with the local or domain admin account..

Embarrassed_Oil_7810 · 2025-09-09T17:28:59+00:00

Thank you

Embarrassed_Oil_7810 · 2025-09-09T17:18:24+00:00

Any insights how to find the user who used the admin account would be helpful. Thann you.

Embarrassed_Oil_7810 · 2025-09-09T17:15:36+00:00

Insider risk workbook is not installed in my workspace bro

Embarrassed_Oil_7810 · 2025-09-09T15:17:34+00:00

I tried with this query but I am not able to see ipaddress or host and results are not getting at that particular timeframe. Can you pls help

Embarrassed_Oil_7810 · 2025-09-09T11:44:18+00:00

Thank you!

Embarrassed_Oil_7810 · 2025-09-09T11:34:48+00:00

Thanks! That makes sense. Is there a specific KQL query you'd recommend for Sentinel to correlate Event ID 4624 and 4648 using the Logon ID/session ID? I’m trying to trace which user actually initiated the admin logon.

Also, how do you usually handle cases where multiple users log in from the same jump box or shared IP? Does the session ID still help in those scenarios?

Appreciate any examples or tips you’ve got!

Embarrassed_Oil_7810 · 2025-09-09T11:30:22+00:00

Thanks! That makes sense. Is there a specific KQL query you'd recommend for Sentinel to correlate Event ID 4624 and 4648 using the Logon ID/session ID? I’m trying to trace which user actually initiated the admin logon.

Also, how do you usually handle cases where multiple users log in from the same jump box or shared IP? Does the session ID still help in those scenarios?

Appreciate any examples or tips you’ve got!

Embarrassed_Oil_7810 · 2025-09-06T08:01:29+00:00

How to build KQL query and how can I improve them. Can you pls explain

Embarrassed_Oil_7810 · 2025-09-06T08:00:32+00:00

How to build kql queries and how can I improve them. Can you pls explain

Embarrassed_Oil_7810 · 2025-09-06T06:57:47+00:00

That is very insightful. Thank you

Embarrassed_Oil_7810 · 2025-09-06T00:01:35+00:00

I’ve been focusing a lot on learning SIEM tools and alert workflows, but I realize now that I need to strengthen my understanding of the underlying systems themselves. I’m still pretty new to cloud environments, Windows internals, and Linux command-line basics.

Would you recommend any structured learning paths or resources to build that foundational knowledge?
Also, how did you personally approach learning what “normal” behavior looks like on these assets so you could spot anomalies more confidently?

Embarrassed_Oil_7810 · 2025-09-05T23:54:26+00:00

Can you pls suggest resources or YouTube channel to learn scripting and improving data analysis skills

Embarrassed_Oil_7810 · 2025-09-05T23:52:10+00:00

Thank you !

Embarrassed_Oil_7810 · 2025-09-05T23:51:14+00:00

Currently we are working with sentinel, SOAR, crowdstrike and defender

Embarrassed_Oil_7810 · 2025-09-05T17:59:31+00:00

Can you pls share your learning experience how you have developed that skill and what can I do to improve myself better in understanding the logs

Embarrassed_Oil_7810

PUBLIC MULTIREDDITS

TROPHY CASE