SOC lead who has built detection pipelines and incident response playbooks from scratch. 8 years of separating real threats from false positives at 2 AM.
The 9 AM Call That Started the Audit
It is 9 AM on a Monday and the client’s CISO is on the bridge. Their Defender dashboard shows 1,847 enrolled Windows…

Two Alerts, Forty-Five Noise Events, and a Missed Lateral Move
It is 2 AM and your SIEM fires 47 alerts in three minutes. Forty-five are false positives. The other two…

Two Addresses, Two Investigations
Your SIEM fires a high-severity alert at 3 AM. A workstation on the finance VLAN just made an outbound connection to an IP address flagged in…

The Night a DNS Admin Became a Domain Admin
It was 11 PM on a Tuesday when the SIEM flagged a credential harvesting alert on a domain controller. Someone had…

Forty-Seven USB Drives Walk Into a Network
A financial services client called us on a Friday afternoon. Their DLP solution flagged 14 GB of data copied to a removable device,…

Forty-Seven Alerts at 2 AM and One of Them Was Real
A managed services client called our SOC at 2:14 AM on a Tuesday. Their file server was throwing access…

The Clock Is Already Running
Your SIEM flags a suspicious PowerShell execution on a domain controller at 11:43 PM. The endpoint detection tool confirms process injection consistent with MITRE ATT&CK…
It is 3 AM. Your SIEM is generating Kerberos pre-authentication failures across 47 workstations. You escalate to Tier 3 and begin triage. The answer is not malware, not a credential…
During a network security review for a logistics company we took over last year, we pulled their Windows Server 2025 IPsec policy and found the main mode crypto set negotiating…
It is 2:47 AM. Your SIEM fires a privilege escalation alert on a production Linux host. You pull the process tree and find the origin: a Docker container launched six…