This demo shows how to use advanced hunting in Microsoft 365 Defender to dig deeper into incidents using Microsoft Cloud App Security data. It starts with a real incident workflow: review the incident’s alerts to capture the timeframe (May 4 in the example), then check the Users tab to identify the impacted user (Megan Bowen) and her elevated investigation priority. From the user profile, it notes risky activity and, crucially, the sign-in locations tied to the timeline—primarily the United States, Belgium, and Israel, plus locations like Singapore, Ireland, and Albania—then uses that context to aim hunting queries. The video explains why you don’t just “look in the activity log”: it’s detailed, but it’s easy to miss things and hard to filter deeply. In advanced hunting, it demonstrates a practical query pattern—use the Cloud app events table, map the user’s UPN to an account object ID via the identity info table, then review accessed emails by filtering to the target locations and time window. From there it pulls structured details out of raw event JSON (folders accessed and “folder items” mail arrays) using mv-expand and extend, cleans up results with project, and finally joins to the email events table using internet message IDs to add the human-meaningful context—subject, sender, recipient, and other message details.
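The query pattern the walkthrough describes (map UPN to object ID, filter cloud app events by window and location, expand the raw audit JSON, enrich from email events), written out as an added KQL example that is not the video's own query. The UPN, the date window, the country codes and the `MailItemsAccessed` action filter are assumptions chosen for illustration; the table and column names are those of the Microsoft 365 Defender advanced hunting schema.

```kql
// Added example; the user, window and locations below are constructed placeholders.
let targetUpn = "megan.bowen@example.com";          // assumed UPN of the impacted user
let windowStart = datetime(2021-05-04 00:00:00);     // assumed: the May 4 timeframe from the incident
let windowEnd   = datetime(2021-05-05 00:00:00);
let targetCountries = dynamic(["SG", "IE", "AL"]);   // assumed ISO codes: Singapore, Ireland, Albania
// 1. Resolve the UPN to the AccountObjectId that CloudAppEvents records.
//    IdentityInfo holds several snapshots per account, hence distinct.
let targetAccount = IdentityInfo
    | where AccountUpn =~ targetUpn
    | distinct AccountObjectId;
// 2. Mailbox item reads by that account from the unexpected locations inside the window.
let mailAccess = CloudAppEvents
    | where Timestamp between (windowStart .. windowEnd)
    | where ActionType == "MailItemsAccessed"        // assumed: Exchange audit operation for mail reads
    | where AccountObjectId in (targetAccount)
    | where CountryCode in (targetCountries)
    // 3. Expand the raw audit record: one row per folder, then one row per folder item.
    | extend Folders = parse_json(RawEventData).Folders
    | mv-expand Folder = Folders
    | extend FolderPath = tostring(Folder.Path)
    | mv-expand Item = Folder.FolderItems
    | extend InternetMessageId = tostring(Item.InternetMessageId)
    | project Timestamp, AccountObjectId, IPAddress, CountryCode, City, FolderPath, InternetMessageId;
// 4. Join to EmailEvents on the internet message ID to recover the human-readable context.
mailAccess
| join kind=leftouter (
    EmailEvents
    | project InternetMessageId, Subject, SenderFromAddress, RecipientEmailAddress,
              EmailDirection, MailTimestamp = Timestamp
  ) on InternetMessageId
| project Timestamp, IPAddress, CountryCode, City, FolderPath,
          Subject, SenderFromAddress, RecipientEmailAddress, EmailDirection, MailTimestamp
| order by Timestamp asc
```

Messages older than the EmailEvents retention window will come back with empty subject and sender columns; the left outer join keeps the access row so the gap is visible rather than silently dropped.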
We produced this as a developer- and analyst-friendly walkthrough: preproduction locked the narrative (incident context → hunting strategy → query mechanics → richer results) and the exact sequence of steps, production captured clean screens with confident voiceover and steady pacing, and post trimmed away the noise so the key technique lands—extract, expand, and enrich. The benefit is a repeatable investigation approach your SOC can apply immediately: fewer blind spots, more context per incident, and a clearer path from “something happened” to “here’s exactly what was accessed, when, and why it matters.” Final delivery includes closed captions, audio description, and thumbnails.