Reality looks better in post

Proof we're not bluffing

Here’s the evidence. Brand pieces so bold they’ve been asked to tone it down, demos that could teach a goldfish cloud computing, and digital events that made audiences put down their @#$% phones. Every video here was built to grab attention, spark curiosity, and lodge itself in memory like a souvenir you’re strangely attached to. We’re talking craft, care, and the occasional flourish made purely to amuse ourselves. Proof we’re not bluffing—because who has time to fake this many good videos without winning an award or two?

March 2023
Microsoft Security
Microsoft 365 Defender: Operations guidance
Demo videos
Full playlist
Sandgate
Run Defender for Office 365 like clockwork—daily incident triage, false-positive/negative handling, weekly trend and campaign reviews, monthly policy checks, and proactive hunting.

This video lays out an operational rhythm for running Microsoft Defender for Office 365 like a well-tuned SOC machine: daily, weekly, monthly, and ad hoc tasks. Daily, it starts with monitoring the Incidents queue in Microsoft 365 Defender and triaging medium/high severity incidents—prioritizing potentially malicious URL clicks, restricted senders, suspicious sending patterns, user-reported phish/malware, messages removed after delivery, phish delivered via policy override, and cases where email wasn’t zapped because ZAP was disabled. It then covers daily hygiene: submit false positives/negatives to Microsoft, review admin submission results, use the tenant allow-block list for false negatives, release false positives from quarantine when confirmed, investigate delivered false negatives with Explorer, and review Campaigns targeting your org—especially anything that reached recipients. Weekly, it recommends reviewing detection trends in reports (Mailflow and Threat protection status), using Threat analytics to track emerging threats (IoCs, hunting queries, techniques, vulnerabilities), reviewing Top targeted users in Threat Explorer and considering priority account tagging, and checking top malware/phishing campaigns. Monthly, it suggests policy review, auditing detection overrides via the Threat protection status report, and tuning spoof/impersonation using Spoof Intelligence Insight and Impersonation Detection Insight. Ad hoc, it highlights investigating/removing bad email in Threat Explorer, proactive hunting with Threat Explorer and Advanced Hunting (including shared queries and custom detections), and keeping priority accounts current.

We produced this as an “ops playbook on rails”—structured so teams can adopt the cadence immediately, not just nod thoughtfully and forget by lunch. Preproduction focused on sequencing (what to do first, what to do routinely, what to do when needed), production captured the key Defender views with professional voiceover, and post kept it tight so the checklist feels doable rather than…aspirational. The payoff is a demo that helps organizations reduce reactive churn, spot patterns sooner, and keep Defender for Office 365 running with fewer surprises and more control—delivered with closed captions, audio description, and thumbnails.

March 2023
Microsoft Security
Microsoft 365 Defender: KQL basics
Demo videos
Full playlist
Sandgate
Learn KQL basics for Advanced Hunting—use tables, pipes, where, project, order by, take, and summarize to turn raw Defender data into clear investigation answers.

This tutorial introduces Kusto Query Language (KQL) fundamentals for Advanced Hunting in Microsoft 365 Defender. It starts with the “shape” of a query—select a table, then refine results using the pipe operator—and demonstrates common building blocks like where filters, projecting specific columns, sorting with order by, limiting results with take, and using summarize to aggregate counts. It also covers practical hunting habits: starting broad to explore, then narrowing by time window and key fields to answer a specific investigation question.

We produced this as a friendly on-ramp—paced to teach the essentials without turning it into a syntax marathon. The screen capture stays focused on the query editor and results grid so viewers can connect each line of KQL to the data it produces, and the edit is structured as small wins that build confidence. Final delivery includes closed captions, audio description, and thumbnails.

March 2023
Microsoft Security
Microsoft 365 Defender: Incident management
Demo videos
Full playlist
Sandgate
Investigate and resolve incidents in Microsoft 365 Defender—use the incident queue, review alerts/assets/evidence, pivot to hunting and graphs, then classify and close cases with confidence.

This overview explains how Microsoft 365 Defender turns siloed, high-volume security signals into cross-domain incidents that are easier to prioritize and resolve. It walks through the Incidents queue, then opens an incident and tours the key tabs: Summary (alert counts, active vs resolved, MITRE ATT&CK mapping, originating products, affected assets like devices/users/mailboxes/apps, top impacted entities, evidence and remediation status, plus metadata like tags and user groups), Alerts (severity, status, and why each alert is linked—often auto-investigated and resolved), Devices (risk level and tags with drill-down), Users (including investigation priority from UEBA), Mailboxes (with pivots into Explorer), Apps (with pivots into Defender for Cloud Apps), Investigations (automation status and remediation actions), and Evidence and Response (counts by entity type—emails, files, URLs—plus drill-down to item details). It also demonstrates “Go hunt,” which launches an Advanced Hunting query from an evidence item to expand scope, and finishes with the incident graph—a visual map of related entities with options to view details, pin/hide alerts, and sometimes take actions directly—before resolving the incident via Manage incident and classifying it (true positive multistage attack in the example).

We produced this as a guided tour that keeps the experience coherent even though the incident itself is gloriously complex. The narration is structured to match the investigation flow and the edit keeps momentum while still letting each tab’s purpose register. The payoff is a video that helps teams feel confident in the incident workspace—and faster at turning context into action. Final delivery includes closed captions, audio description, and thumbnails.

March 2023
Microsoft Security
Microsoft 365 Defender: Guided hunting
Demo videos
Full playlist
Sandgate
This demo shows Guided hunting in Microsoft 365 Defender—a visual query builder for Advanced hunting that doesn’t require KQL or schema knowledge. It compares the two modes (Query in editor vs Query in builder), then builds a phishing-focused hunt by filtering delivered messages using ThreatTypes (phish, malware, spam) and DeliveryLocation (inbox and junk). From there it expands the query by selecting a suspicious SenderMailfromDomain value directly from results, adding it as a filter, and layering in UrlCount > 0 to focus on messages containing links. The walkthrough also covers quality-of-life features: customizing displayed columns without KQL project, opening entity details via linked fields like NetworkMessageId, taking action on results from within Advanced hunting, and using Edit in KQL to reveal the generated query as a learning path.

We produced this as an approachable, confidence-building tutorial—built to make “advanced hunting” feel accessible to any analyst. We choreographed the on-screen steps to match how people actually explore data (filter, inspect, refine), kept the visuals uncluttered, and tuned the pacing so viewers can follow along live. Final delivery includes closed captions, audio description, and thumbnails.

March 2023
Microsoft Security
Microsoft 365 Defender: Joining tables by using KQL
Demo videos
Full playlist
Sandgate
Join KQL tables in Advanced Hunting—match datasets on shared keys, choose inner vs leftouter joins, filter early for performance, and enrich results with the context you need.

This tutorial demonstrates how to join tables in KQL for Advanced Hunting so you can enrich one dataset with context from another. It explains why joins matter (threat signals are spread across different tables), then walks through join types and patterns—matching on shared keys, choosing inner vs leftouter depending on whether you want to keep unmatched rows, and reducing performance cost by filtering early. The demo shows how to use join to connect related events (like device activity with URL clicks, file activity, or identity context), then clean up the output with project to keep only the columns you need.

We produced this as a hands-on KQL technique lesson: the visuals stay close on the query edits and results so viewers can see enrichment happen in real time, and the pacing slows at the “this join type changes your result set” moments so the concept sticks. Final delivery includes closed captions, audio description, and thumbnails.

March 2023
Microsoft Security
Microsoft 365 Defender: Classifying alerts and incidents
Demo videos
Full playlist
Sandgate
Classify Defender incidents and alerts faster—use Manage incident or Manage alert, choose true/false positive or informational, add comments, and streamline triage with better history.

This video explains why incident classification is a core SOC habit in Microsoft 365 Defender—and how to do it quickly while triaging the incident queue. It breaks down true positives vs false positives and highlights a third option: informational/expected activity (like security testing), which helps avoid tuning detections the wrong way. The demo then shows the exact workflow: from the incident queue, open an incident side pane, select Manage incident, choose a determination (true-positive, informational, or false-positive), and add a comment to document the decision. It also covers how incident classification flows down to unclassified alerts automatically, and how to classify alerts individually via the alerts queue using Manage alert when you need more granularity.

We produced this as a workflow-first explainer—the kind that helps teams adopt a repeatable habit, not just understand a concept. We shaped the narrative around real triage pressure, captured the precise UI steps with clear callouts, and polished the edit so the process feels fast and doable. Final delivery includes closed captions, audio description, and thumbnails.

March 2023
Microsoft Security
Microsoft 365 Defender: Give us your feedback
Demo videos
Full playlist
Sandgate
Improve Defender outcomes with SOC feedback—classify incidents and alerts consistently, submit false positives/negatives, add comments, and reduce noise through continuous tuning.

This video shows how feedback loops make a SOC smarter in Microsoft 365 Defender—specifically, how analysts can teach the system by classifying incidents and alerts, submitting false positives/negatives, and adding context that improves future decisions. It walks through where to leave feedback during triage (manage incident/manage alert), how comments and determinations create a useful trail for other analysts, and why consistent classification helps reduce noise and improve reporting accuracy. The emphasis is on turning daily triage work into long-term tuning—less “same alert forever,” more continuous improvement.

We produced this as a habit-building micro-demo: concise steps, clear on-screen cues, and an edit that keeps the workflow feeling lightweight—because if feedback feels like paperwork, nobody does it. The result is a practical walkthrough that helps teams build better signal quality over time, with final delivery including closed captions, audio description, and thumbnails.

March 2023
Microsoft Security
Microsoft 365 Defender: Hunting linked downloads
Demo videos
Full playlist
Sandgate
Hunt URL clicks that lead to file downloads—join DeviceEvents, DeviceFileEvents, and UrlClickEvents, add SmartScreen context, and catch redirect chains in Microsoft 365 Defender.

This demo builds an Advanced hunting query in Microsoft 365 Defender to find URL clicks that result in file downloads. It starts with browser navigation in DeviceEvents, connects it to downloaded file activity in DeviceFileEvents, then brings in UrlClickEvents so you can tell when a downloaded file traces back to a link clicked from an email (including the network message ID). The walkthrough turns the query into a reusable pattern—defining variables with let, joining tables on DeviceId and RemoteUrl, pulling in SmartScreen URL warnings with a leftouter join, and projecting the key columns (timestamp, file name, remote URL, warning signals, email-click context). It also addresses common attacker behavior like chained redirects by extending the logic to consider referral URLs, so you can catch “clicked A, downloaded B” paths that would otherwise slip by.

We produced this as a power-user tutorial that stays practical—less theory, more “here’s the exact query shape you’ll reuse.” Preproduction focused on the story arc, production captured clean UI and readable code with narration that calls out why each join matters, and post kept the pacing tight while still letting viewers absorb the structure. Delivered with closed captions, audio description, and thumbnails.

March 2023
Microsoft Security
Microsoft 365 Defender: Automated self-healing
Demo videos
Full playlist
Sandgate
See how Defender “heals” after threats—review automated investigation results, track remediation status, and follow up on failed actions to close the loop faster.

This demo explains automated investigation and response “healing” in Microsoft 365 Defender—how the platform can take remediation actions after detecting threats, then track whether those actions succeeded. It shows where to review investigation results and remediation status, what “pending,” “completed,” or “failed” outcomes mean, and how to follow up when remediation doesn’t fully stick. The emphasis is on reducing manual toil: Defender can contain, clean up, and close the loop faster, while still keeping analysts in control of what happens next.

We produced this as a clarity-first explainer with a practical edge. The narration focuses on what teams actually need to know—what happened, what Defender did, and what still needs a human—while the edit keeps attention on status signals and next-step pivots instead of wandering through every menu. Final delivery includes closed captions, audio description, and thumbnails.

March 2023
Microsoft Security
Microsoft 365 Defender: Attack stories
Demo videos
Full playlist
Sandgate
Follow an end-to-end attack narrative with Attack story—see the sequence of events, involved entities, and scope across Microsoft 365 Defender, then pivot into deeper investigation.

This demo explains the Attack story experience in Microsoft 365 Defender—an investigation view that assembles an end-to-end narrative of an attack across identities, endpoints, email, and apps. It shows how Attack story lays out key events in sequence, highlights involved entities (users, devices, mailboxes, IPs, URLs), and helps analysts understand scope, entry point, and blast radius without manually stitching together timelines from multiple blades. The walkthrough emphasizes how you can pivot from the story into deeper entity pages, validate what happened, and move toward containment and remediation with a clearer picture of attacker behavior.

We produced this as a “make the complex feel readable” demo: we structured the walkthrough like a story itself, captured clean screens with calm narration, and edited it to keep the investigation flow intuitive—so viewers feel how Attack story reduces time-to-understanding and supports faster response. Final delivery includes closed captions, audio description, and thumbnails.

March 2023
Microsoft Security
Microsoft Defender Experts for XDR explainer
Animations
Full playlist
Oxburgh
Microsoft Defender Experts for XDR gives SOC teams managed triage, investigation, and remediation—plus 24/7 chat support and one-click actions—to improve efficiency.

An email link gets clicked. Malware shows up. Microsoft 365 Defender detects it and creates an incident—but the hard part still follows: figuring out what happened, responding fast, and preventing a repeat. This animation introduces Microsoft Defender Experts for XDR as a managed extended detection and response service that gives your SOC time back, with a global team of security experts using AI-powered threat intelligence across Microsoft 365 Defender XDR (endpoints, identities, email, and cloud apps). It highlights end-to-end triage, investigation, and remediation on your behalf to cut noise and improve resolution time, plus expert guidance to strengthen your security posture. It also calls out a dedicated service delivery manager to help get your SOC up and running quickly, one-click execution of remediation tasks (or Microsoft can run them), 24/7 Experts on Demand via live chat, and a clear CTA to aka.ms/DefenderExpertsForXDR.

We produced this as a scenario-led explainer that starts with a relatable “oh no” moment and resolves it with calm, credible clarity. We shaped the narrative so each promise builds logically—from detection to investigation to containment to remediation—then supported it with visuals and pacing that keep the technical detail easy to absorb. Professional voiceover, music that stays focused, and crisp sound finishing help the message land cleanly without feeling heavy. As always, we delivered the full package with closed captions, audio description, and thumbnails—ready to deploy wherever your audience needs it.

February 2023
Microsoft Teams
Behind Teams with Nicole Herskowitz title sequence
GFX packages
Full playlist
Bothwell
At Honeycutt Inc., we partnered with Microsoft to design the Behind Teams with Nicole Herskowitz title sequence. Our creative team crafted a dynamic motion graphics package that captures the energy of Microsoft Teams, transforming complex brand storytelling into a bold, engaging visual identity for this high‑profile series.

At Honeycutt Inc., we turn brand visuals into something that moves, pops, and occasionally dances on its own. You bring the vision; we bring pixels that behave… mostly. We start by diving into your brand—colors, fonts, icons, and personality quirks. From there, we craft a creative concept and design system that feels unmistakably you—a toolkit ready for video, social, and anywhere else your story lives. Once the concept is approved, we build the full graphics package: motion graphics, transitions, overlays, lower thirds, and any custom assets your team needs. Every element is designed to be flexible, polished, and playful, so your brand can shine without breaking a sweat. We walk you through a near-final review, tweak based on notes, and deliver the complete package—ready to drop into projects, presentations, and campaigns.
