Reality looks better in post

Proof we're not bluffing

Here’s the evidence. Brand pieces so bold they’ve been asked to tone it down, demos that could teach a goldfish cloud computing, and digital events that made audiences put down their @#$% phones. Every video here was built to grab attention, spark curiosity, and lodge itself in memory like a souvenir you’re strangely attached to. We’re talking craft, care, and the occasional flourish made purely to amuse ourselves. Proof we’re not bluffing—because who has time to fake this many good videos without winning an award or two?

June 2021
Microsoft Security
Microsoft Defender for Office 365: Time-of-click protection against phishing attacks
Demo videos
Full playlist
Olderfleet
See Safe Links time-of-click protection—URLs are rewritten in mail flow, re-checked when clicked, and blocked if weaponized, across email, Teams, and Office apps.

This video demonstrates Safe Links time-of-click protection in Microsoft Defender for Office 365—how it scans and rewrites URLs during mail flow, then re-checks them the moment a user clicks. It explains why that matters: attackers can send an email with a link that initially redirects to a safe site, wait until it lands in the inbox, then weaponize the redirect to a phishing page. Safe Links counters that by verifying the URL at click time—showing users a Safe Links block page if it’s malicious and generating alerts for SecOps in Microsoft 365 Defender. The demo also covers coverage beyond email: Safe Links can check links opened from documents and from Microsoft Teams. To enable it, you configure Safe Links policies under Policies & rules > Threat policies > Safe Links (there are no default policies), turn on protection for URLs in email and URLs in Teams, and ensure the global setting Use Safe Links for Office 365 apps is enabled for users covered by a Safe Links policy.

We produced this as a short, punchy feature proof: establish the attacker trick, show how Safe Links breaks it, then land on the exact policy knobs that make it real. The screen capture stays tight on the settings that matter (policy creation, URL protections, global app setting), and the edit keeps the cadence brisk so viewers come away with a simple mental model: rewrite in transit, validate at click, block when it turns bad. Final delivery includes closed captions, audio description, and thumbnails.

June 2021
Microsoft Security
Microsoft Defender for Office 365: Quarantine release requests
Demo videos
Full playlist
Olderfleet
Manage Defender for Office 365 quarantine—review quarantined messages, inspect details, safely release legitimate mail, delete threats, and submit items to Microsoft for analysis.

This demo shows how quarantine works in Microsoft Defender for Office 365—and how admins and security teams can review, release, or remove messages safely. It explains why email ends up quarantined (spam, phishing, malware, policy actions), then walks through finding quarantined items, inspecting message details, and making the right call: release a legitimate message, delete something malicious, or submit items to Microsoft when you need deeper analysis. The video also highlights guardrails like who can access quarantine, how release can be restricted/approved, and why reviewing quarantine is a daily habit that helps reduce false positives without weakening protection.

We produced this as a practical “operational hygiene” demo—focused on the decisions people actually have to make under time pressure. The screen flow stays tight on the quarantine list, item details, and action controls, with narration that keeps the viewer oriented and confident. Postproduction trims out menu wandering so the steps feel quick and repeatable. Final delivery includes closed captions, audio description, and thumbnails.

June 2021
Microsoft Security
Microsoft Defender for Office 365: Protecting priority accounts
Demo videos
Full playlist
Olderfleet
Set up Priority accounts in Defender for Office 365—flag high-value users, then filter reports and Explorer views to see who’s targeted first and respond faster.

Priority accounts in Microsoft Defender for Office 365 are meant for the people attackers love most—executives, finance, admins—and this demo shows how to set them up so reporting and investigations can spotlight those users first. It walks through creating and managing the priority account list, then shows how that tag shows up across Defender experiences: reports that break out priority-account targeting, Explorer views that let you filter to high-value users, and investigation flows where you can quickly confirm whether a campaign hit your most sensitive identities. The takeaway is simple: if you know who’s most important, Defender can help you watch them more closely.

We produced this as a small-but-mighty admin walkthrough—focused on the steps that create ongoing visibility. The screen flow stays close on the setup and the “where it appears afterward” proof points, and the pacing is tuned so teams can implement the list quickly and immediately benefit from better prioritization. Final delivery includes closed captions, audio description, and thumbnails.

June 2021
Microsoft Security
Microsoft Defender for Office 365: Requesting emails from quarantine
Demo videos
Full playlist
Olderfleet
Get to know Defender for Office 365—how Safe Links, Safe Attachments, and anti-phishing protections stop threats, and where to investigate and respond in the Defender portal.

This tutorial introduces Microsoft Defender for Office 365 and what it does in plain terms: protect email and collaboration from phishing, malware, and other unwanted surprises. It walks through the core capabilities—Safe Links for real-time URL checks, Safe Attachments for detonation and analysis, and anti-phishing/anti-spam protections—then shows where admins and analysts work day-to-day in the Microsoft 365 Defender portal. The video highlights the investigation flow: tracking threats through alerts and incidents, reviewing message details and threat detections, and taking action to contain or remove malicious mail, with reporting views that help teams spot trends and tune protections over time.

We produced this as an onboarding-friendly overview that balances “what it is” with “where to click.” The pacing is built for first-time viewers, the visuals stay oriented around the main portal areas, and the edit keeps the story cohesive so the product feels approachable rather than overwhelming. Final delivery includes closed captions, audio description, and thumbnails.

June 2021
Microsoft Security
Microsoft Defender for Office 365: Managing alerts
Demo videos
Full playlist
Olderfleet
Manage alerts in Microsoft 365 Defender—use the unified queue, pivot to email analysis, then investigate from incidents to reduce fatigue and resolve linked alerts faster.

This demo introduces the unified Alerts queue in Microsoft 365 Defender and how it helps SecOps manage alerts from multiple detection sources—including Defender for Office 365, Defender for Endpoint, Defender for Identity, and more. It shows using the Detection source column, opening an alert’s details side pane (state, triggering policy, linked incident, automated investigation, impacted entities), and the unified alert page layout with asset cards and an alert story that updates as you select messages or activities. It also highlights pivoting into the new email entity page for richer email analysis (authentication, detection and override details, email/header preview) and detonation insights in Attachments and URL tabs (observed files, IPs, URLs, screenshots, behaviors). Finally, it urges teams to update alert status/classification/determination for tuning—and explains why incidents are the better starting point: Defender correlates alerts into incidents, shows why alerts are linked (message ID, URL, file, user), and makes assignment and resolution faster across all related alerts.

We produced this as a clarity-driven navigation demo: show the alerts experience, then show the smarter habit (start from incidents) and why it reduces alert fatigue. The flow is designed to make the UI feel consistent across sources, with crisp pivots to deeper evidence when needed and a clean wrap on best practices. Final delivery includes closed captions, audio description, and thumbnails.

June 2021
Microsoft Security
Microsoft Defender for Office 365: Automatic alert correlation into incidents
Demo videos
Full playlist
Olderfleet
See how Microsoft 365 Defender correlates alerts into incidents—link shared entities across email, identity, endpoint, and apps to reduce noise and speed response.

This video explains alert correlation in Microsoft 365 Defender—how the platform connects multiple related alerts into a single incident so analysts can investigate the whole attack story at once. It shows how correlation works across domains (email, endpoint, identity, apps), why alerts get linked (shared entities like users, devices, message IDs, URLs, or files), and how incidents reduce triage noise by bundling what would otherwise be separate cases. The demo tours an incident view to show the consolidated scope: alerts, affected assets, evidence, investigation timeline, and response actions—all in one place instead of scattered across alert queues.

We produced this as a “why this matters in real life” explainer: we structured it around the pain of alert fatigue, then showed the payoff of correlation—clearer context and faster decisions. The visuals stay tight on the incident experience and the correlation cues, with an edit that keeps the story moving without skipping the moments that make the concept click. Final delivery includes closed captions, audio description, and thumbnails.

June 2021
Microsoft Security
Microsoft Defender for Identity: Reducing lateral movement paths
Demo videos
Full playlist
Harbottle
Visualize and reduce identity risk with Defender for Identity—review lateral movement paths, spot risky relationships, and remediate permissions to block attacker traversal.

This demo shows how Microsoft Defender for Identity surfaces lateral movement paths—helping analysts understand how an attacker could move from one identity or device to another inside an on-prem Active Directory environment. It walks through the lateral movement path view, where Defender for Identity maps relationships and permissions to reveal risky connections, choke points, and “if they get this account, they can reach that asset” scenarios. The emphasis is on prioritization: identify the most dangerous paths, focus on high-value targets, and use the insight to guide remediation—like tightening permissions, reducing unnecessary admin rights, and breaking easy traversal routes before an attacker uses them.

We produced this as a map-reading walkthrough built for clarity, not complexity. The screen flow stays close to the path visualization and the key risk signals, with narration that translates what you’re seeing into practical next steps. In post, we kept the pacing steady and the story linear—so viewers can follow the path logic on the first watch and remember how to use it during a real investigation. Final delivery includes closed captions, audio description, and thumbnails.

June 2021
Microsoft Security
Microsoft Defender for Office 365: Exploring campaign views
Demo videos
Full playlist
Olderfleet
Use the Campaigns view in Defender for Office 365 to spot coordinated attacks—review targets, messages, URLs, and attachments, then pivot to investigation and cleanup.

This demo shows how the Campaigns view in Microsoft Defender for Office 365 helps you spot coordinated email attacks that share the same infrastructure, themes, or tactics. It explains what makes something a “campaign,” then walks through reviewing campaign details—volume over time, targeted users, delivery locations, involved URLs and attachments, and the list of related messages. From there, it shows how analysts use Campaigns to prioritize response, identify who was impacted, and pivot into deeper investigation and remediation actions to contain the spread and clean up any delivered messages.

We produced this as a “see the pattern fast” demo: the structure focuses on how to read a campaign at a glance, then zoom in only where it matters. Clean screen capture and focused narration keep the workflow crisp, and postproduction keeps the momentum so viewers leave with a repeatable playbook: open campaign, assess impact, act. Final delivery includes closed captions, audio description, and thumbnails.

June 2021
Microsoft Security
Microsoft 365 Defender: Streaming API
Demo videos
Full playlist
Harbottle
Use Microsoft Sentinel’s streaming API to ingest security events in near real time—send data quickly, validate ingestion, and accelerate detections and response.

This demo explains Microsoft Sentinel’s streaming API and how it helps you ingest security data into Sentinel in near real time. It introduces the idea of streaming events directly into Sentinel (instead of waiting on periodic batch ingestion), then walks through the basic setup and usage pattern: authenticate, send data in the expected format, and validate that it’s arriving correctly so you can query it, create detections, and drive incidents from it. The emphasis is on reducing latency—getting signals into the SIEM faster so analysts can investigate and respond sooner.

We produced this as a clean technical explainer—structured to keep the concept simple, show the workflow clearly, and avoid drowning viewers in unnecessary jargon. In post, we focused the pacing on what implementers need to remember: what streaming is, what it unlocks, and how to confirm it’s working. Final delivery includes closed captions, audio description, and thumbnails.

June 2021
Microsoft Security
Microsoft 365 Defender: Using Power Automate
Demo videos
Full playlist
Harbottle
Automate Microsoft Sentinel responses with Power Automate—create an automation rule, trigger a playbook, pass incident context into a flow, and standardize actions fast.

This demo shows how to automate a Microsoft Sentinel workflow using Power Automate—so routine security responses can happen consistently without an analyst manually clicking the same buttons forever. It starts in Microsoft Sentinel and opens Automation, then creates a new automation rule. From there, it walks through the rule setup: name and conditions (what kinds of incidents/alerts should trigger), and the action to run a playbook. The playbook is built in Power Automate, where you choose the Sentinel connector, pass incident details into the flow, and add the steps you want—like notifying a channel, creating a ticket, enriching the incident, or updating status—then save and test. The result is a repeatable response pattern that fires automatically whenever the rule conditions are met.

We produced this as a practical, follow-along automation demo: preproduction locked the “why this matters” story (reduce toil, standardize response) and the exact click path, production captured clean screens with professional voiceover and pacing, and post trimmed it to the essential steps so viewers can replicate it quickly. Final delivery includes closed captions, audio description, and thumbnails.

June 2021
Microsoft Security
Microsoft 365 Defender: Microsoft Defender for Identity settings
Demo videos
Full playlist
Harbottle
Manage Defender for Identity in the Microsoft 365 Defender portal—configure sensors, directory accounts, VPN enrichment, sensitive and honeytoken tags, plus health and Syslog notifications.

This demo shows Microsoft Defender for Identity settings now living inside the Microsoft 365 Defender portal—so you can configure identity protection where you already investigate. It walks through Settings > Identities and tours the key tabs: Sensors (install on on-prem domain controllers or ADFS servers and check sensor health/details), Directory services accounts (service accounts for connecting to on-prem AD), VPN (configure RADIUS Accounting shared secret to enrich detections for abnormal VPN activity), and Entity tags. For tagging, it covers Sensitive tags for high-value assets (used in detections like riskiest lateral movement paths) and Honeytoken tags as trap accounts that trigger alerts on authentication. It finishes with Notifications—adding recipients for health issue notifications and configuring Syslog notifications by enabling the Syslog service, choosing a sensor, setting the endpoint, and saving—plus pointers to Microsoft Docs for deeper guidance.

We produced this as a settings walkthrough that’s structured like a checklist you can actually use: we organized the flow by “what you configure” (sensors, accounts, enrichment, tags, notifications), kept the visuals tight on each tab’s purpose, and smoothed the edit so admins can follow the sequence without backtracking. Final delivery includes closed captions, audio description, and thumbnails—ready for rollout, training, or handoff to the team that owns identity.

June 2021
Microsoft Security
Microsoft 365 Defender: Hunting with Microsoft Cloud App Security data
Demo videos
Full playlist
Harbottle
Use advanced hunting with Cloud App Security data—target the right timeframe and locations, expand raw event details, then join email events to enrich results with message context.

This demo shows how to use advanced hunting in Microsoft 365 Defender to dig deeper into incidents using Microsoft Cloud App Security data. It starts with a real incident workflow: review the incident’s alerts to capture the timeframe (May 4 in the example), then check the Users tab to identify the impacted user (Megan Bowen) and her elevated investigation priority. From the user profile, it notes risky activity and, crucially, the sign-in locations tied to the timeline—primarily the United States, Belgium, and Israel, plus locations like Singapore, Ireland, and Albania—then uses that context to aim hunting queries. The video explains why you don’t just “look in the activity log”: it’s detailed, but it’s easy to miss things and hard to filter deeply. In advanced hunting, it demonstrates a practical query pattern—use the Cloud app events table, map the user’s UPN to an account object ID via the identity info table, then review accessed emails by filtering to the target locations and time window. From there it pulls structured details out of raw event JSON (folders accessed and “folder items” mail arrays) using mv-expand and extend, cleans up results with project, and finally joins to the email events table using internet message IDs to add the human-meaningful context—subject, sender, recipient, and other message details.

We produced this as a developer- and analyst-friendly walkthrough: preproduction locked the narrative (incident context → hunting strategy → query mechanics → richer results) and the exact sequence of steps, production captured clean screens with confident voiceover and steady pacing, and post trimmed away the noise so the key technique lands—extract, expand, and enrich. The benefit is a repeatable investigation approach your SOC can apply immediately: fewer blind spots, more context per incident, and a clearer path from “something happened” to “here’s exactly what was accessed, when, and why it matters.” Final delivery includes closed captions, audio description, and thumbnails.
