Case 001 (Incident Response & Investigation)

Uncover a stealthy attack by responding to an initial alert or proactively hunting for a TTP!

This hands-on challenge puts you in the shoes of a SOC analyst, either triaging an alert in Incident Response mode or performing hypothesis-driven hunting in Threat Hunting mode. Both paths lead to the same sophisticated attack, testing your ability to investigate logs, connect the dots, and expose the full kill chain.

Will you stop the attacker after the first alert, or will you find them before the damage is done?

*This standalone challenge is also part of our paid KQL courses.

What You Will Do

This lab offers two distinct investigation modes, allowing you to approach the same attack scenario from different angles:

1. Incident Response Mode
  • Start with a single security alert.
  • Investigate logs to triage the incident, determine impact, and uncover the full attack chain.
  • Follow attacker activity across systems by analyzing EDR, identity, and server logs.

2. Threat Hunting Mode
  • Receive a TTP (Tactic, Technique, or Procedure) used by the attacker.
  • Proactively hunt for malicious activity matching the TTP without an initial alert.
  • Once found, expand the investigation to reveal the entire attack.

Both modes lead to the same underlying attack, testing either your reactive response skills or proactive hunting abilities.

What Is Included

Real-world telemetry from:
  • Microsoft Defender for Endpoint (all devices)
  • Microsoft Defender for Identity
  • Windows Security Event Logs (Servers)
  • Starter prompts (alert for IR mode, TTP for hunting mode).
  • A multi-stage attack covering Initial Access, Persistence, Privilege Escalation, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Command & Control.

Note: A walkthrough is not provided; this challenge is designed for self-paced learning and skill validation.

Frequently asked questions

Who should take the course?

This course is ideal for:
  • SOC Analysts and Incident Responders who want to improve their investigation skills.
  • Cybersecurity professionals seeking to deepen their data analysis skills.
  • IT professionals and analysts interested in specializing in security data analysis using KQL.
  • Beginners who are keen to learn KQL in the context of cybersecurity.

Are there any prerequisites?

A basic understanding of databases and a keen interest in cybersecurity data analysis are recommended, but the course begins with foundational concepts, making it accessible to all enthusiastic learners.

Does the course contain video content?

No. While the course is text-based, the content is supported by screenshots with explanations. This approach makes it easy to follow and understand the content. You may check the free "Introduction to KQL for Security Analysis" course to see how it looks.

Are there any prerequisites or lab requirements?

No additional software or hardware is required. You will access the lab environment via a web browser. The lab environment is an Azure Data Explorer instance where you will analyze the logs of a simulated organization.

Can I get a certificate of completion?

Yes, you will receive a certificate of completion.

What is Lemon Squeezy?

Lemon Squeezy is a Merchant of Record that processes payments and handles taxes. You may see its name on your card statements.

What our learners say

It's been a long time since I've had fun in a CTF; being in DFIR, there aren't a lot of these around, and even fewer that are centered around the Microsoft Defender XDR stack. The way this CTF goes, you need to do your investigation, take notes, and follow leads. Like in a real-life incident, you need to identify everything relevant to make sure that you properly contain the threat and, from there, find out what happened.

I recommend it to everyone who wants a taste of IR through MDE and MDI.

Yoan Schinck, Cyber Response Manager | DFIR & Threat Hunting at KPMG-Egyde

This was a very realistic investigation scenario and was quite challenging. I really liked the feature of hiding questions that may disclose answers to other questions. I can't wait to see how my team stacks up in this!

Created by

Mehmet Ergene

Mehmet brings over 15 years of cybersecurity experience and a unique blend of expertise in KQL, threat hunting, detection engineering, and data science to his courses, helping others advance their skills. Recognized four times as a Microsoft Security MVP, he is renowned for adapting the RITA beacon analyzer to KQL and for his insightful presentations at key conferences such as the SANS DFIR Summit.