Kostas

We consolidated the EDR Telemetry methodology into a single page. No more digging through scores, eligibility, contribute, and blog posts to piece together how we evaluate telemetry. Evidence standards, status taxonomy, direct vs inferred rules, the vendor-assisted workflow, and the 75% governance threshold are all in one place now. Live at https://t.co/55CY2VFBjv

I really like seeing posts like this. It’s great to see this kind of recognition from CEOs towards their teams. Good results don’t just happen on their own and definitely don’t come from marketing. They come from engineers fixing gaps, product teams prioritizing the right things, field teams bringing real feedback, and customers pushing for better visibility. When that work shows up in the results, it deserves to be highlighted, and we are happy to do do that. The EDR Telemetry Project is not here to point out what is bad and bash vendors. We highlight the good, too. The difference is that we do it independently, with an open methodology, and with information that is actually useful to the people using these products. Not just C-suite reports, magic quadrants, or high-level summaries that do not help much when you are trying to investigate an incident or hunt through the logs. This is the kind of evaluation Gartner will never come remotely close to doing. We offer open results, open methodology, and practical value for practitioners. Hard work pays off, and we’re glad to see teams getting the recognition they deserve 💙

Business email compromise is among the most costly attacks for companies. In this case, we look at a Microsoft 365 intrusion where a mailbox was compromised. This case provides logs that are rarely available on training platforms, since the data contains real-world noise and traces of malicious infrastructure. • Sign-in logs • Microsoft 365 audit logs • Exchange message trace • mail events • Graph activity • mailbox audit evidence Available now in THL 👇

📢 𝗡𝗲𝘄 𝗰𝗹𝗼𝘂𝗱 𝗶𝗻𝘁𝗿𝘂𝘀𝗶𝗼𝗻 𝗷𝘂𝘀𝘁 𝗹𝗮𝗻𝗱𝗲𝗱, 𝗿𝗲𝗹𝗮𝘁𝗲𝗱 𝘁𝗼 𝗮 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁 𝟯𝟲𝟱 𝗕𝘂𝘀𝗶𝗻𝗲𝘀𝘀 𝗘𝗺𝗮𝗶𝗹 𝗖𝗼𝗺𝗽𝗿𝗼𝗺𝗶𝘀𝗲 (𝗕𝗘𝗖) We responded to a business email compromise and preserved the telemetry for hands-on investigation. The case spans Entra sign-ins, Microsoft 365 audit logs, Exchange audit activity, Graph activity, mailbox access evidence, alert records, and message trace. We are releasing the same intrusion across three disciplines: - Threat Hunting: follow the access patterns, cloud activity, and investigation pivots. - Incident Response: reconstruct the timeline, scope the compromise, and determine what the evidence proves. - Detection Engineering: turn the observed behavior into practical detection logic. One intrusion. Three ways to work the evidence. https://t.co/U3Qdb9iz9F Available now on Threat Hunting Labs for Pro subscribers.