Phill Moore

Results 29 comments of Phill Moore

For the stock standard notebook though, it's "select * from scope LIMIT 50" the first thing I do as an analyst is basically get rid of that and very rarely...

Yeah I don't mind if it's gone offline during the flow - it'll report as running, but the host will be offline and that's explainable. Where it's problematic is when...

I don't mind if it's user initiated. Maybe you can select the flow, click a button that says "query the client" and it gives it a bit of a nudge.

I have a profile for a similar client. It's basically had nothing run on it successfully. It's had a bunch of new hunts queued up, but it is stuck. So...

https://github.com/RedByte1337/GraphSpy

https://github.com/evild3ad/Microsoft-Analyzer-Suite

https://github.com/PuravsPoint/DecipheringUAL

https://cyberdom.blog/2024/04/26/microsoft-365-cloud-investigation-via-unified-audit-log-insights-and-tips/