Building a Sentinel Detection Lab, Part 2: Suspicious PowerShell, and Why Some Detections Need No Threshold
Part 2 of a series on building a detection engineering lab in Microsoft Sentinel. This post: hunting malicious PowerShell with Sysmon, and the difference between volume detections and signature detect
kajalbuilds.hashnode.dev
4 min read