SOC Dashboard

Security Operations Center
Threat Hunter
Certifications
• CompTIA Security+
• CompTIA CySA+
• CompTIA IT Operations Specialist
• GIAC GSEC
• CEH
Jonathan Pemberton
Available
View ProfileAdmin Access

Jonathan Pemberton

Cyber Security Analyst | Incident Response & SIEM Specialist | Threat Intelligence

Welcome to My Security Operations Center

I'm Jonathan Pemberton, a cybersecurity professional specializing in threat intelligence, incident response, and offensive security operations. This interactive dashboard showcases my expertise through a simulated SOC environment, demonstrating capabilities in threat hunting, purple team operations, and security automation.

Threat IntelligencePurple Team OperationsPenetration TestingIncident ResponseSecurity Automation

Career TimelineProfessional Experience

Senior SOC Analyst

Health New Zealand / Te Whatu Ora (via Expert360)

April 2025 – Present

Contracted through Expert360 to advance national cyber-defence capabilities for New Zealand's healthcare system, architecting Microsoft Sentinel detections and automating threat response workflows.

Microsoft Sentinel ArchitectureKQL Detection EngineeringSOC Automation & PlaybooksThreat Hunting & Analysis

Senior IT Security Analyst

Panasonic North America

November 2021 – April 2025

Led enterprise security operations for Panasonic's Kansas Gigafactory, managing threat detection, incident response, vulnerability management, and security automation across critical manufacturing infrastructure.

Threat Detection & ResponseSecurity Automation & SOARVulnerability ManagementIncident Response Leadership

Software Engineer & Security Specialist

Snow Commerce

2017 – 2021

Architected secure backend systems for global e-commerce platforms, implementing security controls, conducting threat modeling, and performing security assessments for brands like HBO, AMC, and Wayfair.

Application SecurityThreat ModelingSecurity ArchitecturePCI DSS Compliance

Education & Certifications

Academic & Professional Development

2017 – 2024

Comprehensive cybersecurity education with specialized focus on offensive security, penetration testing, threat analysis, and security operations.

B.S. Cybersecurity & Information AssuranceCompTIA Security StackPenetration Testing CertifiedCySA+ Certified

Core CompetenciesTechnical Skills & Projects

CORE EXPERTISE

Specialized in threat intelligence, offensive security operations, and detection engineering. Experienced in penetration testing, purple team operations, and proactive threat hunting. Click on any competency below to explore detailed implementations and outcomes.

Threat Intelligence & OSINT

Featured Expertise

Overview

Advanced threat intelligence gathering, analysis, and operationalization using OSINT techniques and threat intelligence platforms.

My Role

Conducted comprehensive threat intelligence operations including adversary tracking, IOC enrichment, and threat actor profiling. Developed automated OSINT collection workflows and integrated threat feeds into SIEM platforms for proactive threat hunting.

Business Impact

Built threat intelligence program that identified 15+ active threat campaigns targeting the organization, reduced false positive alerts by 60%, and enabled proactive defense against emerging threats.

Technologies & Tools

MITRE ATT&CK FrameworkThreatConnectOSINT Tools (Maltego, Shodan, etc.)Threat Intelligence PlatformsIOC EnrichmentAdversary TrackingThreat Actor ProfilingIntelligence Sharing (ISAC)

Penetration Testing & Red Team

Featured Expertise

Offensive security operations including penetration testing, red team exercises, and vulnerability exploitation across networks, applications, and cloud environments.

Purple Team Operations

Collaborative security testing combining offensive and defensive techniques to improve detection capabilities and validate security controls.

Threat Hunting & Detection Engineering

Proactive threat hunting operations and custom detection rule development to identify advanced threats and improve security monitoring.

Malware Analysis & Reverse Engineering

Static and dynamic malware analysis, reverse engineering of malicious code, and development of detection signatures.

Security Automation & SOAR

Advanced security automation using SOAR platforms, custom scripting, and orchestration to improve incident response efficiency.

Automation PortfolioCode Samples & Solutions

Advanced Threat Hunting Framework

Comprehensive threat hunting framework using KQL and Python for proactive threat detection across Microsoft Sentinel and Splunk environments.

PythonKQLMicrosoft Sentinel+2 more

Automated Penetration Testing Framework

Comprehensive automated penetration testing framework for continuous security validation and vulnerability discovery.

PythonMetasploitNmap+2 more

OSINT Automation & Threat Intelligence

Automated OSINT collection and threat intelligence gathering framework for proactive threat identification.

PythonShodan APIMaltego+2 more

Purple Team Automation Platform

Automated purple team testing platform that executes attack scenarios and validates detection capabilities.

Atomic Red TeamCalderaPython+2 more

Advanced Threat Hunting Framework

Challenge

Manual threat hunting was time-consuming and inconsistent, with analysts spending hours crafting queries and correlating data across multiple security tools.

Solution

Developed automated threat hunting framework with pre-built hunt queries, automated IOC enrichment, and machine learning-based anomaly detection.

Business Impact

Reduced threat hunting time by 85%, discovered 8 previously undetected incidents, and enabled continuous automated hunting across the environment.

Technologies Used

PythonKQLMicrosoft SentinelThreat IntelligenceMachine Learning
Code Implementation
# Advanced Threat Hunting Framework
import asyncio
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import pandas as pd
from azure.monitor.query import LogsQueryClient

class ThreatHuntingEngine:
    """Automated threat hunting across SIEM platforms"""
    
    def __init__(self, config: Dict[str, str]):
        self.sentinel_client = LogsQueryClient(config['sentinel_credential'])
        self.workspace_id = config['workspace_id']
        self.hunt_results = []
        
    async def hunt_lateral_movement(self, timespan: int = 24) -> List[Dict]:
        """Hunt for lateral movement indicators"""
        
        kql_query = """
        SecurityEvent
        | where TimeGenerated > ago(24h)
        | where EventID in (4624, 4625, 4648, 4672)
        | where LogonType in (3, 10)
        | summarize 
            LoginCount = count(),
            UniqueDestinations = dcount(Computer),
            FailedAttempts = countif(EventID == 4625),
            PrivilegedLogins = countif(EventID == 4672)
            by Account, IpAddress
        | where UniqueDestinations > 5 or FailedAttempts > 3
        | extend ThreatScore = (UniqueDestinations * 10) + (FailedAttempts * 5)
        | where ThreatScore > 50
        | order by ThreatScore desc
        """
        
        results = await self.execute_hunt_query(kql_query)
        
        # Enrich with threat intelligence
        enriched_results = []
        for result in results:
            enrichment = await self.enrich_with_threat_intel(result['IpAddress'])
            result['ThreatIntel'] = enrichment
            
            if enrichment['is_malicious']:
                result['Priority'] = 'CRITICAL'
                await self.create_incident(result)
            
            enriched_results.append(result)
            
        return enriched_results
        
    async def hunt_data_exfiltration(self) -> List[Dict]:
        """Detect potential data exfiltration attempts"""
        
        kql_query = """
        let baseline = 
            NetworkCommunicationEvents
            | where TimeGenerated between (ago(30d) .. ago(7d))
            | summarize AvgBytes = avg(BytesSent) by SourceIP, DestinationIP;
        NetworkCommunicationEvents
        | where TimeGenerated > ago(24h)
        | join kind=leftouter baseline on SourceIP, DestinationIP
        | extend BytesDeviation = (BytesSent - AvgBytes) / AvgBytes
        | where BytesDeviation > 3.0  // 3 standard deviations
        | where BytesSent > 100000000  // > 100MB
        | project 
            TimeGenerated,
            SourceIP,
            DestinationIP,
            BytesSent,
            AvgBytes,
            DeviationPercent = BytesDeviation * 100
        | order by BytesSent desc
        """
        
        results = await self.execute_hunt_query(kql_query)
        
        # Analyze file access patterns
        for result in results:
            file_access = await self.analyze_file_access(
                result['SourceIP'],
                timespan=1
            )
            result['SensitiveFilesAccessed'] = file_access
            
        return results
        
    async def hunt_persistence_mechanisms(self) -> List[Dict]:
        """Hunt for persistence techniques (MITRE ATT&CK T1547)"""
        
        kql_query = """
        union
        (
            // Registry Run Keys
            RegistryEvents
            | where RegistryKey has_any (
                "\\Run", "\\RunOnce", "\\RunServices",
                "\\RunServicesOnce", "\\Winlogon"
            )
            | extend Technique = "Registry Run Keys"
        ),
        (
            // Scheduled Tasks
            SecurityEvent
            | where EventID == 4698  // Scheduled task created
            | extend Technique = "Scheduled Task"
        ),
        (
            // Service Creation
            SecurityEvent
            | where EventID == 4697  // Service installed
            | extend Technique = "Service Creation"
        ),
        (
            // WMI Event Subscription
            WmiEventSubscription
            | extend Technique = "WMI Event Subscription"
        )
        | where TimeGenerated > ago(24h)
        | project 
            TimeGenerated,
            Computer,
            Account,
            Technique,
            Details = pack_all()
        """
        
        results = await self.execute_hunt_query(kql_query)
        
        # Score based on suspiciousness
        for result in results:
            result['SuspicionScore'] = await self.calculate_persistence_score(result)
            
        return [r for r in results if r['SuspicionScore'] > 70]
        
    async def automated_hunt_campaign(self) -> Dict:
        """Execute comprehensive automated hunt campaign"""
        
        hunt_results = {
            'campaign_id': f"HUNT-{datetime.now().strftime('%Y%m%d%H%M')}",
            'start_time': datetime.now().isoformat(),
            'hunts': []
        }
        
        # Execute multiple hunt queries in parallel
        hunts = await asyncio.gather(
            self.hunt_lateral_movement(),
            self.hunt_data_exfiltration(),
            self.hunt_persistence_mechanisms(),
            self.hunt_credential_access(),
            self.hunt_command_and_control()
        )
        
        hunt_results['hunts'] = hunts
        hunt_results['total_findings'] = sum(len(h) for h in hunts)
        hunt_results['critical_findings'] = sum(
            1 for h in hunts for r in h if r.get('Priority') == 'CRITICAL'
        )
        
        # Generate hunt report
        await self.generate_hunt_report(hunt_results)
        
        return hunt_results

Security InsightsMy Latest Articles

Get In TouchContact & Resume

Get In Touch

Contact Information

Phone

+1 (859) 300-1627 | +64 022 034 2123

Security Operations Live Feed