Pivot Analyst Workbench: cross-source hunting without SQL
Subtitle: Pre-built pivots from any evidence object — browser session to identity to detection in three clicks.
Tier 2 analysts lose hours context-switching between EDR, Entra, PSA, and spreadsheet exports. The Pivot Analyst Workbench (public name in product wiki) is Dual-Strike XISEM’s structured hunting layer: start from any evidence object and follow platform-defined pivots without writing queries.
Route: Asset modal → Pivot · Threat Center → Investigate · Support wiki → Pivot analyst workbench
Entry points
Start from | Common pivots
Browser session | User, device, related detections, domain prevalence
Entra sign-in | Device, location class, mailbox rules, COBRA hits
Detection | All contributing signals, affected assets, PSA ticket
File hash | Other assets with hash, TI feed match, process tree (EDR)
CVE | Affected assets, patch status, network exposure
Workbench vs. Investigations
Workbench — exploratory, ephemeral trail while analyst thinks
Investigations — persistent case with notes and assignee
Promote workbench trail to Investigation when you know you have a case.
MSP hunting playbooks (public)
Shadow AI hunt
Browsing Insights → filter AI category → open session
Pivot user → all AI domains 30d
Pivot detections → COBRA shadow AI rules
Create Investigation + PSA ticket
BEC hunt
Email integration → suspicious rule change
Pivot identity → sign-ins + mailbox
Pivot browsing → OAuth grants
Escalate to Critical if dual control failed
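The BEC hunt above, written out as a pivot chain over constructed sample records so the correlation path is visible end to end. This is an added illustration, not Dual-Strike XISEM code and not how the product implements pivots. The record field names, the tenant domain, the 24-hour pivot window, the mail scope list and the reading of "dual control failed" as "no second-party approval recorded on the rule change" are all assumptions; the Shadow AI hunt follows the same shape with different evidence objects.

```python
"""Added example: BEC hunt as a pivot chain over constructed records.
Not product code; every record shape and threshold here is an assumption."""
from datetime import datetime, timedelta

TENANT_DOMAIN = "contoso.example"  # assumed tenant for the sample data

# Constructed sample evidence (not real telemetry).
MAILBOX_RULE_EVENTS = [
    {"id": "rule-1", "user": "alice@contoso.example", "ts": "2024-05-02T09:14:00",
     "action": "New-InboxRule", "forward_to": "drop@external.example", "approved_by": None},
    {"id": "rule-2", "user": "bob@contoso.example", "ts": "2024-05-02T10:00:00",
     "action": "Set-InboxRule", "forward_to": None, "approved_by": "helpdesk@contoso.example"},
]
SIGN_INS = [
    {"user": "alice@contoso.example", "ts": "2024-05-02T08:50:00", "device": "WS-ALICE", "location_class": "familiar"},
    {"user": "alice@contoso.example", "ts": "2024-05-02T09:10:00", "device": "unknown", "location_class": "unfamiliar"},
    {"user": "bob@contoso.example", "ts": "2024-05-02T09:58:00", "device": "WS-BOB", "location_class": "familiar"},
]
OAUTH_GRANTS = [
    {"user": "alice@contoso.example", "ts": "2024-05-02T09:12:00",
     "app": "MailSync Pro", "scopes": ["Mail.ReadWrite", "offline_access"]},
]
# Assumed set of Graph scopes that give an app mailbox access.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}


def _ts(s):
    return datetime.fromisoformat(s)


def _within(records, user, anchor, hours):
    """Pivot helper: records for `user` in the `hours` leading up to `anchor` (inclusive)."""
    end = _ts(anchor)
    start = end - timedelta(hours=hours)
    return [r for r in records if r["user"] == user and start <= _ts(r["ts"]) <= end]


def is_external_forward(rule):
    """Suspicious rule change: forwarding to an address outside the tenant."""
    target = rule.get("forward_to")
    return bool(target) and not target.lower().endswith("@" + TENANT_DOMAIN)


def pivot_identity_sign_ins(rule, hours=24):
    """Step 2 of the playbook: rule change -> identity -> sign-ins."""
    return _within(SIGN_INS, rule["user"], rule["ts"], hours)


def pivot_oauth_grants(rule, hours=24):
    """Step 3 of the playbook: identity -> OAuth grants in the same window."""
    return _within(OAUTH_GRANTS, rule["user"], rule["ts"], hours)


def bec_hunt(rule, hours=24):
    """Run the pivot chain from one mailbox rule event and return the trail plus a severity."""
    trail = [f"start: {rule['id']} {rule['action']} by {rule['user']} at {rule['ts']}"]
    sign_ins = pivot_identity_sign_ins(rule, hours)
    trail.append(f"identity pivot: {len(sign_ins)} sign-in(s) in the prior {hours}h")
    grants = pivot_oauth_grants(rule, hours)
    trail.append(f"browsing pivot: {len(grants)} OAuth grant(s) in the prior {hours}h")

    external = is_external_forward(rule)
    unfamiliar = any(s["location_class"] == "unfamiliar" for s in sign_ins)
    mail_grant = any(MAIL_SCOPES & set(g["scopes"]) for g in grants)
    # Assumption: "dual control failed" means no second party approved the change.
    dual_control_failed = rule.get("approved_by") is None

    if external and dual_control_failed:
        severity = "Critical"
    elif external or (unfamiliar and mail_grant):
        severity = "High"
    else:
        severity = "Low"
    trail.append(f"verdict: {severity}")
    return {
        "severity": severity, "trail": trail, "sign_ins": sign_ins, "oauth_grants": grants,
        "external_forward": external, "unfamiliar_sign_in": unfamiliar,
        "mail_scope_grant": mail_grant, "dual_control_failed": dual_control_failed,
    }


if __name__ == "__main__":
    for evt in MAILBOX_RULE_EVENTS:
        print("\n".join(bec_hunt(evt)["trail"]), end="\n\n")
```

The `trail` list is the ephemeral part of the hunt; the dict it sits in is what you would promote to an Investigation once the verdict is Critical or High.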
Training new analysts
Workbench teaches correlation paths native to Dual-Strike XISEM — faster ramp than teaching five vendor consoles. Pair with COBRA² guide and Asset modal post for onboarding curriculum.
Limits (honest)
Pivots require feed coverage: there are no Entra pivots for a tenant unless a GDAP (granular delegated admin privileges) relationship is feeding its sign-in and mailbox data
Historical depth follows retention policy — long hunts may need exported reports
Workbench does not replace EDR process graph for deep malware analysis — pivot into vendor console when containment needed
Related: Investigations workflow · Browsing Insights · Threat intelligence feeds
Workbench pivot catalog expands per release — in-console menu is authoritative.