Matthias von Ehr — Cloud Security Architect

Security architecture that does not unravel.

The Microsoft Security stack, detection engineering, and the unglamorous discipline of SecOps — built to hold under load, not to fill a slide.

Defender XDR · Microsoft Sentinel · Entra ID · KQL

Approach

Defense through architecture, not noise.

I design and operate security architectures on the Microsoft stack — Defender XDR, Microsoft Sentinel, Entra ID, and Intune. The work is detection engineering, identity governance, and endpoint security across multi-tenant enterprise environments.

Based in Saarland, working fully remote. Open to connections across the DACH region, in German or English.

Position
A detection that does not map to MITRE ATT&CK is just a log line with ambition.

Focus

Four areas, operated as one plane.

01 · Detection Engineering

KQL detections mapped to MITRE ATT&CK, version-controlled, and maintained across tenants — not a folder of one-off queries.

KQL · MITRE ATT&CK · Sentinel

02 · Microsoft Security Stack

Defender XDR, Sentinel, Entra, and Intune operated as one coherent plane, not four products bought separately.

Defender XDR · Intune · Entra

03 · Identity & Access

Conditional Access, PIM, and Just-In-Time access — least privilege that survives an audit and a Monday morning alike.

Entra ID · PIM · Conditional Access

04 · SecOps

Triage, tuning, and the discipline of closing the findings that actually have consequences today.

SIEM · Triage · Tuning

Pipeline

From telemetry to a decision.

01 · Signal
Telemetry in
Defender XDR, Entra, and Intune emit the raw events — identities, endpoints, sign-ins.
02 · Correlate
Sentinel + KQL
Detections mapped to ATT&CK turn streams of events into named, explainable behaviour.
03 · Triage
Noise removed
Tuning and suppression strip the background so the analyst sees only what carries consequence.
04 · Respond
Contained
A Logic App playbook isolates the host or revokes the session — before lateral movement begins.
Outcome
412 findings in. Three that matter out. The rest is background — and it stays there.

Writing

Notes for practitioners, not slideware.

Regular writing on LinkedIn — security architecture, detection engineering, SecOps. Concrete positions, defended with one technical reason at a time.

Follow on LinkedIn