Production-ready KQL queries for Microsoft Defender XDR and Microsoft Sentinel. Focused on Threat Hunting, Detection Engineering, and MITRE ATT&CK mapping.
Updated Jun 2, 2026 - PowerShell
KQL queries for Microsoft Defender Advanced Hunting organized around the TTPs of the MITRE ATT&CK framework.
PowerShell tool for streamlined Microsoft Defender Advanced Hunting query management with GitHub Copilot integration
Defender XDR Advanced Hunting Queries (MDE, MDAV, Device Discovery)
Microsoft Defender XDR KQL detections for RedSun, BlueHammer, UnDefend, and CVE-2026-33825-related Defender abuse behaviors.
Defender for Identity Technical Items
Automated daily Microsoft Defender XDR security briefing delivered to Microsoft Teams using Azure Logic Apps, KQL Advanced Hunting, and Microsoft Graph.
✨ A linting tool for working with Microsoft Sentinel & Defender Advanced Hunting KQL
Collection of KQL queries for Sentinel and Defender for organization-wide monitoring
Automated RBAC auditing for Microsoft Defender XDR - Maps roles, groups, workloads and generates interactive HTML report with KQL queries
Simulated SOC investigation detecting unauthorized Tor Browser installation and usage using Microsoft Defender for Endpoint and KQL Advanced Hunting queries.
End-to-end phishing investigation playbook covering email analysis, KQL hunting, identity compromise assessment, IOC extraction, threat hunting, detection opportunities, and remediation.