The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior
Updated Feb 10, 2026
An automation framework for deploying Microsoft Sentinel environments using pipelines. This project combines infrastructure-as-code (Bicep) with PowerShell automation to streamline the deployment of Sentinel solutions, analytics rules, and workbooks.
Detection rules and threat hunting queries in Defender XDR and Azure Sentinel
Defender XDR Advanced Hunting Queries (MDE, MDAV, Device Discovery)
Microsoft Defender XDR KQL detections for RedSun, BlueHammer, UnDefend, and CVE-2026-33825-related Defender abuse behaviors.
A PowerShell MVP who is passionate about helping others succeed with Active Directory, Entra ID, Defender XDR, and Microsoft 365. Always learning! ✝️👨👩👧👦☕
A concise, practical look at strengthening email security with Defender for Office 365 and effective phishing response.
TUI for Defender XDR using PwshSpectreConsole
Major rewrite of `mcp-defender` to add Interactive auth and support for modern defender xdr + sentinel APIs. Claude skill included. Full GH security enabled on repo (Dependabot, CodeQL, etc)
Detection-as-code for Microsoft Sentinel and Defender XDR. 12 analytic rules, 10 hunting queries, 4 SOAR playbooks, ATT&CK Navigator coverage, CI validation, and full L3 SOC workflow documentation.
Automated daily Microsoft Defender XDR security briefing delivered to Microsoft Teams using Azure Logic Apps, KQL Advanced Hunting, and Microsoft Graph.
Analyst-friendly SOC triage assistant with structured incident briefs, recommended actions, and exportable reports.
A collection of MITRE ATT&CK-aligned KQL detection, hunting, and audit queries for Defender XDR.
SOC PowerShell Notebooks for Defender XDR
Automated RBAC auditing for Microsoft Defender XDR - Maps roles, groups, workloads and generates interactive HTML report with KQL queries
Overview of all pre-defined table definitions within a Sentinel enabled Azure Log Analytics workspace
Private, policy-enforced reference pattern for governed Microsoft Sentinel automation using Azure Logic Apps Agent Loop, Azure Function PEP, Entra ID, managed identity, and Private Endpoints.
KQL queries for threat hunting in Microsoft Sentinel and Defender XDR
Hybrid enterprise security lab using Defender XDR, Sentinel, Security Copilot, and Azure Policy
Microsoft Entra device code phishing detection lab for Sentinel and Defender XDR