The purpose of this repository is to share KQL queries to help identify security misconfigurations, hunt for specific patterns, or detect malicious behavior
Updated Feb 10, 2026
An automation framework for deploying Microsoft Sentinel environments using pipelines. This project combines infrastructure-as-code (Bicep) with PowerShell automation to streamline the deployment of Sentinel solutions, analytics rules, and workbooks.
Detection rules and threat hunting queries in Defender XDR and Azure Sentinel
Defender XDR Advanced Hunting Queries (MDE, MDAV, Device Discovery)
A PowerShell MVP who is passionate about helping others succeed with Active Directory, Entra ID, Defender XDR, and Microsoft 365. Always learning! ✝️👨👩👧👦☕
A concise, practical look at strengthening email security with Defender for Office 365 and effective phishing response.
TUI for Defender XDR using PwshSpectreConsole
Major rewrite of `mcp-defender` to add interactive auth and support for modern Defender XDR + Sentinel APIs. Claude skill included.
Microsoft Defender XDR KQL detections for RedSun, BlueHammer, UnDefend, and CVE-2026-33825-related Defender abuse behaviors.
Analyst-friendly SOC triage assistant with structured incident briefs, recommended actions, and exportable reports.
A collection of MITRE ATT&CK aligned KQL detection, hunting, and audit queries for Defender XDR.
SOC PowerShell Notebooks for Defender XDR
Automated RBAC auditing for Microsoft Defender XDR - Maps roles, groups, workloads and generates interactive HTML report with KQL queries
Overview of all pre-defined table definitions within a Sentinel enabled Azure Log Analytics workspace
Production KQL detection rules for Microsoft Defender XDR — AiTM, password spray, brute force, phishing, and identity-based attacks. MITRE ATT&CK mapped.
KQL queries for threat hunting in Microsoft Sentinel and Defender XDR
Kusto Query Language queries for Microsoft Sentinel and Defender XDR threat hunting
Sam's notes about enterprise IT with a focus on automation, design, and security. Frequent topics will include Microsoft Active Directory, Microsoft Defender XDR, Entra ID, Intune, Microsoft 365, PowerShell, and Windows Server.