A curated list of resources for DFIR through Microsoft Defender for Endpoint leveraging Kusto queries, PowerShell scripts, tools such as KAPE and THOR Cloud, and more.
Updated Feb 18, 2026
Random PowerShell scripts
A browser-based Microsoft Defender for Endpoint audit tracker for MSSP security engineers, mapping ~270 tasks across multiple frameworks, including NIST CSF 2.0, Cyber Essentials, SOC 2, and NIST 800-53. Features per-task status, notes, live progress metrics, framework switching, dark/light mode, and CSV, HTML, and JSON export.
A collection of Threat Hunting & Alert queries I've written for 365 Defender's 'Advanced Threat Hunting'
Jamf Pro Extension Attributes and shell scripts for macOS fleet management: MDE health monitoring, app lifecycle, user permissions, LDAP lookups, system configuration, and more.
A collection of hands-on labs demonstrating real-world threat hunting with Microsoft Defender for Endpoint (MDE).
A browser-based Microsoft Defender for Endpoint deployment tracker for MSSP security engineers, mapping 57 actionable tasks across all 6 NIST CSF 2.0 functions. Features per-task status tracking, notes, live progress metrics, dark/light mode, and full export support in CSV, HTML report, and JSON config formats.
Detection queries, OAuth permission risk matrix, and AI tool risk assessment checklist for measuring shadow AI and approved-software risk in enterprise environments. Validated on Microsoft Defender for Endpoint (KQL) and Rapid7 InsightIDR (LEQL). Released alongside DEF CON 34 talk "The Software Request Trap."
Public branch of Atea Ansible module, soon to be available from the Atea GitHub organization
A parser for Microsoft Defender for Endpoint (MDE) Investigation Packages.
End-to-end Azure security projects implementing VPN, Microsoft Defender, Conditional Access, and Zero Trust best practices.
Find potential local privilege escalation on Windows with KQL.