A comprehensive reference for detection engineers and threat hunters working with Microsoft Sentinel and M365 Defender. This repo combines field guide material (style, optimization, pivoting) with a curated Hunter’s Toolbox of queries, detections, and dashboards.
## Repository Structure

```mermaid
flowchart TD
A[README.md] --> B[FieldGuide]
A --> C[HuntersToolbox]
A --> D[Detections]
A --> E[Dashboards]
A --> F[Watchlists]
A --> G[References]
C --> C1[2025 Threat Playbook]
C --> C2[Persistence_LOLBAS]
D --> D1[Persistence Rules]
D --> D2[Identity & Cloud]
```
## Field Guide

- Style Guide – naming, commenting, readability
- Optimization Patterns – performance tuning, `materialize()`, summarization
- Pivoting Guide – entity pivots across identity, device, process, and network
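The two Field Guide patterns, `materialize()` and entity pivoting, side by side in one Advanced Hunting query. This is an added example for the README, not a query from this repo's FieldGuide or HuntersToolbox folders; the LOLBAS list, the two-minute process-to-connection window, and the column names chosen for the output are this example's own assumptions.

```kql
// Added example (not from this repo): materialize() a seed set once, then pivot it
// across device, process, identity and network entities.
// Schema: M365 Defender Advanced Hunting (DeviceProcessEvents, DeviceNetworkEvents).
let lookback = 7d;
let lolbas = dynamic(["certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"]);
// Seed: LOLBAS binaries launched with a URL or UNC path on the command line.
// materialize() evaluates this once, so the pivots below do not re-scan the table.
let seed = materialize(
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (lolbas)
    | where ProcessCommandLine has_any ("http://", "https://", "\\\\")
    | project Timestamp, DeviceId, DeviceName, AccountName, ProcessId, FileName,
              ProcessCommandLine, InitiatingProcessFileName
);
// Device + identity pivot: which hosts are noisiest, which accounts and binaries drove it.
let byDevice = seed
    | summarize Hits = count(), Binaries = make_set(FileName), Accounts = make_set(AccountName),
                FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
      by DeviceId, DeviceName;
// Network pivot: follow each seed process into the connections it opened within two minutes.
// PIDs recycle, so the time bound is part of the match, not just the ProcessId join.
let network = seed
    | join kind=inner (
        DeviceNetworkEvents
        | where Timestamp > ago(lookback)
        | where ActionType == "ConnectionSuccess"
        | project DeviceId, InitiatingProcessId, RemoteIP, RemoteUrl, NetTime = Timestamp
      ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
    | where NetTime between (Timestamp .. (Timestamp + 2m))
    | summarize Destinations = make_set(RemoteUrl, 20), RemoteIPs = make_set(RemoteIP, 20)
      by DeviceId, FileName, ProcessCommandLine;
// One row per host/command: device, accounts and destinations together.
byDevice
| join kind=leftouter network on DeviceId
| project-away DeviceId1
| order by Hits desc
```

Without `materialize()` the `seed` expression would be re-evaluated for every reference, which on a busy tenant doubles the `DeviceProcessEvents` scan; with it, adding a third pivot (for example `DeviceLogonEvents` by `AccountName`) costs only the pivot itself.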
## Hunter’s Toolbox

### 2025 Threat Playbook

- MFA Fatigue / Prompt Bombing
- Password Spray
- Impossible Travel
- OAuth Consent / App Role Abuse
- Defender Tamper Events
- Kerberoasting
- DCSync
- RDP Lateral Movement
- BEC – Inbox Rules / Exfil
## Detections

### Persistence Rules

- Scheduled Tasks (T1053.005)
- WMI Event Consumers (T1546.003)
- Registry Run Keys (T1547.001)
- New Accounts & Group Adds (T1136 / T1098)
- Service Install Startup (T1543.003)
- AAD Role Assignment Drift (T1098.003)
### Persistence_LOLBAS

- Certutil Download (LOLBAS)
- Rundll32 Script Exec
- MSHTA Script Exec
- Regsvr32 Scripted COM
- PowerShell Encoded Commands
- Bitsadmin Download
## Dashboards

- Persistence & Evasion Seed – scheduled tasks, service installs, LOLBAS counts
- (More dashboards coming soon)
## References

- Microsoft Sentinel Documentation
- M365 Defender Advanced Hunting Schema
- MITRE ATT&CK Matrix
- Kusto Detective Agency
## Contributing

- Fork → branch → PR
- Add queries with:
  - `let` params for time/thresholds
  - Clear comments (intent, schema, expected output)
  - Performance notes & FP tuning guidance
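The checklist above as a worked query: an MFA fatigue / prompt bombing hunt over Sentinel's `SigninLogs`, written the way a contribution to this repo is expected to look. It is an added example, not one of the repo's own Playbook queries; the thresholds, the single `ResultType` used to identify a failed MFA prompt, the one-hour acceptance window and the output column names are this example's assumptions.

```kql
// Title:   MFA Fatigue / Prompt Bombing (added example; not a query from this repo)
// Intent:  find users who failed or rejected many MFA prompts inside a short window and
//          whether a successful sign-in followed, which is the case that matters.
// Schema:  SigninLogs (Microsoft Sentinel, Entra ID sign-in diagnostic setting)
// Output:  one row per user: prompt count, burst window, source IPs, first success after it
// Tunables live in let params so thresholds change without touching the logic.
let lookback     = 1d;
let window       = 10m;                // prompts must cluster inside this bin
let minPrompts   = 5;                  // prompts per bin before a user is flagged
let acceptWithin = 1h;                 // a success this soon after the burst is suspicious
let failedMfa    = dynamic(["500121"]); // "authentication failed during strong authentication request"
let bursts = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in (failedMfa)
    | summarize Prompts = count(), FirstPrompt = min(TimeGenerated), LastPrompt = max(TimeGenerated),
                SourceIPs = make_set(IPAddress, 10), Apps = make_set(AppDisplayName, 5)
      by UserPrincipalName, bin(TimeGenerated, window)
    | where Prompts >= minPrompts;
bursts
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"          // successful sign-in
    | project UserPrincipalName, SuccessTime = TimeGenerated, SuccessIP = IPAddress
  ) on UserPrincipalName
// Keep every flagged user; only successes that land shortly after the burst count.
| extend AfterBurst = isnotnull(SuccessTime)
                      and SuccessTime between (LastPrompt .. (LastPrompt + acceptWithin))
| summarize arg_max(Prompts, FirstPrompt, LastPrompt, SourceIPs, Apps),   // largest burst per user
            FirstSuccessAfter = minif(SuccessTime, AfterBurst),
            SuccessIPs = make_set_if(SuccessIP, AfterBurst)
  by UserPrincipalName
| extend Outcome = iff(isnotnull(FirstSuccessAfter),
                       "Accepted - investigate now",
                       "Denied - user awareness / credential reset")
| project UserPrincipalName, Outcome, Prompts, FirstPrompt, LastPrompt, FirstSuccessAfter,
          SourceIPs, SuccessIPs, Apps
| order by Outcome asc, Prompts desc
// Performance: both legs are bounded by ago(lookback) before the join and the left side is
//              already summarized, so the join stays small; widen lookback with care.
// FP tuning:   helpdesk re-enrolments and flaky push clients produce a few failures, so raise
//              minPrompts or shrink window rather than dropping the threshold; exclude
//              break-glass and known service accounts via a watchlist.
```

Reviewers can exercise the rule by changing only the four `let` values at the top; the `Outcome` column separates the rows that need an incident (a success after the burst) from the ones that need a conversation with the user.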
## License

MIT

