ml58158

A schema-aware dataset and Claude AI skill for Microsoft Defender XDR Advanced Hunting.

17 stars, 100% credibility. Found May 07, 2026 at 17 stars.
Language: PowerShell

AI Summary

This repository provides a complete schema dataset for Microsoft Defender XDR Advanced Hunting tables, including undocumented ActionType enumerations and sample queries extracted from internal portal APIs and supplemented by public documentation.

How It Works

1. 🔍 Discover the schema guide. While searching for complete details on the Microsoft Defender security tables, you find this project, which fills in the missing pieces.

2. 📖 Learn the full story. The README explains how it recovers the hidden ActionType values and full field lists that Microsoft does not publish, which makes threat hunting easier.

3. 🖥️ Prep your login session. Sign in to the Defender portal, open the browser's developer tools, and copy the session cookies that prove you are actively signed in. Treat those cookies as credentials: they give the tool the same access as your signed-in session.

4. ▶️ Launch the data grabber. Paste the session cookies and your tenant ID into the extraction script and run it to pull the schemas from the portal.

5. 💾 Receive your complete dataset. You get ready-to-use files with every field, ActionType, sample query, and retention period for all 61 tables.

6. 🎉 Supercharge your hunting. Now craft precise KQL queries, ground AI assistants in the real schema, or train teams without guessing or hallucinated column names.

AI-Generated Review

What is defender-xdr-advanced-hunting?

This PowerShell project delivers a schema-aware dataset for Microsoft Defender XDR Advanced Hunting, pulling the full table schemas, including the undocumented ActionType enumerations, from the portal's internal API. It addresses the gap left by incomplete public docs by generating JSON files for all 61 tables, complete with fields, types, descriptions, retention info, and sample KQL queries, plus human-readable Markdown references. Developers get a local copy of the Defender XDR Advanced Hunting tables to consult without constant trips to the portal, and a ready-to-use Claude skill for generating accurate Advanced Hunting queries.

Why is it gaining traction?

It stands out by exposing the complete set of ActionType values (such as ProcessCreated or DnsQueryResponse) that Microsoft does not document outside the UI, enabling reliable Defender XDR Advanced Hunting API integration and preventing AI hallucinations in tools like Claude. The schema-aware dataset supports well-formed KQL without manual schema browsing, and syncing with the public docs keeps it fresh. The barrier to entry is low: grab cookies from DevTools, run a PowerShell command with your tenant ID, and export everything.

Who should use this?

Detection engineers crafting Defender XDR Advanced Hunting queries for DeviceProcessEvents or EmailEvents. SecOps teams building training labs, or programmatic hunters needing ActionType lists. Claude users prompting for Microsoft Defender XDR investigations who are tired of vague schema references.

Verdict

Grab it if you live in Advanced Hunting: the docs are thorough, extraction works reliably despite the cookie hassles, and the Claude skill is a smart hook. At 17 stars and 1.0% credibility it is early and niche, but the schema output alone justifies forking it into your workflow.
