GitPedia

MDE DFIR Resources

A curated list of resources for DFIR through Microsoft Defender for Endpoint leveraging kusto queries, powershell scripts, tools such as KAPE and THOR Cloud and more.

From cyb3rmik3·Updated June 10, 2026·View on GitHub·

Hey, thank you stopping by! Well, being here means that you are either familiar with the discipline of Digital Forensics & Incident Reponse (DFIR) or you are interested in beginning to explore DFIR tools and techniques. The common denominator, no matter what your sense is around DFIR, is that you are using Microsoft Defender for Endpoint (MDE) and the wider Microsoft Azure and Microsoft Defender environments. I hope you will enjoy the following resources which come from my notes and relevant res... The project is distributed under the MIT License license, first published in 2023. Key topics include: curated-collections, curated-list, dfir, digital-forensics, digital-forensics-incident-response.

Microsoft Defender for Endpoint curated list of resources for DFIR

<p align="center"> <img src="https://images2.imgbox.com/94/d2/6Jd7QaSP_o.jpg"> </p>

Hey, thank you stopping by! Well, being here means that you are either familiar with the discipline of Digital Forensics & Incident Reponse (DFIR) or you are interested in beginning to explore DFIR tools and techniques. The common denominator, no matter what your sense is around DFIR, is that you are using Microsoft Defender for Endpoint (MDE) and the wider Microsoft Azure and Microsoft Defender environments. I hope you will enjoy the following resources which come from my notes and relevant research and testing I have done. Do you have any other resources that fit here? Drop me a line at any of my mediums here or pull the repo and push your request to review it.

If you find this repo useful, don't forget to ⭐ it!

Table of Contents

Bonus content

Mitigate threats using Microsoft Defender for Endpoint

What better way to begin the resource list other than Microsoft Learn itself? MDE supports a lot of functionalities including artifact collection, containment, live response, advanced hunting and others which help analysts and investigators unfold alerts and incidents.

Introducing library management in Microsoft Defender

Recognizing the need for better readiness and control, Defender introduced a more proactive and efficient way to manage these assets: library management. The new library management experience in Defender brings powerful enhancements to how security teams manage scripts and files used in live response.

Remote collection of Windows Forensic Artifacts using KAPE and MDE

KAPE (Kroll Artifact Parser and Extractor) is a powerful DFIR tool by Eric Zimmerman that primarily collects and processes collected files. @DFIRanjith and Krzysztof Miodoński have built and published guides on how to deploy KAPE through MDE live response and collect forensic artefacts.

@BertJanCyber Incident Response guide

Bert-Jan (@BertJanCyber), a fellow community contributor has prepared a detailed and comprehensive guide on how to accommodate Microsoft technologies available including KQL queries and Live Response in order to practice the DFIR discipline.

THOR-Cloud forensic scanning through MDE

THOR-Cloud allows live compromise assessment scans for YARA, Sigma and IOCs on endpoints through MDE. THOR-Cloud Lite comes with a free plan as well.

HUNTERS Human-Friendly Guide for Incident Response and Threat Hunting

HUNTERS, an advanced platform that leverages SIEM to help SOC teams, provides highly technical blogs around Microsoft Security. They started unfolding a series of blogs about IR and Threat hunting that really go deep into platform, differentiating sources, user's permissions etc.

Microsoft Defender For Endpoint Live Response Script Sources

Repositories hosting Powershell script samples for "Live Response" that can be leveraged in your Microsoft Defender For Endpoint Environment.

Ginsu A tool for repackaging large collections to traverse Windows Defender Live Response

This script uses 7zip (7za.exe) to compress a specified folder and then splits the resulting archive into sections of 3GB or less. It will work (and was designed for) files larger than 3GB. Windows Defender Live Response currently only supports pulling back files of 3GB or less via the console.

Run Remote Triage Collections using Magnet Forensics

Using the Live Response console, you can push Magnet RESPONSE (a free IR data collection tool for members of the forensic community – download the latest version here) to a Windows endpoint, run a triage collection, and pull that collection back for analysis via the console.

Run Recursive Collections using Cyber Triage

The Defender Live Response feature can be used to deploy the (Cyber Triage Collector to endpoints. The Collector is unique in that it parses and resolves artifacts on the endpoint so that all executable files and documents are collected for in-depth analysis. Cyber Triage can then analyze and score them to identify malicious activity.

You can use both the free and paid version of Cyber Triage for this. Results can be saved to file, S3/Azure, or a Cyber Triage server.

Using Live Response in MDE for IR and forensics

The following blog elaborates many aspects and capabilities from MDE's Live Response, including EDGE browser forensics that could be collected remotely.

How to troubleshoot Live Response in Defender for Endpoint

In this blog, Jeffrey explains the troubleshooting capabilities more in-depth with a strong focus on situations where Live Response is not working as expected.

Exposing Incognito Mode with Defender for Endpoint

This blog elaborates a forensics investigation about a malware download, using Chrome's incognito mode.

macOS Forensics -Remote collection and Analysis using Microsoft Defender for Endpoint and Aftermath

This blog demonstrates how you can remotely collect and Analyze macOS forensic artifacts/triage image using Microsoft Defender for Endpoint and Aftermath.

PowerShell Collector

A simple, straightforward PowerShell script developed by Marcus Edmondson which allows collecting Event logs, LNK/Jump list files, Prefetch Files and Registry hives all saved in Collector_.zip file in C:.

Selective Isolation in Defender for Endpoint by Combining tools like Velociraptor for DFIR

In this blog, an elaboration of how Selective Isolation works, what Microsoft Defender for Endpoint (MDE) can offer natively, how it can be extended with Velociraptor, and what a modern DFIR process looks like when combining containment with full investigative access.

KustoHawk

KustoHawk is a incident triage and response tool for Microsoft Defender XDR and Sentinel environments. The script collects common indicators of compromise and returns a complete picture of the activities performed by an device of account. The tool leverages Graph API to run the hunting queries across your unified XDR environment.

Contributors

Showing top 3 contributors by commit count.

cyb3rmik3

cyb3rmik3

54 commits

Bert-JanP

Bert-JanP

1 commits

bcarrier

bcarrier

1 commits

View all contributors on GitHub →

This article is auto-generated from cyb3rmik3/MDE-DFIR-Resources via the GitHub API.Last fetched: 6/14/2026