Skip to content

samikroy/ms-defender-scout

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Repository files navigation

Microsoft Defender Scout

πŸ›‘οΈ Automated Security Assessment & KQL Query Generation for Microsoft Defender

βš™οΈ Features

Feature Description
πŸ€– GitHub Copilot Agent Custom agent for intelligent KQL query generation in VS Code & GitHub web
πŸ” Advanced Hunting Automation Runs customizable security checks via Microsoft Graph API
πŸ“‹ Real-Time Console Logs Easy-to-read PowerShell output with color-coded results
πŸ“„ Styled HTML Report Professional assessment report for sharing
πŸ” Secure Authentication Uses Azure Service Principal with Microsoft Graph API
🧰 Plug-and-Play Just configure secrets, add queries, and run

πŸ” Report Snapshot

image

πŸ” What This Tool Does

Generates comprehensive security assessment reports using Advanced Hunting queries across all Microsoft Defender products:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Defender XDR

οΏ½ Usage (GitHub Marketplace Action)

Add this to your workflow (.github/workflows/defender-scout.yml):

name: Defender Scout Report
 
on:
  workflow_dispatch:
  schedule:
    - cron: '0 6 * * 1'  # Weekly on Monday at 6 AM UTC
 
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - name: πŸ›‘οΈ Run Microsoft Defender Scout
        uses: samikroy/ms-defender-scout@v1
        with:
          azure_client_id: ${{ secrets.AZURE_CLIENT_ID }}
          azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
          azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          # report_path: 'my-custom-report.html'  # optional, default: ms-defender-scout-report.html

Inputs

Input Required Default Description
azure_client_id βœ… β€” Service Principal Application (client) ID
azure_client_secret βœ… β€” Service Principal client secret
azure_tenant_id βœ… β€” Azure AD Tenant ID
report_path ❌ ms-defender-scout-report.html Output path for the HTML report

Outputs

Output Description
report_path Path to the generated HTML report

The report is also automatically uploaded as a build artifact (retained 90 days).

πŸ“ Repository Structure

.
β”œβ”€β”€ .github/
β”‚   β”œβ”€β”€ agents/
β”‚   β”‚   └── Defender Scout KQL agent.md  # πŸ€– GitHub Copilot Agent
β”‚   └── workflows/
β”‚       └── generate-report.yml          # GitHub Actions workflow
β”œβ”€β”€ scripts/
β”‚   β”œβ”€β”€ generate-ms-defender-scout-report.ps1  # Main report generator
β”‚   └── kql-queries.txt                        # Advanced Hunting queries library
β”œβ”€β”€ ms-defender-scout-report.html        # Sample generated report
β”œβ”€β”€ KQL-EXAMPLES.md                      # 20+ example KQL queries
β”œβ”€β”€ LICENSE                               # MIT License
└── README.md                             # You're reading it

πŸ€– GitHub Copilot Agent - Your KQL Assistant

The Defender Scout KQL Agent is a specialized GitHub Copilot Agent that works in both VS Code and GitHub web interface!

✨ Quick Start (No Setup Required!)

In VS Code:

  1. Open GitHub Copilot Chat: Ctrl+Shift+I (Windows/Linux) or Cmd+Shift+I (Mac)
  2. Start chatting with the agent:
@workspace Generate a KQL query to find devices with critical vulnerabilities

@workspace Create a threat hunting query for PowerShell downloads

@workspace Validate this query: DeviceInfo | where OSPlatform == "Windows"

@workspace Optimize my query for better performance

@workspace Show me devices that haven't updated in 30 days

On GitHub Web:

  • Comment on issues or pull requests
  • Use the same @workspace commands to get KQL queries generated instantly!

πŸ’‘ What the Agent Can Do

Capability Description
Generate KQL Queries Natural language β†’ Production-ready queries
Validate Syntax Check queries for errors and issues
Optimize Performance Improve query speed and efficiency
Explain Queries Get plain English explanations
Threat Hunting Security-focused query generation
Best Practices Built-in Microsoft Defender security patterns

🎯 Pre-loaded Conversation Starters

The agent comes with 8 quick-start prompts:

  • Generate Device Query
  • Threat Hunting
  • Vulnerability Check
  • Alert Analysis
  • Email Security
  • Query Optimization
  • Explain Query
  • Identity Attacks

πŸ“– Example Queries the Agent Generates

Find devices with outdated software:

DeviceInfo 
| where Timestamp > ago(1d)
| where OSPlatform == "Windows"
| where OSBuild < "19045"  // Windows 10 22H2
| project DeviceName, OSVersion, OSBuild, LastSeen
| order by LastSeen desc

Detect PowerShell download attempts:

DeviceProcessEvents 
| where Timestamp > ago(24h)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("DownloadString", "WebClient", "IEX")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc
| take 100

πŸ“Š Automated Security Reports

βš™οΈ How it Works

Define KQL Queries β†’ Authenticate via Graph API β†’ Run Advanced Hunting β†’ Generate HTML Report

The report generator:

  1. Authenticates using Service Principal credentials
  2. Reads KQL queries from scripts/kql-queries.txt
  3. Executes each query against Microsoft Graph Advanced Hunting API
  4. Formats results into a styled HTML report
  5. Displays summary in console with color-coded status

πŸ” Prerequisites

Service Principal Setup:

The solution requires a Service Principal with SecurityEvents.Read.All or ThreatHunting.Read.All permissions in Microsoft Graph API.

  1. Register an Azure AD application:

    az ad app create --display-name "MS Defender Scout"

  2. Create a service principal:

    az ad sp create --id <app-id>

  3. Assign Microsoft Graph API permissions:

    • Go to Azure Portal β†’ Azure Active Directory β†’ App registrations
    • Select your app β†’ API permissions β†’ Add permission
    • Choose Microsoft Graph β†’ Application permissions
    • Add: SecurityEvents.Read.All or ThreatHunting.Read.All
    • Grant admin consent

  4. Create a client secret:

    • Go to Certificates & secrets β†’ New client secret
    • Save the secret value securely

βš™οΈ How to Run

Option 1: GitHub Actions (Recommended)

  1. Clone this repository

    git clone https://github.com/samikroy/ms-defender-scout.git
cd ms-defender-scout

  2. Configure Repository Secrets

    Go to: Settings β†’ Secrets and variables β†’ Actions β†’ New repository secret

    Add these secrets:

    • AZURE_CLIENT_ID - Your Service Principal Application (client) ID
    • AZURE_CLIENT_SECRET - Your Service Principal client secret
    • AZURE_TENANT_ID - Your Azure AD Tenant ID

  3. Review the Workflow Schedule

    Check: .github/workflows/generate-report.yml

    Default schedule: Runs weekly on Monday at 6 AM UTC

    Modify the cron expression to change frequency:

    schedule:
  - cron: '0 6 * * 1'  # Every Monday at 6 AM UTC

  4. Run the Workflow

    • Go to Actions tab
    • Select "Generate MS Defender Scout Report"
    • Click "Run workflow"
    • Download the HTML report from artifacts

Option 2: Run Locally

  1. Set environment variables:

    $env:AZURE_CLIENT_ID = "your-client-id"
$env:AZURE_CLIENT_SECRET = "your-client-secret"
$env:AZURE_TENANT_ID = "your-tenant-id"

  2. Run the script:

    .\scripts\generate-ms-defender-scout-report.ps1

  3. View the report:

    .\ms-defender-scout-report.html

πŸ“ Customizing Queries

Edit scripts/kql-queries.txt to add your own Advanced Hunting queries.

Format: Query Title >> KQL Query

Example:

Device Inventory >> DeviceInfo | summarize Count=count() by DeviceName, OSPlatform | sort by Count desc

Available Microsoft Defender Tables

Advanced Hunting supports these tables:

  • Device tables: DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents
  • Email tables: EmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents
  • Identity tables: IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents
  • Alert tables: AlertInfo, AlertEvidence
  • Cloud App tables: CloudAppEvents
  • Vulnerability tables: DeviceTvmSoftwareVulnerabilities, DeviceTvmSecureConfigurationAssessment

See Advanced Hunting schema documentation for complete details.

πŸ“š Documentation & Resources

Learning Resources

πŸ”’ Security Best Practices

  • Never commit secrets to the repository
  • Use GitHub Secrets or Azure Key Vault for credentials
  • Rotate Service Principal secrets regularly
  • Apply principle of least privilege for API permissions
  • Review and audit query results regularly

🧰 Troubleshooting

Issue Solution
Authentication fails Verify Service Principal credentials and API permissions
Query returns no data Check if your tenant has data in the queried tables
Permission denied Ensure admin consent is granted for Graph API permissions
Workflow fails Check GitHub Actions logs for detailed error messages
Agent not responding Ensure GitHub Copilot extension is installed and enabled in VS Code

🀝 Contributing

Have ideas for improvements? Contributions are welcome!

πŸ“œ License

MIT License - Β© 2026 Samik Roy

See LICENSE for details.

⭐ Star this repo if you find it useful!

About

PowerShell tool for streamlined Microsoft Defender Advanced Hunting query management with GitHub Copilot integration

Topics

security powershell kql microsoft-defender github-copilot advanced-hunting

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

17 stars

Watchers

0 watching

Forks

3 forks
Report repository

Releases 2

MS Defender Scout v1.0.1 - Marketplace Availability Latest
Mar 19, 2026
+ 1 release

Packages

 
 
 

Contributors

Languages