Saved February 14, 2026
KustoHawk is a PowerShell script designed for incident triage and response within Microsoft Defender XDR and Sentinel environments. It collects indicators of compromise and runs queries against the Graph API to provide detailed activity reports for devices or accounts. Users can adjust the timeframe of data collection and export results for further analysis.
KustoHawk is a tool designed for incident triage and response within Microsoft Defender XDR and Sentinel environments. It gathers indicators of compromise to provide a comprehensive overview of activity related to a specific device or account. Using the Graph API, KustoHawk executes hunting queries that are defined in the Resources folder. The script displays results directly in the terminal, or exports them to CSV files when verbose or export mode is enabled.
The core of KustoHawk is a PowerShell script, KustoHawk.ps1, which connects to the Graph API to run these queries. It supports several authentication methods, including User and ServicePrincipalSecret. Users can adjust the data collection timeframe with the [-TimeFrame] parameter, which defaults to the last seven days. Running the queries requires the ThreatHunting.Read.All Graph permission on the signed-in identity and the Microsoft.Graph.Security PowerShell module on the host.
The script's results depend on several data sources, including Unified Security Platform Alerts, Defender For Endpoint, and Azure Activity logs. Having all of these tables available is beneficial, but missing some will not completely prevent results. Contributors are encouraged to add new queries in JSON format, specifying the query name, source, and expected results. The project documentation also describes how to format KQL queries as single-line strings for use in the JSON files, which keeps them compatible with the PowerShell script.
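The following is an added example, not code from the KustoHawk repository, that walks through the two steps the preceding paragraphs describe: collapsing a multi-line KQL query into the single-line string a JSON query file needs, and then running that entry through the Graph advanced-hunting endpoint with a day-based timeframe and the ThreatHunting.Read.All scope, printing to the terminal or exporting to CSV. The JSON field names (Name, Source, ExpectedResults, Query), the {{DeviceName}} placeholder, the sample query text and the device name are all assumptions made for the example and are not taken from the project; the Start-MgSecurityHuntingQuery result shape (Results objects exposing AdditionalProperties) is the Microsoft.Graph.Security SDK behaviour as I understand it and is also labelled as an assumption in the code.

```powershell
# Added example, not KustoHawk's own code.
# Assumptions (not from the page): JSON field names Name/Source/ExpectedResults/Query,
# the {{DeviceName}} placeholder, the sample KQL, and the SDK result shape.

#Requires -Modules Microsoft.Graph.Security
param(
    [int]$TimeFrame = 7,              # days back; the page says KustoHawk also defaults to 7
    [string]$DeviceName = 'ws-0042',  # constructed sample target
    [switch]$Export                   # write a CSV instead of printing to the terminal
)

# 1. A multi-line KQL query as an analyst would paste it from the portal (constructed sample).
$kql = @'
DeviceLogonEvents
| where DeviceName =~ "{{DeviceName}}"
| where ActionType == "LogonSuccess"
| summarize Logons = count(), First = min(Timestamp), Last = max(Timestamp)
    by AccountName, LogonType, RemoteIP
| order by Logons desc
'@

# 2. Collapse it to a single line: trim each physical line, drop blank ones, join with spaces.
#    KQL does not need line breaks between pipe stages, and a single-line string keeps
#    embedded newlines out of the JSON file.
function ConvertTo-SingleLineKql {
    param([Parameter(Mandatory)][string]$Query)
    ($Query -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join ' '
}

$entry = [ordered]@{
    Name            = 'Device logon summary'
    Source          = 'DeviceLogonEvents'   # table the query depends on (assumed field)
    ExpectedResults = 'One row per account, logon type and remote IP seen on the device'
    Query           = ConvertTo-SingleLineKql $kql
}

$jsonPath = Join-Path ([IO.Path]::GetTempPath()) 'DeviceLogon.json'
# ConvertTo-Json escapes the double quotes inside the KQL string for us.
$entry | ConvertTo-Json | Set-Content -Path $jsonPath -Encoding UTF8

# 3. Load the entry back the way a query-driven script would and substitute the target.
$loaded = Get-Content -Path $jsonPath -Raw | ConvertFrom-Json
$query  = $loaded.Query -replace '\{\{DeviceName\}\}', $DeviceName

# 4. Authenticate with only the permission the page lists, then run the query.
#    -Timespan takes an ISO 8601 duration, so -TimeFrame 7 becomes "P7D".
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome
$response = Start-MgSecurityHuntingQuery -Query $query -Timespan "P${TimeFrame}D"

# Assumption about the SDK: each item in .Results carries the KQL columns in
# .AdditionalProperties (an IDictionary); New-Object -Property turns that into a flat object.
$rows = $response.Results | ForEach-Object {
    New-Object -TypeName PSObject -Property $_.AdditionalProperties
}

if ($Export) {
    $csv = Join-Path ([IO.Path]::GetTempPath()) "$($loaded.Name -replace '\s', '_').csv"
    $rows | Export-Csv -Path $csv -NoTypeInformation
    Write-Host "Exported $(@($rows).Count) rows to $csv"
} else {
    $rows | Format-Table -AutoSize
}
```

Run it as `.\Example.ps1 -DeviceName <host> -TimeFrame 14 -Export` against a tenant where the signed-in account has been granted ThreatHunting.Read.All; without that scope Start-MgSecurityHuntingQuery returns a 403 rather than an empty result, which is the first thing to check when a query that works in the portal produces nothing from the script.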