Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
Use advanced hunting in Microsoft 365 Defender to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Turn on Microsoft 365 Defender.
Learn more about how to move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender in Migrate advanced hunting queries from Microsoft Defender for Endpoint.
Get started with advanced hunting
Go through the following steps to ramp up your advanced hunting knowledge.
We recommend going through several steps to quickly get up and running with advanced hunting.
|Learn the language||Advanced hunting is based on Kusto query language, supporting the same syntax and operators. Start learning the query language by running your first query.||Query language overview|
|Learn how to use the query results||Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information.||Work with query results|
|Understand the schema||Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries.||Schema reference|
|Use predefined queries||Explore collections of predefined queries covering different threat hunting scenarios.||Shared queries|
|Optimize queries and handle errors||Understand how to create efficient and error-free queries.||Query best practicesHandle errors|
|Get the most complete coverage||Use audit settings to provide better data coverage for your organization.||Extend advanced hunting coverage|
|Run a quick investigation||Quickly run an advanced hunting query to investigate suspicious activity.||Quickly hunt for entity or event information with go hunt|
|Contain threats and address compromises||Respond to attacks by quarantining files, restricting app execution, and other actions||Take action on advanced hunting query results|
|Create custom detection rules||Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically.||Custom detections overviewCustom detection rules|
Data freshness and update frequency
Advanced hunting data can be categorized into two distinct types, each consolidated differently.
- Event or activity data: Populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Defender for Endpoint.
- Entity data: Populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
Time information in advanced hunting is currently in the UTC time zone.