Explore advanced hunting
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings. The advanced hunting capability supports queries that check a broader data set from:
Microsoft Defender for Endpoint
Microsoft Defender for Office 365
Microsoft Defender for Cloud Apps
Microsoft Defender for Identity
To use advanced hunting, turn on Microsoft Defender XDR.
Data freshness and update frequency
Advanced hunting data can be categorized into two distinct types, each consolidated differently.
Event or activity data—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect it successfully transmit it to the corresponding cloud services. For example, you can query event data from healthy sensors on workstations or domain controllers almost immediately after it's available on Microsoft Defender for Endpoint and Microsoft Defender for Identity.
Entity data—populates tables with information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
Time zone
Time information in advanced hunting is in UTC.
Data schema
The advanced hunting schema is made up of multiple tables that provide either event information or information about devices, alerts, identities, and other entity types. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
Get schema information
While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema:
Table description—type of data contained in the table and the source of that data.
Columns—all the columns in the table.
Action types—possible values in the ActionType column representing the event types supported by the table. This information is provided only for tables that contain event information.
Sample query—example queries that show how the table can be used.
Access the schema reference
To quickly access the schema reference, select the View reference action next to the table name in the schema representation. You can also select Schema reference to search for a table.
Learn the schema tables
The following reference lists all the tables in the schema. Each table name links to a page describing the column names for that table. Table and column names are also listed in the security center as part of the schema representation on the advanced hunting screen.
Table name | Description |
---|---|
AlertEvidence | Files, IP addresses, URLs, users, or devices associated with alerts |
AlertInfo | Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity, including severity information and threat categorization |
CloudAppEvents | Events involving accounts and objects in Office 365 and other cloud apps and services |
DeviceEvents | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
DeviceFileCertificateInfo | Certificate information of signed files obtained from certificate verification events on endpoints |
DeviceFileEvents | File creation, modification, and other file system events |
DeviceImageLoadEvents | DLL loading events |
DeviceInfo | Machine information, including OS information |
DeviceLogonEvents | Sign-ins and other authentication events on devices |
DeviceNetworkEvents | Network connection and related events |
DeviceNetworkInfo | Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains |
DeviceProcessEvents | Process creation and related events |
DeviceRegistryEvents | Creation and modification of registry entries |
DeviceTvmSecureConfigurationAssessment | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
DeviceTvmSecureConfigurationAssessmentKB | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
DeviceTvmSoftwareInventory | Inventory of software installed on devices, including their version information and end-of-support status |
DeviceTvmSoftwareVulnerabilities | Software vulnerabilities found on devices and the list of available security updates that address each vulnerability |
DeviceTvmSoftwareVulnerabilitiesKB | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
EmailAttachmentInfo | Information about files attached to emails |
EmailEvents | Microsoft 365 email events, including email delivery and blocking events |
EmailPostDeliveryEvents | Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox |
EmailUrlInfo | Information about URLs on emails |
IdentityDirectoryEvents | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. |
IdentityInfo | Account information from various sources, including Microsoft Entra ID |
IdentityLogonEvents | Authentication events on Active Directory and Microsoft online services |
IdentityQueryEvents | Queries for Active Directory objects, such as users, groups, devices, and domains |
Custom detections
With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured endpoints. This is made possible by customizable detection rules that automatically trigger alerts and response actions.
Custom detections work with advanced hunting, which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
Custom detections provide:
Alerts for rule-based detections built from advanced hunting queries
Automatic response actions that apply to files and devices
Create detection rules
To create detection rules:
1. Prepare the query.
In Microsoft Defender Security Center, go to Advanced hunting and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
Important
To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
To use a query for a custom detection rule, the query must return the following columns:
Timestamp
DeviceId
ReportId
Simple queries, such as those that don't use the project or summarize operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by DeviceId, you can still return Timestamp and ReportId by getting them from the most recent event involving each device.
The sample query below counts the number of unique devices (DeviceId) with antivirus detections and uses this to find only those devices with more than five detections. To return the latest Timestamp and the corresponding ReportId, it uses the summarize operator with the arg_max function.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| where count_ > 5
2. Create a new rule and provide alert details.
With the query in the query editor, select Create detection rule and specify the following alert details:
Detection name—name of the detection rule
Frequency—interval for running the query and taking action. See the rule frequency guidance in step 3.
Alert title—title displayed with alerts triggered by the rule
Severity—potential risk of the component or activity identified by the rule.
Category—type of threat component or activity, if any.
MITRE ATT&CK techniques—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section isn't available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software.
Description—more information about the component or activity identified by the rule
Recommended actions—additional actions that responders might take in response to an alert
3. Rule frequency
When saved, a new custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
Every 24 hours—runs every 24 hours, checking data from the past 30 days
Every 12 hours—runs every 12 hours, checking data from the past 48 hours
Every 3 hours—runs every 3 hours, checking data from the past 12 hours
Every hour—runs hourly, checking data from the past 4 hours
Continuous (NRT)—runs continuously, checking data from events as they are collected and processed in near real-time (NRT)
Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
Note
Setting a custom detection to run in Continuous (NRT) frequency allows you to increase your organization's ability to identify threats faster.
4. Choose the impacted entities.
Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return both device and user IDs. Identifying which of these columns represents the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.
You can select only one column for each entity type. Columns that aren't returned by your query can't be selected.
5. Specify actions.
Your custom detection rule can automatically take actions on files or devices that are returned by the query.
Actions on devices
These actions are applied to devices in the DeviceId column of the query results:
Isolate device—applies full network isolation, preventing the device from connecting to any application or service, except for the Defender for Endpoint service.
Collect investigation package—collects device information in a ZIP file.
Run antivirus scan—performs a full Microsoft Defender Antivirus scan on the device
Initiate investigation—starts an automated investigation on the device
Actions on files
These actions are applied to files in the SHA1 or the InitiatingProcessSHA1 column of the query results:
Allow/Block—automatically adds the file to your custom indicator list so that it's always allowed to run or blocked from running. You can set the scope of this action so that it's taken only on selected device groups. This scope is independent of the scope of the rule.
Quarantine file—deletes the file from its current location and places a copy in quarantine
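The query shape that steps 1, 4 and 5 rely on, as an added example that is not from the original page or Microsoft's documentation: a multi-table hunt that still returns the required Timestamp, DeviceId and ReportId columns after a join and a summarize, and also returns DeviceId, AccountName and SHA1 so they can be chosen as impacted entities and targeted by file actions. The scenario (a process launched from a user-writable folder that then makes repeated outbound connections to public IP addresses), the folder names and the threshold of three connections are assumptions; the table and column names are from the Defender XDR schema listed above.

```kusto
// Added example, not Microsoft's own detection. Assumed scenario: a process started from a
// user-writable folder that then makes repeated outbound connections to public IP addresses.
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Assumed folder criteria; adjust to your environment to avoid normal, day-to-day activity.
| where FolderPath startswith @"C:\Users\" and FolderPath has_any (@"\Downloads\", @"\Temp\")
| project DeviceId, ProcessId, ProcessCreationTime, SHA1, FileName, AccountName, AccountDomain,
          ProcStart = Timestamp
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
    | project DeviceId, InitiatingProcessId, InitiatingProcessCreationTime,
              RemoteIP, RemotePort, Timestamp, ReportId
  ) on DeviceId,
     // Match on the creation time as well as the PID so a reused PID does not produce false joins.
     $left.ProcessId == $right.InitiatingProcessId,
     $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
// Only connections made shortly after the process started (assumed 10-minute window).
| where Timestamp between (ProcStart .. (ProcStart + 10m))
// One row per device and file. arg_max carries the latest connection's Timestamp and ReportId
// through the aggregation, which is what the custom detection rule requires; DeviceId, SHA1 and
// AccountName remain available as impacted-entity columns and for Allow/Block or Quarantine.
| summarize arg_max(Timestamp, ReportId, RemoteIP, RemotePort, AccountName, AccountDomain),
            Connections = count()
          by DeviceId, SHA1, FileName
| where Connections >= 3
| project Timestamp, DeviceId, ReportId, SHA1, FileName, AccountName, AccountDomain,
          RemoteIP, RemotePort, Connections
```

Run the query in advanced hunting first, as step 1 advises, and check that the result count stays well under the 100-alert-per-run limit before saving it as a rule.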
6. Set the rule scope.
Set the scope to specify which devices are covered by the rule:
All devices
Specific device groups
Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
7. Review and turn on the rule.
After reviewing the rule, select Create to save it. The custom detection rule runs immediately. It then runs again at the configured frequency to check for matches, generate alerts, and take response actions.