Proactively hunt for threats with advanced hunting in Microsoft Threat Protection

Applies to:

  • Microsoft Threat Protection


Some information relates to prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.

You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.

In the Microsoft 365 security center, advanced hunting supports queries that look into data from various workspaces, including data about devices, emails, apps, and identities from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. To use advanced hunting, turn on Microsoft Threat Protection.

Get started with advanced hunting

We recommend going through several steps to quickly get up and running with advanced hunting.

Learning goal: Get a feel for the language
Description: Advanced hunting is based on the Kusto query language, supporting the same syntax and operators. Start learning the query language by running your first query.
Resource: Query language overview

Learning goal: Learn how to use the query results
Description: Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information.
Resource: Work with query results

Learning goal: Understand the schema
Description: Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries.
Resource: Schema reference

Learning goal: Leverage predefined queries
Description: Explore collections of predefined queries covering different threat hunting scenarios.
Resources:
  • Use shared queries
  • Go hunt

Learning goal: Optimize queries
Description: Understand how to create efficient queries and queries that combine data from emails and devices.
Resources:
  • Query best practices
  • Hunt across devices and emails

Learning goal: Create custom detection rules
Description: Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically.
Resources:
  • Custom detections overview
  • Custom detection rules
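As an added example of the kind of query the "Hunt across devices and emails" step describes (written for this page, not taken from Microsoft's documentation), the following Kusto query correlates an email attachment with the same file later written to disk on a managed device. The table names (EmailAttachmentInfo, DeviceFileEvents) and column names are assumed from the advanced hunting schema reference rather than from this page; the 7-day window and extension list are constructed choices.

```kusto
// Added example: correlate email attachments with files created on devices.
// Table and column names are assumed from the advanced hunting schema
// reference (EmailAttachmentInfo, DeviceFileEvents); adjust if yours differ.
let lookback = 7d;
// Constructed list of attachment extensions worth reviewing.
let watched_extensions = dynamic([".exe", ".js", ".vbs", ".hta", ".iso"]);
// Attachments received by email whose name ends in a watched extension.
let email_attachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | extend Extension = tolower(extract(@"(\.[^.]+)$", 1, FileName))
    | where Extension in (watched_extensions)
    | project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, AttachmentName = FileName, SHA256;
// Files created on devices within the same window.
let device_files =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | project DeviceTime = Timestamp, DeviceName, FolderPath,
              InitiatingProcessFileName, SHA256;
// Join on the file hash: same SHA256 means the same content reached disk.
email_attachments
| join kind=inner device_files on SHA256
| where DeviceTime >= EmailTime   // file landed after the email arrived
| project EmailTime, DeviceTime, SenderFromAddress, RecipientEmailAddress,
          AttachmentName, DeviceName, FolderPath, InitiatingProcessFileName,
          SHA256
| order by DeviceTime desc
```

Once the results look right in the query editor, the same query can be saved as a custom detection rule so that new matches raise an alert and trigger response actions automatically.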

Get access

To use advanced hunting or other Microsoft Threat Protection capabilities, you need to be assigned an appropriate role in Azure AD. Note that your access to endpoint data is influenced by role-based access control settings in Microsoft Defender ATP. Read about managing access to Microsoft Threat Protection.