Proactively hunt for threats with advanced hunting in Microsoft Threat Protection
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.
In the Microsoft 365 security center, advanced hunting supports queries that look into data from various workspaces, including data about devices, emails, apps, and identities from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. To use advanced hunting, turn on Microsoft Threat Protection.
Get started with advanced hunting
We recommend going through several steps to quickly get up and running with advanced hunting.
| Learning goal | Description | Resource |
|---|---|---|
| Get a feel for the language | Advanced hunting is based on the Kusto query language, supporting the same syntax and operators. Start learning the query language by running your first query. | Query language overview |
| Learn how to use the query results | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | Work with query results |
| Understand the schema | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | Schema reference |
| Leverage predefined queries | Explore collections of predefined queries covering different threat hunting scenarios. | Use shared queries |
| Optimize queries | Understand how to create efficient queries and queries that combine data from emails and devices. | Query best practices; Hunt across devices and emails |
| Create custom detection rules | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | Custom detections overview; Custom detection rules |
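As an added illustration of the cross-workspace hunting described above (an example written for this page, not a query from Microsoft's shared query collection), the following Kusto query correlates attachments delivered by email with files that later appear on devices, which is the kind of query that can also be saved as a custom detection rule. The table names (`EmailEvents`, `EmailAttachmentInfo`, `DeviceFileEvents`) and columns are assumed from the advanced hunting schema reference and should be checked there before use.

```kusto
// Added example: email attachments (by SHA256) that were delivered to a mailbox
// and subsequently written to disk on one or more devices.
// Table and column names are assumed from the advanced hunting schema reference.
let lookback = 7d;
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where isnotempty(SHA256)
// Keep only attachments on messages that were actually delivered (not junked/blocked)
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | where DeliveryAction == "Delivered"
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject
) on NetworkMessageId
| project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, Subject, AttachmentName = FileName, SHA256
// Correlate with files created on endpoints that share the attachment hash
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | project DeviceTime = Timestamp, DeviceName, FolderPath,
              InitiatingProcessFileName, SHA256
) on SHA256
// Only count device activity that happened after the email arrived
| where DeviceTime > EmailTime
| summarize DeviceCount = dcount(DeviceName),
            FirstSeenOnDevice = min(DeviceTime),
            Devices = make_set(DeviceName, 10),
            WritingProcesses = make_set(InitiatingProcessFileName, 10)
    by SHA256, AttachmentName, SenderFromAddress, Subject, NetworkMessageId
| order by DeviceCount desc
```

Narrow the 7-day window or add a `where` on `AttachmentName` extension (for example archives or scripts) to keep the query efficient, as the query best practices page recommends.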
To use advanced hunting or other Microsoft Threat Protection capabilities, you need to be assigned an appropriate role in Azure AD. Note that your access to endpoint data is also influenced by role-based access control settings in Microsoft Defender ATP. Read about managing access to Microsoft Threat Protection.
Get help as you write queries
Take advantage of the following functionality to write queries faster:
- Autosuggest — as you write queries, advanced hunting provides suggestions from IntelliSense.
- Schema reference — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it into the query editor.