Proactively hunt for threats with advanced hunting

Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:


Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.

Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.

You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
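The following query is an added example, not from this page or Microsoft's shared query collection. It shows the two uses described above in one query: exploring the full 30-day window of raw process events, and shaping the result so the same query can be saved as a custom detection rule. The table and column names are from the advanced hunting schema; the requirement that a detection-rule query return Timestamp, DeviceId and ReportId columns is a documented platform rule, assumed here rather than stated on this page.

```kusto
// Added example (not part of the page). Hunt for PowerShell started with an
// encoded command line across the full 30-day retention window described above.
DeviceProcessEvents
| where Timestamp > ago(30d)                       // 30 days is the maximum the page states
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "-ec")
// Keep Timestamp, DeviceId and ReportId: a custom detection rule needs these
// three columns to raise an alert and act on the right device and event
// (assumed from the platform's documented rule requirements).
| project Timestamp, DeviceId, DeviceName, ReportId,
          AccountName, InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc
```

While hunting you would typically add a `summarize count() by DeviceName, AccountName` step to spot outliers; drop that aggregation again before saving the query as a custom detection rule, since summarizing discards the per-event columns the rule relies on.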

Tip

Use advanced hunting in Microsoft Threat Protection to hunt for threats using data from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. See: Turn on Microsoft Threat Protection.

Get started with advanced hunting

We recommend going through the following steps to quickly get up and running with advanced hunting.

| Learning goal | Description | Resource |
|---|---|---|
| Learn the language | Advanced hunting is based on Kusto query language, supporting the same syntax and operators. Start learning the query language by running your first query. | Query language overview |
| Learn how to use the query results | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | Work with query results |
| Understand the schema | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | Schema reference |
| Use predefined queries | Explore collections of predefined queries covering different threat hunting scenarios. | Shared queries |
| Optimize queries and handle errors | Understand how to create efficient and error-free queries. | Query best practices; Handle errors |
| Get the most complete coverage | Use audit settings to provide better data coverage for your organization. | Extend advanced hunting coverage |
| Run a quick investigation | Quickly run an advanced hunting query to investigate suspicious activity. | Quickly hunt for entity or event information with go hunt |
| Contain threats and address compromises | Respond to attacks by quarantining files, restricting app execution, and other actions. | Take action on advanced hunting query results |
| Create custom detection rules | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | Custom detections overview; Custom detection rules |

Data freshness and update frequency

Advanced hunting data can be categorized into two distinct types, each consolidated differently.

  • Event or activity data: populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect it successfully transmit it to Microsoft Defender ATP.
  • Entity data: populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
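Because entity tables gain partially populated rows every 15 minutes and a consolidated record only once a day, a practical consequence is that you should not treat every DeviceInfo row as complete, and you should reduce the table to one row per device before joining it to event data. The query below is an added example, not from this page: it builds a latest-known-state view from the entity table DeviceInfo and uses it to enrich event data from DeviceNetworkEvents. Table and column names are from the advanced hunting schema; the domain filter is a constructed placeholder.

```kusto
// Added example (not part of the page). Entity data: keep only rows whose key
// fields are populated, then take the most recent row per device. arg_max
// returns the latest Timestamp and every column from that same row.
let LatestDevice = DeviceInfo
| where Timestamp > ago(7d)
| where isnotempty(OSPlatform) and isnotempty(OSVersion)   // skip partially populated 15-minute rows
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, OSPlatform, OSVersion, MachineGroup;
// Event data: near-real-time network events, enriched with the device state above.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl endswith ".example.com"          // constructed placeholder domain, not from the page
| join kind=leftouter LatestDevice on DeviceId     // leftouter keeps events for devices with no entity row yet
| project Timestamp, DeviceName, OSPlatform, OSVersion, MachineGroup,
          RemoteUrl, RemoteIP, InitiatingProcessFileName
| order by Timestamp desc
```

The `leftouter` join matters for the freshness model on this page: a newly onboarded device can already emit events before its consolidated entity record exists, and an inner join would silently drop those events. All Timestamp values in both tables are UTC, so day boundaries in any `bin(Timestamp, 1d)` aggregation are UTC days, not local ones.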

Time zone

Time information in advanced hunting is currently in the UTC time zone.