Use shared queries in advanced hunting
Advanced hunting queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
Save, modify, and share a query
You can save a new or existing query so that it is accessible only to you, or shared with other users in your organization.
1. Type a new query or load an existing one from under Shared queries or My queries.
2. Select Save or Save as from the save options. To avoid overwriting an existing query, choose Save as.
3. Enter a name for the query.
4. Select the folder where you'd like to save the query.
   - Shared queries: shared with all users in your organization
   - My queries: accessible only to you
Delete or rename a query
1. Right-click the query you want to rename or delete.
2. Select Delete and confirm the deletion, or select Rename and provide a new name for the query.
Create a direct link to a query
To generate a link that opens your query directly in the advanced hunting query editor, finalize your query and select Share link.
Access queries in the GitHub repository
Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the threat analytics reports in Microsoft Defender Security Center.