Overview of advanced hunting

Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Microsoft Defender Security Center.

With advanced hunting, you can take advantage of the following capabilities:

  • Powerful query language with IntelliSense - Built on top of a query language that gives you the flexibility you need to take hunting to the next level.
  • Query the stored telemetry - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types.
  • Links to portal - Certain query results, such as machine names and file names, are direct links into the portal, so you can move from an advanced hunting result straight into the existing portal investigation experience.
  • Query examples - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.
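The capabilities above come together in a single query: the query language filters the stored process-creation telemetry, joins it to network telemetry, and the machine and file names in the result are the portal links mentioned. The following hunting query is an added example for this page, not a query from the product documentation or its welcome page. It assumes the current advanced hunting schema (the `DeviceProcessEvents` and `DeviceNetworkEvents` tables and the column names used below); the product version this page describes may expose the same data under different table and column names, so check the schema reference in your portal before running it.

```kql
// Added example (assumed schema): hunt for script interpreters launched by an
// Office application, then attach any network connections that child process
// made within five minutes of starting. The parent/child pairing is a common
// indicator of a malicious document, and the network join shows whether it
// reached out anywhere, which is what an analyst wants to triage first.
let lookback = 7d;
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let scriptHosts = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (officeApps)   // case-insensitive match on the parent
| where FileName in~ (scriptHosts)                   // and on the spawned child
| project Timestamp, DeviceName, AccountName,
          ParentApp = InitiatingProcessFileName,
          FileName, ProcessCommandLine, ProcessId, SHA1
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | project NetTime = Timestamp, DeviceName, InitiatingProcessId,
              RemoteIP, RemoteUrl, RemotePort
  ) on DeviceName, $left.ProcessId == $right.InitiatingProcessId
// Keep rows with no connection at all (leftouter) and rows whose connection
// falls in the window after process start; this limits PID-reuse false matches.
| where isempty(NetTime) or NetTime between (Timestamp .. (Timestamp + 5m))
| summarize Connections = countif(isnotempty(RemoteIP)),
            RemoteIPs   = make_set(RemoteIP, 10),
            RemoteUrls  = make_set(RemoteUrl, 10)
          by Timestamp, DeviceName, AccountName, ParentApp, FileName, ProcessCommandLine, SHA1
| order by Timestamp desc
```

In the results, the `DeviceName` and `FileName` columns are the clickable portal links described above, and a query like this is also the shape of what you would save as a custom detection rule once you have tuned the lookback and the application lists to your environment.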

In this section

  • Query data using Advanced hunting - Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization.
  • Custom detections - With custom detections, you can create custom queries to monitor events for any kind of behavior, such as suspicious or emerging threats.