Advanced hunting allows you to view and query all the data sources available within the unified Microsoft Defender portal, which include Microsoft Defender XDR and various Microsoft security services. If you onboard Microsoft Sentinel to the Defender portal, you can also access and use all your existing Microsoft Sentinel workspace content, including queries and functions.
Querying from a single portal across different data sets makes hunting more efficient and removes the need for context-switching.
Important
Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
You can query data in any workload that you can currently access based on your roles and permissions.
To query across Microsoft Sentinel and Microsoft Defender XDR data in the unified advanced hunting page, you'll also need at least the Microsoft Sentinel Reader role. For more information, see Microsoft Sentinel-specific roles.
In Microsoft Defender, you can connect workspaces by selecting Connect a workspace in the top banner. This button appears if you're eligible to onboard a Microsoft Sentinel workspace onto the unified Microsoft Defender portal. Follow the steps in: Onboarding a workspace.
After connecting your Microsoft Sentinel workspace and Microsoft Defender XDR advanced hunting data, you can start querying Microsoft Sentinel data from the advanced hunting page. For an overview of advanced hunting features, read Proactively hunt for threats with advanced hunting.
- adx() operator. There might be cases where IntelliSense warns you that the operators in your query don't match the schema; however, you can still run the query and it should still execute successfully.
- SourceSystem and MachineGroup columns for Defender XDR data that have been streamed from Microsoft Sentinel. Since the columns SourceSystem and MachineGroup are added to Defender XDR tables once they're streamed to Microsoft Sentinel, they also appear in results in advanced hunting in Defender. However, they remain blank for Defender XDR tables that weren't streamed (tables that follow the default 30-day data retention period).
Note
Using the unified portal, where you can query Microsoft Sentinel data after connecting a Microsoft Sentinel workspace, does not automatically mean you can also query Defender XDR data while in Microsoft Sentinel. Raw data ingestion of Defender XDR should still be configured in Microsoft Sentinel for this to happen.
You can use advanced hunting KQL (Kusto Query Language) queries to hunt through Microsoft Defender XDR and Microsoft Sentinel data.
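As an added example (not from this Microsoft page), the following KQL runs in the unified advanced hunting page across both data sets: successful interactive logons recorded in the Sentinel-sourced SecurityEvent table and in the Defender XDR DeviceLogonEvents table, to surface host/account pairs that only one source sees. It assumes the connected workspace collects Windows Security events into SecurityEvent and that Defender for Endpoint populates DeviceLogonEvents; the column names are the standard ones for those two tables.

```kusto
// Added example, not part of the Microsoft page. Assumes the connected
// Microsoft Sentinel workspace collects Windows Security events (SecurityEvent)
// and that Defender for Endpoint populates DeviceLogonEvents.
let lookback = 7d;
// Logons seen by the Sentinel side: Windows event 4624, interactive (2) or RDP (10)
let sentinelLogons =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (2, 10)
    | project EventTime = TimeGenerated,
              Host = tolower(tostring(split(Computer, ".")[0])),
              Account = tolower(TargetUserName),
              Source = "Sentinel:SecurityEvent";
// Logons seen by the Defender XDR side; filter on Timestamp, the actual event time
let xdrLogons =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | where LogonType in ("Interactive", "RemoteInteractive")
    | project EventTime = Timestamp,
              Host = tolower(tostring(split(DeviceName, ".")[0])),
              Account = tolower(AccountName),
              Source = "XDR:DeviceLogonEvents";
union sentinelLogons, xdrLogons
| summarize Logons = count(),
            FirstSeen = min(EventTime),
            LastSeen = max(EventTime),
            Sources = make_set(Source)
          by Host, Account
// Pairs visible to only one source point at telemetry gaps worth checking
| where array_length(Sources) == 1
| order by LastSeen desc
```

Hosts that appear only under Sentinel:SecurityEvent are candidates for missing Defender for Endpoint onboarding; hosts only under XDR:DeviceLogonEvents are candidates for a missing Windows Security event collection.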
When you open the advanced hunting page for the first time after connecting a workspace, you can find many of that workspace's tables organized by solution after the Microsoft Defender XDR tables under the Schema tab.
Likewise, you can find the functions from Microsoft Sentinel in the Functions tab, and your shared and sample queries from Microsoft Sentinel can be found in the Queries tab inside folders marked Sentinel.
To learn more about a schema table, select the vertical ellipsis to the right of any schema table name under the Schema tab, then select View schema.
In the unified portal, in addition to viewing the schema column names and descriptions, you can also view:
TableName | take 5
- IdentityInfo table from Microsoft Sentinel isn't available, as the IdentityInfo table remains as is in Defender XDR. Microsoft Sentinel features like analytics rules that query this table aren't impacted, as they query the Log Analytics workspace directly.
- SecurityAlert table is replaced by the AlertInfo and AlertEvidence tables, which together hold all the data on alerts. While SecurityAlert isn't available in the Schema tab, you can still use it in queries in the advanced hunting editor. This provision is made so as not to break existing queries from Microsoft Sentinel that use this table.
- Timestamp and TimeGenerated columns. If the data arrives in Log Analytics after 48 hours, its TimeGenerated value is overridden upon ingestion to now(). Therefore, to get the actual time the event happened, we recommend relying on the Timestamp column.
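Added example (not from this Microsoft page) covering the last two items above: a Sentinel-style query that used to read SecurityAlert, rewritten against AlertInfo joined with AlertEvidence, filtering on Timestamp rather than TimeGenerated and flagging rows whose TimeGenerated looks reset at ingestion. It assumes the table exposes both Timestamp and TimeGenerated, as the note above describes; the column names are the standard AlertInfo and AlertEvidence ones, and the 48h threshold is the one stated above.

```kusto
// Added example, not part of the Microsoft page. Replaces a Sentinel-style
//   SecurityAlert | where TimeGenerated > ago(1d) | where AlertSeverity == "High"
// with the AlertInfo + AlertEvidence tables available in the unified portal.
let lookback = 1d;
AlertInfo
// Filter on Timestamp, the event time; TimeGenerated may have been reset to now()
| where Timestamp > ago(lookback)
| where Severity == "High"
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(lookback)
    | project AlertId, EntityType, EvidenceRole,
              DeviceName, AccountName, FileName, SHA256, RemoteIP
  ) on AlertId
// Assumes TimeGenerated is present on the table (see the note above)
| extend IngestDelay = TimeGenerated - Timestamp
// Rows that reached Log Analytics more than 48h after the event had
// TimeGenerated overridden, so treat the delay only as a late-arrival flag
| extend LateArrival = IngestDelay > 48h
| summarize Devices = make_set(DeviceName),
            Accounts = make_set(AccountName),
            Files = make_set(FileName),
            Hashes = make_set(SHA256),
            RemoteIPs = make_set(RemoteIP),
            LateRows = countif(LateArrival)
          by AlertId, Timestamp, Title, Category, ServiceSource, DetectionSource
| order by Timestamp desc
```

Scheduled analytics rules that key their time window on TimeGenerated can miss late-arriving alerts entirely; ordering and filtering on Timestamp, as above, keeps the hunt aligned with when the activity actually happened.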