
Advanced Hunting

Proactively search for threats across your Microsoft 365 environment using advanced hunting queries. Use Kusto Query Language (KQL) to explore security data, identify attack patterns, and uncover hidden threats that evade automated detection.

Note: Advanced hunting requires Microsoft 365 Defender or Microsoft Defender for Endpoint Plan 2. Data retention is 30 days by default, extendable to 180 days.

Data Schema

Query across multiple data tables containing security telemetry:

Identity and Access

  • IdentityLogonEvents — Sign-ins and authentication
  • IdentityQueryEvents — LDAP/directory queries
  • IdentityDirectoryEvents — AD object changes
  • AADSignInEventsBeta — Azure AD sign-ins

Device Events

  • DeviceEvents — General device activity
  • DeviceProcessEvents — Process creation
  • DeviceNetworkEvents — Network connections
  • DeviceFileEvents — File operations
  • DeviceRegistryEvents — Registry changes

Email and Collaboration

  • EmailEvents — Email delivery and filtering
  • EmailAttachmentInfo — Attachment details
  • EmailUrlInfo — URLs in emails
  • EmailPostDeliveryEvents — Post-delivery actions

Cloud Apps

  • CloudAppEvents — SaaS app activity
  • AppFileEvents — Files in cloud apps
  • OAuthAppAuditLogs — OAuth app changes

Query Editor

Query Interface

  • Full KQL (Kusto Query Language) support
  • IntelliSense for schema and function autocomplete
  • Syntax highlighting and error detection
  • Query formatting and optimization suggestions
  • Time range selector with preset options

Results View

  • Tabular results with sorting and filtering
  • Column selection and reordering
  • Export to CSV for further analysis
  • Pivot to related entities (user, device, file)
  • Direct action buttons (isolate device, block user)

Sample Queries

Failed Sign-ins by Location

Identify unusual geographic patterns in failed authentication:

AADSignInEventsBeta
| where Timestamp > ago(7d)
| where ErrorCode != 0                       // 0 is a successful sign-in
| summarize FailedCount = count() by Country
| sort by FailedCount desc
| take 10

PowerShell Download Cradles

Detect common malicious PowerShell download techniques:

DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName in~ ("powershell.exe", "pwsh.exe")   // case-insensitive; == "powershell.exe" misses PowerShell 7 and mixed-case names
| where ProcessCommandLine has_any ("DownloadString", "DownloadFile", "Invoke-WebRequest", "wget", "curl")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

Phishing Email Recipients

Find users who received emails with malicious URLs:

EmailEvents
| where Timestamp > ago(24h)
| where ThreatTypes has "Phish"
| where DeliveryAction == "Delivered"        // only messages that actually reached a mailbox
| join kind=inner (
    EmailUrlInfo
    | where Timestamp > ago(24h)             // bound the right side too, or the join scans the full table
  ) on NetworkMessageId
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, Url

Lateral Movement via PsExec

Detect potential lateral movement using PsExec. A file-name match only catches the stock binary on the source host; a renamed copy evades it, so pair this with a hunt on the target side for the PSEXESVC service executable the tool installs on the remote machine:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("psexec.exe", "psexec64.exe")
| summarize Executions = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            SampleCommandLines = make_set(ProcessCommandLine, 5)
    by DeviceName, InitiatingProcessAccountName
| sort by Executions desc

Saved Queries

My Queries

Save frequently used queries for quick access. Organize into folders. Queries are private to your account.

Shared Queries

Share queries with your security team. Useful for standardizing investigation procedures and onboarding new analysts.

Community Queries

Access community-contributed queries from Microsoft and the security community. Updated regularly with new threat detection patterns.

Custom Detection Rules

Convert hunting queries into automated detection rules that run continuously:

  1. Develop Query — Create and test your hunting query.
  2. Create Detection Rule — Define alert title, severity, and MITRE ATT&CK mapping.
  3. Set Schedule — Configure how frequently the query runs (1 hour to 24 hours).
  4. Define Actions — Configure automated response actions when rule triggers.
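The following query is an added example of step 1 prepared for steps 2 to 4; it is not a query from this page's library. It takes the PowerShell download-cradle hunt above and shapes it the way a Microsoft Defender custom detection expects: the result set must carry Timestamp, ReportId and at least one entity column (DeviceId here), and the lookback is matched to the rule's run frequency so each run only sees new events. The parent-process exclusion (ccmexec.exe) is an assumed allowlist entry for illustration, not a recommendation.

```kql
// Added example: download-cradle hunt shaped for a custom detection rule.
// Required output for a custom detection: Timestamp, ReportId, and an entity
// column such as DeviceId. The summarize step keeps those while collapsing
// repeats into one row per device, account and hour, so a looping script
// does not raise one alert per iteration.
let Lookback = 1h;   // equal to the schedule chosen in step 3
DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("DownloadString", "DownloadFile", "Invoke-WebRequest", "WebClient", "IEX")
// Assumed benign parent process; replace with the allowlist you have actually verified.
| where InitiatingProcessFileName !~ "ccmexec.exe"
| summarize arg_max(Timestamp, *) by DeviceId, AccountName, Hour = bin(Timestamp, 1h)
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, ProcessCommandLine
```

Run it manually first over a longer window (for example ago(7d)) to see the volume and the benign parents it catches, then shorten Lookback to the schedule and create the rule.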

KQL Reference

Common Operators

  • where — Filter rows
  • project — Select columns
  • summarize — Aggregate data
  • join — Combine tables
  • extend — Add calculated columns
  • sort by — Order results
  • take — Limit results

String Operators

  • has — Contains word
  • contains — Contains substring
  • startswith — Starts with
  • endswith — Ends with
  • matches regex — Regex match
  • =~ — Case-insensitive equals

Time Functions

  • ago(7d) — 7 days ago
  • now() — Current time
  • datetime() — Specific time
  • bin() — Time bucketing

Aggregation Functions

  • count() — Count rows
  • dcount() — Distinct count
  • sum() — Sum values
  • avg() — Average
  • make_set() — Unique values list
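An added example that combines the operators listed above into one hunt; it is not part of the page's query library. It looks for a password spray (one source IP failing against many distinct accounts inside an hour) and then for any account that later signed in successfully from the same IP. The window and the account threshold are assumptions to tune against your own baseline.

```kql
// Added example: password spray followed by a success from the same source.
let SprayWindow = 1h;
let MinAccounts = 20;        // assumed threshold; tune to the tenant's normal failure rate
// Stage 1: buckets of time in which one IP failed against many different accounts.
let SprayingIPs =
    AADSignInEventsBeta
    | where Timestamp > ago(1d)
    | where ErrorCode != 0
    | summarize
        FailedCount = count(),
        TargetAccounts = dcount(AccountUpn),
        SampleAccounts = make_set(AccountUpn, 5),
        Countries = make_set(Country)
        by IPAddress, TimeBucket = bin(Timestamp, SprayWindow)
    | where TargetAccounts >= MinAccounts;
// Stage 2: successful sign-ins from those IPs after the spray bucket began.
AADSignInEventsBeta
| where Timestamp > ago(1d)
| where ErrorCode == 0
| join kind=inner (
    SprayingIPs
    | project IPAddress, TimeBucket, TargetAccounts, SampleAccounts
  ) on IPAddress
| where Timestamp > TimeBucket
| project Timestamp, AccountUpn, IPAddress, Country,
          SprayStart = TimeBucket, TargetAccounts, SampleAccounts
| sort by Timestamp desc
```

Run the first stage on its own (end the query at the `let` body) to calibrate MinAccounts before chaining the second; a legitimate proxy or VPN egress will also fail against many accounts, which is why the example reports on the follow-up success rather than on the spray alone.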

Best Practices

  • Filter early in queries — Use time filters and specific criteria early to improve performance.
  • Use has instead of contains — The has operator matches whole terms through the term index, so it is much faster; contains scans every string for a substring. The trade-off is that has "script" will not match "PowerShell.exe -script" split differently or a fragment inside a longer word, so use contains only when you really need substring semantics.
  • Project only needed columns — Selecting fewer columns improves query speed and readability.
  • Test queries before scheduling — Run queries manually first to verify results before creating detection rules.
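The pair of queries below is an added example, not from the page, showing the first three practices applied to one hunt: correlating the download-cradle PowerShell launches from the samples above with the outbound connections they made. The slow form joins two unbounded tables before filtering; the faster form filters and projects each side first. The five-minute window is an assumption.

```kql
// Slow form: both tables are scanned over the full retention period before any
// filter applies, contains forces a substring scan, and every column rides through the join.
DeviceProcessEvents
| join kind=inner DeviceNetworkEvents on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| where Timestamp > ago(1d)
| where ProcessCommandLine contains "downloadstring"
| where RemoteUrl contains "pastebin"

// Faster form: time-bound and term-filter each side, keep only the columns the
// join and the analyst need, then join the two small sets.
let Lookback = 1d;
let SuspiciousPS =
    DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any ("DownloadString", "Invoke-WebRequest", "IEX")
    | project PsTime = Timestamp, DeviceId, DeviceName, ProcessId, AccountName, ProcessCommandLine;
DeviceNetworkEvents
| where Timestamp > ago(Lookback)
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has "pastebin"
| project Timestamp, DeviceId, InitiatingProcessId, RemoteUrl, RemoteIP, RemotePort
| join kind=inner SuspiciousPS on DeviceId, $left.InitiatingProcessId == $right.ProcessId
// Process IDs are reused, so require the connection to follow the launch closely (assumed window).
| where Timestamp between (PsTime .. (PsTime + 5m))
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
```

The time window after the join matters for correctness, not just speed: a PID on a device is recycled, and without it the join pairs old connections with a later unrelated process.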

API Reference

  • POST /api/security/hunting/query — Execute a hunting query
  • GET /api/security/hunting/saved — List saved queries
  • POST /api/security/hunting/saved — Save a new query
  • GET /api/security/hunting/schema — Get available data schema
  • POST /api/security/hunting/detection-rules — Create custom detection rule