defender-xdr/advanced-hunting-overview.md
Lines changed: 9 additions & 9 deletions
@@ -1,13 +1,13 @@
1
1
---
2
2
title: Overview - Advanced hunting
3
-
description: Learn about advanced hunting queries in Microsoft Defender and how to use them to proactively find threats and weaknesses in your network
3
+
description: Learn about advanced hunting queries in Microsoft Defender and how to use them to proactively find threats and weaknesses in your network.
4
4
ms.service: defender-xdr
5
5
f1.keywords:
6
6
- NOCSH
7
-
ms.author: maccruz
8
-
author: schmurky
7
+
ms.author: pauloliveria
8
+
author: poliveria
9
9
ms.localizationpriority: medium
10
-
manager: dansimp
10
+
manager: orspodek
11
11
audience: ITPro
12
12
ms.collection:
13
13
- m365-security
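Review bot: the ownership metadata is updated consistently in this hunk (`ms.author` and `author` change together to `pauloliveria`/`poliveria`, and `manager` to `orspodek`), so there is no mismatch between the two author fields; the only other edit, a terminal period on `description`, is a harmless style fix. Worth confirming the new aliases resolve in the docs metadata before merge, since a stale `author` value is the usual cause of build warnings on this kind of change.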
@@ -22,7 +22,7 @@ appliesto:
22
22
- Microsoft Defender XDR
23
23
- Microsoft Sentinel in the Microsoft Defender portal
24
24
search.appverid: met150
25
-
ms.date: 06/03/2025
25
+
ms.date: 09/09/2025
26
26
27
27
---
28
28
@@ -33,7 +33,7 @@ ms.date: 06/03/2025
33
33
34
34
Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
35
35
36
-
Advanced hunting supports two modes, guided and advanced. Use [guided mode](advanced-hunting-query-builder.md) if you are not yet familiar with Kusto Query Language (KQL) or prefer the convenience of a query builder. Use [advanced mode](advanced-hunting-query-language.md) if you are comfortable using KQL to create queries from scratch.
36
+
Advanced hunting supports two modes, guided and advanced. Use [guided mode](advanced-hunting-query-builder.md) if you aren't yet familiar with Kusto Query Language (KQL) or prefer the convenience of a query builder. Use [advanced mode](advanced-hunting-query-language.md) if you're comfortable using KQL to create queries from scratch.
37
37
38
38
**To start hunting, read [Choose between guided and advanced modes to hunt in the Microsoft Defender portal](advanced-hunting-modes.md).**
39
39
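Review bot: this hunk is wording-only ("are not" to "aren't", "are comfortable" to "you're comfortable") with no change in meaning; the contractions follow the conversational style used in the rest of the file, and the two links (`advanced-hunting-query-builder.md`, `advanced-hunting-query-language.md`) are preserved unchanged.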
@@ -66,13 +66,13 @@ Advanced hunting data can be categorized into two distinct types, each consolida
66
66
67
67
### **Event or activity data**
68
68
69
-
Event or activity data populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to the corresponding cloud services. For example, you can query event data from healthy sensors on workstations or domain controllers almost immediately after they are available on Microsoft Defender for Endpoint and Microsoft Defender for Identity.
69
+
Event or activity data populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to the corresponding cloud services. For example, you can query event data from healthy sensors on workstations or domain controllers almost immediately after they're available on Microsoft Defender for Endpoint and Microsoft Defender for Identity.
70
70
71
71
To collect even more event properties, you have the option of turning on [aggregated reporting](/defender-endpoint/aggregated-reporting).
72
72
73
73
### **Entity data**
74
74
75
-
Entity data populates tables with information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
75
+
Entity data populates tables with information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated every hour to insert a record that contains the latest, most comprehensive data set about each entity, including other useful information such as health status and tags.
76
76
77
77
78
78
## Time zone
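Review bot: the Entity data paragraph (line 75) changes documented behavior, not just style, and drops two caveats without replacement: the old text said tables refresh every 15 minutes with rows that "might not be fully populated" and are consolidated every 24 hours, while the new text states a single hourly insert of a complete record. If partially populated interim rows no longer occur, say so explicitly, because hunting queries that deduplicate entity tables by taking the latest record per entity depend on knowing whether an interim row can be incomplete; if they still occur, the caveat should stay. Also consider naming which tables carry "health status and tags", since the sentence currently applies the phrase to entity data in general. The Event data change (line 69, "they are" to "they're") is wording-only.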
@@ -96,7 +96,7 @@ In order to extend the 30 days retention for Advanced Hunting, see the following
96
96
- Microsoft Defender for Endpoint [Raw Data Streaming API](/defender-endpoint/api/raw-data-export)
97
97
98
98
> [!NOTE]
99
-
> The data retained is from the first (1st) day that you implement and enable the streaming api.
99
+
> The data retained is from the first day that you implement and enable the streaming API.
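Review bot: the NOTE fix is correct ("API" capitalized, redundant "(1st)" removed), but the unchanged context line in the hunk header still reads "30 days retention for Advanced Hunting", which should be "30-day retention" and lowercase "hunting" to match the "Advanced hunting" capitalization used elsewhere in this file; since that line is already visible in the hunk context, it is a cheap follow-up in the same change.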