defender-xdr/advanced-hunting-query-builder-details.md
Lines changed: 15 additions & 15 deletions
@@ -38,58 +38,58 @@ ms.date: 03/28/2025
38
38
Advanced hunting in guided mode supports several data types that you can use to fine-tune your query.
39
39
40
40
- Numbers<br>
41
-

41
+

42
42
43
43
- Strings<br>
44
-

44
+

45
45
46
46
In the free text box, type the value and press **Enter** to add it. Note that the delimiter between values is **Enter**.<br>
47
47
48
-

48
+

49
49
50
50
- Boolean<br>
51
-

51
+

52
52
53
53
54
54
- Datetime<br>
55
-

55
+

56
56
57
57
58
58
- Closed list - You don't need to remember the exact value you're looking for. You can easily choose from a suggested closed list that supports multi-selection.<br>
59
-

59
+

60
60
61
61
62
62
## Use subgroups
63
63
You can create groups of conditions by clicking **Add subgroup**:

67
+

68
68
69
69
## Use smart auto-complete for search
70
70
Smart auto-complete for searching devices and user accounts is supported.
71
71
You don't need to remember the device ID, full device name, or user account name. You can start typing the first few characters of the device or user you're looking for and a suggested list appears from which you can choose what you need:
You can even look for specific event types like all failed logons, file modification events, or successful network connections by using the **EventType** filter in any section where it is applicable.
77
77
78
78
For instance, if you want to add a condition that looks for registry value deletions, you can go to the **Registry Events** section and select **EventType**.
79
79
80
-

80
+

81
81
82
82
Selecting EventType under Registry Events allows you to choose from different registry events, including the one you're hunting for, **RegistryValueDeleted**.
83
83
84
-

84
+

85
85
86
86
> [!NOTE]
87
87
>`EventType` is the equivalent of `ActionType` in the data schema, which users of advanced mode might be more familiar with.
88
88
89
89
## Test your query with a smaller sample size
90
90
If you're still working on your query and would like to see its performance and some sample results quickly, adjust the number of records to return by picking a smaller set through the **Sample size** dropdown menu.
91
91
92
-

92
+

93
93
94
94
The sample size is set to 10,000 results by default, which is the maximum number of records that can be returned in hunting. However, we highly recommend lowering the sample size to 10 or 100 to quickly test your query, as doing so consumes less resources while you're still working on improving the query.
95
95
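Review bot: every changed line in this hunk (the paired `-`/`+` entries after each data-type bullet such as `- Numbers<br>`, after the Enter-delimiter sentence, after the `Add subgroup` sentence, after the two `EventType` paragraphs and after the `Sample size` paragraph) renders with nothing after its marker in this view, so what was actually replaced cannot be reviewed here; each sits where a screenshot follows the text, so please confirm the updated references resolve and that descriptive alt text is kept. Note also that the original-file numbering jumps from 63 to 67 around the subgroup paragraph, so part of this hunk is not shown. One wording point on the unchanged sample-size paragraph: "consumes less resources" should read "consumes fewer resources".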
@@ -98,15 +98,15 @@ Then, once you finalize your query and are ready to use it to get all the releva
98
98
## Switch to advanced mode after building a query
99
99
You can click on **Edit in KQL** to view the KQL query generated by your selected conditions. Editing in KQL opens a new tab in advanced mode, with the corresponding KQL query:
100
100
101
-

101
+

102
102
103
-

103
+

104
104
105
105
In the above example, the selected view is All, therefore you can see that the KQL query searches all tables that have file properties of name and SHA256, and in all the relevant columns covering these properties.
106
106
107
107
If you change the view to **Emails & collaboration**, the query is narrowed down to:
108
108
109
-

109
+

110
110
111
111
## See also
112
112
-[Advanced hunting quotas and usage parameters](advanced-hunting-limits.md)
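Review bot: the last visible line of this hunk deletes the only entry under `## See also` (`[Advanced hunting quotas and usage parameters](advanced-hunting-limits.md)`) and no `+` replacement is shown, so either restore the link or drop the now-empty `See also` heading with it. The other paired `-`/`+` lines (after the `Edit in KQL` sentence and after `Emails & collaboration`) render empty here, as in the first hunk, so the screenshot references they presumably carry cannot be verified from this view.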