File: unified-secops-platform/mto-advanced-hunting.md
Lines changed: 12 additions & 18 deletions
Original file line number
Diff line number
Diff line change
@@ -3,18 +3,18 @@ title: Advanced hunting in Microsoft Defender multitenant management
3
3
description: Learn about advanced hunting in Microsoft Defender multitenant management
4
4
search.appverid: met150
5
5
ms.service: unified-secops-platform
6
-
ms.author: deniseb
7
-
author: denisebmsft
6
+
ms.author: bagol
7
+
author: batamig
8
8
ms.localizationpriority: medium
9
-
manager: dansimp
9
+
manager: orspodek
10
10
audience: ITPro
11
11
ms.collection:
12
12
- m365-security
13
13
- highpri
14
14
- tier1
15
15
- usx-security
16
16
ms.topic: article
17
-
ms.date: 05/02/2025
17
+
ms.date: 07/07/2025
18
18
appliesto:
19
19
- Microsoft Defender XDR
20
20
- Microsoft Sentinel in the Microsoft Defender portal
@@ -23,18 +23,15 @@ appliesto:
23
23
# Advanced hunting in Microsoft Defender multitenant management
24
24
25
25
Advanced hunting in Microsoft Defender multitenant management allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants and workspaces at the same time. If you have multiple tenants with Microsoft Sentinel workspaces onboarded to the Microsoft Defender portal, search for security information and event management (SIEM) data together with extended detection and response (XDR) data across multiple tenants and workspaces.
26
-
27
26
28
27
Multiple workspaces per tenant are supported in multitenant Advanced hunting as preview.
29
28
30
-
31
29
## Quotas
32
30
33
31
In multitenant environments, advanced hunting queries can return a maximum of 50,000 records in total. The result set from each individual tenant is capped at 50,000 divided by the number of tenants queried.
34
32
35
33
For more information about service limits in advanced hunting, read [Understand advanced hunting quotas](/defender-xdr/advanced-hunting-limits#understand-advanced-hunting-quotas-and-usage-parameters).
36
34
37
-
38
35
## Run cross-tenant queries
39
36
40
37
You can run any query that you already have access to in the multitenant management **Advanced hunting** page.
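Review bot: this hunk only strips blank lines, but the unchanged sentence it carries, "Multiple workspaces per tenant are supported in multitenant Advanced hunting as preview.", reads awkwardly and capitalizes "Advanced hunting" differently from the rest of the page; since the region is already being touched, suggest "Multiple workspaces per tenant are supported in multitenant advanced hunting in preview."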
@@ -68,11 +65,15 @@ You can run any query that you already have access to in the multitenant managem
68
65
| take 10
69
66
```
70
67
68
+
To learn more about advanced hunting in Microsoft Defender XDR, read [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](/defender-xdr/advanced-hunting-overview).
71
69
72
-
> [!NOTE]
73
-
> If you have tables with the same name but different schemas in multiple workspaces and want to use them in the same query, you should use the workspace operator to uniquely identify the table that you need.
70
+
### Use adx(x) operator for Azure Data Explorer queries carefully
74
71
75
-
To learn more about advanced hunting in Microsoft Defender XDR, read [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](/defender-xdr/advanced-hunting-overview).
72
+
Consider carefully before using the `adx(x)` operator for queries on multiple tenants. Advanced hunting in the multitenant portal sends each query to each of the selected tenants in parallel. The tenants returns the results, which are then aggregated and sent back to the portal. Using the `adx(x)` operator in your queries effectively queries ADX multiple times, once for each tenant, and the returned and aggregated data might include duplicate information.
73
+
74
+
We recommend using the `adx(x)` operator with multiple tenants only when you want to join results from each tenant with ADX data.
75
+
76
+
For more information, see [Use Microsoft Sentinel functions, saved queries, and custom rules](/defender-xdr/advanced-hunting-defender-use-custom-rules#use-adx-operator-for-azure-data-explorer-queries).
76
77
77
78
## Run cross-workspace queries
78
79
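Review bot: the NOTE telling readers to use the workspace operator when tables with the same name but different schemas exist in multiple workspaces is deleted in this hunk and not re-added anywhere visible in the diff; if it was meant to move into the "Run cross-workspace queries" section, that move is not shown, so either restore it or confirm the relocation. In the new `adx(x)` paragraph, "The tenants returns the results" should read "The tenants return the results", and the heading would be more consistent with the body as "Use the `adx(x)` operator for Azure Data Explorer queries carefully".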
@@ -100,16 +101,14 @@ For more information, see [Query multiple workspaces](/azure/sentinel/extend-sen
100
101
101
102
## View schema tables
102
103
103
-
You can view the [advanced hunting schema tables](/defender-xdr/advanced-hunting-schema-tables) in the left pane inside the advanced hunting page under the **Schema** tab.
104
+
View the [advanced hunting schema tables](/defender-xdr/advanced-hunting-schema-tables) in the left pane inside the advanced hunting page under the **Schema** tab.
104
105
105
106
The schema list is a unified view of all tables from all your tenants regardless of the tenant selected in the upper right tenant selector.
106
107
107
108
This could mean that some tables that appear here might only be available for query in some tenants, like custom Microsoft Sentinel tables.
108
109
109
-
110
110
## View and manage custom detection rules
111
111
112
-
113
112
You can also manage custom detection rules from multiple tenants in the custom detection rules page.
114
113
115
114
### View custom detection rules by tenant
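Review bot: rewording "You can view the ..." to "View the ..." switches this sentence to imperative voice, but the unchanged "You can also manage custom detection rules from multiple tenants in the custom detection rules page." in the same hunk keeps the old form; apply the voice change consistently across the section or leave both sentences as they were.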
@@ -138,11 +137,6 @@ To manage detection rules:
138
137
139
138
1. Select **Open detection rules** to view this rule in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com). To learn more, see [Custom detection rules](/defender-xdr/custom-detection-rules).
140
139
141
-
142
-
143
-
144
-
145
-
146
140
## Related content
147
141
148
142
-[Set up Microsoft Defender multitenant management](mto-requirements.md)