Commit 8be9e6d

Merge pull request #5424 from MicrosoftDocs/main
[AutoPublish] main to live - 10/31 01:34 PDT | 10/31 14:04 IST
2 parents dbbf34d + ee26ab1 commit 8be9e6d

11 files changed, +114 -38 lines changed

Lines changed: 53 additions & 23 deletions
@@ -1,15 +1,15 @@
11
---
2-
title: Understand the Defender Experts for Hunting report in Microsoft Defender XDR
2+
title: Understand the Defender Experts for Hunting report in Microsoft Defender
33
ms.reviewer:
44
description: The Defender Experts for Hunting service publishes reports to help you understand all the threats the hunting service surfaced in your environment
55
search.appverid: met150
66
ms.service: defender-experts-for-hunting
77
f1.keywords:
88
- NOCSH
9-
ms.author: vpattnaik
10-
author: vpattnai
9+
ms.author: pauloliveria
10+
author: poliveria
1111
ms.localizationpriority: medium
12-
manager: dansimp
12+
manager: orspodek
1313
audience: ITPro
1414
ms.custom:
1515
- cx-ti
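
Review bot: ms.reviewer on line 3 of the front matter is still empty while this hunk reassigns ms.author, author and manager; fill it in if a reviewer is assigned for the new owner. While this block is being touched, the unchanged description on line 4 is missing its terminal period, and the title now says "Microsoft Defender" while the description gives no product name at all, so check that search results for the page still identify the product.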
@@ -19,65 +19,95 @@ ms.collection:
1919
- tier1
2020
- essentials-manage
2121
ms.topic: concept-article
22-
ms.date: 02/07/2025
22+
ms.date: 10/31/2025
2323
---
2424

25-
# Understand the Defender Experts for Hunting report in Microsoft Defender XDR
25+
# Understand the Defender Experts for Hunting report in Microsoft Defender
2626

2727
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
2828

2929
**Applies to:**
3030

3131
- [Microsoft Defender XDR](microsoft-365-defender.md)
3232

33-
Microsoft Defender Experts for Hunting layers human intelligence and expert-trained technology to help Microsoft Defender XDR customers understand the significant threats they face. It highlights how Defender Expert's threat hunting skills, thorough understanding of the threat landscape, and knowledge of emerging threats can help you identify, prioritize, and address those threats in your environment.
33+
Microsoft Defender Experts for Hunting combines human intelligence with expert-trained technology to help Microsoft Defender XDR customers understand the significant threats they face. It highlights how Defender Experts' threat hunting skills, thorough understanding of the threat landscape, and knowledge of emerging threats can help you identify, prioritize, and address those threats in your environment.
3434

3535
The Defender Experts for Hunting service generates reports to help you understand all the threats the hunting service surfaced in your environment, alongside the alerts generated by your Microsoft Defender XDR products. You can view the report in the current (running) month, or in one-, three-, or six-month periods.
3636

37-
To view the report in your Microsoft Defender portal, go to **Reports**, select **Defender Experts** > **Defender Experts for Hunting report**. Each section of the report is designed to provide more insights into the threats and suspicious activities our Defender Experts found in your environment.
37+
To view the report in your Microsoft Defender portal, go to **Reports**, select **Defender Experts** > **Hunting report**. Each section of the report is designed to provide more insights into the threats and suspicious activities our Defender Experts found in your environment.
3838

3939
Refer to the following screenshot of a sample report:
4040

4141
:::image type="content" source="media/defender-experts-hunting-report.png" alt-text="Screenshot of Defender Experts for hunting report." lightbox="media/defender-experts-hunting-report.png":::
4242

4343
## Identify prevalent threats and other potential attack entry points
4444

45-
Signals from Microsoft Defender XDR and investigations by Defender Experts for Hunting help identify suspicious activities in your environment. Significant threat activities will have corresponding [Defender Experts Notifications](onboarding-defender-experts-for-hunting.md#receive-defender-experts-notifications), which also provide recommendations to remediate and defend your organization.
45+
Signals from Microsoft Defender XDR and investigations by Defender Experts for Hunting help identify suspicious activities in your environment. Significant threat activities have corresponding [Defender Experts Notifications](onboarding-defender-experts-for-hunting.md#receive-defender-experts-notifications), which also provide recommendations to remediate and defend your organization.
4646

47-
The report provides you with the total number of Defender Experts Notifications our experts have sent for your chosen period:
47+
The top section of the report provides you with the total number of hunts, suspicious threats investigated, and Defender Experts Notifications our experts sent for your chosen period:
4848

4949
:::image type="content" source="media/report-top-section-dens.png" alt-text="Screenshot of the top section of the report showing the number of threats identified." lightbox="media/report-top-section-dens.png":::
5050

51-
To view these notifications, select **View Defender Experts Notifications**. This button redirects you to the Microsoft Defender XDR incidents page. Defender Expert for Hunting alerts or Defender Experts Notifications are labeled with **Defender Experts**.
51+
To view these notifications, select **View Defender Experts Notifications**. This action redirects you to the Microsoft Defender portal **Incidents** page. Defender Experts for Hunting alerts or Defender Experts Notifications have the **Defender Experts** tag.
5252

5353
> [!NOTE]
5454
> The **View Defender Experts Notifications** button only appears if the number of threats identified is at least 1.
5555
56-
All other identified activities are summarized in a table in the **Threat categories** section of the report. The columns represent the different threat attack tactics and categories to help you visualize what an activity is trying to achieve in each attack phase so you can plan the corresponding containment and remediation actions.
56+
All other identified activities are visualized or summarized in the following sections:
57+
- [Hunt trend](#hunt-trend)
58+
- [Emerging threats](#emerging-threats)
59+
- [Hunts by threat category](#hunts-by-threat-category)
60+
61+
### Hunt trend
62+
63+
The **Hunt trend** section displays a trendline chart of the number of hunting activities Defender Experts conducted in your environment for your chosen time period. This chart gives you visibility of the continuous monitoring and investigation our experts are doing even if they don't find any active threats or suspicious activities.
64+
65+
66+
:::image type="content" source="media/hunting-report-hunt-trend.png" alt-text="Screenshot of the Hunt trend section of the Defender Experts for Hunting report." lightbox="media/hunting-report-hunt-trend.png":::
67+
68+
69+
### Emerging threats
70+
71+
The **Emerging threats** section details the proactive, hypothesis-based hunts we conducted in your environment. These hunts focus on tactics that threat actors are just beginning to adopt and other threat intelligence. By surfacing these hunts, we give you visibility into how we're anticipating attacker behavior, validating your defenses against new and notable techniques, and identifying relevant suspicious activity before significant exploitation.
72+
73+
This section is a table that shows the threat title, whether we identified impact in your environment, the threat's severity, and threat category. It aggregates our hunts for emerging threats based on their severity. You can filter this section by the hunts' severity and threat category.
74+
75+
:::image type="content" source="media/hunting-report-emerging-threats.png" alt-text="Screenshot of the Emerging threats section of the Defender Experts for Hunting report." lightbox="media/hunting-report-emerging-threats.png":::
76+
77+
Selecting one of the threat titles opens a side panel with its [hunting summary](#hunting-summaries), which summarizes our findings about the threat. Hunting summaries give you insight into our investigations and keep you updated with the threat landscape.
78+
79+
### Hunts by threat category
80+
81+
The **Hunts by threat category** section displays hunting activity tiles that are sorted according to their threat categories. This sorting helps you visualize what an activity is trying to achieve in each attack phase so you can plan the corresponding containment and remediation actions.
82+
83+
:::image type="content" source="/defender/media/defender-experts/threat-categories-filter.png" alt-text="Screenshot of the Hunts by threat category section of the Defender Experts for Hunting report showing the dropdown menu." lightbox="/defender/media/defender-experts/threat-categories-filter.png":::
5784

5885
You can filter the activities displayed in the table by choosing any of the following options in the dropdown menu:
5986

60-
- **Suspicious activities** (default) – Displays identified true positive and benign true positive activities in your environment. Note that not all suspicious activities will have corresponding Defender Expert Notifications.
61-
- **DEX notified** – Displays activities with corresponding Defender Expert Notifications only.
62-
- **All activities** – Displays all true positive, benign true positive, and false positive activities.
87+
- **All** – Displays all true positive, benign true positive, and false positive activities.
88+
- **Suspicious activities** – Displays identified true positive and benign true positive activities in your environment. Not all suspicious activities have corresponding Defender Expert Notifications.
89+
- **Defender Experts Notified** – Displays activities with corresponding Defender Expert Notifications only.
90+
91+
You can also toggle **Show all categories** if you want to display or hide categories that don't have related activities.
6392

64-
:::image type="content" source="/defender/media/defender-experts/threat-categories-filter.png" alt-text="Screenshot of the top section of the Threat categories section showing the dropdown menu." lightbox="/defender/media/defender-experts/threat-categories-filter.png":::
93+
Each activity tile shows the number of hunts Defender Experts conducted related to it. It might also display any of the three icons corresponding to related hunts, [hunting summaries](#hunting-summaries), and Defender Experts Notifications.
6594

66-
If an activity has a related Defender Expert Notification, its corresponding icon also appears under the activity name.
95+
### Hunting summaries
6796

68-
Selecting an identified suspicious activity opens a flyout panel detailing the impacted devices and users:
97+
Each hunt that Defender Experts conduct tells a story, even when they don't find an active threat. In nearly every hunt that Defender Experts conduct in your environment, there's a corresponding investigation summary that goes along with it, regardless of whether they identified a confirmed threat.
6998

70-
:::image type="content" source="media/suspicious-activity-detail-panel.png" alt-text="Screenshot of a flyout panel displaying a list of devices impacted by a detected suspicious activity." lightbox="media/suspicious-activity-detail-panel.png":::
99+
When you select one of the threat titles in the **Emerging threats** section or one of the activity tiles with the scroll icon in the **Hunts by threat category** section, a side panel opens that displays the **hunting summary**, or summary of the investigation related to the threat or activity: what the Defender Experts hunted for, why they hunted for it, and how they reached their final determination. The summary also provides the dates and times the hunt started and concluded, the hunt classification, and impacted assets. If applicable, it also provides links to view related Defender Experts Notifications.
71100

72-
If applicable, the page also provides links to view related Defender Expert Notifications.
101+
:::image type="content" source="media/hunting-report-hunt-summary.png" alt-text="Screenshot of a hunting summary in the Defender Experts for Hunting report." lightbox="media/hunting-report-hunt-summary.png":::
73102

74103
## Know and understand the security weak spots in your environment
75104

76-
The **Top trending suspicious activities** section of the report identifies up to 20 suspicious activities that were consistently observed in your environment in the last three months, sorted based on their severity rating and frequency of occurrence:
105+
The **Top trending suspicious activities** section of the report identifies up to 20 suspicious activities that Defender Experts consistently observed in your environment in the last three months, sorted based on their severity rating and frequency of occurrence:
77106

78107
:::image type="content" source="/defender/media/defender-experts/top-trending-suspicious-activities.png" alt-text="Screenshot of the Top trending suspicious activities section of the report." lightbox="/defender/media/defender-experts/top-trending-suspicious-activities.png":::
79108

80-
By showing the most critical and frequently observed activities, you can assess and evaluate their impact and develop strategies to prevent or mitigate potential threats to your environment
109+
By showing the most critical and frequently observed activities, you can assess and evaluate their impact and develop strategies to prevent or mitigate potential threats to your environment.
110+
111+
Select **View details** in each card to open a flyout panel that details the impacted devices and users. If applicable, the page also provides links to view related Defender Expert Notifications.
81112

82-
Select **View details** in each card to open a flyout panel detailing the impacted devices and users. If applicable, the page also provides links to view related Defender Expert Notifications.
83113
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
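
Review bot: In the filter list at new lines 87-89, the "(default)" marker that the old text carried on **Suspicious activities** is gone and **All** is now listed first, so a reader can no longer tell which view the section opens with; that matters here because **All** is the only option that includes false positives. State the default explicitly in the list. The unchanged lead-in at line 86 still says "displayed in the table" although the rewritten section describes activity tiles, and new lines 88, 89 and 111 write "Defender Expert Notifications" where lines 45, 47, 51 and 99 use "Defender Experts Notifications"; pick one spelling. The page title drops "XDR" but lines 33, 35 and 45 keep "Microsoft Defender XDR", so confirm that split is intended.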