unified-secops-platform/mto-advanced-hunting.md
12 additions & 3 deletions
@@ -32,6 +32,8 @@ Multiple workspaces per tenant are supported in multitenant Advanced hunting as
32
32
33
33
Advanced hunting in multitenant organizations returns up to 50,000 records in total. For more information about service limits in advanced hunting, read [Understand advanced hunting quotas](/defender-xdr/advanced-hunting-limits#understand-advanced-hunting-quotas-and-usage-parameters).
34
34
35
+
36
+
35
37
## Run cross-tenant queries
36
38
37
39
You can run any query that you already have access to in the multitenant management **Advanced hunting** page.
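Review bot: The two blank lines added at new lines 35-36 follow the blank line already at 34, which leaves three consecutive blank lines before `## Run cross-tenant queries`. A single blank line before a heading renders the same, and the next hunk removes exactly this kind of doubled blank lines before `## Run cross-workspace queries (Preview)`, so the file ends up inconsistent. Suggest dropping both added lines; markdownlint's MD012 (no multiple consecutive blank lines) would flag them as well.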
@@ -72,8 +74,6 @@ You can run any query that you already have access to in the multitenant managem
72
74
To learn more about advanced hunting in Microsoft Defender XDR, read [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](/defender-xdr/advanced-hunting-overview).
73
75
74
76
75
-
76
-
77
77
## Run cross-workspace queries (Preview)
78
78
79
79
To run queries across multiple workspaces in the same tenant, use the [workspace( ) expression](/azure/azure-monitor/logs/cross-workspace-query#query-across-log-analytics-workspaces-using-workspace), with the workspace identifier as the argument in your query to refer to a table in a different workspace.
@@ -98,8 +98,17 @@ For more information, see [Query multiple workspaces](/azure/sentinel/extend-sen
98
98
> [!NOTE]
99
99
> If you have tables with the same name but different schemas in multiple workspaces and want to use them in the same query, you should use the workspace operator to uniquely identify the table that you need.
100
100
101
+
## View schema tables
102
+
103
+
You can view the [advanced hunting schema tables](/defender-xdr/advanced-hunting-schema-tables) in the left pane inside the advanced hunting page under the **Schema** tab.
104
+
105
+
The schema list is a unified view of all tables from all your tenants regardless of the tenant selected in the upper right tenant selector.
106
+
107
+
This could mean that some tables that appear here might only be available for query in some tenants, like custom Microsoft Sentinel tables.
108
+
109
+
110
+
## View and manage custom detection rules
101
111
102
-
## Custom detection rules
103
112
104
113
You can also manage custom detection rules from multiple tenants in the custom detection rules page.
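Review bot: The sentence added at new line 107 ("This could mean that some tables that appear here might only be available for query in some tenants, like custom Microsoft Sentinel tables.") tells the reader that the unified schema list can show tables the selected tenant does not have, but not what happens when a query references such a table in a tenant that lacks it. Please document the resulting behavior for a cross-tenant query, since an analyst who picks a table from the list needs to know whether a missing table produces an error or silently returns no rows for that tenant. The wording also stacks two hedges ("could mean ... might") and the trailing "like custom Microsoft Sentinel tables" reads as if it modifies "tenants"; something like "Some tables in this list, such as custom Microsoft Sentinel tables, are available for query only in some tenants" is clearer. Separately, renaming `## Custom detection rules` to `## View and manage custom detection rules` changes the generated heading anchor, so check for links to `#custom-detection-rules` from other articles before merging. New lines 108-109 add two blank lines before the heading where one is enough.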