|
| 1 | +--- |
| 2 | +title: Hunting graph in advanced hunting |
| 3 | +description: Learn about the hunting graph in Microsoft Defender and how to use it to rendering threat scenarios as interactive graphs |
| 4 | +ms.service: defender-xdr |
| 5 | +f1.keywords: |
| 6 | + - NOCSH |
| 7 | +ms.author: pauloliveria |
| 8 | +author: poliveria |
| 9 | +ms.localizationpriority: medium |
| 10 | +manager: orspodek |
| 11 | +audience: ITPro |
| 12 | +ms.collection: |
| 13 | + - m365-security |
| 14 | + - m365initiative-m365-defender |
| 15 | + - tier1 |
| 16 | +ms.custom: |
| 17 | +- cx-ti |
| 18 | +- cx-ah |
| 19 | +- seo-marvel-apr2020 |
| 20 | +ms.topic: overview |
| 21 | +appliesto: |
| 22 | + - Microsoft Defender XDR |
| 23 | + - Microsoft Sentinel in the Microsoft Defender portal |
| 24 | +search.appverid: met150 |
| 25 | +ms.date: 09/30/2025 |
| 26 | + |
| 27 | +--- |
| 28 | +# Hunt for threats using the hunting graph (Preview) |
| 29 | + |
| 30 | +> [!IMPORTANT] |
| 31 | +> Some information relates to prereleased product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. |
| 32 | +
|
| 33 | +The **hunting graph** provides visualization capabilities in [advanced hunting](advanced-hunting-overview.md) by rendering threat scenarios as interactive graphs. This feature allows security operations center (SOC) analysts, threat hunters, and security researchers conduct threat hunting and incident response easily and more intuitively, improving their efficiency and ability to assess possible security issues. |
| 34 | + |
| 35 | +Analysts often rely on [Kusto Query Language](/azure/kusto/query/) (KQL) queries to uncover relationships between entities—an approach that could be both time-consuming and prone to oversights. Hunting graph makes exploration of security data simpler and faster by visualizing these relationships, letting you trace paths and possible choke points, as well as surface insights and take various actions based on the results that tabular queries might miss. |
| 36 | + |
| 37 | +## Get access |
| 38 | + |
| 39 | +To use hunting graph, advanced hunting, or other [Microsoft Defender XDR](microsoft-365-defender.md) capabilities, you need an appropriate role in Microsoft Entra ID. [Read about required roles and permissions for advanced hunting](custom-roles.md). |
| 40 | + |
| 41 | +You must also have the following access or permissions: |
| 42 | + |
| 43 | +- [Microsoft Sentinel data lake](/azure/sentinel/datalake/sentinel-lake-overview) |
| 44 | +- At least [read-only](/security-exposure-management/prerequisites) access in Microsoft Security Exposure Management |
| 45 | + |
| 46 | +## Where to find hunting graph |
| 47 | + |
| 48 | +You can find the **hunting graph** page by going to the left navigation bar in the Microsoft Defender portal and selecting **Investigation & response** > **Hunting** > **Advanced hunting**. |
| 49 | + |
| 50 | +In the advanced hunting page, select the hunting graph icon  at the top of the page or select the **Create new** icon  and choose **Hunting graph**. |
| 51 | + |
| 52 | +:::image type="content" source="/defender-xdr/media/ah-hunting-graph/hunting-graph-new.png" alt-text="Screenshot of the Create new Hunting graph option in the advanced hunting page." lightbox="/defender-xdr/media/ah-hunting-graph/hunting-graph-new.png"::: |
| 53 | + |
| 54 | +A new hunting graph page appears as tab labeled **New hunt** in the advanced hunting page. |
| 55 | + |
| 56 | +## Hunting graph features |
| 57 | + |
| 58 | +The interactive graphs generated in the hunting graph are composed of **nodes** and **edges** to represent entities in your environment (for example, a device, user account, or IP address, among others) and their relationships or connection properties, respectively. [Learn more about graphs and visualizations in Microsoft Defender](understand-graph-icons.md) |
| 59 | + |
| 60 | +The lower right-hand corner of the graph also has control buttons that let you **Zoom in** and **Zoom out**, and view the graph's **Layers**. |
| 61 | + |
| 62 | +:::image type="content" source="/defender-xdr/media/ah-hunting-graph/hunting-graph-render.png" alt-text="Screenshot of a rendered graph in the hunting graph page." lightbox="/defender-xdr/media/ah-hunting-graph/hunting-graph-render.png"::: |
| 63 | + |
| 64 | +## Get started with hunting graph |
| 65 | + |
| 66 | +### Use predefined scenarios in the hunting graph |
| 67 | + |
| 68 | +The hunting graph lets you search with predefined scenarios, which are prebuilt advanced hunting queries that could help you answer specific and common questions for specific use cases. |
| 69 | + |
| 70 | +To start hunting using a predefined scenario, on a new hunting graph page, select **Search with Predefined scenarios**. A side panel appears where you can then perform the following steps: |
| 71 | + |
| 72 | +1. [Select a scenario and enter the required inputs](#step-1-select-a-scenario-and-enter-scenario-inputs) |
| 73 | +1. [Apply filters on the graph](#step-2-apply-filters) |
| 74 | +1. [Render the graph](#step-3-render-the-graph) |
| 75 | + |
| 76 | +:::image type="content" source="/defender-xdr/media/ah-hunting-graph/hunting-graph-predefined-scenarios.png" alt-text="Screenshot of the hunting graph page highlighting the Search with Predefined scenarios button." lightbox="/defender-xdr/media/ah-hunting-graph/hunting-graph-predefined-scenarios.png"::: |
| 77 | + |
| 78 | +#### Step 1: Select a scenario and enter scenario inputs |
| 79 | + |
| 80 | +The following table describes the predefined scenarios in the hunting graph and their respective required scenario inputs, if applicable. For scenarios that require inputs, you can type or search and select for them in the search boxes provided. |
| 81 | + |
| 82 | +| **Scenario** | **Description** | **Inputs** | |
| 83 | +|---|---|---| |
| 84 | +| **Paths between two entities** | Provide two entities (nodes) to view the paths between them.<br><br>Use this scenario if you want to discover if there’s a path leading from one entity to another. |<ul><li>Start Entity<li>End Entity</ul>**Note:** Make sure to identify and input the correct start and end entities, as the generated graph will be directional. | |
| 85 | +| **Entities that have access to a key vault** | Provide a specific key vault to view paths from various entities (devices, virtual machines, containers, servers, and others) that have direct or indirect access to it.<br><br>Use this scenario in case of a breach, maintenance work, or assessment of the impact of entities that might have access to a sensitive asset like a key vault. | Target key vault | |
| 86 | +| **Users with access to sensitive data** | Provide any sensitive data storage of interest to view users that have access to it.<br><br>Use this scenario if you want to know which entities have access to sensitive data, especially in cases when an incident indicates unusual access to confidential files. | Target storage account | |
| 87 | +| **Critical users with access to storage accounts containing sensitive data** | This scenario identifies critical users with access to storage resources containing sensitive data.<br><br>Use this scenario to prevent, assess, and monitor unauthorized access, exposure risk, and breach impact based on the privileged users. | (None) | |
| 88 | +| **Data exfiltration by a device** | Provide a device ID to view paths to storage accounts it has access to; for instance, to check what storage accounts a certain device can access in a bring your own device (BYOD) environment.<br><br>Use this scenario when investigating suspicious or unauthorized data transfer from corporate devices and to external sources. | Source device | |
| 89 | +| **Paths to a highly critical Kubernetes cluster** | Provide a Kubernetes cluster with high criticality to view users, virtual machines, and containers that have access to it.<br><br>Use this scenario to assess, analyze and prioritize handling of attack paths leading to highly critical Kubernetes cluster. | Target Kubernetes cluster | |
| 90 | +| **Identities with access to Azure DevOps repositories** | Provide an Azure DevOps (ADO) repository name to view users that have read and/or write access to said repository.<br><br>Use this scenario to identify entities with access to ADO repositories, which often contain sensitive assets and therefore valuable targets for threat actors. This scenario gives you visibility and lets you plan your response in case of a breach. | Target ADO repository | |
| 91 | +| **Identify nodes in the highest number of paths to SQL data stores** | This scenario identifies the nodes that appear in the highest number of paths leading to SQL data stores. The scenario discovers paths in the graph where users have roles or permissions to access the SQL data stores.<br><br>Use this scenario to gain visibility to stores that might contain sensitive information, assess the impact in case of a breach, and prepare your mitigation and response. | (None) | |
| 92 | + |
| 93 | +:::image type="content" source="/defender-xdr/media/ah-hunting-graph/hunting-graph-select-scenario.png" alt-text="Screenshot of the predefined scenarios side panel highlighting the available options." lightbox="/defender-xdr/media/ah-hunting-graph/hunting-graph-select-scenario.png"::: |
| 94 | + |
| 95 | +:::image type="content" source="/defender-xdr/media/ah-hunting-graph/hunting-graph-input.png" alt-text="Screenshot of the predefined scenarios side panel highlighting the required scenario inputs." lightbox="/defender-xdr/media/ah-hunting-graph/hunting-graph-input.png"::: |
| 96 | + |
| 97 | +#### Step 2: Apply filters |
| 98 | + |
| 99 | +You can add relevant filters to make the map view of your selected scenario more precise. For example, if you want to **Show only the shortest paths**, tick this option. |
| 100 | + |
| 101 | +:::image type="content" source="/defender-xdr/media/ah-hunting-graph/hunting-graph-filter.png" alt-text="Screenshot of the predefined scenarios side panel highlighting the Show only the shortest paths filter." lightbox="/defender-xdr/media/ah-hunting-graph/hunting-graph-filter.png"::: |
| 102 | + |
| 103 | +##### Advanced filters |
| 104 | + |
| 105 | +By default, the predefined scenarios automatically apply certain filters, which you can view in the **Advanced Filters** section of the side panel. You can remove these filters or add new ones to further refine the graph you want to generate. |
| 106 | + |
| 107 | +To remove filters, select the **Remove filter** icon  beside each filter or select **Clear all** to remove them all at once. |
| 108 | + |
| 109 | +To add a filter, select **Add filter** then the select any of the supported node or edge filters. The following table lists these supported operators and filters. Depending on your chosen scenario, some of these filters might not be available as options. |
| 110 | + |
| 111 | +| **Filter type** | **Operator** | **Filters** | |
| 112 | +|---|---|---| |
| 113 | +| **Source Node** | equals |<ul><li>Is critical<li>Is vulnerable<li>Is exposed to the internet</ul> | |
| 114 | +| **Target Node** | equals |<ul><li>Has sensitive data<li>Has risk score<li>Is vulnerable</ul> | |
| 115 | +| **Edge Type** | equals |<ul><li>has permissions to<li>routes traffic to<li>affecting<li>member of<li>defines<li>can impersonate as<li>contains<li>can authenticate as<li>runs on<li>has role on<li>is running<li>used to create<li>maintains<li>frequently logged in by<li>has credentials of<li>defined in<li>can authenticate to<li>pushes<li>provisions</ul>| |
| 116 | + |
| 117 | +:::image type="content" source="/defender-xdr/media/ah-hunting-graph/hunting-graph-advanced-filters.png" alt-text="Screenshot of the predefined scenarios side panel highlighting the advanced filter section." lightbox="/defender-xdr/media/ah-hunting-graph/hunting-graph-advanced-filters.png"::: |
| 118 | + |
| 119 | +#### Step 3: Render the graph |
| 120 | + |
| 121 | +After selecting a scenario and applying the necessary filters, select **Run** to render the graph. Once the graph is rendered, you can then explore it further by selecting nodes and edges to view more information about entities and relationships, or expand or focus on certain entities. |
| 122 | + |
| 123 | +## See also |
| 124 | +- [Proactively hunt for threats with advanced hunting in Microsoft Defender](advanced-hunting-overview.md) |
| 125 | +- [Choose between guided and advanced modes to hunt in Microsoft Defender XDR](advanced-hunting-modes.md) |
0 commit comments