You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: unified-secops-platform/mto-advanced-hunting.md
+7-17Lines changed: 7 additions & 17 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,18 +3,18 @@ title: Advanced hunting in Microsoft Defender multitenant management
3
3
description: Learn about advanced hunting in Microsoft Defender multitenant management
4
4
search.appverid: met150
5
5
ms.service: unified-secops-platform
6
-
ms.author: deniseb
7
-
author: denisebmsft
6
+
ms.author: bagol
7
+
author: batamig
8
8
ms.localizationpriority: medium
9
-
manager: dansimp
9
+
manager: orspodek
10
10
audience: ITPro
11
11
ms.collection:
12
12
- m365-security
13
13
- highpri
14
14
- tier1
15
15
- usx-security
16
16
ms.topic: article
17
-
ms.date: 05/02/2025
17
+
ms.date: 07/07/2025
18
18
appliesto:
19
19
- Microsoft Defender XDR
20
20
- Microsoft Sentinel in the Microsoft Defender portal
@@ -23,18 +23,15 @@ appliesto:
23
23
# Advanced hunting in Microsoft Defender multitenant management
24
24
25
25
Advanced hunting in Microsoft Defender multitenant management allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants and workspaces at the same time. If you have multiple tenants with Microsoft Sentinel workspaces onboarded to the Microsoft Defender portal, search for security information and event management (SIEM) data together with extended detection and response (XDR) data across multiple tenants and workspaces.
26
-
27
26
28
27
Multiple workspaces per tenant are supported in multitenant Advanced hunting as preview.
29
28
30
-
31
29
## Quotas
32
30
33
31
In multitenant environments, advanced hunting queries can return a maximum of 50,000 records in total. The result set from each individual tenant is capped at 50,000 divided by the number of tenants queried.
34
32
35
33
For more information about service limits in advanced hunting, read [Understand advanced hunting quotas](/defender-xdr/advanced-hunting-limits#understand-advanced-hunting-quotas-and-usage-parameters).
36
34
37
-
38
35
## Run cross-tenant queries
39
36
40
37
You can run any query that you already have access to in the multitenant management **Advanced hunting** page.
@@ -70,8 +67,8 @@ You can run any query that you already have access to in the multitenant managem
70
67
| take 10
71
68
```
72
69
73
-
>[!NOTE]
74
-
> If you have tables with the same name but different schemas in multiple workspaces and want to use them in the same query, you should use the workspace operator to uniquely identify the table that you need.
70
+
>[!IMPORTANT]
71
+
> Running queries across multiple tenants using the `adx(x)` operator will run separate ADX queries per tenant and aggregate them, which might return duplicate results. Use the `adx(x)` operator with multiple tenants only if you need to join tenant results with ADX data. For more information about ADX in Advanced hunting, see [Use Microsoft Sentinel functions, saved queries, and custom rules](/defender-xdr/advanced-hunting-defender-use-custom-rules#use-adx-operator-for-azure-data-explorer-queries).
75
72
76
73
To learn more about advanced hunting in Microsoft Defender XDR, read [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](/defender-xdr/advanced-hunting-overview).
77
74
@@ -101,16 +98,14 @@ For more information, see [Query multiple workspaces](/azure/sentinel/extend-sen
101
98
102
99
## View schema tables
103
100
104
-
You can view the [advanced hunting schema tables](/defender-xdr/advanced-hunting-schema-tables) in the left pane inside the advanced hunting page under the **Schema** tab.
101
+
View the [advanced hunting schema tables](/defender-xdr/advanced-hunting-schema-tables) in the left pane inside the advanced hunting page under the **Schema** tab.
105
102
106
103
The schema list is a unified view of all tables from all your tenants regardless of the tenant selected in the upper right tenant selector.
107
104
108
105
This could mean that some tables that appear here might only be available for query in some tenants, like custom Microsoft Sentinel tables.
109
106
110
-
111
107
## View and manage custom detection rules
112
108
113
-
114
109
You can also manage custom detection rules from multiple tenants in the custom detection rules page.
115
110
116
111
### View custom detection rules by tenant
@@ -139,11 +134,6 @@ To manage detection rules:
139
134
140
135
1. Select **Open detection rules** to view this rule in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com). To learn more, see [Custom detection rules](/defender-xdr/custom-detection-rules).
141
136
142
-
143
-
144
-
145
-
146
-
147
137
## Related content
148
138
149
139
-[Set up Microsoft Defender multitenant management](mto-requirements.md)
0 commit comments