Home
Welcome to the Microsoft-365-Defender-Hunting-Queries wiki!
With advanced hunting in Microsoft Threat Protection, available in the Microsoft 365 security center with a valid license (Get Started), you can deep dive and hunt across data from various workspaces in your Microsoft 365 environment.
You can work with Kusto queries, plus you have the convenience of switching to richer views made possible by the various integrated solutions. For example, you can drill down from a query to dedicated pages with comprehensive contextual information about specific alerts, devices, users, domains, IP addresses, and even software vulnerabilities.
The specialized data set is organized in a manageable schema covering security-sensitive event and entity information, such as device info, network configuration info, process events, registry events, logon events, file events, and email events. Microsoft will continually incorporate more information into this schema.
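As an added illustration of hunting across two of the event types named above (email events and file events), the following Kusto query is not one of this repository's own queries; it assumes the advanced hunting schema tables EmailAttachmentInfo and DeviceFileEvents with their SHA256, Timestamp and ActionType columns, and it surfaces email attachments that were later written to disk on a managed device.

```kql
// Added example (not from this repository): correlate email attachments with
// files created on devices by matching the attachment hash (SHA256).
// Assumes the advanced hunting tables EmailAttachmentInfo and DeviceFileEvents.
let lookback = 7d;
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where isnotempty(SHA256)
| project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, AttachmentName = FileName, SHA256
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"          // only newly written files
    | project FileTime = Timestamp, DeviceName, FolderPath, FileName,
              InitiatingProcessFileName, SHA256
  ) on SHA256
| where FileTime >= EmailTime                    // file appeared after the mail arrived
| project EmailTime, FileTime, SenderFromAddress, RecipientEmailAddress,
          AttachmentName, DeviceName, FolderPath, InitiatingProcessFileName, SHA256
| order by FileTime desc
```

Each row links a delivered attachment to the device and folder where a file with the same hash was created, which is a useful starting point for scoping a suspicious mail campaign before pivoting to the device or user pages mentioned above.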