Last Updated on February 19, 2024 by Michael Morten Sonne
In Public Preview as this post is written
This blog post covers a few of the latest features available in Advanced Hunting.
I recently encountered a scenario where a feature suggestion I provided was promptly developed. It’s incredibly rewarding to contribute valuable insights to the Microsoft Security team’s product group. I’m delighted to assist in shaping better products for all users!
I have more content in draft, currently in the reviewing stage – stay tuned, it involves other new security features that I’ve also contributed to! 🙈
What is Advanced Hunting
Advanced hunting serves as a query-based threat hunting tool, offering the capability to explore up to 30 days of raw data. It facilitates proactive examination of network events, pinpointing threat indicators and entities. Its adaptable data access permits unrestricted hunting for known threats and potential risks.
The tool encompasses two modes: guided and advanced. Opt for guided mode if you’re unfamiliar with Kusto Query Language (KQL) or prefer a query builder’s convenience. Alternatively, choose advanced mode for creating queries from scratch using KQL.
To initiate hunting, refer to the Choose between guided and advanced modes to hunt in Microsoft Defender XDR guide.
Moreover, the same threat hunting queries can be utilized to construct custom detection rules. These rules operate automatically, identifying suspected breach activities, misconfigured machines, and other issues. You decide! 😎
Advanced hunting supports queries that scan a broader dataset sourced from:
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Identity
How to access
To use advanced hunting or other Microsoft Defender XDR capabilities, you need an appropriate role in Microsoft Entra ID. Read about required roles and permissions for advanced hunting.
The link to it is: Advanced hunting – Microsoft Defender
Also, your access to endpoint data is determined by role-based access control (RBAC) settings in Microsoft Defender for Endpoint. Read about managing access to Microsoft Defender XDR.
A good reminder: Advanced hunting results are converted to the timezone you have set in your Microsoft Defender XDR portal!
Each use case within the Advanced Hunting page should reap the benefits of these improvements, enhancing both the query execution and result exploration phases.
Some new features that are coming to Advanced Hunting
Microsoft is now introducing several enhancements to elevate the user experience in Advanced Hunting, empowering users to investigate incidents and proactively search for threats with greater efficiency. Specifically, the following additions will be included:
- Query history
- Results grid
- Side panes containing details
- General UI improvements
Your previous queries are displayed within the Query History tab, located in the lower half of the Advanced Hunting page. The Query History pane can load up to 30 queries from the past 28 days. We hope more in the future! 😉
This feature enables you to reuse or rerun queries that you have previously generated, even if you have already closed the query tab in which they were originally created. That’s nice, and now we can stop using multiple tabs in Advanced Hunting to save some of the last used queries!
Here you can see your query history, the runtime and status of each query, and run or edit them easily right in the portal!
Upon providing direct feedback to Noa Nutkevitch, the developer promptly initiated the work on implementing my ideas. It was gratifying to hear, and just a few days later, it was deployed in my tenant! 🥳
During its private preview phase, the Query History tab displayed queries in black text only, lacking syntax highlighting. Upon noticing this, I shared my observations with Noa Nutkevitch, a Senior Product Manager at Microsoft who is working on this feature.
In response, I received a message expressing the team’s gratitude:
“thanks a lot! this is super valuable, and we love to share your feedback with engineers as well. Just shared your feedback about the colors with the engineer who developed it and solved the issue there, she was very happy”
I’m thrilled to have contributed positively to the enhancement of the Query History tab! It’s wonderful to see how valuable feedback can directly impact improvements right away.
Knowing that my input was appreciated and swiftly acted upon by the development team is truly encouraging. I’m excited to witness the continuous improvement of the features and remain eager to offer further insights whenever possible! 😎
I got permission from Noa Nutkevitch to share this on my blog.
You can further explore the results using the following in-line features:
- For results in JSON and array formats, where applicable, expand details by selecting the dropdown arrow next to relevant column names to enhance readability.
- You can expand a result by selecting the dropdown arrow on the left side of each result too.
- Open the side pane to view a record’s details, concurrently with expanded rows.
You can also right-click on any value within a row to add additional filters to the existing query or copy the value for further investigation.
To inspect a record within your query results, select the corresponding row to open the ‘Inspect Record’ panel. This panel furnishes the following information based on the selected record:
- Assets: A summarized view of the primary assets (mailboxes, devices, and users) identified in the record, enriched with available details such as risk and exposure levels.
- All Details: Comprehensive access to all the values from the columns within the record.
Open the details pane from the context menu for functions or queries. The details pane contains pertinent actions, as shown in the screenshots, along with the function/query code. For functions, it also includes descriptions and parameters if available.
- Decreased white space enables easier and more efficient investigation. These changes span the entire page but stand out in the results grid, where results are smaller and more compressed.
Tweak your queries from the results
Select the three dots to the right of any column in the Inspect record panel. You can use the options to:
- Explicitly look for the selected value (
- Exclude the selected value from the query (
- Get more advanced operators for adding the value to your query, such as
starts with, and
In conclusion, the new features introduced in Advanced Hunting provide an enhanced user experience, offering valuable tools for threat hunting and incident investigation. Sharing feedback directly with the Microsoft Security team has proven to be a rewarding experience, with rapid implementation of suggestions leading to immediate improvements.
Contributing to the evolution of these security tools is both fulfilling and a testament to Microsoft’s commitment to creating better products for users worldwide.
In 2023, within the Microsoft Customer Connection Program (CCP), I achieved a top contributor status for the year, despite joining only in the summer of 2023. It’s quite remarkable!! 🙈🎉😎
See the post and video shared by Kristina Quick (Principal Manager – Microsoft Security Engineering) here: Feed on LinkedIn
Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍
Stay tuned for the new post about something cool! 🥳