title | description | search.appverid | ms.service | ms.subservice | f1.keywords | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.custom | ms.topic | appliesto | ms.date | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Advanced hunting with Microsoft Sentinel data in Microsoft Defender |
Learn how to use advanced hunting in the portal unifying Defender XDR and Sentinel data |
met150 |
defender-xdr |
adv-hunting |
|
maccruz |
schmurky |
medium |
dansimp |
ITPro |
|
|
conceptual |
|
10/18/2024 |
Advanced hunting allows you to view and query all the data sources available within the unified Microsoft Defender portal. The data sources might include Microsoft Defender XDR and various Microsoft security services. If you onboard Microsoft Sentinel to the Defender portal, access and use all your existing Microsoft Sentinel workspace content, including queries and functions.
Querying from a single portal across different data sets makes hunting more efficient and removes the need for context-switching.
[!INCLUDE unified-soc-preview]
You can query data in any workload that you can currently access based on your roles and permissions.
To query across Microsoft Sentinel and Microsoft Defender XDR data in the unified advanced hunting page, you'll also need at least the Microsoft Sentinel Reader role. For more information, see Microsoft Sentinel-specific roles.
In Microsoft Defender, you can connect workspaces by selecting Connect a workspace in the top banner. This button appears if you're eligible to onboard a Microsoft Sentinel workspace onto the unified Microsoft Defender portal. Follow the steps in: Onboarding a workspace.
After connecting your Microsoft Sentinel workspace and Microsoft Defender XDR advanced hunting data, you can start querying Microsoft Sentinel data from the advanced hunting page. For an overview of advanced hunting features, read Proactively hunt for threats with advanced hunting.
- Use tables with longer data retention period in queries – Advanced hunting follows the maximum data retention period configured for the Defender XDR tables (see Understand quotas). If you stream Defender XDR tables to Microsoft Sentinel and have a data retention period longer than 30 days for said tables, you can query for the longer period in advanced hunting.
- Use Kusto operators you've used in Microsoft Sentinel – In general, queries from Microsoft Sentinel work in advanced hunting, including queries that use the
adx()
operator. There might be cases where IntelliSense warns you that the operators in your query don't match the schema, however, you can still run the query and it should still be executed successfully. - Use the time filter dropdown instead of setting the time span in the query – If you're filtering ingestion of Defender XDR tables to Sentinel instead of streaming the tables as is, don't filter the time in the query as this might generate incomplete results. If you set the time in the query, the streamed, filtered data from Sentinel is used because it usually has the longer data retention period. If you would like to make sure you're querying all Defender XDR data for up to 30 days, use the time filter dropdown provided in the query editor instead.
- View
SourceSystem
andMachineGroup
columns for Defender XDR data that have been streamed from Microsoft Sentinel – Since the columnsSourceSystem
andMachineGroup
are added to Defender XDR tables once they're streamed to Microsoft Sentinel, they also appear in results in advanced hunting in Defender. However, they remain blank for Defender XDR tables that weren't streamed (tables that follow the default 30-day data retention period).
Note
Using the unified portal, where you can query Microsoft Sentinel data after connecting a Microsoft Sentinel workspace, does not automatically mean you can also query Defender XDR data while in Microsoft Sentinel. Raw data ingestion of Defender XDR should still be configured in Microsoft Sentinel for this to happen.
You can use advanced hunting KQL (Kusto Query Language) queries to hunt through Microsoft Defender XDR and Microsoft Sentinel data.
When you open the advanced hunting page for the first time after connecting a workspace, you can find many of that workspace's tables organized by solution after the Microsoft Defender XDR tables under the Schema tab.
:::image type="content" source="/defender/media/advanced-hunting-unified-sentinel-data.png" alt-text="Screenshot of advanced hunting schema tab in the Microsoft Defender portal highlighting location of Sentinel tables" lightbox="/defender/media/advanced-hunting-unified-sentinel-data.png":::
Likewise, you can find the functions from Microsoft Sentinel in the Functions tab, and your shared and sample queries from Microsoft Sentinel can be found in the Queries tab inside folders marked Sentinel.
To learn more about a schema table, select the vertical ellipses ( ) to the right of any schema table name under the Schema tab, then select View schema.
In the unified portal, in addition to viewing the schema column names and descriptions, you can also view:
- Sample data – select See preview data, which loads a simple query like
TableName | take 5
- Schema type – whether the table supports full query capabilities (advanced table) or not (basic logs table)
- Data retention period – how long the data is set to be kept
- Tags – available for Sentinel data tables
:::image type="content" source="/defender/media/advanced-hunting-unified-view-schema.png" alt-text="Screenshot of the schema information pane in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-view-schema.png":::
- The
IdentityInfo table
from Microsoft Sentinel isn't available, as theIdentityInfo
table remains as is in Defender XDR. Microsoft Sentinel features like analytics rules that query this table aren't impacted as they're querying the Log Analytics workspace directly. - The Microsoft Sentinel
SecurityAlert
table is replaced byAlertInfo
andAlertEvidence
tables, which both contain all the data on alerts. While SecurityAlert isn't available in the schema tab, you can still use it in queries using the advanced hunting editor. This provision is made so as not to break existing queries from Microsoft Sentinel that use this table. - Guided hunting mode and take actions capabilities are supported for Defender XDR data only.
- Custom detections have the following limitations:
- Custom detections are not available for KQL queries that do not include Defender XDR data.
- Near real-time detection frequency is not available for detections that include Microsoft Sentinel data.
- Custom functions that were created and saved in Microsoft Sentinel are not supported.
- Defining entities from Sentinel data is not yet supported in custom detections.
- Bookmarks aren't supported in the advanced hunting experience. They're supported in the Microsoft Sentinel > Threat management > Hunting feature. Alternatively, you can use the Link to incident feature to link query results to new or existing incidents.
- If you're streaming Defender XDR tables to Log Analytics, there might be a difference between the
Timestamp
andTimeGenerated
columns. In case the data arrives to Log Analytics after 48 hours, it's being overridden upon ingestion tonow()
. Therefore, to get the actual time the event happened, we recommend relying on theTimestamp
column. - When prompting Security Copilot for advanced hunting queries, you might find that not all Microsoft Sentinel tables are currently supported. However, support for these tables can be expected in the future.