---
title: Choose between guided and advanced modes for hunting in Microsoft Defender XDR
description: Guided hunting in Microsoft Defender XDR does not require KQL knowledge while advanced hunting allows you to write a query from scratch.
ms.service: defender-xdr
ms.subservice: adv-hunting
f1.keywords:
ms.author: maccruz
author: schmurky
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
ms.custom:
ms.topic: how-to
search.appverid: met150
ms.date: 10/18/2024
---
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
- Microsoft Defender XDR
You can find the advanced hunting page by going to the left navigation bar in the Microsoft Defender portal and selecting Hunting > Advanced hunting. If the navigation bar is collapsed, select the hunting icon.
In the advanced hunting page, two modes are supported:
- Guided mode – to query using the query builder
- Advanced mode – to query by writing Kusto Query Language (KQL) in the query editor
The main difference between the two modes is that the guided mode does not require the hunter to know KQL to query the database, while advanced mode requires KQL knowledge.
Guided mode features a query builder that has an easy-to-use, visual, building-block style of constructing queries through dropdown menus containing available filters and conditions. To use guided mode, see Get started with guided hunting mode.
Advanced mode features a query editor area where users can create queries from scratch. To use advanced mode, see Get started with advanced hunting mode.
Important
Some information relates to prerelease product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
When you open the advanced hunting page for the first time after guided hunting is made available to you, you are invited to take the tour to learn more about the different parts of the page like the tabs and query areas.
To take the tour, select Take tour when this banner appears:
Follow the blue teaching bubbles that appear throughout the page and select Next to move from one step to the next.
You can take the tour again at any time by going to Help resources > Learn more and selecting Take the tour.
You can then start building your query to hunt for threats. The following articles can help you get the most out of hunting in guided mode:
Learning goal | Description | Resource |
---|---|---|
Craft your first query | Learn the basics of the query builder like specifying the data domain and adding conditions and filters to help you create a meaningful query. Learn further by running sample queries. | Build hunting queries using guided mode |
Learn the different query builder capabilities | Get to know the different supported data types and guided mode capabilities to help you fine-tune your query according to your needs. | Refine your query in guided mode |
Learn what you can do with query results | Get familiar with the Results view and what you can do with generated results like how to take action on them or link them to an incident. | - Work with query results in guided mode<br>- Take action on query results<br>- Link query results to an incident |
Create custom detection rules | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - Custom detections overview<br>- Custom detection rules |
We recommend going through these steps to quickly get started with advanced hunting:
Learning goal | Description | Resource |
---|---|---|
Learn the language | Advanced hunting is based on Kusto Query Language (KQL), supporting the same syntax and operators. Start learning the query language by running your first query. | Query language overview |
Learn how to use the query results | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries, drill down to get richer information, and take response actions. | - Work with query results in advanced mode<br>- Take action on query results<br>- Link query results to an incident |
Understand the schema | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | - Schema reference<br>- Transition from Microsoft Defender for Endpoint |
Get expert tips and examples | Train for free with guides from Microsoft experts. Explore collections of predefined queries covering different threat hunting scenarios. | - Get expert training<br>- Use shared queries<br>- Go hunt<br>- Hunt for threats across devices, emails, apps, and identities |
Optimize queries and handle errors | Understand how to create efficient and error-free queries. | - Query best practices<br>- Handle errors |
Create custom detection rules | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - Custom detections overview<br>- Custom detection rules |
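To make concrete what "creating a query from scratch" in advanced mode means, and what the "Learn the language" and "Understand the schema" steps above lead to, the following KQL query is an added example (it is not from the original article and not one of Microsoft's shared queries). It uses the DeviceProcessEvents table and its Timestamp, DeviceName, FileName, ProcessCommandLine and AccountName columns as documented in the advanced hunting schema reference; the 7-day window, the list of script interpreters and the launch-count threshold are assumed values chosen for illustration.

```kusto
// Added example (not from the original article): which devices and accounts
// launch script interpreters most often over the last 7 days?
// Table and columns: DeviceProcessEvents from the advanced hunting schema.
// The interpreter list, time window and threshold are assumptions for this example.
DeviceProcessEvents
// Filter on time first so the engine scans only the data you need (query best practice)
| where Timestamp > ago(7d)
// in~ is a case-insensitive set membership test
| where FileName in~ ("powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe")
| where isnotempty(ProcessCommandLine)
// Aggregate per device, interpreter and account
| summarize Launches = count(),
            DistinctCommandLines = dcount(ProcessCommandLine),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, FileName, AccountName
// Keep only the noisy combinations worth a closer look (assumed threshold)
| where Launches > 50
| order by Launches desc
// Cap the result set while iterating on the query
| take 100
```

The shape of this query (time filter, column filters, summarize, order, take) is the pattern the "Query best practices" article recommends, and the same query body can later be saved as a custom detection rule once its results are tuned to the environment.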