
Defender XDR advanced hunting workshop

How to use Defender XDR advanced hunting effectively — tables, common queries, and threat-hunting patterns.

Defender XDR advanced hunting is the KQL-driven surface for proactive threat hunting across Microsoft Defender data — endpoint events, email events, identity events, cloud-app events. Where alerts are reactive ("something tripped a rule"), advanced hunting is proactive ("let's look for X").

The hunting surface

Access at security.microsoft.com → Hunting → Advanced hunting. Features:

  • Query editor with KQL syntax highlighting and IntelliSense.
  • Schema reference showing all tables and columns.
  • Saved queries — your library and Microsoft's pre-built shared queries.
  • Results explorer with filtering, sorting, drill-down on entities.
  • Bulk action — directly take action from results (isolate device, revoke session).
  • Query analyzer to test queries against historical data.

Key tables

Each Defender product contributes tables:

Defender for Endpoint

  • DeviceProcessEvents — every process launch.
  • DeviceNetworkEvents — outbound network connections.
  • DeviceFileEvents — file create / modify / delete.
  • DeviceLogonEvents — endpoint sign-ins.
  • DeviceImageLoadEvents — DLL loads.
  • DeviceRegistryEvents — registry changes.
  • DeviceEvents — general endpoint events.
  • DeviceInfo — device metadata.
  • DeviceTvmSoftwareInventory — installed software with vulnerability tags.

Defender for Office 365

  • EmailEvents — message metadata.
  • EmailUrlInfo — URLs in emails.
  • EmailAttachmentInfo — attachment metadata.
  • EmailPostDeliveryEvents — post-delivery actions (clicks, ZAP).

Defender for Identity

  • IdentityLogonEvents — sign-in events from AD / Entra.
  • IdentityDirectoryEvents — directory changes.
  • IdentityQueryEvents — directory query patterns.

Defender for Cloud Apps

  • CloudAppEvents — SaaS app activity.

Defender XDR

  • AlertInfo and AlertEvidence — alerts and their associated entities.
  • IdentityInfo — user metadata.
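The tables above are designed to be joined: AlertInfo and AlertEvidence link an alert to its entities, and the DeviceId on a device entity links onward into the endpoint tables. The query below is an added example, not from the original article, that pivots from every high-severity alert of the last week to the process activity on the affected device in the 15 minutes either side of the alert. Table and column names are from the Defender XDR schema; the 7-day lookback and the 15-minute window are assumptions to tune.

```kql
// Added example, not from the original article: pivot from a high-severity alert to the
// process activity on the same device around the alert time.
// Tables and columns are from the Defender XDR schema; the windows are assumptions to tune.
let window = 15m;
AlertInfo
| where Timestamp > ago(7d)
| where Severity == "High"
| project AlertId, AlertTime = Timestamp, Title, Category, ServiceSource
| join kind=inner (
    AlertEvidence
    | where isnotempty(DeviceId)          // keep only evidence rows tied to a device
    | distinct AlertId, DeviceId, DeviceName
) on AlertId
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | project DeviceId, ProcTime = Timestamp, AccountName,
              InitiatingProcessFileName, FileName, ProcessCommandLine
) on DeviceId
// keep only the processes that ran close to the alert
| where ProcTime between ((AlertTime - window) .. (AlertTime + window))
| project AlertId, Title, Category, ServiceSource, DeviceName, AlertTime, ProcTime,
          AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by AlertId asc, ProcTime asc
```

The second join pulls a week of process events for every device that has a high-severity alert, so on a large tenant narrow the first filter (a single AlertId, a shorter lookback) before widening the window.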

Common hunting patterns

Find processes spawned by Office apps

A common attacker technique — macros launching command shells:

DeviceProcessEvents
| where Timestamp > ago(7d)
// in~ is case-insensitive; file names in the telemetry are not guaranteed to be lowercase
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine

Find PowerShell launching unusual scripts

DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "powershell.exe"
// has_any matches whole terms, so "FromBase64" on its own would not match FromBase64String
| where ProcessCommandLine has_any ("DownloadString", "FromBase64String", "IEX", "Invoke-Expression")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

Find unusual sign-in patterns

IdentityLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
| summarize Sources = make_set(IPAddress), LogonCount = count() by AccountName, bin(Timestamp, 1d)
| where array_length(Sources) > 5  // more than 5 distinct source IPs for one account in one day
| order by LogonCount desc

Find email URLs that were clicked

EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish"
// URL clicks are recorded in UrlClickEvents; ActionType "ClickAllowed" means the user reached the destination
| join kind=inner (
    UrlClickEvents
    | where ActionType == "ClickAllowed"
    | project NetworkMessageId, ClickTime = Timestamp, ClickedUrl = Url, AccountUpn
) on NetworkMessageId
| project Timestamp, RecipientEmailAddress, Subject, ClickedUrl, ClickTime, AccountUpn
| order by ClickTime desc

Critical — finds phishing where the user actually clicked, prioritising real incidents over filtered noise.

Find first-time-seen processes

DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName endswith ".exe"
| join kind=leftanti (
    // baseline: every (name, hash) pair seen in the preceding 29 days
    DeviceProcessEvents
    | where Timestamp between (ago(30d) .. ago(1d))
    | where FileName endswith ".exe"
    | distinct FileName, SHA256
) on FileName, SHA256
| project Timestamp, DeviceName, FileName, SHA256, FolderPath

Binaries not seen in the environment during the previous 30 days, the advanced hunting retention window — a strong signal for hunting.

Hunting methodology

Effective hunting isn't ad-hoc; it follows patterns:

Hypothesis-driven

Start with a hypothesis: "Attackers are using technique X." Write queries to test it.

MITRE ATT&CK-mapped

Map hunts to specific ATT&CK techniques. Microsoft publishes ATT&CK-mapped hunting queries.

Indicator-driven

Specific IOCs (file hashes, IPs, domains) — hunt for any historical occurrence.
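An indicator sweep usually has to cover several tables at once, because a hash shows up in file and process telemetry while an IP or domain shows up in network and email telemetry. The query below is an added example, not from the original article, that sweeps the full 30-day retention window for a set of hashes, IPs and domains across endpoint and email tables and normalises the hits into one result set. The indicator values are constructed placeholders (a reserved TEST-NET-3 address, a reserved example domain and an all-zero hash), not real IOCs; table and column names are from the Defender XDR schema.

```kql
// Added example, not from the original article: sweep endpoint and email tables for a set of
// indicators. The values below are constructed placeholders, not real IOCs.
let hashes  = dynamic(["0000000000000000000000000000000000000000000000000000000000000001"]);
let ips     = dynamic(["203.0.113.10"]);       // TEST-NET-3, placeholder
let domains = dynamic(["malicious.example"]);  // reserved example TLD, placeholder
let lookback = 30d;
union
  (DeviceFileEvents
   | where Timestamp > ago(lookback)
   | where SHA256 in (hashes)
   | project Timestamp, Source = "DeviceFileEvents", Device = DeviceName,
             Indicator = SHA256, Detail = FolderPath),
  (DeviceProcessEvents
   | where Timestamp > ago(lookback)
   | where SHA256 in (hashes)
   | project Timestamp, Source = "DeviceProcessEvents", Device = DeviceName,
             Indicator = SHA256, Detail = ProcessCommandLine),
  (DeviceNetworkEvents
   | where Timestamp > ago(lookback)
   | where RemoteIP in (ips) or RemoteUrl has_any (domains)
   | project Timestamp, Source = "DeviceNetworkEvents", Device = DeviceName,
             Indicator = iff(RemoteIP in (ips), RemoteIP, RemoteUrl),
             Detail = InitiatingProcessFileName),
  (EmailUrlInfo
   | where Timestamp > ago(lookback)
   | where UrlDomain in (domains)
   | project Timestamp, Source = "EmailUrlInfo", Device = "",
             Indicator = UrlDomain, Detail = Url)
| order by Timestamp desc
```

Each leg projects the same five columns so the union is uniform and the result can be summarised (for example by Indicator and Source) to see at a glance which indicators have ever touched the environment. A longer indicator list is better loaded with a datatable or an externaldata() call than pasted inline.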

Anomaly-driven

Patterns that deviate from baseline — first-time-seen processes, unusual sign-in volumes, novel network destinations.
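The sign-in query earlier uses a fixed threshold; an anomaly-driven hunt compares each account against its own history instead. The query below is an added example, not from the original article, that flags accounts whose successful sign-ins today exceed three times their 30-day daily average. The 3x multiplier and the minimum-volume floor of 20 are assumptions to tune per tenant; table and column names are from the Defender XDR schema.

```kql
// Added example, not from the original article: per-account baseline deviation on successful
// sign-ins. The multiplier and the volume floor are assumptions to tune.
let todayStart = startofday(now());
let baseline = IdentityLogonEvents
    | where Timestamp between (ago(30d) .. todayStart)
    | where ActionType == "LogonSuccess"
    | summarize DailyCount = count() by AccountName, Day = bin(Timestamp, 1d)
    // days with no sign-ins are absent here, so the average is biased upward (conservative)
    | summarize AvgDaily = avg(DailyCount), MaxDaily = max(DailyCount) by AccountName;
IdentityLogonEvents
| where Timestamp >= todayStart
| where ActionType == "LogonSuccess"
| summarize TodayCount = count(), Sources = make_set(IPAddress, 20) by AccountName
| join kind=inner baseline on AccountName
| where TodayCount > 3 * AvgDaily and TodayCount >= 20   // ignore low-volume accounts
| project AccountName, TodayCount, AvgDaily = round(AvgDaily, 1), MaxDaily, Sources
| order by TodayCount desc
```

Because the baseline only counts days on which the account signed in, the average is slightly inflated and the query errs toward fewer alerts; an account whose TodayCount also exceeds its MaxDaily is the strongest signal in the result.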

Operational discipline

  • Save useful queries — build a library over time.
  • Schedule the best hunting queries as analytic rules — proactive becomes ongoing detection.
  • Share with the team — successful hunts inform others.
  • Document findings even if no incident — pattern recognition compounds.

For SOC teams using Defender XDR seriously, advanced hunting is one of the most valuable capabilities. KQL is learnable in days; mastery takes longer; the payback is continuous.