Hunting hypotheses, schema, KQL, time scope, performance, entity pivots, evidence, incidents, actions, detections, and governance

Microsoft Defender XDR Advanced Hunting Starter Guide

Start Microsoft Defender XDR Advanced Hunting with a safe, reproducible workflow. Translate a security question into a time-bounded hypothesis, choose the correct endpoint, identity, email, cloud-app, alert, or Sentinel tables, write efficient KQL, validate schema and data coverage, inspect entities and chronology, preserve query evidence, link relevant results to incidents, authorize response actions, and promote only proven hunts into governed custom detections.

Guided and advanced modes, schema discovery, UTC, 30-day Defender data, quotas, and resource reportingwhere, project, summarize, join, let, parse, entity/time normalization, baselines, and result validationIncident linkage, response actions, custom detections, unified RBAC, evidence, peer review, and metrics
Advanced threat-hunting query observatory for Microsoft Defender XDR
A defensible hunt filters broad telemetry into a time-bounded, entity-aware, reproducible set of evidence that can enrich an incident or become a governed detection.

Operating objective

Ask a precise security question, then produce evidence another analyst can reproduce

Advanced Hunting in the Microsoft Defender portal is a query-based capability for proactively inspecting raw security telemetry. It spans supported Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Defender XDR alert/evidence, Microsoft Sentinel, and other connected data. It supports guided mode for analysts who prefer a query builder and advanced mode for Kusto Query Language (KQL). A successful hunt is not “run a query and export rows.” It begins with a hypothesis, known entities and time, expected benign behavior, telemetry assumptions, and a decision the results will support.

Microsoft currently documents up to 30 days of Defender XDR data per query unless data is streamed through Microsoft Sentinel for longer retention. Current service parameters include up to 100,000 result rows, a 10-minute query timeout, a 64 MB overall results-size limit, and CPU allocation measured over 15-minute cycles. These limits shape safe hunting: narrow time early, filter known columns, project only needed data, size a new query with count/take, and avoid broad joins or full-column searches until the hypothesis is validated.

Every material hunt should preserve query text, version, author/reviewer, UTC time window, tables/workspace, tenant, parameters, result count, execution/resource use, selected evidence, exclusions, limitations, interpretation, and incident/detection outcome. Hunting can lead to device, file, email, URL, or other response actions, but action permissions and business authorization are separate from query permission. Evidence discovery does not automatically authorize containment or deletion.

Control statement: Every hunt must have an owner, hypothesis, business/security purpose, exact UTC time and entity scope, schema/data-coverage assumption, performance guardrail, saved query version, reproducible evidence, peer review for material conclusions, incident/action decision, retention/custody location, and follow-up.

Mode and access selection

Use guided mode to learn structure and advanced mode to control the investigation

Guided mode

Guided mode uses a visual query builder with supported data types, filters, conditions, and sample-size controls. It is useful for new analysts, schema discovery, quick filtering, and peer review with non-KQL specialists. Preserve the generated result definition and verify how builder concepts map to table columns and ActionType/EventType values.

Advanced KQL mode

Advanced mode provides full KQL editing, multiple queries, schema/reference, samples, functions, joins, parsing, aggregations, time-series analysis, and custom-detection development. Use it when the hunt needs exact semantics and reproducibility. Begin from a small known-good query and add one transformation at a time.

Permission boundary

Analysts need appropriate Defender XDR unified RBAC, workload, device/resource, and Sentinel workspace permissions. Query visibility may be scoped. Linking results to incidents requires custom-detection-equivalent permissions, and taking actions requires the relevant endpoint/email or other response permissions. Test each persona with expected and excluded data/actions.

Data availability

A table returning no rows can mean no suspicious activity, no onboarded source, sensor/connector delay, missing license, scoped RBAC, different schema/column, incorrect time/entity, retention expiration, Sentinel workspace selection, or unsupported data. Validate telemetry health and a known benign event before interpreting absence.

UTC and presentation time

Advanced Hunting queries use UTC. The results interface can display your configured time zone. Store UTC in the query and evidence, then add local/business time as a labeled presentation field. Normalize incident, email, identity, device, cloud, and external log timestamps before sequence conclusions.

Defender versus Sentinel history

Defender XDR raw-data hunting is currently bounded to 30 days per query. Longer history can be available when data is streamed/ingested into Microsoft Sentinel. Document table/workspace, ingestion transformation, retention tier, schema differences, cost, and cross-workspace scope; never imply a long lookback when only 30 days was queried.

Schema and table selection

Choose the table whose event semantics match the hypothesis

Hunt domainCommon table familiesUseful pivotsValidation question
Alerts and incidentsAlertInfo, AlertEvidence, SecurityAlert, SecurityIncident where available for the selected Defender/Sentinel context.AlertId, IncidentId, ServiceSource, DetectionSource, Severity, Category, entity fields, Title, Timestamp.Does the row describe a detection/incident or the underlying activity? Pivot to raw-event tables before causal conclusions.
Endpoint process and fileDeviceProcessEvents, DeviceFileEvents, DeviceEvents, DeviceImageLoadEvents.DeviceId/DeviceName, SHA256, FileName, ProcessCommandLine, initiating process, AccountSid/ObjectId, FolderPath.Is the device onboarded and the event/action supported? Are hash, process tree, signer, and user context complete?
Endpoint network and logonDeviceNetworkEvents, DeviceLogonEvents, DeviceNetworkInfo, DeviceInfo.RemoteIP/RemoteUrl/RemotePort, Protocol, LogonType, AccountSid/UPN, InitiatingProcess, device tags/groups, exposure.Is the network row a connection, DNS/proxy-derived value, or enrichment? Normalize IP/URL and account/device identity.
IdentityIdentityLogonEvents, IdentityDirectoryEvents, IdentityQueryEvents, IdentityInfo.AccountObjectId/Sid/UPN, Application, Protocol, IPAddress, DeviceName, ActionType, privileged role and risk context.Are cloud and on-premises identities linked? Could service accounts, shared devices, NAT, sync delay, or normal admin work explain it?
Email and collaborationEmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents, UrlClickEvents.NetworkMessageId, InternetMessageId, sender/recipient, Subject, DeliveryAction, ThreatTypes, SHA256, Url, click action.Are message IDs/URLs normalized, recipients expanded, post-delivery actions considered, and Defender for Office telemetry licensed/available?
Cloud apps and SaaSCloudAppEvents and supported app-governance/cloud-app data.AccountObjectId/DisplayName, Application, IPAddress, ActionType, object/resource, user agent, device/session context.Is the app connected and audited? Are API, actor, proxy, admin, and user actions distinguishable?
Data security and PurviewSupported DataSecurity* tables, DLP/Insider Risk signals, sensitivity and data-classification context where configured.User, data source, policy/rule, sensitivity label, activity, application, device, exfiltration channel, alert/incident.Has the organization enabled the integration and authorized sensitive employee/data use? Are privacy and least-access rules applied?
Exposure and vulnerabilityDeviceTvm* and supported exposure-management tables.DeviceId, software/CVE, recommendation, exposure level, internet-facing/critical asset context, remediation status.Is the data a current inventory/snapshot or an event? Join only after narrowing device/software scope and effective date.

Service limits and query safety

Design within current quotas and prove when results are complete or partial

30-day Defender date range

Each query can currently look up Defender XDR data for up to the past 30 days. A custom time range outside available data does not create history. For incidents with longer dwell time, preserve exported/streamed data and use Microsoft Sentinel or another approved long-term repository with documented ingestion and retention.

100,000-row result limit

Microsoft currently documents up to 100,000 returned rows. A hunt can match more. Use summarize/count by time/entity, partition the hunt, export appropriately, or query the API/Sentinel where justified. Do not report “100,000 events total” when the interface may have capped output.

64 MB result-size limit

Large strings, dynamic columns, many projected fields, and verbose evidence can reach 64 MB before the row limit. The portal indicates partial results. Project only the fields needed for analysis/evidence and preserve a separate broad count so the analyst knows whether detailed rows are complete.

10-minute timeout

A query that times out is not evidence of absence. Reduce time and entities, filter early, project selectively, replace expensive substring/regex operations, parse after filtering, optimize joins, and split stages with let statements. Preserve the failed query and error while developing the corrected version.

Tenant CPU allocation

CPU resources depend on tenant size and refresh every 15 minutes. Microsoft warns when a query uses more than 10% of allocation and can block queries at 100% until refresh. Coordinate heavy hunts/detections, review resource use, and avoid starving incident response.

Query resources report

The current query resources report covers hunting CPU consumption over the prior 30 days and helps identify expensive queries across portal, API, and custom-detection activity subject to permissions. Review top consumers, authors, intent, duration, frequency, failures, and optimization actions.

Completeness rule: Every material conclusion must state the queried time range, data sources, scope, row/result-size/timeout status, resource constraints, and known telemetry gaps. A result set is not automatically the complete population.

KQL building blocks

Filter early, project deliberately, aggregate for context, and join only narrowed data

Start with time and count

Confirm the table, time, and expected magnitude before adding complex logic. The first query below sizes process activity and returns a manageable summary.

DeviceProcessEvents
| where Timestamp > ago(24h)
| summarize Events=count(),
            Devices=dcount(DeviceId)
  by FileName
| top 20 by Events desc

Validate the table has known benign events, then narrow to the process names, devices, users, hashes, or commands relevant to the hypothesis.

Filter and project the evidence

Use indexed/specific operators where possible: exact equality and case-sensitive operators can be faster; has is usually more efficient than substring contains. Filter before parsing and project only the evidence fields.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ (
  "powershell.exe",
  "pwsh.exe")
| where ProcessCommandLine
  has_any ("DownloadString",
           "WebRequest")
| project Timestamp, DeviceId,
  DeviceName, AccountUpn,
  FileName, ProcessCommandLine,
  InitiatingProcessFileName
| top 200 by Timestamp desc

Use let for clear stages

Define parameters and narrowed intermediate results so peer reviewers can understand and test each stage. Keep entity/time normalization explicit.

let StartTime = ago(48h);
let TargetAccounts =
  dynamic(["user1@contoso.com"]);
IdentityLogonEvents
| where Timestamp > StartTime
| where AccountUpn
  in~ (TargetAccounts)
| summarize Attempts=count(),
            IPs=dcount(IPAddress)
  by AccountUpn, Application
| order by Attempts desc

Syntax is not a verdict: Example queries teach structure; they are not production detections and do not prove malicious activity. Validate schema, ActionType values, tenant data, baselines, business context, false positives, and current Microsoft documentation before operational use.

Twelve-step hunting runbook

Define, scope, query, pivot, validate, preserve, escalate, and improve

Write the hypothesis

State the suspected behavior, threat/technique, business impact, known entity or indicator, expected time, supporting evidence, alternative benign explanation, and decision the hunt will inform.

Confirm authorization and privacy

Verify incident/campaign authority, permitted data and employee monitoring, legal/privacy constraints, least-privileged RBAC, sensitive-data handling, export/custody rules, and response-action approval.

Validate telemetry coverage

Identify expected Defender/Sentinel sources, onboarding, licensing, connector/sensor health, schema/table availability, RBAC scope, delay, retention, and a known benign event. Record missing coverage.

Set UTC time and entity scope

Choose start/end before and after known activity. Normalize user/object/SID, device ID/name, message ID, URL/domain/IP, file hash, app/resource, incident/alert ID, and tenant/workspace.

Size the data

Begin with count/summarize and a small sample. Inspect schema, ActionType distribution, nulls, duplicates, result size, execution time, and resource use. Do not begin with broad wildcard text search or multi-table joins.

Build the smallest confirming query

Filter time and strong predicates early, project evidence columns, preserve stable identifiers, and return representative rows. Add one transformation at a time and test both positive and negative controls.

Establish the baseline

Compare the entity, peer group, application, device group, location, time, and organization. Measure normal frequency, rare-but-authorized behavior, maintenance windows, service accounts, automation, and change tickets.

Pivot across domains

Use stable identifiers to connect endpoint, identity, email, cloud app, alert, data, and Sentinel evidence. Apply time filters to every side of joins, narrow the smaller table, and validate one-to-many relationships and duplicates.

Test competing hypotheses

Write queries that should confirm or refute malicious, authorized, misconfigured, and data-quality explanations. Record absent evidence only after validating coverage, time, identity mapping, and service health.

Preserve and peer review

Save exact KQL/version, execution metadata, results/export, hashes where appropriate, screenshots only as presentation aids, analyst interpretation, limitations, and reviewer challenge before a material conclusion or destructive action.

Link, respond, or detect

Link selected hunting rows to an existing/new incident when relevant. Obtain authorization for endpoint/email/URL/file actions. Promote a query to custom detection only after testing entity mapping, threshold, frequency, alert behavior, response, and false-positive controls.

Close the loop

Record outcome, incident/control remediation, detection/tuning change, telemetry gap, lessons, saved query owner, expiry/review, performance metric, and follow-up. Convert useful hunts into reviewed libraries or recurring campaigns.

Joins, identity, and chronology

Normalize keys and time before correlating cross-domain evidence

Join the smaller data set on the left

Microsoft recommends narrowing the left side of a join and applying time filters to both sides. Choose the join flavor deliberately. Default innerunique deduplicates the left by key, which can hide repeated left-side events if the analyst expects a full many-to-many population. Test row counts before and after.

Use stable identifiers

Prefer DeviceId over display name, AccountObjectId/SID over mutable UPN where supported, SHA256 over file name, NetworkMessageId/InternetMessageId with documented semantics, application/object IDs over display names, and normalized URL/domain/IP fields. Preserve original values alongside normalized keys.

Time-bound relationships

A matching account or URL across 30 days does not prove one attack. Require a plausible sequence/window and annotate ingestion delay. Apply UTC filters to every joined table, compare event time rather than only alert time, and calculate deltas between related activity.

One-to-many and duplicates

One message can have many recipients/URLs/attachments; one identity many devices/sessions; one hash many file paths; one IP many users behind NAT/proxy; one alert many evidence rows. Summarize or deduplicate only after preserving the question each row represents.

Dynamic fields and parsing

Filter first, then parse AdditionalFields or other dynamic content with parse_json/parse when needed. Validate keys/types/nulls and schema versions. Avoid expensive regex unless simpler parsing and indexed predicates cannot answer the question. Project parsed fields with clear names and source columns.

Entity enrichment

Join criticality, device groups/tags, exposure, identity role, sensitivity, site/mailbox/business ownership, and incident context only from approved sources and effective dates. Enrichment should explain risk; stale or broad enrichment can bias severity and scope.

Results, evidence, and response

Distinguish query output, analyst interpretation, incident evidence, and authorized action

Result outcomeAnalyst actionEvidence requirementEscalation boundary
No rowsValidate time, table, source health, schema, RBAC, entity mapping, known benign test, and retention before accepting no evidence.Exact query/time, coverage checks, data-health result, known-event test, and limitations.Critical hypothesis remains plausible but telemetry cannot confirm/refute it.
Expected baselineCompare frequency, peers, change/ticket, service account, automation, location, and business owner; retain negative-control result.Baseline method, cohort, time, counts, representative samples, authorization, and reviewer.Behavior is authorized but insecure, overprivileged, or violates policy.
Suspicious rows need contextPivot entities/time, raw events, alerts/incidents, reputation, device/user/app history, sensitivity, exposure, and alternative hypotheses.Stable IDs, chronology, query versions, positive/negative samples, and confidence.Active threat, privileged/critical entity, sensitive data, or widening scope.
Incident-relevant evidenceSelect only material rows, link to an existing/new incident where supported, and update attack story, entities, severity, owner, and next action.Incident/alert IDs, linked record IDs, query/time, source, interpretation, and custody.Linking can generate alerts per impacted-entity combination; review resulting noise and correlation.
Response candidateValidate target and business impact, preserve evidence, obtain approval, then take supported device/file/email/URL or other action using least privilege.Requester/approver, target IDs, action, time, result, failure, rollback, and validation.Destructive, high-impact, privileged, production, shared, legal/privacy, or customer-facing action.
Custom-detection candidateProve reliable entity mapping, time logic, frequency, threshold, severity, title/description, incident correlation, false-positive rate, response, and resource use.Test corpus, query version, owner, MITRE mapping, sample alerts/actions, approval, monitoring, and rollback.Automated response, broad scope, sensitive employee/data monitoring, or high resource consumption.

Custom detection engineering

Promote only stable, efficient, entity-aware hunts into automated detection

Detection contract

Define threat behavior, data source, query owner, schedule/frequency, lookback, required columns, impacted and related entity mappings, alert title/description, severity/category/MITRE techniques, incident correlation, threshold, suppression, response actions, expected volume, and business owner.

Entity mapping

Custom detections need supported entity identifiers for useful alert context and actions. Validate DeviceId, AccountObjectId/SID/UPN, IP, URL, file hash, mailbox/message, app/resource, and other required columns. Wrong or unstable mapping creates misleading incidents or unsafe actions.

Time and schedule logic

Align the query Timestamp window with rule frequency and ingestion delay. Prevent duplicate detection of the same event across overlapping runs or missed late events. Test daylight-saving presentation separately while keeping KQL UTC. Document lookback, deduplication key, and late-arrival behavior.

Positive/negative testing

Use known attack simulations or approved synthetic events, benign business samples, high-volume periods, missing fields, service accounts, shared devices, NAT/proxy, common tools, and historical incidents. Measure precision, recall where possible, alert latency, duplicates, and analyst effort.

Response-action gate

Start alert-only for high-impact detections. Add automated containment only after target accuracy, business safety, rollback, Action Center workflow, owner availability, and emergency disablement are proven. Monitor every triggered action and reconcile it with the incident.

Operational lifecycle

Track enabled/disabled/failed state, execution and resource use, triggered alerts/actions, classifications, false positives, missed incidents, schema/product changes, owner, review date, expiry, query version, tuning, and rollback. Retire obsolete rules and preserve history.

RBAC, privacy, and evidence governance

Give hunters enough cross-domain visibility without uncontrolled data or response access

Hunting reader versus responder

Separate query, incident-linking, custom-detection management, evidence export, and device/email/file/URL response permissions. A hunter may need broad read visibility but not authority to quarantine, isolate, purge, block, or change detections. Require explicit role testing and approval paths.

Unified RBAC and resource scope

Microsoft Defender unified RBAC can centralize permissions across supported workloads, while Sentinel workspaces and other products can retain parallel role models. Document workload activation, device/resource groups, workspace, tenant, data sources, and any visibility differences. Global Administrator is not a routine hunting role.

Sensitive employee and data signals

Identity, cloud app, DLP, Insider Risk, communication, and data-security hunts can expose employee behavior and regulated content. Require lawful purpose, privacy/HR/legal governance, minimum necessary scope, named investigators, secure evidence, retention/disposal, recusal, and prohibition of curiosity searches.

Export and custody

Use case/hunt IDs, source query, UTC collection time, tenant/workspace, row count, export format, hash where appropriate, collector, secure location, access log, transfer record, retention/hold, and deletion authority. Excel/CSV exports can expose sensitive evidence; protect them outside the portal.

Shared query governance

A useful library needs owner, description, parameters, data dependencies, expected output, sample, performance class, incident/detection use, privacy classification, version/change history, review/expiry, and test date. Do not run copied community queries with response actions before review.

Peer review and challenge

For material incidents, destructive actions, regulatory conclusions, or new detections, require another qualified analyst to rerun the query, inspect schema/time/entity assumptions, verify result completeness, test alternatives, and approve the interpretation. Preserve disagreements and resolution.

Recurring hunting program

Move from one-off queries to prioritized campaigns, libraries, and measurable control improvement

Program activityInputsDeliverableSuccess measure
Incident-driven huntKnown entities/indicators, incident timeline, alerts/evidence, attacker technique, scope gaps, and telemetry health.Expanded affected inventory, linked evidence, containment/remediation tasks, and documented no-result limits.Material related activity found/ruled out faster with reproducible evidence.
Threat-intelligence campaignActor/TTP/advisory, relevant industry, known infrastructure/artifacts, telemetry mapping, and exposure.Versioned hypotheses and queries, results, affected assets, control gaps, and detection candidates.Useful detection/assurance outcome—not merely zero matches.
Control-assurance huntCritical control design, expected events/blocks, configuration inventory, change/exception list, and business scope.Evidence the control detects/blocks as intended, bypass/coverage gaps, remediation, and regression query.Coverage and effectiveness improve; exceptions are reduced or governed.
Baseline/anomaly huntEntity peer groups, business calendar, service accounts, approved tools, locations, applications, and historical distributions.Documented baseline, rare/outlier events, false-positive analysis, and investigation candidates.Anomalies are explainable and useful without excessive broad monitoring.
Detection validationCustom rule/query, test events, past incidents, benign corpus, alerts/actions, classifications, latency, and resources.Pass/fail evidence, tuning, rollback, owner, and production approval.Reliable entity-rich alerts with acceptable volume, latency, and analyst cost.
Monthly hunting governanceCampaign backlog, saved queries, detections, resource report, schema/product changes, incidents, telemetry/RBAC gaps, and metrics.Prioritized next hunts, optimized/retired queries, overdue reviews, investment and risk decisions.Hunts close meaningful gaps and do not degrade portal performance or privacy.

Top hunting risks and misconfigurations

Failures that create false confidence, incomplete evidence, noisy detections, or unsafe response

No hypothesis

A broad search produces interesting rows but no defined question, baseline, decision, or stopping condition.

No-result interpreted as no threat

Time, onboarding, sensor, connector, RBAC, schema, retention, workspace, or entity mapping was never validated.

30-day boundary ignored

The hunt claims to rule out long-dwell activity even though only current Defender XDR history was available.

Partial results reported as total

Row, 64 MB, timeout, or resource constraints truncate the population without an explicit completeness statement.

Time filters missing from joins

Broad tables are joined across unnecessary history, consuming CPU, timing out, and creating irrelevant matches.

Display names used as identity

Renames, duplicate users/devices/apps, aliases, shared accounts, and normalization errors corrupt correlation.

Query copied without schema review

A community/sample query uses unavailable tables, changed fields, wrong semantics, or assumptions that do not fit the tenant.

Result rows treated as malicious

No baseline, business context, positive/negative control, competing hypothesis, or source validation supports the verdict.

Response action taken before custody

A device, file, email, URL, account, or app is changed before volatile evidence and decision authority are preserved.

Hunt promoted directly to auto-response

Entity mapping, schedule, duplicates, false positives, business impact, approval, and rollback are untested.

Sensitive employee data overexposed

Hunters query/export behavioral or regulated content without lawful purpose, minimum scope, or secure custody.

Expensive queries starve the tenant

Unoptimized joins, regex, wide projections, and repeated executions consume CPU needed for incidents and detections.

Evidence, metrics, and recurring governance

Measure hunting usefulness, reproducibility, coverage, performance, detection value, and control remediation

Hypothesis completion

Planned, active, completed, blocked, confirmed, refuted, inconclusive, and converted-to-incident/detection hunts by owner and priority.

Coverage confidence

Expected versus available sources/tables/entities/time, sensor/connector health, RBAC scope, retention, and unresolved telemetry gaps.

Time to useful evidence

Hunt start to first validated result and to incident/action decision, separated from time spent fixing data/query issues.

Reproducibility rate

Material hunts another analyst can rerun with the same version, parameters, scope, result population, and defensible interpretation.

Query performance

Execution time, CPU class/use, timeouts, row/size limits, partial results, expensive authors/queries, and optimization completion.

Detection conversion quality

Hunts promoted to rules; triggered alerts/actions; true/benign/false classification; latency; duplicates; rollback; and analyst effort.

Incident/control outcomes

Affected entities found, incidents enriched/created, containment/remediation, vulnerabilities/configuration gaps, and validated closure.

Library health

Owned, reviewed, tested, current, expired, duplicated, broken, high-resource, privacy-sensitive, and retired saved/shared queries.

Per-hunt review

Confirm authorization, hypothesis, time/entities, data coverage, performance, positive/negative controls, results, evidence, incident/action, peer review, and follow-up.

Weekly hunt and detection review

Prioritize campaigns, incident pivots, detection candidates, false positives, telemetry gaps, response actions, shared queries, and overdue remediation.

Monthly governance

Review resource report, program metrics, RBAC/privacy, library lifecycle, schema/product changes, Sentinel retention, detections, incidents, investment, and residual risk.

Related architecture and authoritative references

Connect Advanced Hunting to incident operations, response, detections, endpoint/email controls, and current Microsoft guidance

Frequently asked questions

Microsoft Defender XDR Advanced Hunting FAQ

How much Defender XDR data can Advanced Hunting query?

Microsoft currently documents up to 30 days of Defender XDR raw data per query unless the data is streamed through Microsoft Sentinel for longer retention. It also documents up to 100,000 result rows, a 10-minute timeout, 64 MB result-size limit, and tenant CPU allocation. Record the time, data source, result completeness, and any limit or telemetry gap with every material conclusion.

Should a beginner use guided mode or KQL advanced mode?

Guided mode is useful for learning schema, filtering, and builder concepts without writing KQL. Advanced mode is appropriate when the hunt needs exact semantics, joins, parsing, functions, reusable queries, or custom detections. Beginners can start guided, inspect generated concepts, then rebuild small queries in KQL with time filters, counts, and selected columns.

Does a query with no results prove there was no attack?

No. It can also mean the time is wrong, data is older than retention, a source is not onboarded or delayed, a table/column changed, RBAC hides the data, an entity was not normalized, the wrong Sentinel workspace was selected, or telemetry is unsupported. Validate source health and a known benign event before interpreting absence.

When should hunting results be linked to an incident?

Link rows that are materially relevant to an existing or new investigation and that represent validated impacted/related entities or timeline evidence. Preserve the exact query, UTC window, selected records, interpretation, and permissions. Microsoft notes that linked rows can create alerts based on unique impacted-entity combinations, so review correlation and noise.

When is a hunt ready to become a custom detection?

Only after it reliably identifies the intended behavior with supported entity mapping, efficient time/query logic, known frequency/volume, positive and negative tests, acceptable false positives, useful alert context, clear severity and owner, incident correlation, resource monitoring, and safe response/rollback. Begin alert-only before adding high-impact automatic response.

Does this guide replace professional threat hunting or incident response?

No. It is a starter framework. Real hunts require tenant-specific telemetry, KQL and forensic expertise, authorized employee/data use, incident command, evidence custody, malware/threat intelligence, business context, legal/privacy guidance, response approval, and peer review. A checklist does not replace a professional cybersecurity audit, penetration test, forensic investigation, or incident-response engagement.

Practical, evidence-first Microsoft threat hunting

Need hunts that are fast, reproducible, and useful to incident response?

IT Perfection can help Orange County and Southern California organizations map Defender XDR and Sentinel telemetry, design safe Advanced Hunting workflows, build and optimize KQL, validate identities and chronology, create hunt libraries, preserve evidence, link incidents, govern response actions, engineer custom detections, test unified RBAC, measure performance, and coordinate remediation with internal IT, security, legal, privacy, compliance, and business owners.

Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience.

This guide is for initial operational guidance only. It does not replace legal advice, a professional cybersecurity audit, compliance assessment, penetration test, forensic investigation, malware analysis, threat-hunting engagement, incident-response service, employee/privacy review, or legal/compliance review.