BExstrom
Copper Contributor
Nov 07, 2023

Advanced Hunting Custom Date Range issue

I am performing an Incident investigation on a string of spear phishing emails. I need to query user activity for the last 90 days. The advanced hunting query builder only returns the last 45. Is this a retention issue? Would it work better using the Graph API?

  • adiii
    Brass Contributor
    Advanced Hunting retention is 30 days, so that can be a problem in your query. With Graph API you can query Advanced Hunting as well, but you will have the same retention there I guess. What exactly is your goal? Maybe there is another way to find out.
    • BExstrom
      Copper Contributor

      adiii I’m looking at the login attempts for a user and trying to match them with the device and the IP address. We’re looking to determine if his account was compromised in that time. I don’t think it was. I don’t see anything out of the norm; however, the date in question is over 60 days in the past.

      • adiii
        Brass Contributor

        BExstrom Did you check UAL? Or Activity Log in Cloud Apps? Maybe you'll find something there...