The Microsoft 365 Defender team is thrilled to share that we have made several enhancements to the advanced hunting experience. Our new and improved hunting page now has multi-tab support, smart scrolling, streamlined schema tabs, and more. Also, among these improvements, is the ”link to incident” feature, which allows you to link advanced hunting query results to specific incidents.
In response to popular requests and feedback, we have made the hunting experience more streamlined. Below are the changes and updates:
You can even collapse the schema at the left to maximize your view of the whole screen:
For more information about working with query results, visit our full documentation at Work with advanced hunting query results.
In addition to the enhancements above, we are happy to share that we have dded the much-requested option to link events from hunting to incidents. This capability can help you quickly add additional evidence for an ongoing investigation based on what you find in advanced hunting.
After you run your advanced hunting query, you can select which events are related to the investigation you are working on. The events you select can now be added as an alert to the incident of your choice.
1. Select the events you would like to add to an incident, and then select Link to incident.
2. Select if you would like to link to an existing incident (Link to an existing incident). or to a new one (Create a new incident) Next, provide the alert details.
If you choose Link to an existing incident, you can select an existing incident from the dropdown menu. Type the first few characters of the incident name or ID to narrow down the options.
3. Next, select the impacted entities, which are the columns in your query results where you expect to find the main affected or impacted entity. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts.
For example, in our scenario, we are investigating events related to a possible email exfiltration incident, so the Sender is the impacted entity. We have four different senders, therefore four alerts will be created and linked to the chosen incident.
4. You can also select the incident name (Email exfiltration) to go to the incident that the events are linked to.
The four alerts, representing the four selected events, were linked successfully to a new incident.
For more information about the link to incident feature, visit our full documentation on Link query results to an incident.
NOTE: The expected use case for this feature does not currently include bulk linking of hunting query results to incidents. For example, you can currently link twenty results to a single incident. As we continue to develop how this feature helps you identify events that are likely to be related to an incident, we look forward to your feedback about the volume of events you reasonably expect to add manually to an incident.
The new hunting page is enabled by default. You can still use the old page by turning off the Try the new Hunting page toggle. If you prefer to continue using the old page, kindly share your feedback with us, so we can consider your reasons for preferring the old page.
These enhancements are available today for public preview customers. We would love to know what you think. Please share your feedback with us in the Microsoft 365 Defender portal or by emailing AHfeedback@microsoft.com.
- The Microsoft 365 Defender hunting team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.