Threat Hunting is critical to any effective Security Operations Center (SOC). Proactively hunting for threats strengthens the detection and protection coverage and can limit the impact an attack can have on any given environment. Actively detecting adversaries, mitigating the findings quickly, and implementing protection and prevention capabilities to prevent future instances all strengthen an organization’s defenses.
To reduce the learning curve for hunting and enable all analysts to hunt easily, we are excited to announce that a Guided hunting experience in Microsoft 365 Defender is now in public preview! This removes previous dependencies on KQL.
The guided experience in Microsoft 365 Defender is a new hunting mode that enables analysts with any level of experience to hunt without any knowledge of the Kusto Query Language (KQL) or the associated data schema. The new mode enables you to use the new query builder to construct your queries. You just need to know what you are looking for and you can easily hunt for it.
Microsoft 365 Defender hunting is the place to hunt for threats across workloads including devices, identities, emails, documents, and cloud apps. The data is equally available in both modes, the only difference is how you build the query. In the advanced mode, you craft a KQL query from scratch, and in the guided mode it is via a friendly query builder UI that wraps the KQL for you behind the scenes.
Guided mode provides an easy-to-use query builder with an interface that uses building blocks to construct queries through dropdown menus and provides filters to apply additional conditions:
Image 1: New guided hunting query builder interface
You can either start off with the basic filters set and load sample queries as shown above, or view and use more filters as seen below:
Image 2: Guided hunting query builder using advanced filtering
For instance, you can use query builder to hunt for high confidence phish or spam email delivered to an inbox.
We encourage you to explore how guided mode can help you expand your incident investigations, perform analytics on threat data, or focus on specific threat areas. Read more about guided mode in our documentation:
This enhancement is available today in public preview. We would love to know what you think. Please share your feedback with us in the Microsoft 365 Defender portal or by emailing AHfeedback@microsoft.com.