Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community

Advanced hunting / KQL search for Investigation Priority (User's Score)

New Contributor

Hi good people,


When viewing identities in Defender, under 'Investigation Priority' there is a Score. Is it possible to find this score in a KQL query at all, or is it stored in any logs that could be exported? Or is it only visible on the user's page or the 'Identities' page?

Many thanks,


3 Replies
Hi, this per-identity score is available both in each identity page, in the overall identities page (where you can sort by it) or as part of alerts\incidents where the impacted identities have any.

@Or Tsemah Thanks for the answer; my question was are those the only two places its visible, as they can only be manually checked, or is it possible to view the numbers via Advanced Hunting or from an exported log.

best response confirmed by NewandForgiven (New Contributor)

This data is not available through advanced hunting, the only way export activities with score (which are part of the overall user score) is to use the Defender for cloud apps SIEM agents.

We are evaluating ways to enable more programmatic access to that data through Microsoft 365 Defender components but there is no current ETA that we can share at this point.