cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community
Find out more
SOLVED

Advanced hunting / KQL search for Investigation Priority (User's Score)

NewandForgiven
New Contributor

‎Feb 13 2023 06:46 AM

‎Feb 13 2023 06:46 AM

Advanced hunting / KQL search for Investigation Priority (User's Score)

Hi good people,

 

When viewing identities in Defender, under 'Investigation Priority' there is a Score. Is it possible to find this score in a KQL query at all, or is it stored in any logs that could be exported? Or is it only visible on the user's page or the 'Identities' page?

Many thanks,

NaF

Labels:
202 Views
0 Likes
3 Replies
Reply
3 Replies
Or Tsemah

‎Feb 14 2023 02:00 AM

‎Feb 14 2023 02:00 AM

Re: Advanced hunting / KQL search for Investigation Priority (User's Score)

Hi, this per-identity score is available both in each identity page, in the overall identities page (where you can sort by it) or as part of alerts\incidents where the impacted identities have any.
0 Likes
Reply
NewandForgiven

‎Feb 14 2023 02:07 AM

‎Feb 14 2023 02:07 AM

Re: Advanced hunting / KQL search for Investigation Priority (User's Score)

@Or Tsemah Thanks for the answer; my question was are those the only two places its visible, as they can only be manually checked, or is it possible to view the numbers via Advanced Hunting or from an exported log.

0 Likes
Reply
best response confirmed by NewandForgiven (New Contributor)
Or Tsemah

‎Feb 14 2023 04:20 AM - edited ‎Feb 14 2023 04:21 AM

‎Feb 14 2023 04:20 AM - edited ‎Feb 14 2023 04:21 AM

Solution

Re: Advanced hunting / KQL search for Investigation Priority (User's Score)

This data is not available through advanced hunting, the only way export activities with score (which are part of the overall user score) is to use the Defender for cloud apps SIEM agents.

We are evaluating ways to enable more programmatic access to that data through Microsoft 365 Defender components but there is no current ETA that we can share at this point.

0 Likes
Reply