We’re thrilled to share the public preview of a new query resources report in Microsoft 365 Defender to help you optimize your hunting performance.
Visibility into how query resources are being used across the SOC team is critical to optimizing performance, ensuring queries are executed efficiently, and allowing the team to operate in the most effective way possible. The new query resources report enables you to view how hunting resources are consumed in your organization and provides insights into your consumption of CPU resources for hunting activities. It provides data on queries that were run in the last 30 days using any of the hunting interfaces in Microsoft’s XDR. This report can help you identify the most resource-intensive queries and understand how to prevent throttling due to excessive use in the future.
Image 1: The organization’s resource usage over time
By default, the report table displays queries from the last day and is sorted by resource usage to help you easily identify which queries consumed the highest amount of CPU resources. In this view, queries with high resource usage or a long query time can also be optimized to prevent throttling.
The interactive graph in image 1 allows you to identify excessive usage, and you can easily filter the table by clicking on any relevant spikes you want to drill into further. Once you select an entry along the graph, the table is filtered to that specific date. You can identify the queries that used the most resources on that day and take action to improve them. Use the Microsoft 365 Defender Advanced hunting query best practices to educate users who ran the query or created the rule to take query efficiency and resources into consideration.
The report can be accessed in two ways:
In the advanced hunting page, select Query resources report
Image 2: Access the new query resources report via the Advanced hunting view
Within the Reports page, find the new report entry in the General section:
Image 3: Access the new query resources report via the Reports tab