Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Advanced Hunting Custom Date Range issue

Copper Contributor

I am performing an Incident investigation on a string of spear phishing emails. I need to query user activity for the last 90 days. The advanced hunting query builder only returns the last 45. Is this a retention issue? Would it work better using the Graph API?

4 Replies
Advanced Hunting retention is 30 days, so that can be a problem in your query. With Graph API you can query Advanced Hunting as well, but you will have the same retention there I guess. What exactly is your goal? Maybe there is another way to find out.

@adiii i’m looking at the login attempts for a user and trying to match them with the device and the IP address. We’re looking to determine if his account was compromised in that time I don’t think it was. I don’t see anything out of the norm however, the date in question is over 60 days in the past.

@BExstrom Did you check UAL? Or Activity Log in Cloud Apps? Maybe you find something there...

@adiii I will check the UAL and the cloud app logs. Thanks for the sugestion.