advanced hunting and KQL

%3CLINGO-SUB%20id%3D%22lingo-sub-2279908%22%20slang%3D%22en-US%22%3Eadvanced%20hunting%20and%20KQL%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2279908%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EI%20hope%20you%20are%20well.%20I%20have%20a%20quick%20question%20which%20I'd%20like%20to%20understand%20if%20you%20could%20help%20me%3A%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%3EBasically%20I've%20been%20working%20with%20Advanced%20Hunting%20to%20try%20to%20get%20some%20customized%20data%2C%20reports%20and%20so%20on%20in%20terms%20of%20for%20instance%20impersonation%2C%20url%20protection%2C%20etc...%20Reason%20to%20do%20this%20is%20because%20we%20would%20like%20to%20have%20some%20views%2C%20reports%2C%20tables%20customized%20whatever%20way%20we%20prefer...%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%3EThat%20said%20I%20got%20stuck%20here%20in%20something%3A%20lets%20say%20URL%20threats%20protection%2C%20I%20can%20play%20with%20the%20data%20of%20the%20EmailEvents%20table%2C%20however%20if%20I%20want%20to%20distinguish%20which%20type%20of%20users%20are%20having%20some%20behaviours%20I%20cannot%20do%20anything%20as%20that%20information%20is%20not%20in%20any%20of%20the%20available%20advanced%20hunting%20tables%2C%20but%20it%20is%20in%20the%20O365%20URL%20predefined%20reports%20-%20basically%20would%20distinguish%20if%20user%20is%20a%20Protected%20User%26nbsp%3B%20or%20not%20-%20that%20is%20defined%20on%20the%20Phishing%20Policy...%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%3Eso%20this%20was%20just%20an%20example%20but%20main%20question%20is%20are%20we%20limited%20on%20Advanced%20Hunting%20to%20those%20tables%2C%20or%20is%20there%20anywhere%20where%20we%20can%20grab%20for%20instance%20that%20field%20I%20am%20missing%20in%20this%20example%20using%20Adv%20Hunting%20and%20Kusto%20QL%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%3EThanks%20a%20million%2C%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2279908%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdvanced%20hunting%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EKQL%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Em365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPhishing%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ereports%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Visitor

I hope you are well. I have a quick question which I'd like to understand if you could help me:

Basically I've been working with Advanced Hunting to try to get some customized data, reports and so on in terms of for instance impersonation, url protection, etc... Reason to do this is because we would like to have some views, reports, tables customized whatever way we prefer...

That said I got stuck here in something: lets say URL threats protection, I can play with the data of the EmailEvents table, however if I want to distinguish which type of users are having some behaviours I cannot do anything as that information is not in any of the available advanced hunting tables, but it is in the O365 URL predefined reports - basically would distinguish if user is a Protected User  or not - that is defined on the Phishing Policy...

so this was just an example but main question is are we limited on Advanced Hunting to those tables, or is there anywhere where we can grab for instance that field I am missing in this example using Adv Hunting and Kusto QL

Thanks a million,

0 Replies