🎤 Special Announcement
I’m at Black Hat 25 this week! If you’re attending, come see me at the Microsoft Booth, where I’ll be demoing Security Copilot. Stop by to learn how AI is transforming cybersecurity, and let’s connect to talk about Defender XDR, Advanced Hunting, and Security Copilot in action.

🚀 Introduction
In today’s fast-moving threat landscape, alerts and incidents are only the beginning. Security teams using Microsoft Defender XDR need more than built-in detections. They also need the ability to proactively hunt for signals of compromise. This is where Advanced Hunting with KQL becomes a game-changer, enabling analysts to discover threats before they escalate into major incidents.
In this post, we’ll cover proven strategies for using KQL across devices, email, and identity data. You’ll also see how these hunts can expand into Microsoft Sentinel for broader visibility.
🔎 Advanced Hunting in Defender XDR
Advanced Hunting is a query-based hunting tool available in the Microsoft 365 Defender portal. With it, analysts write custom KQL queries across telemetry streams from Microsoft’s security tools, including Endpoint, Office 365, Identity, and Cloud Apps.
This capability turns the platform into more than just an alerting engine. It allows SOC teams to ask their own questions, test theories, and expose hidden attacks that may never trigger default rules.

🧠 Why KQL Strengthens Threat Hunts
KQL powers hunting by allowing analysts to:
- Search massive datasets in seconds
- Filter, join, and correlate telemetry across endpoints, users, and email
- Pivot from one suspicious signal to another seamlessly
- Develop repeatable queries that evolve into detections
Because KQL is also the language of Microsoft Sentinel, mastering it in Defender XDR creates a consistent skillset across SIEM and XDR.
📖 Learn more: KQL Quick Reference

⚡ Proven Strategies for Hunting
When applied across devices, email, and identity, Advanced Hunting empowers analysts to uncover threats before damage occurs. Let’s explore three practical examples.
🔹 Endpoint Strategy: Detect Rare Processes
```kql
DeviceProcessEvents
// summarize count() produces a column named count_, so give it an explicit name
| summarize ProcessCount = count() by FileName
| top 10 by ProcessCount asc
```
This highlights rare processes on devices that could represent malware execution.
🔹 Email Strategy: Identify Phishing URLs
```kql
EmailUrlInfo
| where UrlDomain has "contoso" and UrlDomain !in ("contoso.com")
// RecipientEmailAddress and ThreatTypes live in EmailEvents, so join on the message id
| join kind=inner (EmailEvents | project NetworkMessageId, RecipientEmailAddress, ThreatTypes) on NetworkMessageId
| project Timestamp, RecipientEmailAddress, Url, UrlDomain, ThreatTypes
```
This query uncovers phishing attempts using lookalike domains delivered by email.
🔹 Identity Strategy: Spot Unusual Remote Logins
```kql
IdentityLogonEvents
| where LogonType == "RemoteInteractive"
// name the aggregate so top can reference it (the default name would be count_)
| summarize LogonCount = count() by AccountUpn, DeviceName, bin(Timestamp, 1h)
| top 10 by LogonCount
```
This flags accounts that perform unusual or excessive remote logins, often a sign of credential misuse.
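The three strategies above each stay inside one workload. The query below, an added example that is not part of the original post, chains them: it starts from the lookalike-domain emails of the email strategy, pivots to the account that clicked the link, and finishes on the processes that account started on its device within the following hour. The "contoso" brand name, the 7-day lookback and the 1-hour follow window are assumptions to adjust for your tenant.

```kql
// Added example: email -> identity -> endpoint pivot in one Advanced Hunting query.
// Assumptions: "contoso" is the protected brand, 7d lookback, 1h window after the click.
let lookback = 7d;
let brand = "contoso";
let legitDomains = dynamic(["contoso.com"]);
// Step 1 (email): messages carrying a lookalike-domain URL, with sender and recipient.
let suspiciousMail = EmailUrlInfo
    | where Timestamp > ago(lookback)
    | where UrlDomain has brand and UrlDomain !in (legitDomains)
    | join kind=inner (
        EmailEvents
        | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress
      ) on NetworkMessageId
    | project NetworkMessageId, Url, UrlDomain, RecipientEmailAddress, SenderFromAddress;
// Step 2 (identity): clicks on those exact URLs that were allowed or clicked through.
let clicks = UrlClickEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ClickAllowed" or IsClickedThrough == true
    | project ClickTime = Timestamp, AccountUpn = tolower(AccountUpn), Url, NetworkMessageId;
// Step 3 (endpoint): processes started by the clicking account shortly after the click.
suspiciousMail
| join kind=inner clicks on NetworkMessageId, Url
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    // UPN case can differ between workloads; normalize before joining
    | project ProcTime = Timestamp, AccountUpn = tolower(AccountUpn), DeviceName,
              FileName, ProcessCommandLine, InitiatingProcessFileName
  ) on AccountUpn
| where ProcTime between (ClickTime .. ClickTime + 1h)
| summarize FirstProcess = min(ProcTime),
            Processes = make_set(FileName, 20),
            SampleCommands = make_set(ProcessCommandLine, 5)
            by AccountUpn, DeviceName, UrlDomain, SenderFromAddress, ClickTime
| order by ClickTime desc
```

Each `let` block also runs on its own, so an analyst can validate the email and click stages before adding the endpoint join, which is the most expensive step.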

🌐 Extending Hunts with Sentinel
While Defender XDR excels at hunting across Microsoft workloads, many enterprises need more. For example, you may want to:
- Hunt across firewall logs or Linux telemetry
- Retain data for months or years instead of days
- Write advanced rules that combine Microsoft and third-party data
This is where Microsoft Sentinel becomes essential. Since KQL works the same way in both tools, you can port queries directly for broader visibility and longer retention.
✅ Key Takeaways
In summary, Advanced Hunting elevates your security program beyond default detections. By mastering KQL, analysts can:
- Proactively investigate across devices, email, and identities
- Discover hidden attacks before they escalate
- Extend hunts into Sentinel for SIEM-level coverage
- Standardize skills across XDR and SIEM with one language
With these strategies, your SOC shifts from waiting for alerts to actively shaping defense with Microsoft’s XDR platform.
✅ If you missed last week’s post, please see here: Mastering Defender XDR – Secrets of Incident Correlation and Investigation
📚 If you missed any previous series/posts, please see here: https://itssecuritydaywithmike.blog/blog/
