| title | description | search.appverid | ms.service | ms.subservice | f1.keywords | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic | ms.date | |||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Use shared queries in Microsoft Defender XDR advanced hunting |
Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization. |
met150 |
defender-xdr |
adv-hunting |
|
maccruz |
schmurky |
medium |
dansimp |
ITPro |
|
conceptual |
02/16/2024 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
- Microsoft Defender XDR
Advanced hunting queries can be shared among users in the same organization. You can also save queries that are only accessible to you. You can also find community queries that are shared publicly on GitHub. These saved queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
Under the Queries tab in advanced hunting, you can find the drop-down menus for Shared queries, My queries, and Community queries. You can select a downward-facing arrow to expand a menu.
:::image type="content" source="/defender/media/advanced-hunting-shared-queries-1.png" alt-text="Shared queries, My queries, and Community queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-shared-queries-1.png":::
You can save a new or existing query so that it is only accessible to you or shared with other users in your organization.
-
Create or modify a query.
-
Click the Save query drop-down button and select Save as.
-
Enter a name for the query.
:::image type="content" source="/defender/media/shared-query-2.png" alt-text="The new query that is about to be saved in the Microsoft Defender portal" lightbox="/defender/media/shared-query-2.png":::
-
Select the folder where you'd like to save the query.
- Shared queries — shared to all users your organization
- My queries — accessible only to you
-
Select Save.
-
Select the three dots to the right of a query you want to rename or delete.
:::image type="content" source="/defender/media/advanced-hunting-del-save-query.png" alt-text="Rename or delete a query in the Advanced Hunting page in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-del-save-query.png":::
-
Select Delete and confirm deletion. Or select Rename and provide a new name for the query.
To generate a link that opens your query directly in the advanced hunting query editor, finalize your query and select Share link.
Microsoft security researchers regularly share advanced hunting queries in a designated public repository on GitHub. Contributions to this repository are reviewed before getting published. To contribute, join GitHub for free.
You can easily find these queries in the Community queries drop-down menu as well.
:::image type="content" source="/defender/media/advanced-hunting-shared-queries-2.png" alt-text="Community queries organized by folder in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-shared-queries-2.png":::
Community queries are grouped into folders like Campaigns, Collection, Defense evasion, and the like. Further information about the query is provided as in-line comments in the query itself.
Tip
Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the threat analytics reports in Microsoft Defender XDR.