Skip to content
Sample queries for Advanced hunting in Microsoft Defender ATP
Branch: master
Clone or download
danaim1 Merge pull request #90 from microsoft/revert-89-patch-16
Revert "Create crime fireball.txt"
Latest commit ed61072 Jun 19, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
Campaigns Revert "Create crime fireball.txt" Jun 19, 2019
Command and Control Delete ExternalDnsResolution.txt Apr 28, 2018
Delivery Create Email link + download + SmartScreen warning.txt Aug 30, 2018
Discovery Create URL Detection (#68) Apr 3, 2019
Execution Update to include decode64 for python (#67) Mar 31, 2019
Exfiltration Rename Connected devices.txt to Map external devices.txt Nov 23, 2018
Fun Rename EmojiHunt to EmojiHunt.txt Mar 22, 2018
General queries Baseline Comparison (#58) Oct 10, 2018
Lateral Movement Update Account brute force.txt Nov 22, 2018
Notebooks WDATP API Demo Jupyter Notebook Dec 4, 2018
Persistence Create scheduled task creation (#73) May 29, 2019
Protection events Update complete (#69) Apr 1, 2019
.gitignore Initial commit Mar 18, 2018
LICENSE Initial commit Mar 18, 2018 Update Apr 2, 2019


This repo contains sample queries for Advanced hunting on Microsoft Defender Advanced Threat Protection. With these sample queries, you can start to experience Advanced hunting, including the types of data that it covers and the query language it supports. You can also explore a variety of attack techniques and how they may be surfaced through Advanced hunting.

To get started, simply paste a sample query into the query builder and run the query. If you get syntax errors, try removing empty lines introduced when pasting. If a query returns no results, try expanding the time range.

We are continually building up documentation about Advanced hunting and its data schema. You can access the full list of tables and columns in the portal or reference the following resources:

Not using Microsoft Defender ATP? If you haven't yet, experience how you can effectively scale your organization's incident response capabilities by signing up for a free Microsoft Defender ATP trial.

Suggestions and feedback

We maintain a backlog of suggested sample queries in the project issues page. Feel free to comment, rate, or provide suggestions.

We value your feedback. Let us know if you run into any problems or share your suggestions by sending email to


This project welcomes contributions and suggestions.

Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact with any additional questions or comments.

Coding guidelines and references

The samples in this repo should include comments that explain the attack technique or anomaly being hunted. Whenever possible, provide links to related documentation.

In addition, construct queries that adhere to the published Microsoft Defender ATP Advanced hunting performance best practices.

You can’t perform that action at this time.