Query a specified set of events, activities, or entity data to look for specific threats in the environment. Least privileged Microsoft Graph permission required to access this action via an application: ThreatHunting.Read.All.
External Documentation: To learn more, visit the Microsoft Defender XDR documentation.

Parameters

Parameter: End Time
Description: The end time of the query. When specified without a Start Time value, the start time is 30 days before the end time. If neither is specified, the timespan is the last 30 days.

Parameter: Query
Description: The hunting query in Kusto Query Language (KQL).

Parameter: Start Time
Description: The start time of the query. When specified without an End Time value, the end time is 30 days after the start time. If neither is specified, the timespan is the last 30 days.

Example Output

{
	"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.security.huntingQueryResults",
	"schema": [
		{
			"name": "Timestamp",
			"type": "DateTime"
		},
		{
			"name": "FileName",
			"type": "String"
		},
		{
			"name": "InitiatingProcessFileName",
			"type": "String"
		}
	],
	"results": [
		{
			"Timestamp": "2024-03-26T09:39:50.7688641Z",
			"FileName": "cmd.exe",
			"InitiatingProcessFileName": "powershell.exe"
		},
		{
			"Timestamp": "2024-03-26T09:39:49.4353788Z",
			"FileName": "cmd.exe",
			"InitiatingProcessFileName": "powershell.exe"
		}
	]
}
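The following is an added example (not code from the page, the workflow platform, or Microsoft) that ties the two technical parts of this page together: it applies the Start Time / End Time defaulting rule from the parameter table, states the resolved window explicitly in a KQL query, and converts the schema plus results payload shown above into typed rows for triage. It does not call Microsoft Graph; the table name DeviceProcessEvents, the column list, the helper names and the idea of repeating the window inside the KQL are assumptions made for illustration, and the payload is the page's example output embedded so the script runs offline.

```python
"""Added example: window defaulting, KQL time filter, and typed parsing of the
hunting-query result payload. Hypothetical helpers; no Graph API call is made."""
from collections import Counter
from datetime import datetime, timedelta, timezone

DEFAULT_WINDOW = timedelta(days=30)  # documented default when a bound is missing


def resolve_window(start=None, end=None, now=None):
    """Apply the documented defaulting rule and reject an empty or inverted window."""
    now = now or datetime.now(timezone.utc)
    if start is None and end is None:
        end, start = now, now - DEFAULT_WINDOW
    elif start is None:
        start = end - DEFAULT_WINDOW
    elif end is None:
        end = start + DEFAULT_WINDOW
    if start >= end:
        raise ValueError("Start Time must be earlier than End Time")
    return start, end


def kql_with_window(table, columns, start, end):
    """Build a hunting query whose time filter matches the resolved window.
    Assumption: stating the window in KQL keeps the query self-describing even
    if the action's Start Time / End Time inputs are later changed."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (
        f"{table}\n"
        f"| where Timestamp between (datetime({start.strftime(fmt)}) .. datetime({end.strftime(fmt)}))\n"
        f"| project {', '.join(columns)}"
    )


def parse_graph_datetime(value):
    """Parse the UTC timestamps in the payload, which carry seven fractional
    digits (100 ns ticks). Python datetimes hold microseconds, so the seventh
    digit is dropped rather than rejected."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z: {value!r}")
    body = value[:-1]
    if "." in body:
        main, frac = body.split(".", 1)
        body = f"{main}.{(frac + '000000')[:6]}"
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


# Column types seen in the example output; unknown types pass through unchanged.
CONVERTERS = {"DateTime": parse_graph_datetime, "String": str}


def rows_from_payload(payload):
    """Apply the 'schema' column types to each entry in 'results'."""
    rows = []
    for result in payload["results"]:
        row = {}
        for column in payload["schema"]:
            convert = CONVERTERS.get(column["type"], lambda v: v)
            raw = result.get(column["name"])
            row[column["name"]] = None if raw is None else convert(raw)
        rows.append(row)
    return rows


def count_by_parent(rows):
    """Triage helper: number of hits per initiating (parent) process."""
    return dict(Counter(r["InitiatingProcessFileName"] for r in rows))


# The example output from the page, embedded so the script runs offline.
SAMPLE_PAYLOAD = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.security.huntingQueryResults",
    "schema": [
        {"name": "Timestamp", "type": "DateTime"},
        {"name": "FileName", "type": "String"},
        {"name": "InitiatingProcessFileName", "type": "String"},
    ],
    "results": [
        {"Timestamp": "2024-03-26T09:39:50.7688641Z", "FileName": "cmd.exe",
         "InitiatingProcessFileName": "powershell.exe"},
        {"Timestamp": "2024-03-26T09:39:49.4353788Z", "FileName": "cmd.exe",
         "InitiatingProcessFileName": "powershell.exe"},
    ],
}

if __name__ == "__main__":
    # Only End Time given: start defaults to 30 days earlier.
    start, end = resolve_window(end=parse_graph_datetime("2024-03-31T00:00:00Z"))
    print(kql_with_window("DeviceProcessEvents",
                          ["Timestamp", "FileName", "InitiatingProcessFileName"], start, end))
    rows = rows_from_payload(SAMPLE_PAYLOAD)
    print(count_by_parent(rows))  # {'powershell.exe': 2}
```

The defaulting logic mirrors the parameter table exactly, and the parser trusts the schema array rather than guessing column types from the values, which is what keeps downstream triage (counting by parent process, sorting by timestamp) stable when the hunting query's projected columns change.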

Workflow Library Example

Run Hunting Query with Microsoft Defender Xdr and Send Results Via Email