Extend advanced hunting coverage with the right settings
Applies to:
- Microsoft Defender XDR
Advanced hunting relies on data coming from various sources, including your devices, your Office 365 workspaces, Microsoft Entra ID, and Microsoft Defender for Identity. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
Advanced security auditing on Windows devices
Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.
Data | Description | Schema table | How to configure |
---|---|---|---|
Account management | Events captured as various ActionType values indicating local account creation, deletion, and other account-related activities | DeviceEvents | - Deploy an advanced security audit policy: Audit User Account Management - Learn about advanced security audit policies |
Security group management | Events captured as various ActionType values indicating local security group creation and other local group management activities | DeviceEvents | - Deploy an advanced security audit policy: Audit Security Group Management - Learn about advanced security audit policies |
Service installation | Events captured with the ActionType value ServiceInstalled, indicating that a service has been created | DeviceEvents | - Deploy an advanced security audit policy: Audit Security System Extension - Learn about advanced security audit policies |
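As an added example (not from this article or Microsoft's own tooling), the per-device auditpol equivalent of the three audit policies in the table, followed by a check that the setting took effect. On domain-joined devices an audit GPO under Advanced Audit Policy Configuration overrides local values, so fleet-wide deployment should go through Group Policy; the function names here are the example's own.

```powershell
# Added example, not from the article: turn on the three advanced audit
# subcategories listed above on one Windows device and verify the result.
# Requires an elevated PowerShell session. A GPO under Advanced Audit Policy
# Configuration overrides these local values on domain-joined devices.

# Subcategory display names as auditpol expects them, mapped to the
# DeviceEvents data the article says each one unlocks.
$subcategories = [ordered]@{
    'User Account Management'   = 'local account creation/deletion ActionTypes'
    'Security Group Management' = 'local security group management ActionTypes'
    'Security System Extension' = 'ActionType ServiceInstalled'
}

function Set-HuntingAuditPolicy {
    foreach ($sub in $subcategories.Keys) {
        # Enable success and failure auditing; failure events also record
        # denied account and group changes, which are useful when hunting.
        auditpol /set "/subcategory:$sub" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol /set failed for '$sub' (exit $LASTEXITCODE); is the session elevated?"
        }
    }
}

function Test-HuntingAuditPolicy {
    # auditpol /get ... /r emits CSV whose 'Inclusion Setting' column holds
    # 'Success and Failure', 'Success', 'Failure' or 'No Auditing'.
    $ok = $true
    foreach ($sub in $subcategories.Keys) {
        $row     = auditpol /get "/subcategory:$sub" /r | ConvertFrom-Csv
        $setting = $row.'Inclusion Setting'
        $status  = if ($setting -eq 'Success and Failure') { 'OK  ' } else { $ok = $false; 'FAIL' }
        Write-Host ("{0} {1,-26} {2,-20} -> {3}" -f $status, $sub, $setting, $subcategories[$sub])
    }
    return $ok
}

Set-HuntingAuditPolicy
if (-not (Test-HuntingAuditPolicy)) {
    Write-Warning 'Some subcategories are not fully audited; check for an overriding audit GPO.'
}
```

After the policy is active, the corresponding rows appear in the DeviceEvents table once the device has reported in; a local change that never shows up there usually points to a GPO resetting the subcategory.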
Microsoft Defender for Identity sensor on the domain controller
If you're running Active Directory on-premises, you need to install the Microsoft Defender for Identity sensor on the domain controller to get data for Microsoft Defender for Identity. Once the sensor is installed and properly configured, its data also feeds into advanced hunting through Microsoft Defender for Identity and provides a more holistic picture of identity information and events in your network. This data also improves the ability of Microsoft Defender for Identity to generate relevant alerts, which are likewise covered by advanced hunting.
Data | Description | Schema table | How to configure |
---|---|---|---|
Domain controller | Data from on-premises Active Directory sent to Microsoft Defender for Identity, enriching identity-related information, such as account details, logon activity, and Active Directory queries | Multiple tables, including IdentityInfo, IdentityLogonEvents, and IdentityQueryEvents | - Install the Microsoft Defender for Identity sensor - Turn on relevant Windows Events |
Note
Some tables in this article might not be available in Microsoft Defender for Endpoint. Turn on Microsoft Defender XDR to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft Defender XDR by following the steps in Migrate advanced hunting queries from Microsoft Defender for Endpoint.
Related topics
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.