Advanced hunting in Microsoft Defender multitenant management

Advanced hunting in Microsoft Defender multitenant management allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants at the same time. If you have tenants with a Microsoft Sentinel workspace onboarded to the Microsoft unified security operations platform, you can also search security information and event management (SIEM) data together with extended detection and response (XDR) data across multiple tenants.

Run cross-tenant queries

In multitenant management, you can use any of the queries you currently have access to. They're filtered by tenant in the Queries tab. Select a tenant to view the queries available under each one.

Once you load the query in the query editor, you can scope it to specific tenants by selecting Tenant scope:

Screenshot of the Microsoft Defender XDR cross tenants advanced hunting query page

This action opens a side pane from which you can specify the tenants to include in the query:

Screenshot of the Microsoft Defender XDR cross tenants advanced hunting query side pane scope

Select the tenants you want to include in your query. Select Apply, then Run query.

The query results contain the tenant ID:

Screenshot of the Microsoft Defender XDR cross tenants advanced hunting query scope column

To learn more about advanced hunting in Microsoft Defender XDR, read Proactively hunt for threats with advanced hunting in Microsoft Defender XDR.
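The following KQL query is an added example of the kind of cross-tenant hunt described above; it is not from the Microsoft page. It assumes the cross-tenant results expose the tenant identifier as a column named TenantId (the page only says the results contain the tenant ID), and it uses the standard DeviceProcessEvents schema. It summarizes, per tenant, cases where an Office application launched a script host, so that one run over all selected tenants shows which tenant and which host pairings need triage first.

```kusto
// Added example, not from the original page. Assumes the cross-tenant result
// set exposes the tenant identifier as a column named TenantId; adjust if the
// column is named differently in your results grid.
let lookback = 7d;
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let scriptHosts = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Parent is an Office application, child is a script or command interpreter
| where InitiatingProcessFileName in~ (officeApps)
| where FileName in~ (scriptHosts)
// Roll up per tenant so the multitenant run is readable at a glance
| summarize
    Hits = count(),
    Devices = dcount(DeviceId),
    Accounts = dcount(AccountName),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCommandLine = take_any(ProcessCommandLine)
    by TenantId, InitiatingProcessFileName, FileName
| order by Hits desc
```

Select the tenants in the Tenant scope pane before running it; the TenantId grouping key is what lets you tell the tenants apart in the combined result set. Remove the summarize step to get row-level events for a specific tenant once you have picked one to investigate.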

Custom detection rules

Likewise, you can manage custom detection rules from multiple tenants in the custom detection rules page.

View custom detection rules by tenant

  1. To view custom detection rules, go to the Custom detection rules page in Microsoft Defender multitenant management.

  2. View the Tenant name column to see which tenant the detection rule comes from:

    Screenshot of the Microsoft Defender XDR multi-tenant custom detection page

To view only a specific tenant's custom detection rules, select Filter, choose the tenant or tenants, and select Apply.

To read more about custom detection rules, read Custom detections overview.

Manage custom detection rules

You can Run, Turn off, and Delete detection rules from Microsoft Defender multitenant management.

To manage detection rules:

  1. Go to the Custom detection rules page in Microsoft Defender multitenant management.
  2. Choose the detection rule you want to manage.

When you select a single detection rule, a flyout panel opens with the detection rule details:

Screenshot of the Microsoft Defender XDR custom detection rule details page

Select Open detection rules to view this rule in a new tab for the specific tenant in the Microsoft Defender portal. To learn more, see Custom detection rules.