Advanced hunting in multi-tenant management in Microsoft Defender XDR

Advanced hunting in multi-tenant management in Microsoft Defender XDR allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants at the same time.

Run cross-tenant queries

In multi-tenant management, you can use any of the queries you currently have access to. They're filtered by tenant in the Queries tab. Select a tenant to view the queries available under each one.

Once you load the query in the query editor, you can then specify the scope of the query by tenant by selecting Tenant scope:

Screenshot of the Microsoft Defender XDR cross tenants advanced hunting query page

This action opens a side pane from which you can specify the tenants to include in the query:

Screenshot of the Microsoft Defender XDR cross tenants advanced hunting query side pane scope

Select the tenants you want to include in your query. Select Apply, then Run query.

Note

Queries that use the join operator are currently not supported in multi-tenant management advanced hunting.
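Because of this limitation, it helps to know which saved queries contain a join before you set a multi-tenant scope. The following Python sketch is an added example, not part of the Microsoft documentation or product: its function names and sample queries are constructed, and it assumes string literals are quoted or @-verbatim and comments use //.

```python
import re

JOIN_OP = re.compile(r"\|\s*(join)\b")  # join used as a tabular operator after a pipe

def strip_literals_and_comments(query: str) -> str:
    """Replace string literals with "" and drop // comments so their text is ignored."""
    out, i, n = [], 0, len(query)
    while i < n:
        ch = query[i]
        if query.startswith("//", i):                 # comment runs to end of line
            end = query.find("\n", i)
            i = n if end == -1 else end
        elif ch in "\"'":
            verbatim = i > 0 and query[i - 1] == "@"  # @"..." has no backslash escapes
            i += 1
            while i < n:
                if not verbatim and query[i] == "\\":
                    i += 2                            # skip the escaped character
                elif verbatim and query.startswith(ch * 2, i):
                    i += 2                            # doubled quote inside @"..."
                elif query[i] == ch:
                    i += 1                            # closing quote
                    break
                else:
                    i += 1
            out.append('""')
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def join_lines(query: str) -> list[int]:
    """1-based line numbers where a join operator appears in executable KQL."""
    text = strip_literals_and_comments(query)
    return [text.count("\n", 0, m.start(1)) + 1 for m in JOIN_OP.finditer(text)]

def unsupported_in_multitenant(queries: dict[str, str]) -> dict[str, list[int]]:
    """Map each saved query that uses join to the lines that need rewriting."""
    hits = {name: join_lines(q) for name, q in queries.items()}
    return {name: lines for name, lines in hits.items() if lines}

# Constructed sample queries (not from the page).
SAMPLE = {
    "encoded-powershell": 'DeviceProcessEvents\n| where ProcessCommandLine has "| join "'
                          " // join appears only in text\n| summarize count() by DeviceId",
    "attachment-on-disk": "EmailAttachmentInfo\n| where FileType == 'zip'\n"
                          "| join kind=inner (DeviceFileEvents) on SHA256\n| take 10",
}
print(unsupported_in_multitenant(SAMPLE))  # {'attachment-on-disk': [3]}
```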

The query results contain the tenant ID:

Screenshot of the Microsoft Defender XDR cross tenants advanced hunting query scope column

To learn more about advanced hunting in Microsoft Defender XDR, read Proactively hunt for threats with advanced hunting in Microsoft Defender XDR.

Custom detection rules

Likewise, you can manage custom detection rules from multiple tenants in the custom detection rules page.

View custom detection rules by tenant

  1. To view custom detection rules, go to the Custom detection rules page in multi-tenant management in Microsoft Defender XDR.

  2. View the Tenant name column to see which tenant the detection rule comes from:

    Screenshot of the Microsoft Defender XDR multi-tenant custom detection page

To view only a specific tenant's custom detection rules, select Filter, choose the tenant or tenants and select Apply.

To read more about custom detection rules, read Custom detections overview.

Manage custom detection rules

You can Run, Turn off, and Delete detection rules from multi-tenant management in Microsoft Defender XDR.

To manage detection rules:

  1. Go to the Custom detection rules page in multi-tenant management in Microsoft Defender XDR.
  2. Choose the detection rule you want to manage.

When you select a single detection rule, a flyout panel opens with the detection rule details:

Screenshot of the Microsoft Defender XDR custom detection rule details page

Select Open detection rules to view this rule in a new tab for the specific tenant in the Microsoft Defender portal. To learn more, see Custom detection rules.