Edit

security: runHuntingQuery

  • Article

Namespace: microsoft.graph.security

Queries a specified set of event, activity, or entity data supported by Microsoft 365 Defender to proactively look for specific threats in your environment.

This is the method for advanced hunting in Microsoft 365 Defender. This method includes a query in Kusto Query Language (KQL). It specifies a data table in the advanced hunting schema and a piped sequence of operators to filter or search that data, and format the query output in specific ways.

Find out more about hunting for threats across devices, emails, apps, and identities. Learn about KQL.

For information on using advanced hunting in the Microsoft 365 Defender portal, see Proactively hunt for threats with advanced hunting in Microsoft 365 Defender.

This API is supported in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatHunting.Read.All
Delegated (personal Microsoft account) Not supported.
Application ThreatHunting.Read.All

HTTP request

POST /security/runHuntingQuery

Request headers

Name Description
Authorization Bearer {token}. Required.
Content-Type application/json. Required.

Note

If you're using non-ANSI characters in your query, for example to query email subjects with malformed or lookalike characters, use application/json; charset=utf-8 for the Content-Type header.

Request body

In the request body, provide a JSON object for the parameter, Query.

Parameter Type Description
Query String The hunting query in Kusto Query Language (KQL). For more information on KQL syntax, see KQL quick reference.

Response

If successful, this action returns a 200 OK response code and a huntingQueryResults in the response body.

Examples

Request

This example specifies a KQL query which does the following:

  • Looks into the DeviceProcessEvents table in the advanced hunting schema.
  • Filters on the condition that the event is initiated by the powershell.exe process.
  • Specifies the output of 3 columns from the same table for each row: Timestamp, FileName, InitiatingProcessFileName.
  • Sorts the output by the Timestamp value.
  • Limits the output to 2 records (2 rows).
POST https://graph.microsoft.com/v1.0/security/runHuntingQuery

{
    "Query": "DeviceProcessEvents | where InitiatingProcessFileName =~ \"powershell.exe\" | project Timestamp, FileName, InitiatingProcessFileName | order by Timestamp desc | limit 2"
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "schema": [
        {
            "Name": "Timestamp",
            "Type": "DateTime"
        },
        {
            "Name": "FileName",
            "Type": "String"
        },
        {
            "Name": "InitiatingProcessFileName",
            "Type": "String"
        }
    ],
    "results": [
        {
            "Timestamp": "2020-08-30T06:38:35.7664356Z",
            "FileName": "conhost.exe",
            "InitiatingProcessFileName": "powershell.exe"
        },
        {
            "Timestamp": "2020-08-30T06:38:30.5163363Z",
            "FileName": "conhost.exe",
            "InitiatingProcessFileName": "powershell.exe"
        }
    ]
}