Edit

Share via

security: runHuntingQuery

  • Article

Namespace: microsoft.graph.security

Queries a specified set of event, activity, or entity data supported by Microsoft 365 Defender to proactively look for specific threats in your environment.

This method is for advanced hunting in Microsoft 365 Defender. This method includes a query in Kusto Query Language (KQL). It specifies a data table in the advanced hunting schema and a piped sequence of operators to filter or search that data, and format the query output in specific ways.

Find out more about hunting for threats across devices, emails, apps, and identities. Learn about KQL.

For information on using advanced hunting in the Microsoft 365 Defender portal, see Proactively hunt for threats with advanced hunting in Microsoft 365 Defender.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) ThreatHunting.Read.All Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application ThreatHunting.Read.All Not available.

HTTP request

POST /security/runHuntingQuery

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Note

If you're using non-ANSI characters in your query, for example to query email subjects with malformed or lookalike characters, use application/json; charset=utf-8 for the Content-Type header.

Request body

In the request body, provide a JSON object for the Query parameter, and optionally include a Timespan parameter.

Parameter Type Description Example
Query String Required. The hunting query in Kusto Query Language (KQL). For more information, see KQL quick reference.
Timespan String Optional. The interval of time over which to query data, in ISO 8601 format. The default value is 30 days, meaning if no startTime is specified, the query looks back 30 days from now. If a time filter is specified in both the query and the startTime parameter, the shorter time span is applied. For example, if the query has a filter for the last seven days and the startTime is 10 days ago, the query only looks back seven days.

The following examples show the possible formats for the Timepsan parameter:

  • Date/Date: "2024-02-01T08:00:00Z/2024-02-15T08:00:00Z" - Start and end dates.
  • Duration/endDate: "P30D/2024-02-15T08:00:00Z" - A period before the end date.
  • Start/duration: "2024-02-01T08:00:00Z/P30D" - Start date and duration.
  • ISO8601 duration: "P30D" - Duration from now backwards.
  • Single date/time: "2024-02-01T08:00:00Z" - Start time with end time defaulted to the current time.

Response

If successful, this action returns a 200 OK response code and a huntingQueryResults in the response body.

Examples

Example 1: Query with default timespan

Request

The following example specifies a KQL query and does the following:

  • Looks into the DeviceProcessEvents table in the advanced hunting schema.
  • Filters on the condition that the powershell.exe process initiates the event.
  • Specifies the output of three columns from the same table for each row: Timestamp, FileName, InitiatingProcessFileName.
  • Sorts the output by the Timestamp value.
  • Limits the output to two records (two rows).
POST https://graph.microsoft.com/v1.0/security/runHuntingQuery

{
    "Query": "DeviceProcessEvents | where InitiatingProcessFileName =~ \"powershell.exe\" | project Timestamp, FileName, InitiatingProcessFileName | order by Timestamp desc | limit 2"
}

Response

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.security.huntingQueryResults",
    "schema": [
        {
            "name": "Timestamp",
            "type": "DateTime"
        },
        {
            "name": "FileName",
            "type": "String"
        },
        {
            "name": "InitiatingProcessFileName",
            "type": "String"
        }
    ],
    "results": [
        {
            "Timestamp": "2024-03-26T09:39:50.7688641Z",
            "FileName": "cmd.exe",
            "InitiatingProcessFileName": "powershell.exe"
        },
        {
            "Timestamp": "2024-03-26T09:39:49.4353788Z",
            "FileName": "cmd.exe",
            "InitiatingProcessFileName": "powershell.exe"
        }
    ]
}

Example 2: Query with optional the timespan parameter specified

Request

This example specifies a KQL query and looks into the deviceProcessEvents table in the advanced hunting schema 60 days back.

POST https://graph.microsoft.com/v1.0/security/runHuntingQuery

{
    "Query": "DeviceProcessEvents",
    "Timespan": "P90D"
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "schema": [
        {
            "name": "Timestamp",
            "type": "DateTime"
        },
        {
            "name": "FileName",
            "type": "String"
        },
        {
            "name": "InitiatingProcessFileName",
            "type": "String"
        }
    ],
    "results": [
        {
            "timestamp": "2020-08-30T06:38:35.7664356Z",
            "fileName": "conhost.exe",
            "initiatingProcessFileName": "powershell.exe"
        },
        {
            "timestamp": "2020-08-30T06:38:30.5163363Z",
            "fileName": "conhost.exe",
            "initiatingProcessFileName": "powershell.exe"
        }
    ]
}