Advanced Hunting using Python

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.


If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.


For better performance, you can use server closer to your geo location:


Run advanced queries using Python, see Advanced Hunting API.

In this section, we share Python samples to retrieve a token and use it to run a query.

Prerequisite: You first need to create an app.

Get token

  • Run the following commands:
import json
import urllib.request
import urllib.parse

tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here

url = "" % (tenantId)

resourceAppIdUri = ''

body = {
    'resource' : resourceAppIdUri,
    'client_id' : appId,
    'client_secret' : appSecret,
    'grant_type' : 'client_credentials'

data = urllib.parse.urlencode(body).encode("utf-8")

req = urllib.request.Request(url, data)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(
aadToken = jsonResponse["access_token"]


  • tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant)
  • appId: ID of your Microsoft Entra app (the app must have 'Run advanced queries' permission to Microsoft Defender for Endpoint)
  • appSecret: Secret of your Microsoft Entra app

Run query

Run the following query:

query = 'DeviceRegistryEvents | limit 10' # Paste your own query here

url = ""
headers = { 
    'Content-Type' : 'application/json',
    'Accept' : 'application/json',
    'Authorization' : "Bearer " + aadToken

data = json.dumps({ 'Query' : query }).encode("utf-8")

req = urllib.request.Request(url, data, headers)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(
schema = jsonResponse["Schema"]
results = jsonResponse["Results"]
  • schema contains the schema of the results of your query
  • results contain the results of your query

Complex queries

If you want to run complex queries (or multiline queries), save your query in a file and, instead of the first line in the above sample, run the below command:

queryFile = open("D:\\Temp\\myQuery.txt", 'r') # Replace with the path to your file
query =

Work with query results

You can now use the query results.

To iterate over the results do the below:

for result in results:
    print(result) # Prints the whole result
    print(result["EventTime"]) # Prints only the property 'EventTime' from the result

To output the results of the query in CSV format in file file1.csv do the below:

import csv

outputFile = open("D:\\Temp\\file1.csv", 'w')
output = csv.writer(outputFile)
for result in results:


To output the results of the query in JSON format in file file1.json do the below:

outputFile = open("D:\\Temp\\file1.json", 'w')
json.dump(results, outputFile)


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.