Advanced hunting in multi-tenant management in Microsoft Defender XDR
Advanced hunting in multi-tenant management in Microsoft Defender XDR allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants at the same time.
Run cross-tenant queries
In multi-tenant management, you can use any of the queries you currently have access to. They're filtered by tenant in the Queries tab. Select a tenant to view the queries available under each one.
Once you load the query in the query editor, you can then specify the scope of the query by tenant by selecting Tenant scope.
This action opens a side pane from which you can specify the tenants to include in the query.
Select the tenants you want to include in your query. Select Apply, then Run query.
Note
Queries that use the join operator are currently not supported in multi-tenant management advanced hunting.
The query results contain the tenant ID.
To learn more about advanced hunting in Microsoft Defender XDR, read Proactively hunt for threats with advanced hunting in Microsoft Defender XDR.
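The note in this section says that queries using the join operator are not supported in multi-tenant advanced hunting. The following Python pre-check is an added example, not part of the original page or of any Microsoft tooling: it scans saved query text for the join operator while ignoring string literals and comments, so you can see which queries hit that limitation before choosing a tenant scope. The query names and bodies are constructed samples.

```python
import re

# KQL text to ignore when looking for operators: string literals and // comments.
_SKIP = re.compile("|".join([
    r'@"(?:[^"]|"")*"',        # verbatim double-quoted string
    r"@'(?:[^']|'')*'",        # verbatim single-quoted string
    r'"(?:\\.|[^"\\\n])*"',    # double-quoted string
    r"'(?:\\.|[^'\\\n])*'",    # single-quoted string
    r"//[^\n]*",               # line comment
]))
# join is a tabular operator, so it directly follows a pipe. KQL is case-sensitive.
_JOIN = re.compile(r"\|\s*join\b")

def strip_literals(query: str) -> str:
    """Blank out strings and drop comments so their contents are not scanned."""
    return _SKIP.sub(lambda m: "" if m.group(0).startswith("//") else '""', query)

def uses_join(query: str) -> bool:
    """True if the query invokes the join operator anywhere, including subqueries."""
    return bool(_JOIN.search(strip_literals(query)))

def partition_queries(queries: dict) -> tuple:
    """Split query names into (no join found, uses join)."""
    no_join = [name for name, text in queries.items() if not uses_join(text)]
    with_join = [name for name, text in queries.items() if uses_join(text)]
    return no_join, with_join

# Constructed sample queries (hypothetical names) for illustration only.
SAMPLE_QUERIES = {
    "powershell-download": '''
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "| join"   // literal text, not the operator
| summarize count() by DeviceId
''',
    "process-to-network": '''
DeviceProcessEvents
| where Timestamp > ago(1d)
| join kind=inner (DeviceNetworkEvents | where RemotePort == 445) on DeviceId
''',
    "commented-out-join": '''
EmailEvents
// | join kind=leftouter (EmailAttachmentInfo) on NetworkMessageId
| summarize count() by SenderFromDomain
''',
}

if __name__ == "__main__":
    ok, blocked = partition_queries(SAMPLE_QUERIES)
    print("No join operator:", ok)
    print("Uses join (not supported in multi-tenant hunting):", blocked)
```

A query in the first list only means the join operator was not found; it is not a check of any other multi-tenant requirement.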
Custom detection rules
Likewise, you can manage custom detection rules from multiple tenants in the custom detection rules page.
View custom detection rules by tenant
To view custom detection rules, go to the Custom detection rules page in multi-tenant management in Microsoft Defender XDR.
View the Tenant name column to see which tenant the detection rule comes from.
To view only a specific tenant's custom detection rules, select Filter, choose the tenant or tenants and select Apply.
To read more about custom detection rules, read Custom detections overview.
Manage custom detection rules
You can Run, Turn off, and Delete detection rules from multi-tenant management in Microsoft Defender XDR.
To manage detection rules:
- Go to the Custom detection rules page in multi-tenant management in Microsoft Defender XDR
- Choose the detection rule you want to manage
When you select a single detection rule, a flyout panel opens with the detection rule details.
Select Open detection rules to view this rule in a new tab for the specific tenant in the Microsoft Defender portal. To learn more, see Custom detection rules.