Microsoft Defender XDR Advanced hunting API
Applies to:
- Microsoft Defender XDR
Warning
This advanced hunting API is an older version with limited capabilities. A more comprehensive version of the advanced hunting API is already available in the Microsoft Graph security API. See Advanced hunting using Microsoft Graph security API
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Advanced hunting is a threat-hunting tool that uses specially constructed queries to examine the past 30 days of event data in Microsoft Defender XDR. You can use advanced hunting queries to inspect unusual activity, detect possible threats, and even respond to attacks. The advanced hunting API allows you to programmatically query event data.
Quotas and resource allocation
The following conditions relate to all queries.
- Queries explore and return data from the past 30 days.
- Results can return up to 100,000 rows.
- You can make up to at least 45 calls per minute per tenant. The number of calls varies per tenant based on its size.
- Each tenant is allocated CPU resources, based on the tenant size. Queries are blocked if the tenant has reached 100% of the allocated resources until after the next 15-minute cycle. To avoid blocked queries due to excess consumption, follow the guidance in Optimize your queries to avoid hitting CPU quotas.
- If a single request runs for more than three minutes, it times out and returns an error.
- A
429
HTTP response code indicates that you've reached the allocated CPU resources, either by number of requests sent, or by allotted running time. Read the response body to understand the limit you have reached.
Permissions
One of the following permissions is required to call the advanced hunting API. To learn more, including how to choose permissions, see Access the Microsoft Defender XDR Protection APIs.
Permission type | Permission | Permission display name |
---|---|---|
Application | AdvancedHunting.Read.All | Run advanced queries |
Delegated (work or school account) | AdvancedHunting.Read | Run advanced queries |
Note
When obtaining a token using user credentials:
- The user needs to have the 'View Data' role.
- The user needs to have access to the device, based on device group settings.
HTTP request
POST https://api.security.microsoft.com/api/advancedhunting/run
Request headers
Header | Value |
---|---|
Authorization | Bearer {token} Note: required |
Content-Type | application/json |
Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description |
---|---|---|
Query | Text | The query to run. (required) |
Response
If successful, this method will return 200 OK
, and a QueryResponse object in the response body.
The response object contains three top-level properties:
- Stats - A dictionary of query performance statistics.
- Schema - The schema of the response, a list of Name-Type pairs for each column.
- Results - A list of advanced hunting events.
Example
In the following example, a user sends the query below and receives an API response object containing Stats
, Schema
, and Results
.
Query
{
"Query":"DeviceProcessEvents | where InitiatingProcessFileName =~ \"powershell.exe\" | project Timestamp, FileName, InitiatingProcessFileName | order by Timestamp desc | limit 2"
}
Response object
{
"Stats": {
"ExecutionTime": 4.621215,
"resource_usage": {
"cache": {
"memory": {
"hits": 773461,
"misses": 4481,
"total": 777942
},
"disk": {
"hits": 994,
"misses": 197,
"total": 1191
}
},
"cpu": {
"user": "00:00:19.0468750",
"kernel": "00:00:00.0156250",
"total cpu": "00:00:19.0625000"
},
"memory": {
"peak_per_node": 236822432
}
},
"dataset_statistics": [
{
"table_row_count": 2,
"table_size": 102
}
]
},
"Schema": [
{
"Name": "Timestamp",
"Type": "DateTime"
},
{
"Name": "FileName",
"Type": "String"
},
{
"Name": "InitiatingProcessFileName",
"Type": "String"
}
],
"Results": [
{
"Timestamp": "2020-08-30T06:38:35.7664356Z",
"FileName": "conhost.exe",
"InitiatingProcessFileName": "powershell.exe"
},
{
"Timestamp": "2020-08-30T06:38:30.5163363Z",
"FileName": "conhost.exe",
"InitiatingProcessFileName": "powershell.exe"
}
]
}
Related articles
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.