Defender XDR Advanced Hunting

4-8 hours · Module 1 · Free
What you already know

You've run KQL queries in Sentinel (PT1.8). Defender XDR uses the same query language but different table names, different column names, and a different portal. This sub maps the differences so you can read both formats without confusion when you encounter them in technique subs.

Operational Objective
The course covers two Microsoft KQL environments: Sentinel and Defender XDR Advanced Hunting. Both use KQL. Both query endpoint telemetry. But the tables and columns differ. This sub walks the schema differences, shows you how the same detection looks in each environment, and confirms your endpoint is visible in Advanced Hunting.
Deliverable: A working understanding of the Sentinel/XDR schema differences and a confirmed first query in Advanced Hunting.
Estimated completion: 20 minutes

Access Advanced Hunting

Open the Microsoft Defender portal. Navigate to Hunting → Advanced Hunting. The query editor loads with the schema explorer on the left.

The schema explorer shows the available tables. The ones you'll use most:

Key Advanced Hunting Tables
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Table                     What it captures
────────────────────────  ───────────────────────────────
DeviceProcessEvents       Process creation + command lines
DeviceNetworkEvents       Network connections
DeviceFileEvents          File creation, modification, deletion
DeviceLogonEvents         Local and remote logons
DeviceRegistryEvents      Registry modifications
IdentityLogonEvents       Entra ID sign-ins
IdentityQueryEvents       AD/LDAP queries
EmailEvents               Email delivery and metadata
CloudAppEvents            Cloud app activity
AlertEvidence             Alert context + entities
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

The key difference: Timestamp vs TimeGenerated

This is the difference that breaks queries when you copy them between portals:

Schema Differences — Sentinel vs Defender XDR
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                    Sentinel                  Defender XDR
Time column:        TimeGenerated             Timestamp
String compare:     =~ (case-insensitive)     == or =~
Table names:        Same                      Same
Column names:       Same                      Same (mostly)
Portal:             portal.azure.com          security.microsoft.com
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Here's the same query in both environments:

// Sentinel — recent process creation
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName,
          InitiatingProcessCommandLine, AccountName
// Defender XDR — same detection
DeviceProcessEvents
| where Timestamp > ago(1h)
| where InitiatingProcessFileName == "powershell.exe"
| project Timestamp, DeviceName,
          InitiatingProcessCommandLine, AccountName

The only differences: TimeGenerated → Timestamp, and =~ → == (though =~ works in both portals, and is the safer choice for file-name columns, since == is case-sensitive and casing such as powershell.exe vs PowerShell.exe varies between sources). Every technique sub in the course shows both versions in the tabbed detection blocks.
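Because the two portals differ only in the time column (and the choice of string operator), a detection can be kept in one form and rendered for the other. The small Python helper below is an added example, not part of the course or of any Microsoft tooling: it renames whole-word column identifiers outside string literals, and it flags case-sensitive == comparisons on *FileName columns. The sample query is constructed from the page's first Sentinel query.

```python
import re

# Column renames between the two portals, taken from the schema table above.
SENTINEL_TO_XDR = {"TimeGenerated": "Timestamp"}
XDR_TO_SENTINEL = {xdr: sen for sen, xdr in SENTINEL_TO_XDR.items()}

# Matches a double-quoted KQL string literal; split() keeps each one as its own part.
_STRING_LITERAL = re.compile(r'("(?:[^"\\]|\\.)*")')


def _rename_columns(query: str, mapping: dict) -> str:
    """Rename whole-word column identifiers, leaving string literals untouched."""
    parts = _STRING_LITERAL.split(query)
    for i, part in enumerate(parts):
        if i % 2 == 1:          # odd parts are the captured literals: keep as-is
            continue
        for old, new in mapping.items():
            part = re.sub(rf"\b{old}\b", new, part)
        parts[i] = part
    return "".join(parts)


def to_xdr(query: str) -> str:
    """Render a Sentinel query for Defender XDR Advanced Hunting."""
    return _rename_columns(query, SENTINEL_TO_XDR)


def to_sentinel(query: str) -> str:
    """Render an Advanced Hunting query for Sentinel."""
    return _rename_columns(query, XDR_TO_SENTINEL)


def lint_case_sensitive_compare(query: str) -> list:
    """Flag '==' against a string literal on *FileName columns.

    '==' is case-sensitive in KQL; '=~' works in both portals and survives
    casing differences such as powershell.exe vs PowerShell.exe.
    Returns (line number, column name) pairs.
    """
    findings = []
    for lineno, line in enumerate(query.splitlines(), start=1):
        m = re.search(r'(\w*FileName)\s*==\s*"', line)
        if m:
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample: the Sentinel version of the page's first query.
SENTINEL_QUERY = """DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, AccountName"""
```

Calling to_xdr(SENTINEL_QUERY) yields the Advanced Hunting form of the same query; a literal such as has "TimeGenerated" inside a string is left alone.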

Run your first query

In Advanced Hunting, paste and run:

// List all devices reporting to Defender
DeviceInfo
| where Timestamp > ago(24h)
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, OSPlatform, OSVersion, OnboardingStatus

You should see your Windows endpoint VM listed. If it's not there, the endpoint isn't onboarded yet — check that the MDE onboarding script was applied (Settings → Endpoints → Onboarding → download the onboarding script and run it on the endpoint VM).

Cross-table query example

Advanced Hunting allows joining across tables. Here's a query that correlates a process event with a network connection — the pattern used in lateral movement detection:

// Process that made a network connection in the last hour
DeviceProcessEvents
| where Timestamp > ago(1h)
// FileName is the created process; InitiatingProcessFileName would be its parent
| where FileName in~ ("powershell.exe", "cmd.exe")
| project ProcessCreationTime = Timestamp, DeviceName,
          FileName, ProcessId
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(1h)
    | where RemotePort in (445, 135, 5985)
    | project NetworkTime = Timestamp, DeviceName, RemoteIP,
              RemotePort, InitiatingProcessId
  ) on $left.DeviceName == $right.DeviceName,
       $left.ProcessId == $right.InitiatingProcessId
// The connection must come after the process was created (PIDs are reused)
| where NetworkTime >= ProcessCreationTime
| project ProcessCreationTime, NetworkTime, DeviceName,
          FileName, RemoteIP, RemotePort

This query finds PowerShell or cmd processes that later made network connections to SMB (445), RPC (135), or WinRM (5985) ports — a lateral movement indicator. You'll use this pattern in Module 9.

Verification checklist

☐ Advanced Hunting loads in the Defender portal
☐ Schema explorer shows DeviceProcessEvents and other tables
☐ DeviceInfo query returns your Windows endpoint VM
☐ Cross-table join query runs without error
☐ You can explain the difference between TimeGenerated and Timestamp

Next
PT1.10 — Secondary SIEM: Splunk Free. Install Splunk Free, configure inputs for Sysmon events, and verify event ingestion. (If you prefer Elastic, skip to PT1.11 instead.)