Constructing KQL queries to hunt
M365D advanced hunting has two ways of constructing queries, as mentioned in the Understanding advanced hunting section: the more basic Query in builder (guided) and the more advanced Query in editor. Let us start by looking at the builder option, as it might be just what you need to take that next step in advanced hunting:
- In the Microsoft 365 Defender portal, go to Advanced hunting | + Create new | Query in builder:
Figure 19.1 – Creating a new Query in builder
- In the builder, we can start by adding the information we want to look for in the different fields:
Figure 19.2 – Showing the result of entering just a device name in the query builder