Investigate Incidents with Advanced Hunting
Manage security incidents and alerts in Defender XDR, correlate signals across workloads, and use KQL-based advanced hunting to find hidden threats.
From alerts to incidents — the correlation engine
Defender XDR automatically groups related alerts from different products into a single incident.
Imagine a phishing email arrives (Defender for Office 365 alert), the user clicks the link (Defender for Endpoint alert), credentials are harvested (Entra Identity Protection alert), and the attacker accesses SharePoint (Defender for Cloud Apps alert). Without correlation, that is four separate alerts across four consoles. Defender XDR links them into one incident with a full attack story — from initial access to data exfiltration.
Your job as an admin is to investigate the incident, classify it, assign it, and resolve it. Advanced hunting with KQL lets you dig deeper when the automated correlation misses something.
Incidents vs alerts
| Feature | Incidents | Alerts |
|---|---|---|
| Definition | A correlated group of related alerts representing a single attack | An individual detection from a single Defender product |
| Scope | Cross-workload — spans email, identity, endpoint, cloud apps | Single workload — generated by one Defender product |
| Primary view | Attack story with visual graph | Alert detail page with specific evidence |
| Management | Assign, classify (True/False positive), set determination, resolve | Link to incident, suppress, or tune the detection rule |
| Contains | Multiple alerts, affected assets, evidence, investigation graph | Specific detection details, severity, category, MITRE technique |
Incident management lifecycle
When Elena triages incidents at MedGuard Health, she follows a structured workflow:
1. Triage — prioritise by severity and scope
The incident queue shows all open incidents sorted by severity (High, Medium, Low, Informational). Elena filters for High severity first and checks the affected assets count — an incident touching 50 mailboxes gets attention before one affecting a single device.
2. Investigate — understand the full attack story
The Attack story tab visualises the incident as a graph:
- Root cause node — where the attack started (e.g., a phishing email)
- Progression nodes — how the attack moved (e.g., credential harvest, lateral movement)
- Impact nodes — what the attacker accessed or damaged
Elena clicks through each alert in the incident to review the evidence: email headers, process trees, sign-in logs, file hashes.
3. Classify and determine
| Classification | When to Use |
|---|---|
| True positive | The incident represents a real threat that requires remediation |
| Informational, expected activity | The activity is legitimate but triggered an alert (e.g., a red team exercise) |
| False positive | The detection was incorrect — tune the rule to prevent recurrence |
After classifying as true positive, Elena sets a determination — multi-stage attack, compromised account, malware, phishing, or unwanted software.
4. Respond — contain and remediate
Response actions available directly from the incident:
- Isolate a device — cut network access while keeping the Defender for Endpoint management channel alive
- Disable a user account — prevent further sign-ins while investigating
- Soft-delete emails — remove malicious messages from all recipient mailboxes
- Block a file or URL — add to the tenant block list
- Run automated investigation — trigger Defender’s AIR to expand the investigation
5. Resolve — close with documentation
Mark the incident as Resolved with the classification and determination set. This feeds into reporting and helps tune future detections.
Exam tip: Who can manage incidents?
Incident management requires the Security Operator or Security Administrator role in Defender XDR. Security Readers can view incidents but cannot assign, classify, or take response actions. The exam may test this in a “least privilege” scenario — if Elena only needs to view incidents, Security Reader is sufficient. If she needs to triage and respond, she needs Security Operator at minimum.
Alert correlation across Defender products
Understanding which products generate which alerts is critical for the exam:
| Defender Product | What It Detects | Example Alert |
|---|---|---|
| Defender for Office 365 | Email-borne threats — phishing, malware, BEC | ”Email messages containing phishing URL removed after delivery” |
| Defender for Endpoint | Endpoint threats — malware execution, suspicious processes, exploitation | ”Suspicious PowerShell command line” |
| Defender for Identity | Identity threats — lateral movement, privilege escalation, reconnaissance | ”Suspected brute-force attack (Kerberos, NTLM)“ |
| Defender for Cloud Apps | Cloud app risks — impossible travel, mass download, OAuth abuse | ”Activity from infrequent country” |
| Entra Identity Protection | Sign-in and user risk — leaked credentials, anonymous IPs | ”User risk level changed to High” |
When these alerts share common entities (same user clicked a phishing link, then ran malware on their endpoint, then authenticated to SharePoint from a new location), Defender XDR correlates them into a single incident.
Advanced hunting with KQL
Advanced hunting is the proactive investigation tool — it lets you query raw telemetry using Kusto Query Language (KQL) across all Defender workloads.
Key tables for MS-102
| Table | Data Source | Use Case |
|---|---|---|
| EmailEvents | Defender for Office 365 | Search email deliveries, sender analysis, subject line patterns |
| EmailAttachmentInfo | Defender for Office 365 | Find emails with specific attachment types or hashes |
| EmailUrlInfo | Defender for Office 365 | Track URL clicks and phishing link analysis |
| IdentityLogonEvents | Defender for Identity | Investigate sign-in patterns, failed logon attempts |
| DeviceProcessEvents | Defender for Endpoint | Hunt for suspicious process execution |
| CloudAppEvents | Defender for Cloud Apps | Audit cloud app activity, file downloads, sharing |
| AlertEvidence | All Defender products | Query evidence collected across all alerts |
Essential KQL patterns
Elena uses these query patterns daily at MedGuard:
Find phishing emails delivered in the last 24 hours:
EmailEvents
| where Timestamp > ago(1d)
| where ThreatTypes has "Phish"
| where DeliveryAction == "Delivered"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, ThreatTypes
| order by Timestamp descIdentify users who clicked a specific malicious URL:
EmailUrlInfo
| where Url contains "malicious-domain.com"
| join kind=inner EmailEvents on NetworkMessageId
| project Timestamp, RecipientEmailAddress, Url, SubjectHunt for suspicious PowerShell on endpoints (post-phishing compromise):
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadString", "EncodedCommand")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp descDeep dive: KQL operators you need to know
The exam won’t ask you to write complex KQL from scratch, but you need to recognise what queries do:
- where — filters rows based on a condition
- project — selects specific columns (like SQL SELECT)
- order by — sorts results
- summarize — aggregates data (count, sum, avg)
- join — combines two tables on a common column
- has — case-insensitive substring match (faster than contains for single words)
- has_any — matches any value in a list
- ago() — time function for relative time ranges (ago(1d), ago(7d), ago(1h))
- extend — adds a calculated column to the result set
Read queries from top to bottom — each pipe operator transforms the result of the previous line.
Custom detection rules
You can save a hunting query as a custom detection rule that runs on a configurable schedule (from every 5 minutes to every 14 days). When the query returns results, Defender XDR automatically creates alerts — turning a one-time hunt into continuous monitoring.
Elena creates a custom detection for “any MedGuard user who clicks a URL in an email from an external sender and then runs PowerShell within 10 minutes” — a pattern that matches phishing-to-compromise chains specific to healthcare targeting.
Exam tip: Hunting permissions and quotas
Advanced hunting requires the Security Operator or Security Administrator role. Queries have a 30-day lookback limit for most tables and a 100,000-row result limit per query. The exam may ask about these constraints in capacity-planning scenarios.
Scenario: Elena investigates a phishing incident
A nurse at MedGuard Health reports a suspicious email. Elena traces the attack through the incident:
- Alert 1 (Defender for Office 365) — “Phishing email delivered” — an email with a credential-harvesting link was delivered to 12 staff members
- Alert 2 (Defender for Endpoint) — “Suspicious browser activity” — 3 users clicked the link, and the browser launched a fake login page
- Alert 3 (Entra Identity Protection) — “Anomalous token” — one user’s session token shows unusual properties, suggesting token theft
- Alert 4 (Defender for Cloud Apps) — “Mass file download” — the compromised account downloaded 200 patient files from SharePoint
Defender XDR correlates all four alerts into Incident #4821. The attack story shows the full chain: phishing > credential harvest > token theft > data exfiltration.
Elena’s response:
- Soft-delete the phishing email from all 12 mailboxes
- Revoke sessions for the compromised user account
- Force password change and MFA re-registration
- Isolate the device that showed suspicious browser activity
- Run advanced hunting to check if any other users clicked similar links in the past 7 days
- Report the incident to MedGuard’s compliance team (HIPAA breach notification may be required)
Key concepts to remember
Knowledge check
Elena sees an incident in Defender XDR containing alerts from Defender for Office 365 (phishing email), Defender for Endpoint (suspicious process), and Entra Identity Protection (risky sign-in). All three alerts reference the same user. Elena determines this is a legitimate red team exercise conducted by MedGuard's security consultant. How should she classify this incident?
Priya needs to find all emails delivered to GlobalReach users in the past 48 hours that contained URLs to a specific phishing domain. Which KQL approach is correct?
Marcus at Oakwood Financial wants to create a custom detection rule that automatically alerts when any user downloads more than 100 files from SharePoint within 30 minutes. Which table should the hunting query target, and what is a key limitation he should know?
🎬 Video coming soon
Next up: Defender for Office 365: Threat Policies — where Priya implements Safe Attachments, Safe Links, and anti-phishing policies to protect GlobalReach’s 20,000 users.