Edit

security: runHuntingQuery

Namespace: microsoft.graph.security

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Query a specified set of event, activity, or entity data supported by Microsoft Defender XDR to proactively look for specific threats in your environment.

This method is for advanced hunting in Microsoft Defender XDR. This method includes a query in Kusto Query Language (KQL). It specifies a data table in the advanced hunting schema and a piped sequence of operators to filter or search that data and format the query output in specific ways.

Find out more about hunting for threats across devices, emails, apps, and identities. Learn about KQL.

For information on using advanced hunting in the Microsoft Defender portal, see Proactively hunt for threats with advanced hunting in Microsoft Defender XDR.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) ThreatHunting.Read.All Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application ThreatHunting.Read.All Not available.

Important

The signed-in user also needs one of the following roles:

HTTP request

POST /security/runHuntingQuery

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Note

If you're using non-ANSI characters in your query, for example, to query email subjects with malformed or lookalike characters, use application/json; charset=utf-8 for the Content-Type header.

Request body

In the request body, provide a JSON object for the query parameter, and optionally include a timespan parameter and a workspaceId parameter.

Parameter Type Description Example
query String Required. The hunting query in Kusto Query Language (KQL). For more information, see KQL quick reference.
timespan String Optional. The interval of time over which to query data, in ISO 8601 format. The default value is 30 days. If a time filter is specified in both the query and the timespan parameter, the shorter time span is applied.
workspaceId Guid Optional. The GUID of a specific Log Analytics workspace to target. If omitted, the service uses the caller's primary workspace. If the workspace isn't found or not accessible, the service falls back to the caller's primary workspace. 00000000-0000-0000-0000-000000000001

The following examples show the possible formats for the timespan parameter:

  • Date/Date: "2024-02-01T08:00:00Z/2024-02-15T08:00:00Z" - Start and end dates.
  • Duration/endDate: "P30D/2024-02-15T08:00:00Z" - A period before the end date.
  • Start/duration: "2024-02-01T08:00:00Z/P30D" - Start date and duration.
  • ISO8601 duration: "P30D" - Duration from now backwards.
  • Single date/time: "2024-02-01T08:00:00Z" - Start time with end time defaulted to the current time.

Response

If successful, this action returns a 200 OK response code and a huntingQueryResults in the response body.

Examples

Example 1: Query with default timespan

Request

The following example specifies a KQL query and:

  • Looks into the DeviceProcessEvents table in the advanced hunting schema.
  • Filters on the condition that the powershell.exe process initiates the event.
  • Specifies the output of three columns from the same table for each row: Timestamp, FileName, InitiatingProcessFileName.
  • Sorts the output by the Timestamp value.
  • Limits the output to two records (two rows).
POST https://graph.microsoft.com/beta/security/runHuntingQuery

{
    "query": "DeviceProcessEvents | where InitiatingProcessFileName =~ \"powershell.exe\" | project Timestamp, FileName, InitiatingProcessFileName | order by Timestamp desc | limit 2"
}

Response

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#microsoft.graph.security.huntingQueryResults",
    "schema": [
        {
            "name": "Timestamp",
            "type": "DateTime"
        },
        {
            "name": "FileName",
            "type": "String"
        },
        {
            "name": "InitiatingProcessFileName",
            "type": "String"
        }
    ],
    "results": [
        {
            "Timestamp": "2024-03-26T09:39:50.7688641Z",
            "FileName": "cmd.exe",
            "InitiatingProcessFileName": "powershell.exe"
        },
        {
            "Timestamp": "2024-03-26T09:39:49.4353788Z",
            "FileName": "cmd.exe",
            "InitiatingProcessFileName": "powershell.exe"
        }
    ]
}

Example 2: Query with optional the timespan parameter specified

Request

This example specifies a KQL query and looks into the deviceProcessEvents table in the advanced hunting schema 60 days back.

POST https://graph.microsoft.com/beta/security/runHuntingQuery

{
    "query": "DeviceProcessEvents",
    "timespan": "P90D"
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "schema": [
        {
            "Name": "Timestamp",
            "Type": "DateTime"
        },
        {
            "Name": "FileName",
            "Type": "String"
        },
        {
            "Name": "InitiatingProcessFileName",
            "Type": "String"
        }
    ],
    "results": [
        {
            "Timestamp": "2020-08-30T06:38:35.7664356Z",
            "FileName": "conhost.exe",
            "InitiatingProcessFileName": "powershell.exe"
        },
        {
            "Timestamp": "2020-08-30T06:38:30.5163363Z",
            "FileName": "conhost.exe",
            "InitiatingProcessFileName": "powershell.exe"
        }
    ]
}

Example 3: Query against a specific workspace

Request

The following example specifies a KQL query and targets a specific Log Analytics workspace by passing the optional workspaceId parameter.

POST https://graph.microsoft.com/beta/security/runHuntingQuery
Content-Type: application/json

{
    "query": "DeviceProcessEvents | where InitiatingProcessFileName =~ \"powershell.exe\" | project Timestamp, FileName, InitiatingProcessFileName | order by Timestamp desc | limit 2",
    "timespan": "P1D",
    "workspaceId": "00000000-0000-0000-0000-000000000001"
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "schema": [
        {
            "name": "Timestamp",
            "type": "DateTime"
        },
        {
            "name": "FileName",
            "type": "String"
        },
        {
            "name": "InitiatingProcessFileName",
            "type": "String"
        }
    ],
    "results": [
        {
            "Timestamp": "2026-03-10T06:38:35.766Z",
            "FileName": "conhost.exe",
            "InitiatingProcessFileName": "powershell.exe"
        },
        {
            "Timestamp": "2026-03-10T06:38:30.516Z",
            "FileName": "conhost.exe",
            "InitiatingProcessFileName": "powershell.exe"
        }
    ]
}