| title | Extend advanced hunting coverage with the right settings | ||
|---|---|---|---|
| description | Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting | ||
| search.appverid | met150 | ||
| ms.service | defender-xdr | ||
| ms.subservice | adv-hunting | ||
| f1.keywords |
|
||
| ms.author | pauloliveria | ||
| author | poliveria | ||
| ms.localizationpriority | medium | ||
| manager | dansimp | ||
| audience | ITPro | ||
| ms.collection |
|
||
| ms.custom |
|
||
| appliesto |
|
||
| ms.topic | how-to | ||
| ms.date | 03/28/2025 |
[!INCLUDE Microsoft Defender XDR rebranding]
Advanced hunting relies on data coming from various sources, including your devices, your Office 365 workspaces, Microsoft Entra ID, and Microsoft Defender for Identity. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.
| Data | Description | Schema table | How to configure |
|---|---|---|---|
| Account management | Events captured as various ActionType values indicating local account creation, deletion, and other account-related activities |
DeviceEvents | - Deploy an advanced security audit policy: Audit User Account Management - Learn about advanced security audit policies |
| Security group management | Events captured as various ActionType values indicating local security group creation and other local group management activities |
DeviceEvents | - Deploy an advanced security audit policy: Audit Security Group Management - Learn about advanced security audit policies |
| Service installation | Events captured with the ActionType value ServiceInstalled, indicating that a service has been created |
DeviceEvents | - Deploy an advanced security audit policy: Audit Security System Extension - Learn about advanced security audit policies |
If you're running Active Directory on premises, you need to install the Microsoft Defender for Identity sensor on the domain controller to get data for Microsoft Defender for Identity. When installed and properly configured, this data also feeds into advanced hunting through Microsoft Defender for Identity and provides a more holistic picture of identity information and events in your network. This data also enhances the ability of Microsoft Defender for Identity to generate relevant alerts that are also covered by advanced hunting.
| Data | Description | Schema table | How to configure |
|---|---|---|---|
| Domain controller | Data from on-premises Active Directory sent to Microsoft Defender for Identity, enriching identity-related information, such as account details, logon activity, and Active Directory queries | Multiple tables, including IdentityInfo, IdentityLogonEvents, and IdentityQueryEvents | - Install the Microsoft Defender for Identity sensor - Turn on relevant Windows Events |
Note
Some tables in this article might not be available in Microsoft Defender for Endpoint. Turn on Microsoft Defender XDR to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft Defender XDR by following the steps in Migrate advanced hunting queries from Microsoft Defender for Endpoint.