Applies to:
Microsoft Defender Experts for Hunting combines human intelligence with expert-trained technology to help Microsoft Defender XDR customers understand the significant threats they face. It highlights how Defender Experts' threat hunting skills, thorough understanding of the threat landscape, and knowledge of emerging threats can help you identify, prioritize, and address those threats in your environment.
The Defender Experts for Hunting service generates reports to help you understand all the threats the hunting service surfaced in your environment, alongside the alerts generated by your Microsoft Defender XDR products. You can view the report in the current (running) month, or in one-, three-, or six-month periods.
To view the report in your Microsoft Defender portal, go to Reports, select Defender Experts > Hunting report. Each section of the report is designed to provide more insights into the threats and suspicious activities our Defender Experts found in your environment.
Refer to the following screenshot of a sample report:
Identify prevalent threats and other potential attack entry points
Signals from Microsoft Defender XDR and investigations by Defender Experts for Hunting help identify suspicious activities in your environment. Significant threat activities have corresponding Defender Experts Notifications, which also provide recommendations to remediate and defend your organization.
The top section of the report provides you with the total number of hunts, suspicious threats investigated, and Defender Experts Notifications our experts sent for your chosen period:
To view these notifications, select View Defender Experts Notifications. This action redirects you to the Microsoft Defender portal Incidents page. Defender Experts for Hunting alerts or Defender Experts Notifications have the Defender Experts tag.
Note
The View Defender Experts Notifications button only appears if the number of threats identified is at least 1.
All other identified activities are visualized or summarized in the following sections:
Hunt trend
The Hunt trend section displays a trendline chart of the number of hunting activities Defender Experts conducted in your environment for your chosen time period. This chart gives you visibility of the continuous monitoring and investigation our experts are doing even if they don't find any active threats or suspicious activities.
Emerging threats
The Emerging threats section details the proactive, hypothesis-based hunts we conducted in your environment. These hunts focus on tactics that threat actors are just beginning to adopt and other threat intelligence. By surfacing these hunts, we give you visibility into how we're anticipating attacker behavior, validating your defenses against new and notable techniques, and identifying relevant suspicious activity before significant exploitation.
This section is a table that shows the threat title, whether we identified impact in your environment, the threat's severity, and threat category. It aggregates our hunts for emerging threats based on their severity. You can filter this section by the hunts' severity and threat category.
Selecting one of the threat titles opens a side panel with its hunting summary, which summarizes our findings about the threat. Hunting summaries give you insight into our investigations and keep you updated with the threat landscape.
Hunts by threat category
The Hunts by threat category section displays hunting activity tiles that are sorted according to their threat categories. This sorting helps you visualize what an activity is trying to achieve in each attack phase so you can plan the corresponding containment and remediation actions.
You can filter the activities displayed in the table by choosing any of the following options in the dropdown menu:
- All – Displays all true positive, benign true positive, and false positive activities.
- Suspicious activities – Displays identified true positive and benign true positive activities in your environment. Not all suspicious activities have corresponding Defender Experts Notifications.
- Defender Experts Notified – Displays activities with corresponding Defender Experts Notifications only.
You can also toggle Show all categories if you want to display or hide categories that don't have related activities.
Each activity tile shows the number of hunts Defender Experts conducted related to it. It might also display any of the three icons corresponding to related hunts, hunting summaries, and Defender Experts Notifications.
Hunting summaries
Each hunt that Defender Experts conduct tells a story, even when they don't find an active threat. Nearly every hunt that Defender Experts conduct in your environment has a corresponding investigation summary, regardless of whether they identified a confirmed threat.
When you select one of the threat titles in the Emerging threats section or one of the activity tiles with the scroll icon in the Hunts by threat category section, a side panel opens that displays the hunting summary, or summary of the investigation related to the threat or activity: what the Defender Experts hunted for, why they hunted for it, and how they reached their final determination. The summary also provides the dates and times the hunt started and concluded, the hunt classification, and impacted assets. If applicable, it also provides links to view related Defender Experts Notifications.
Know and understand the security weak spots in your environment
The Top trending suspicious activities section of the report identifies up to 20 suspicious activities that Defender Experts consistently observed in your environment in the last three months, sorted based on their severity rating and frequency of occurrence:
Because this section shows the most critical and frequently observed activities, you can assess and evaluate their impact and develop strategies to prevent or mitigate potential threats to your environment.
Select View details in each card to open a flyout panel that details the impacted devices and users. If applicable, the page also provides links to view related Defender Experts Notifications.