PT1.9 Defender XDR Advanced Hunting
You've run KQL queries in Sentinel (PT1.8). Defender XDR uses the same query language but different table names, different column names, and a different portal. This sub maps the differences so you can read both formats without confusion when you encounter them in technique subs.
Access Advanced Hunting
Open the Microsoft Defender portal. Navigate to Hunting → Advanced Hunting. The query editor loads with the schema explorer on the left.
The schema explorer shows the available tables. The ones you'll use most:
Key Advanced Hunting Tables
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Table                      What it captures
────────────────────────   ───────────────────────────────
DeviceProcessEvents        Process creation + command lines
DeviceNetworkEvents        Network connections
DeviceFileEvents           File creation, modification, deletion
DeviceLogonEvents          Local and remote logons
DeviceRegistryEvents       Registry modifications
IdentityLogonEvents        Entra ID sign-ins
IdentityQueryEvents        AD/LDAP queries
EmailEvents                Email delivery and metadata
CloudAppEvents             Cloud app activity
AlertEvidence              Alert context + entities
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

The key difference: Timestamp vs TimeGenerated
This is the difference that breaks queries when you copy them between portals:
Schema Differences — Sentinel vs Defender XDR
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                   Sentinel                 Defender XDR
────────────────   ──────────────────────   ──────────────────────
Time column:       TimeGenerated            Timestamp
String compare:    =~ (case-insensitive)    == or =~
Table names:       Same                     Same
Column names:      Same                     Same (mostly)
Portal:            portal.azure.com         security.microsoft.com
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Here's the same query in both environments:
// Sentinel — recent process creation
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where InitiatingProcessFileName =~ "powershell.exe"
| project TimeGenerated, DeviceName,
    InitiatingProcessCommandLine, AccountName

// Defender XDR — same detection
DeviceProcessEvents
| where Timestamp > ago(1h)
| where InitiatingProcessFileName == "powershell.exe"
| project Timestamp, DeviceName,
    InitiatingProcessCommandLine, AccountName
The only differences: TimeGenerated → Timestamp, and =~ → == (though =~ works in both). Every technique sub in the course shows both versions in the tabbed detection blocks.
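To make that rename mechanical when you move a detection between portals, here is an added Python helper (not code from the course or from Microsoft). It swaps the time column in either direction, leaves comments and string literals untouched, and classifies a query by which column it references so a query that mixes both (which fails in either portal) is caught before it is pasted. It assumes, as the table above states, that the time column is the only token that differs; any further column that turns out to differ in your tenant would need its own entry in TIME_COLUMN. The sample query is the Sentinel version from above, extended with a comment and a string literal that mention the column name deliberately.

```python
import re

# Event-time column in each portal: the one rename that breaks copied queries.
TIME_COLUMN = {"sentinel": "TimeGenerated", "defender": "Timestamp"}

# Tokenizer: a line comment, a string literal, or a bare identifier. Comments
# and strings are tried first so a column name inside them is never rewritten;
# only bare identifiers are candidates for renaming.
_TOKEN = re.compile(
    r"(?P<comment>//[^\n]*)"
    r'|(?P<string>"(?:[^"\\\n]|\\.)*"|\'(?:[^\'\\\n]|\\.)*\')'
    r"|(?P<ident>\b[A-Za-z_][A-Za-z0-9_]*\b)"
)


def _identifiers(query: str) -> set:
    """All bare identifiers in the query (comments and strings excluded)."""
    return {m.group("ident") for m in _TOKEN.finditer(query) if m.group("ident")}


def _rename(query: str, old: str, new: str) -> str:
    """Rename identifier `old` to `new` everywhere outside comments and strings."""
    return _TOKEN.sub(lambda m: new if m.group("ident") == old else m.group(0), query)


def to_defender_xdr(query: str) -> str:
    """Rewrite a Sentinel query for Advanced Hunting (TimeGenerated -> Timestamp)."""
    return _rename(query, TIME_COLUMN["sentinel"], TIME_COLUMN["defender"])


def to_sentinel(query: str) -> str:
    """Rewrite an Advanced Hunting query for Sentinel (Timestamp -> TimeGenerated)."""
    return _rename(query, TIME_COLUMN["defender"], TIME_COLUMN["sentinel"])


def portal_of(query: str) -> str:
    """Classify a query by the time column it uses: 'sentinel', 'defender',
    'mixed' (both columns: it will fail in either portal) or 'unknown'
    (no time column referenced, so it is portable as written)."""
    idents = _identifiers(query)
    uses = {name for name, col in TIME_COLUMN.items() if col in idents}
    if len(uses) == 2:
        return "mixed"
    return uses.pop() if uses else "unknown"


# Constructed input: the Sentinel query from above, plus a comment and a string
# literal that mention the column name so the tokenizer's exclusions are exercised.
SENTINEL_QUERY = """\
// Sentinel - recent process creation (TimeGenerated is the Sentinel column)
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where InitiatingProcessFileName =~ "powershell.exe"
| extend Note = "copied from a TimeGenerated-based rule"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, AccountName
"""

if __name__ == "__main__":
    print(portal_of(SENTINEL_QUERY))
    print(to_defender_xdr(SENTINEL_QUERY))
```

The helper deliberately does not touch `=~`: as the text says, the case-insensitive operator works in both portals, so rewriting it to `==` would only make the Defender version stricter than the Sentinel original.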
Run your first query
In Advanced Hunting, paste and run:
// List all devices reporting to Defender
DeviceInfo
| where Timestamp > ago(24h)
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, OSPlatform, OSVersion, OnboardingStatus

You should see your Windows endpoint VM listed. If it's not there, the endpoint isn't onboarded yet — check that the MDE onboarding script was applied (Settings → Endpoints → Onboarding → download the onboarding script and run it on the endpoint VM).
Cross-table query example
Advanced Hunting allows joining across tables. Here's a query that correlates a process event with a network connection — the pattern used in lateral movement detection:
// Process that made a network connection in the last hour
DeviceProcessEvents
| where Timestamp > ago(1h)
// FileName is the created process and ProcessId is its PID, which is the join
// key below. InitiatingProcessFileName would name the parent, not that process.
| where FileName in~ ("powershell.exe", "cmd.exe")
| project ProcessCreationTime = Timestamp, DeviceName,
    FileName, ProcessId
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(1h)
    | where RemotePort in (445, 135, 5985)
    | project NetworkTime = Timestamp, DeviceName, RemoteIP,
        RemotePort, InitiatingProcessId
) on $left.DeviceName == $right.DeviceName,
    $left.ProcessId == $right.InitiatingProcessId
// PIDs are reused: keep only connections made after this process was created.
| where NetworkTime >= ProcessCreationTime
| project ProcessCreationTime, DeviceName,
    FileName, RemoteIP, RemotePort

This query finds PowerShell or cmd processes that also made network connections to SMB (445), RPC (135), or WinRM (5985) ports — a lateral movement indicator. You'll use this pattern in Module 9.
Verification checklist
☐ Advanced Hunting loads in the Defender portal
☐ Schema explorer shows DeviceProcessEvents and other tables
☐ DeviceInfo query returns your Windows endpoint VM
☐ Cross-table join query runs without error
☐ You can explain the difference between TimeGenerated and Timestamp

You've built the lab and understand the validation gap.
Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.
- 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
- Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
- Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
- Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
- Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course