March 31, 2023
Microsoft Security

Microsoft 365 Defender: Guided hunting


This demo shows Guided hunting in Microsoft 365 Defender—a visual query builder for Advanced hunting that doesn’t require KQL or schema knowledge. It compares the two modes (Query in editor vs Query in builder), then builds a phishing-focused hunt by filtering delivered messages on ThreatTypes (phish, malware, spam) and DeliveryLocation (inbox and junk). From there it expands the query by selecting a suspicious SenderMailFromDomain value directly from the results, adding it as a filter, and layering in UrlCount > 0 to focus on messages containing links. The walkthrough also covers quality-of-life features: customizing displayed columns without writing a KQL project clause, opening entity details via linked fields such as NetworkMessageId, taking action on results from within Advanced hunting, and using Edit in KQL to reveal the generated query as a learning path.
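For readers who want to see where the "Edit in KQL" step lands, the following is an added example of the kind of Advanced hunting query the builder produces once the four filters from the demo are stacked; it is not taken from the video or from Microsoft's own material. Column names (ThreatTypes, DeliveryLocation, SenderMailFromDomain, UrlCount, NetworkMessageId) are from the EmailEvents schema; the exact DeliveryLocation string values and the seven-day window are assumptions, and the sender domain is a placeholder to be replaced with the value picked from the results grid.

```kql
// Added example, not the video's own query. Builds the phishing hunt from the
// demo as explicit KQL so the builder's output is easier to read.
EmailEvents
| where Timestamp > ago(7d)                                   // assumed look-back window
// Step 1: keep messages with a phish, malware or spam verdict.
// ThreatTypes is a comma-separated string, so has_any matches any listed term.
| where ThreatTypes has_any ("Phish", "Malware", "Spam")
// Step 2: only messages that actually reached a mailbox (inbox or junk).
// Literal folder names are assumed from the schema documentation.
| where DeliveryLocation in ("Inbox/folder", "Junk folder")
// Step 3: the sender domain selected from the results grid (placeholder value).
| where SenderMailFromDomain == "suspicious-sender.example"
// Step 4: narrow to messages that carry at least one URL.
| where UrlCount > 0
// Equivalent of customizing the displayed columns in the builder;
// NetworkMessageId stays in so each row links to the message's entity page.
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderMailFromDomain,
          RecipientEmailAddress, Subject, ThreatTypes, DeliveryLocation, UrlCount
| order by Timestamp desc
```

Reading the query top to bottom mirrors the filter-inspect-refine loop the demo choreographs: each `where` line is one chip added in the builder, and the `project` line is the column picker. Once the delivered messages are listed, the NetworkMessageId values are what an analyst uses to open the message entity and take a remediation action (soft delete, move to junk) from the hunting results, exactly as the walkthrough shows.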

We produced this as an approachable, confidence-building tutorial—built to make “advanced hunting” feel accessible to any analyst. We choreographed the on-screen steps to match how people actually explore data (filter, inspect, refine), kept the visuals uncluttered, and tuned the pacing so viewers can follow along live. Final delivery includes closed captions, audio description, and thumbnails.
