Microsoft Threat Protection ‘Jupyter notebook’ #AdvancedHunting sample

Maarten Goet
Aug 28 · 4 min read

TL;DR — I’ve created a Microsoft Threat Protection advanced hunting Jupyter notebook and shared it on my GitHub repository:

Microsoft Threat Protection

Microsoft Threat Protection unifies pre- and post-breach enterprise defenses and natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.


It combines the power of Microsoft Defender ATP, Azure AD Identity Protection, Microsoft Cloud App Security and Office 365 ATP. If you have two or more of these products in your environment, try out MTP by going to

Advanced Hunting

Microsoft Threat Protection features a built-in Advanced Hunting capability, much like the one in Microsoft Defender ATP.


New to advanced hunting? I published a longer blog earlier that takes you down the rabbit hole and teaches you the basics of analyzing malware discovered by Microsoft Threat Protection.

MTP Advanced Hunting blog here:


Although the built-in KQL-based Advanced Hunting capabilities already cover most incident investigations, a complex investigation may require the hunter to move to Jupyter.

It is more advanced and certainly requires more experience (preferably including Python skills), but it extends Microsoft Threat Protection in many ways: for instance by combining note taking (Markdown) with code (Python) and the ability to pull in third-party data sources.


I’ve written an introduction into Jupyter and hunting in an earlier blog. Have a look at that article if you need more information on this.

Hunting with Jupyter blog here:

PRO TIP: Ian Hellen (Microsoft Threat Intelligence Center) and I presented on Jupyter-based hunting and the MSTIC toolkit at MS Ignite 2019. Recording here:

Visual Studio Code

You might think that using Jupyter is hard, but that is not the case. Better yet: you can use the IDE you already know and love, Visual Studio Code. Microsoft's Python extension includes support for Jupyter notebooks.

Visual Studio Code + Jupyter blog here:



Before we can use the Microsoft Threat Protection API from a Jupyter notebook, we first have to register an application in Azure Active Directory and create a client secret for it. Under the application's API permissions, pick the Microsoft Threat Protection API, choose Application permissions and select AdvancedHunting.Read.All. Application permissions only take effect once an administrator grants consent for the tenant, and the client secret belongs in an environment variable or a secret store, not in a notebook you commit to Git.


PRO TIP: Did you already create an Azure AD application for hunting with Microsoft Defender ATP? Make sure you add the new, extra permissions for the MTP API as well: the permissions granted on the Defender ATP API are scoped to that API and do not carry over to the MTP API.


Advanced Hunting notebook

I’ve not seen a sample Advanced Hunting notebook for Microsoft Threat Protection from the community yet, so I figured I would create one and contribute back.


Download the MTP Advanced Hunting notebook here:
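To show what the notebook does once the Azure AD application from the previous section is in place, here is a stand-alone Python script. It is an added example, not the notebook from the post and not Microsoft code: it obtains an app-only token with the client-credentials flow, submits a KQL query to the advanced hunting endpoint and tallies the rows per device, using only the standard library. The token URL, scope, endpoint and request/response shape follow the public MTP API documentation as I know it and should be checked against the current docs; the environment variable names, the hunting query and the sample response are assumptions made for this example.

```python
"""
Query the Microsoft Threat Protection Advanced Hunting API from Python using
an Azure AD application (client-credentials flow).

Added example, not the notebook from the post. Assumed: the app registration
holds the AdvancedHunting.Read.All application permission on the Microsoft
Threat Protection API with admin consent granted; endpoint and scope values
follow the public API documentation and should be verified against the
current docs. Only the standard library is used.
"""
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
API_SCOPE = "https://api.security.microsoft.com/.default"
HUNT_URL = "https://api.security.microsoft.com/api/advancedhunting/run"

# Hunting query for this example: encoded PowerShell launches in the last week.
HUNT_QUERY = """
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand")
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| take 100
"""


def _post(url, body, headers):
    """HTTP POST that returns the parsed JSON response (stdlib only)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))


def get_token(tenant_id, client_id, client_secret, post=_post):
    """Exchange the app id and secret for a bearer token scoped to the MTP API."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": API_SCOPE,
    }).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return post(TOKEN_URL.format(tenant=tenant_id), form, headers)["access_token"]


def run_query(token, kql, post=_post):
    """Submit a KQL query and return (column names, list of row dicts)."""
    body = json.dumps({"Query": kql}).encode("utf-8")
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    resp = post(HUNT_URL, body, headers)
    columns = [col["Name"] for col in resp.get("Schema", [])]
    return columns, resp.get("Results", [])


def count_by(rows, column):
    """Group result rows by one column, most frequent first."""
    counts = {}
    for row in rows:
        key = row.get(column)
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0]))))


# Constructed sample in the shape the API returns, so the parsing path can be
# exercised without a tenant (host names and command lines are made up).
SAMPLE_RESPONSE = {
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "DeviceName", "Type": "String"},
        {"Name": "FileName", "Type": "String"},
        {"Name": "ProcessCommandLine", "Type": "String"},
    ],
    "Results": [
        {"Timestamp": "2020-08-20T10:01:00Z", "DeviceName": "ws01",
         "FileName": "powershell.exe",
         "ProcessCommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
        {"Timestamp": "2020-08-20T10:02:30Z", "DeviceName": "srv02",
         "FileName": "powershell.exe",
         "ProcessCommandLine": "powershell.exe -EncodedCommand JABjAD0A"},
        {"Timestamp": "2020-08-21T07:15:12Z", "DeviceName": "ws01",
         "FileName": "powershell.exe",
         "ProcessCommandLine": "powershell.exe -enc VwByAGkA"},
    ],
}


if __name__ == "__main__":
    # Credentials come from the environment (assumed variable names), never
    # from the notebook source.
    token = get_token(os.environ["MTP_TENANT_ID"], os.environ["MTP_CLIENT_ID"],
                      os.environ["MTP_CLIENT_SECRET"])
    columns, rows = run_query(token, HUNT_QUERY)
    print(columns)
    for device, hits in count_by(rows, "DeviceName").items():
        print(f"{device}: {hits} encoded PowerShell launches")
```

The `post` parameter exists so the HTTP layer can be swapped for a stub while developing the notebook; in a real notebook the same `run_query` result feeds straight into a pandas DataFrame for the analysis steps.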


MTP Cheat Sheet

In search of some good MTP Advanced Hunting query samples? Milad Aslaner has you covered with his MTP Cheat Sheet!

MTP Advanced Hunting query cheat sheet here:

Happy hunting!

— Maarten Goet, MVP & RD


Microsoft Cloud & Enterprise Security
