microsoftgraph
diff --git a/‎api-reference/beta/api/security-security-gethuntingschema.md‎
Lines changed: 173 additions & 0 deletions b/‎api-reference/beta/api/security-security-gethuntingschema.md‎
Lines changed: 173 additions & 0 deletions
diff --git a/‎api-reference/beta/resources/security-huntingschemabuiltinfunction.md‎
Lines changed: 51 additions & 0 deletions b/‎api-reference/beta/resources/security-huntingschemabuiltinfunction.md‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎api-reference/beta/resources/security-huntingschemafunctionparameter.md‎
Lines changed: 45 additions & 0 deletions b/‎api-reference/beta/resources/security-huntingschemafunctionparameter.md‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎api-reference/beta/resources/security-huntingschemafunctions.md‎
Lines changed: 43 additions & 0 deletions b/‎api-reference/beta/resources/security-huntingschemafunctions.md‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎api-reference/beta/resources/security-huntingschemaresult.md‎
Lines changed: 43 additions & 0 deletions b/‎api-reference/beta/resources/security-huntingschemaresult.md‎
Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,173 @@
+---
+title: "security: getHuntingSchema"
+description: "Retrieve the advanced hunting schema accessible to the signed-in user."
+author: "nitzanfrogel"
+ms.localizationpriority: medium
+ms.subservice: "security"
+doc_type: apiPageType
+ms.date: 05/13/2026
+---
+
+# security: getHuntingSchema
+
+Namespace: microsoft.graph.security
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Retrieve the advanced hunting schema accessible to the signed-in user, including the tables and functions the user is authorized to query and invoke in [advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide&preserve-view=true) with Microsoft Defender XDR.
+
+The returned schema reflects the user's effective permissions. Each user within a tenant may have a different effective schema depending on their role and access level.
+
+Common use cases include:
+
+- **Preventing unauthorized queries**: Determine which tables and functions a user can access before executing Kusto queries, reducing the risk of authorization failures.
+- **Permission-aware query generation**: Enable applications and tools to construct queries dynamically based on the user's effective schema.
+
+[!INCLUDE [national-cloud-support](../../includes/global-us.md)]
+
+## Permissions
+
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- { "blockType": "permissions", "name": "security_security_gethuntingschema" } -->
+[!INCLUDE [permissions-table](../includes/permissions/security-security-gethuntingschema-permissions.md)]
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+```http
+GET /security/getHuntingSchema
+```
+
+## Request headers
+
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+
+## Request body
+
+Don't supply a request body for this method.
+
+## Response
+
+If successful, this function returns a `200 OK` response code and a [huntingSchemaResult](../resources/security-huntingschemaresult.md) in the response body.
+
+## Examples
+
+### Request
+
+<!-- {
+  "blockType": "request",
+  "name": "security_gethuntingschema"
+}
+-->
+```http
+GET https://graph.microsoft.com/beta/security/getHuntingSchema
+```
+
+### Response
+
+<!-- {
+  "blockType": "response",
+  "@odata.type": "microsoft.graph.security.huntingSchemaResult",
+  "truncated": true
+}
+-->
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+  "tables": [
+    {
+      "name": "DeviceProcessEvents",
+      "description": "Process creation and related events",
+      "columns": [
+        {
+          "name": "Timestamp",
+          "dataType": "DateTime",
+          "description": "Date and time when the record was generated"
+        },
+        {
+          "name": "DeviceId",
+          "dataType": "String",
+          "description": "Unique identifier for the device in the service"
+        },
+        {
+          "name": "DeviceName",
+          "dataType": "String",
+          "description": "Fully qualified domain name (FQDN) of the device"
+        }
+      ]
+    },
+    {
+      "name": "DeviceNetworkEvents",
+      "description": "Network connection and related events",
+      "columns": [
+        {
+          "name": "Timestamp",
+          "dataType": "DateTime",
+          "description": "Date and time when the record was generated"
+        },
+        {
+          "name": "DeviceId",
+          "dataType": "String",
+          "description": "Unique identifier for the device in the service"
+        }
+      ]
+    }
+  ],
+  "functions": {
+    "builtInFunctions": [
+      {
+        "huntingFunctionId": 1,
+        "name": "FileProfile",
+        "path": "Built-in",
+        "documentation": "Enriches query results with file information such as file name, size, and hash.",
+        "inputParameters": [
+          {
+            "name": "SHA1",
+            "cslType": "string",
+            "defaultValue": null
+          }
+        ],
+        "outputColumns": [
+          {
+            "name": "SHA1",
+            "dataType": "String",
+            "description": "SHA-1 hash of the file"
+          },
+          {
+            "name": "SHA256",
+            "dataType": "String",
+            "description": "SHA-256 hash of the file"
+          }
+        ]
+      }
+    ],
+    "savedFunctions": [
+      {
+        "huntingFunctionId": 100,
+        "name": "MyCustomQuery",
+        "path": "Shared",
+        "description": "A custom query that filters device events by severity.",
+        "createdBy": "user@contoso.com",
+        "lastModifiedBy": "user@contoso.com",
+        "lastModifiedDateTime": "2026-04-15T10:30:00Z",
+        "inputParameters": [],
+        "outputColumns": [
+          {
+            "name": "DeviceId",
+            "dataType": "String",
+            "description": "Unique identifier for the device"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
@@ -0,0 +1,51 @@
+---
+title: "huntingSchemaBuiltInFunction resource type"
+description: "Represents a prebuilt function included with Microsoft Defender XDR advanced hunting."
+author: "nitzanfrogel"
+ms.localizationpriority: medium
+ms.subservice: "security"
+doc_type: resourcePageType
+ms.date: 05/13/2026
+---
+
+# huntingSchemaBuiltInFunction resource type
+
+Namespace: microsoft.graph.security
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Represents a prebuilt function included with Microsoft Defender XDR advanced hunting. Built-in functions are available to all advanced hunting instances and can't be modified by users. Part of the [huntingSchemaFunctions](../resources/security-huntingschemafunctions.md) returned by the [getHuntingSchema](../api/security-security-gethuntingschema.md) function.
+
+## Properties
+
+|Property|Type|Description|
+|:---|:---|:---|
+|huntingFunctionId|Int64|Unique identifier for the function. Required.|
+|name|String|Name of the function. Required.|
+|path|String|Folder path of the function.|
+|documentation|String|Description of the function and its usage.|
+|inputParameters|[microsoft.graph.security.huntingSchemaFunctionParameter](../resources/security-huntingschemafunctionparameter.md) collection|Collection of input parameters accepted by the function.|
+|outputColumns|[microsoft.graph.security.huntingSchemaTableColumn](../resources/security-huntingschematablecolumn.md) collection|Collection of columns returned by the function.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.security.huntingSchemaBuiltInFunction"
+}
+-->
+``` json
+{
+  "huntingFunctionId": 1,
+  "name": "FileProfile",
+  "path": "Built-in",
+  "documentation": "Enriches query results with file information such as file name, size, and hash.",
+  "inputParameters": [{"@odata.type": "microsoft.graph.security.huntingSchemaFunctionParameter"}],
+  "outputColumns": [{"@odata.type": "microsoft.graph.security.huntingSchemaTableColumn"}]
+}
+```
@@ -0,0 +1,45 @@
+---
+title: "huntingSchemaFunctionParameter resource type"
+description: "Represents an input parameter for an advanced hunting function."
+author: "nitzanfrogel"
+ms.localizationpriority: medium
+ms.subservice: "security"
+doc_type: resourcePageType
+ms.date: 05/13/2026
+---
+
+# huntingSchemaFunctionParameter resource type
+
+Namespace: microsoft.graph.security
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Represents an input parameter for an advanced hunting function. Parameters allow callers to provide arguments when invoking a function. Used by both [huntingSchemaBuiltInFunction](../resources/security-huntingschemabuiltinfunction.md) and [huntingSchemaSavedFunction](../resources/security-huntingschemasavedfunction.md) resource types.
+
+## Properties
+
+|Property|Type|Description|
+|:---|:---|:---|
+|name|String|Name of the parameter. Required.|
+|cslType|String|Data type of the parameter in Kusto Query Language (KQL) CSL format. Required.|
+|defaultValue|String|Default value used when the caller doesn't provide a value for this parameter.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.security.huntingSchemaFunctionParameter"
+}
+-->
+``` json
+{
+  "name": "SHA1",
+  "cslType": "string",
+  "defaultValue": null
+}
+```
@@ -0,0 +1,43 @@
+---
+title: "huntingSchemaFunctions resource type"
+description: "Contains the two categories of advanced hunting functions accessible to the user: built-in functions and saved functions."
+author: "nitzanfrogel"
+ms.localizationpriority: medium
+ms.subservice: "security"
+doc_type: resourcePageType
+ms.date: 05/13/2026
+---
+
+# huntingSchemaFunctions resource type
+
+Namespace: microsoft.graph.security
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Contains the two categories of advanced hunting functions accessible to the user: built-in functions and saved functions. Part of the [huntingSchemaResult](../resources/security-huntingschemaresult.md) returned by the [getHuntingSchema](../api/security-security-gethuntingschema.md) function.
+
+## Properties
+
+|Property|Type|Description|
+|:---|:---|:---|
+|builtInFunctions|[microsoft.graph.security.huntingSchemaBuiltInFunction](../resources/security-huntingschemabuiltinfunction.md) collection|Prebuilt functions included with Microsoft Defender XDR advanced hunting.|
+|savedFunctions|[microsoft.graph.security.huntingSchemaSavedFunction](../resources/security-huntingschemasavedfunction.md) collection|Custom functions created by users, including shared functions accessible to all tenant users and personal functions visible only to their creator.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.security.huntingSchemaFunctions"
+}
+-->
+``` json
+{
+  "builtInFunctions": [{"@odata.type": "microsoft.graph.security.huntingSchemaBuiltInFunction"}],
+  "savedFunctions": [{"@odata.type": "microsoft.graph.security.huntingSchemaSavedFunction"}]
+}
+```
@@ -0,0 +1,43 @@
+---
+title: "huntingSchemaResult resource type"
+description: "Contains the advanced hunting schema accessible to the signed-in user, including tables and functions."
+author: "nitzanfrogel"
+ms.localizationpriority: medium
+ms.subservice: "security"
+doc_type: resourcePageType
+ms.date: 05/13/2026
+---
+
+# huntingSchemaResult resource type
+
+Namespace: microsoft.graph.security
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Contains the advanced hunting schema accessible to the signed-in user, including tables and functions. Returned by the [getHuntingSchema](../api/security-security-gethuntingschema.md) function.
+
+## Properties
+
+|Property|Type|Description|
+|:---|:---|:---|
+|tables|[microsoft.graph.security.huntingSchemaTable](../resources/security-huntingschematable.md) collection|Collection of advanced hunting tables the user is authorized to query.|
+|functions|[microsoft.graph.security.huntingSchemaFunctions](../resources/security-huntingschemafunctions.md)|Object containing the built-in functions and saved functions available to the user.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.security.huntingSchemaResult"
+}
+-->
+``` json
+{
+  "tables": [{"@odata.type": "microsoft.graph.security.huntingSchemaTable"}],
+  "functions": {"@odata.type": "microsoft.graph.security.huntingSchemaFunctions"}
+}
+```