Merge pull request #5458 from illfated/kusto_query_typos

Advanced hunting query language: Kusto query typos

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md

@@ -23,7 +23,7 @@ ms.date: 10/08/2019
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 
 Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query.
 
@@ -31,7 +31,7 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
 
 In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
 
-```
+```kusto
 // Finds PowerShell execution events that could involve a download.
 ProcessCreationEvents  
 | where EventTime > ago(7d)
@@ -42,7 +42,7 @@ ProcessCreationEvents
         or ProcessCommandLine has "Invoke-Shellcode"
         or ProcessCommandLine contains "http:"
 | project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime'
+| top 100 by EventTime
 ```
 
 This is how it will look like in Advanced hunting.
@@ -52,7 +52,7 @@ This is how it will look like in Advanced hunting.
 ### Describe the query and specify the table to search
 The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
 
-```
+```kusto
 // Finds PowerShell execution events that could involve a download.
 ProcessCreationEvents
 ```
@@ -62,19 +62,19 @@ The query itself will typically start with a table name followed by a series of
 ### Set the time range
 The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
 
-```
+```kusto
 | where EventTime > ago(7d)
 ```
 ### Search for specific executable files
 The time range is immediately followed by a search for files representing the PowerShell application.
 
-```
+```kusto
 | where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
 ```
 ### Search for specific command lines
 Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
 
-```
+```kusto
 | where ProcessCommandLine has "Net.WebClient"
         or ProcessCommandLine has "DownloadFile"
         or ProcessCommandLine has "Invoke-WebRequest"
@@ -84,9 +84,9 @@ Afterwards, the query looks for command lines that are typically used with Power
 ### Select result columns and length 
 Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
 
-```
+```kusto
 | project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime'
+| top 100 by EventTime
 ```
 
 Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
@@ -128,8 +128,8 @@ The **Get started** section provides a few simple queries using commonly used op
 
 ![Image of Advanced hunting window](images/atp-advanced-hunting.png)
 
->[!NOTE]
->Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
+> [!NOTE]
+> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
 
 ## Access comprehensive query language reference
 
@@ -140,4 +140,4 @@ For detailed information about the query language, see [Kusto query language doc
 - [Understand the schema](advanced-hunting-schema-reference.md)
 - [Apply query best practices](advanced-hunting-best-practices.md)
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)