Merge pull request #5458 from illfated/kusto_query_typos

Advanced hunting query language: Kusto query typos
Daniel Simpson 2019-11-19 16:26:14 -08:00 committed by GitHub
commit 05fb902c91
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -31,7 +31,7 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
```
```kusto
// Finds PowerShell execution events that could involve a download.
ProcessCreationEvents
| where EventTime > ago(7d)
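Review bot: adding the `kusto` info string to the opening fence is the right fix; the bare ``` on the old opening line rendered as an empty closed block and left the query unhighlighted. The same tag should be applied to every snippet in this file so the examples are consistent, which the later hunks do.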
@ -42,7 +42,7 @@ ProcessCreationEvents
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime'
| top 100 by EventTime
```
This is how it will look like in Advanced hunting.
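Review bot: dropping the stray trailing `'` from `| top 100 by EventTime` is the important fix in this hunk: an unmatched single quote opens a string literal in KQL, so anyone pasting the original query into Advanced hunting would get a parse error instead of results. Minor style point on the unchanged context line that follows: "This is how it will look like" should read "This is what it will look like".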
@ -52,7 +52,7 @@ This is how it will look like in Advanced hunting.
### Describe the query and specify the table to search
The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
```
```kusto
// Finds PowerShell execution events that could involve a download.
ProcessCreationEvents
```
@ -62,19 +62,19 @@ The query itself will typically start with a table name followed by a series of
### Set the time range
The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
```
```kusto
| where EventTime > ago(7d)
```
### Search for specific executable files
The time range is immediately followed by a search for files representing the PowerShell application.
```
```kusto
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
```
### Search for specific command lines
Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
```
```kusto
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
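Review bot: the fence fixes here are fine; one documentation point on the unchanged `| where FileName in (...)` line: `in` is case-sensitive in KQL, which is why both `powershell.exe` and `POWERSHELL.EXE` are listed, but a mixed-case name such as `PowerShell.exe` is still missed. Either say so in the text or use the case-insensitive `in~` operator, e.g. `| where FileName in~ ("powershell.exe", "powershell_ise.exe")`, so the example matches the file regardless of casing.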
@ -84,9 +84,9 @@ Afterwards, the query looks for command lines that are typically used with Power
### Select result columns and length
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
```
```kusto
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime'
| top 100 by EventTime
```
Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
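Review bot: same stray-quote fix as in the first snippet, and correct. The context sentence above describes `top` as making results "reasonably large", which reads as the opposite of what `top 100` does; "reasonably sized" would be clearer. It would also help readers to state that `top 100 by EventTime` returns the 100 most recent events, since `top` sorts in descending order unless `asc` is specified.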