From 3ea4da1c0d503588d353f31063bbb7397e63ceb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ant=C3=B3nio=20Vasconcelos?= Date: Wed, 17 Feb 2021 16:11:17 +0000 Subject: [PATCH] Lookback window for modified queries Note on lookback window when Custom Detections are changed and how that can impact the AH CPU quota from a customer tenant. --- .../microsoft-defender-atp/custom-detection-rules.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 8baab3e6c4..4680ae07fa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -91,6 +91,10 @@ When saved, a new custom detection rule immediately runs and checks for matches - **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours - **Every hour**—runs hourly, checking data from the past 2 hours +> [!IMPORTANT] +>When changing a query that is already scheduled as a Custom Detection, it's next immediate execution will have a lookback window of 30 days, exactly as if a new query was being created. +>Changes to a large number of queries, and with time filters higher than the default lookback durantion for the selected frequency, might have an impact in the overall quota consumption of Advanced Hunting and resulting in exhausting the daily quota. + > [!TIP] > Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.
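Review bot: The two lines added under `[!IMPORTANT]` have wording errors that should be fixed before merge. In the first, "it's next immediate execution" should be "its next immediate execution". In the second, "durantion" should be "duration", and the sentence ends ungrammatically ("might have an impact in the overall quota consumption ... and resulting in exhausting the daily quota"). A possible rewording of the second line: "Changing a large number of queries whose time filters exceed the default lookback duration for the selected frequency might increase Advanced Hunting quota consumption and exhaust the daily quota." Both added lines also begin with `>When` and `>Changes`, with no space after `>`, while the `[!TIP]` block directly below uses `> Match`; add the space so the two callouts are formatted the same way. Finally, the commit message names the AH CPU quota of the customer tenant, but the added text only says "overall quota" and "daily quota"; consider naming the quota the same way in the note so readers know which limit is affected.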