second pass adding pages

This commit is contained in:
Marty Hernandez Avedon
2020-10-08 15:12:16 -04:00
parent a6b6ad3428
commit 2f6d859736
4 changed files with 8 additions and 5 deletions

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: article ms.topic: article
ms.date: 09/20/2020 ms.date: 10/10/2020
--- ---
# Extend advanced hunting coverage with the right settings # Extend advanced hunting coverage with the right settings
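Review bot: the new `ms.date: 10/10/2020` is two days after this commit's own date (2020-10-08 per the header). If the field is meant to record the intended publish date that is fine, but confirm it is not a typo for 10/08/2020, since ms.date drives the "last updated" stamp readers see on the rendered page.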
@ -26,7 +26,7 @@ ms.date: 09/20/2020
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[Advanced hunting](advanced-hunting-overview.md) relies on data coming from various sources, including your devices, your Office 365 workspaces, Azure AD, and Azure ATP. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources. [Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
## Advanced security auditing on Windows devices ## Advanced security auditing on Windows devices
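Review bot: the rewritten sentence drops the explicit list of data sources (devices, Office 365 workspaces, Azure AD, Azure ATP) in favour of "data coming from across your organization", yet the next sentence still tells the reader to check "the correct settings in the corresponding data sources" without saying which ones those are. Either keep a short list of the sources or link to the sections below that cover each source's audit settings, so the reader knows where to go.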

@ -73,12 +73,12 @@ You can use *go hunt* after selecting any of these entity types:
## Query for event information ## Query for event information
When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occured around the same time period on the same device: When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device:
```kusto ```kusto
// List relevant events 30 minutes before and after selected RegistryValueSet event // List relevant events 30 minutes before and after selected RegistryValueSet event
let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z); let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z);
search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents, ResponseEvents) search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m)) Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m))
and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4" and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4"
| sort by Timestamp desc | sort by Timestamp desc
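Review bot: removing `ResponseEvents` from the `search in (...)` list narrows the example query, but the paragraph above still says *go hunt* "checks all relevant schema tables". If the table is no longer part of the advanced hunting schema, say so in the prose or adjust the wording to "checks the relevant device event tables" so the text and the sample query agree; if it is still available, the removal needs a reason in the commit message. The "occured" to "occurred" spelling fix is correct.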

@ -52,6 +52,9 @@ We recommend going through several steps to quickly get up and running with adva
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) | | **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) | | **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
| **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)<br>- [Handle errors](advanced-hunting-errors.md) | | **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)<br>- [Handle errors](advanced-hunting-errors.md) |
| **Get the most complete coverage** | Use audit settings to provide better data coverage for your organization. | - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) |
| **Run a quick investigation** | Quickly run an advanced hunting query to investigate suspicious activity. | - [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md) |
| **Contain threats and address compromises** | Respond to attacks by quarantining files, restricting app execution, and other actions | - [Take action on advanced hunting query results](advanced-hunting-take-action.md) |
| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) | | **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
## Data freshness and update frequency ## Data freshness and update frequency
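Review bot: two consistency points on the three added table rows. First, each new row puts a leading `- ` before a single link (for example `| - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) |`), whereas the existing single-link rows such as "Understand the schema" and "Use predefined queries" give the bare link and the dash list is only used when a cell holds two links; drop the dash on single-link cells. Second, the "Contain threats and address compromises" description ends without a period ("...and other actions"), unlike every other row in the table.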

@ -180,6 +180,6 @@ For detailed information about the query language, see [Kusto query language doc
## Related topics ## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md) - [Advanced hunting overview](advanced-hunting-overview.md)
- [Work with query results](advanced-hunting-query-results.md) - [Work with query results](advanced-hunting-query-results.md)
- [Use shared queries](advanced-hunting-shared-queries) - [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-schema-reference.md) - [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md) - [Apply query best practices](advanced-hunting-best-practices.md)
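Review bot: the fix is correct; `advanced-hunting-shared-queries` without the `.md` extension would have produced a broken relative link in the rendered docs, and the corrected target matches the `[Shared queries](advanced-hunting-shared-queries.md)` reference used in the getting-started table. Worth a quick grep across the other advanced-hunting pages touched in this commit for any remaining relative links that lack the extension.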