mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 05:17:22 +00:00
Minor fixes to AH topics
This commit is contained in:
parent b4d6f09236
commit 452574147c
@ -26,7 +26,7 @@ ms.date: 10/08/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
## Optimize query performance
Apply the recommendations to get results faster and avoid timeouts while running complex queries:
Apply these recommendations to get results faster and avoid timeouts while running complex queries.
- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.
- Use time filters first. Ideally, limit your queries to seven days.
- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
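Review bot: the rewritten lead-in sentence ("Apply these recommendations to get results faster and avoid timeouts while running complex queries.") drops the trailing colon, but it directly introduces the bullet list that follows, so it should keep the colon as the original had: "Apply these recommendations to get results faster and avoid timeouts while running complex queries:". A smaller nit on the unchanged context in this hunk: "Use time filters first. Ideally, limit your queries to seven days." would be more actionable if it named the time column the filter is meant to constrain, so readers know which column to put first in the `where` clause.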
@ -63,7 +63,7 @@ To create more durable queries using command lines, apply the following practice
- Identify the known processes (such as *net.exe* or *psexec.exe*) by matching on the filename fields, instead of filtering on the command-line field.
- When querying for command-line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
- Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`
- Use case insensitive matches. For example, use `=~`, `in~`, and `contains` instead of `==`, `in` and `contains_cs`
- To mitigate DOS command-line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS obfuscation techniques that require other approaches, but these can help address the most common ones.
The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
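Review bot: the corrected bullet still lacks the terminal period that its sibling bullets have, and "case insensitive" used as a modifier should be hyphenated; suggest "- Use case-insensitive matches. For example, use `=~`, `in~`, and `contains` instead of `==`, `in`, and `contains_cs`." Since the bullet is being touched anyway, it is worth stating the reason (attackers vary the case of process names and arguments, and `==`/`contains_cs` miss those variants) so readers do not read it as a style preference. On the trailing context line, "a query that looks for the file *net.exe* to stop the Windows Defender Firewall service" reads as though the file is what the query uses to stop the service; "looks for *net.exe* being used to stop the Windows Defender Firewall service" is clearer.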
@ -25,10 +25,10 @@ ms.date: 10/08/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
## Schema tables
The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
## Schema tables
The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen.
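Review bot: this hunk shows the heading "## Schema tables" twice, once before the paragraph that introduces the schema ("The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables ...") and again before "The following reference lists all the tables ...". If the first occurrence is the pre-change heading line whose original text this rendering does not show, that is fine; if both lines survive in the new file, the page ends up with a duplicate heading and only one should be kept, with the intro paragraph and the table list under it. Also, "Each table name links to a page describing the column names for that table" would serve hunters better if it said the linked pages also give each column's type and a description, assuming that is what those pages contain; otherwise leave as is.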