diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 58f09d7eb7..7ce887afa8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -45,7 +45,7 @@ Process IDs (PIDs) are recycled in Windows and reused for new processes. On thei The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. -``` +```kusto DeviceNetworkEvents | where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4) | summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName @@ -68,7 +68,7 @@ To create more durable queries using command lines, apply the following practice The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service: -``` +```kusto // Non-durable query - do not use DeviceProcessEvents | where ProcessCommandLine == "net stop MpsSvc" diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index e4e202f76f..363a0b815b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -50,7 +50,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-h Here is an example query: -```PowerShell +```kusto DeviceEvents | where ActionType startswith 'Asr' ``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 90c461b3d6..c5a436c489 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -40,7 +40,7 @@ There are various ways to ensure more complex queries return these columns. For The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. -``` +```kusto DeviceEvents | where Timestamp > ago(7d) | where ActionType == "AntivirusDetection" diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index 30e3eff1f4..c0073ce75e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -53,7 +53,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do Here is an example query: -```PowerShell +```kusto DeviceEvents | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection' ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index cdcb26b8fd..3c6f9f6bc7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md 
@@ -56,7 +56,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do Here is an example query -```PowerShell +```kusto DeviceEvents | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked') ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 2d623aad56..55ffb2b7ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -167,7 +167,7 @@ When an exception is created for a recommendation, the recommendation is no long 3. Enter the following queries: -``` +```kusto // Search for machines with High active alerts or Critical CVE public exploit DeviceTvmSoftwareInventoryVulnerabilities | join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
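Review bot: In the advanced-hunting-best-practices.md hunk at @@ -45, the visible context ends at the `summarize RemoteIPCount=dcount(RemoteIP) by ...` line while the sentence above promises processes that access "more than 10 IP addresses"; the threshold filter is outside this hunk, so confirm the block still has its `| where RemoteIPCount > 10` (or equivalent) line after the tag change, since readers copying a now-highlighted example are more likely to run it as-is.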
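Review bot: In the advanced-hunting-best-practices.md hunk at @@ -68, the context sentence "looks for the file *net.exe* to stop the Windows Defender Firewall service" reads as if the query itself stops the service; since the same file is being touched, tighten it to "looks for *net.exe* being used to stop the Windows Defender Firewall service (MpsSvc)", which also ties the prose to the `"net stop MpsSvc"` literal in the first example.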
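Review bot: In the attack-surface-reduction.md and exploit-protection.md hunks, the fence is relabelled from `PowerShell` to `kusto`, which is the right fix because `DeviceEvents | where ActionType startswith 'Asr'` is KQL, not PowerShell, and the wrong tag misled readers into pasting it into a shell; please grep the rest of these two files (and network-protection.md) for any remaining `PowerShell`-tagged fences that contain `| where` so the rename is complete in one PR.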
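Review bot: In the network-protection.md hunk at @@ -56, the context line "Here is an example query" is missing its trailing colon, unlike the sibling "Here is an example query:" lines in attack-surface-reduction.md and exploit-protection.md in this same patch; since the adjacent fence line is already being edited, add the colon here rather than in a follow-up.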
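Review bot: In the threat-and-vuln-mgt-scenarios.md hunk at @@ -167, the fence follows the list item "3. Enter the following queries:"; if the opening and closing fences are not indented under that item, Markdown will end the ordered list and the next step renumbers from 1, so check the rendered page after adding the `kusto` tag and indent the block under item 3 if needed.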