From 462c0426dd7556a1cf72b4bc8fbdd479099c1e15 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 26 Mar 2018 14:09:01 -0700 Subject: [PATCH] adv hunting update --- windows/security/threat-protection/TOC.md | 1 + ...ows-defender-advanced-threat-protection.md | 44 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 434041c60a..ca9f274ce8 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -91,6 +91,7 @@ #### [Automated investigations](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md) #### [Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md) ##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md) +##### [Query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) ### [Enable conditional access to better protect users, devices, and data](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..ba8e81d0b2 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,44 @@ +--- +title: Advanced hunting best practices in Windows Defender ATP +description: Learn about advanced hunting best practices such as what filters and keywords to use to effectively query data. +keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 04/16/2018 +--- + +# Advanced hunting query best practices Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) + +## Advanced hunting query best practices +The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries. +- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/). +- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter. +- Use 'has' keyword over 'contains' when looking for full tokens. +- Use looking in specific column rather than using full text search across all columns. +- When joining between two tables - choose the table with less rows to be the first one (left-most). +- When joining between two tables - project only needed columns from both sides of the join. + + + +>Want to experience Windows Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) + + +
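Review bot: the new TOC entry's link text, "Query language best practices", does not match the page it points to, whose front-matter title is "Advanced hunting best practices in Windows Defender ATP" and whose H1 is "Advanced hunting query best practices Windows Defender ATP"; pick one name and use it in all three places so readers can find the page from the TOC. The ##### level makes it a sibling of "Advanced hunting reference" under "Advanced hunting", which looks right, and the backslash path style matches the surrounding entries.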
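Review bot: several bullets in the new page read awkwardly and should be tightened before publishing: "Use looking in specific column rather than using full text search across all columns" could be "Look in a specific column rather than running a full-text search across all columns", "choose the table with less rows" should be "fewer rows", "in the beginning of the query" should be "at the beginning of the query", and the intro sentence "serve as a guideline of query performance best practices and for you to get faster results" repeats itself; something like "Follow these guidelines to get faster results and to run more complex queries" is enough. The H1 "Advanced hunting query best practices Windows Defender ATP" is missing "in" and differs from the front-matter title, and the H2 directly below it repeats the H1, so drop it or rename it (for example, "Query performance guidelines"). The "Azure Kusto" link points to https://docs.microsoft.com/connectors/kusto/, whose path suggests connector documentation rather than a query-language reference; please confirm it is the intended target. Finally, ms.date is 04/16/2018 while the commit is dated 26 Mar 2018; fine if that is the planned publish date, otherwise update it.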