From 5c3cce9cf9305b798d6529d6676fd848aec24f1e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 22 Mar 2018 18:05:18 -0700 Subject: [PATCH] add best practices --- ...ows-defender-advanced-threat-protection.md | 17 +++++++--- ...ows-defender-advanced-threat-protection.md | 31 +++++++++++-------- 2 files changed, 31 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index 0c7e7f3339..69fccb47fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Advanced hunting table reference in Windows Defender ATP +title: Advanced hunting reference in Windows Defender ATP description: Learn about advanced hunting table reference such as column name, data type, and description keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description search.product: eADQiWindows 10XVcnh @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.date: 04/16/2018 --- -# Advanced hunting table reference in Windows Defender ATP +# Advanced hunting reference in Windows Defender ATP **Applies to:** 
@@ -25,12 +25,21 @@ ms.date: 04/16/2018 [!include[Prerelease information](prerelease.md)] +## Advanced hunting query best practices +The following best practices serve as a guideline for you to maximize the advanced hunting capability. +- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/). +- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter. +- Prefer 'has' keyword over 'contains' when looking for full tokens. +- Prefer looking in specific column rather than using full text search across all columns. +- When joining between two tables - choose the table with less rows to be the first one (left-most). +- When joining between two tables - project only needed columns from both sides of the join. + + +## Advanced hunting table reference When you run a query using Advanced hunting, a table with columns is returned as a result. Use the following table to understand what the columns represent, its data type, and their description. -## Advanced hunting table reference - | Column name | Data type | Description :---|:--- |:--- | AccountDomain | string | Domain of the account. | diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index eef5492235..6e8a569c62 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md 
@@ -36,7 +36,18 @@ To get you started in querying your data, you can use the basic or advanced quer ![Image of Advanced hunting window](images/atp-advanced-hunting.png) -## Query data in advanced hunting +## Before you begin +To maximize the advanced hunting capability, it's a good idea to understand the following query best practices. + +### Query best practices +- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/). +- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter. +- Prefer 'has' keyword over 'contains' when looking for full tokens. +- Prefer looking in specific column rather than using full text search across all columns. +- When joining between two tables - choose the table with less rows to be the first one (left-most). +- When joining between two tables - project only needed columns from both sides of the join. + +## Use advanced hunting to query data A typical query starts with a table name followed by a series of operators separated by **|**. @@ -51,7 +62,7 @@ We then add a filter on the _FileName_ to contain only instances of _powershell Afterwards, we add a filter on the _ProcessCommandLine_ Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**. -### Operators +### Use operators The query language is very powerful and has a lot of available operators, some of them are - - **limit** - Return up to the specified number of rows. 
@@ -67,11 +78,11 @@ The query language is very powerful and has a lot of available operators, some o To see a live example of these operators, run them as part of the **Get started** section. -## Query language documentation +## Access query language documentation For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/). -## Tables in advanced hunting +## Use exposed tables in advanced hunting The following tables are exposed as part of advanced hunting: @@ -85,7 +96,7 @@ The following tables are exposed as part of advanced hunting: - **MiscEvents** - Stores several types of events, including Windows Defender Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall events. - **SuspiciousEvents** - Stores all events that deviate from typical event behavior -## Shared queries +## Use shared queries Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities. ![Image of shared queries](images/atp-shared-queries.png) @@ -132,7 +143,7 @@ The results set has several capabilities to provide you with effective investiga ![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-filter.png) -## Filters on results in advanced hunting +## Filter results in advanced hunting In advanced hunting, you can use the advanced filter on the output results set of the query. The filters provide an overview of the result set where each column has it's own section and shows the distinct values that appear in the column and their prevalence. 
@@ -143,13 +154,7 @@ You can refine your query based on the filter by clicking the "+" or "-" buttons The filter selections will resolve as an additional query term and the results will be updated accordingly. -## Query best practices -- Use time filters first. Kusto is highly optimized to utilize time filters. -- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter. -- Prefer 'has' keyword over 'contains' when looking for full tokens. -- Prefer looking in specific column rather than using full text search across all columns. -- When joining between two tables - choose the table with less rows to be the first one (left-most). -- When joining between two tables - project only needed columns from both sides of the join. + ## Public Advanced Hunting query GitHub repository Check out the [Advanced Hunting repository](https://github.com/Microsoft/Advanced-Hunting-Queries). Contribute and use example queries shared by our customers.
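Review bot: in the first hunk of advanced-hunting-reference-windows-defender-advanced-threat-protection.md (the front matter), the `description:` and `keywords:` lines still describe only the table reference ("Learn about advanced hunting table reference such as column name, data type, and description") even though the title is broadened to "Advanced hunting reference in Windows Defender ATP" and the page now opens with a best-practices section. Update the description and keywords to mention query best practices as well, so search and page metadata match the new scope.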
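Review bot: in the second hunk of advanced-hunting-reference-windows-defender-advanced-threat-protection.md (`@@ -25,12 +25,21 @@`), the six best-practice bullets added under "## Advanced hunting query best practices" are byte-for-byte the same list added to advanced-hunting-windows-defender-advanced-threat-protection.md in this patch. Two copies will drift; since this file already pulls in shared text with `[!include[Prerelease information](prerelease.md)]`, consider moving the list into an include file and referencing it from both pages. The bullets also need small grammar fixes before they ship: "Prefer 'has' keyword over 'contains'" should read "Prefer the 'has' keyword over 'contains'", "Prefer looking in specific column" should be "a specific column", and "the table with less rows" should be "fewer rows". Separately, the link target `https://docs.microsoft.com/connectors/kusto/` is labelled "Azure Kusto" while the companion page sends readers to `https://docs.loganalytics.io/docs/Language-Reference/` for the query language; pick one reference for Kusto query syntax and use it in both places. Finally, the two bare `+` lines before `+## Advanced hunting table reference` leave a double blank line; one is enough.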
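Review bot: in the `@@ -36,7 +36,18 @@` hunk of advanced-hunting-windows-defender-advanced-threat-protection.md, renaming "## Query data in advanced hunting" to "## Use advanced hunting to query data" changes the generated heading anchor, so any existing link to `#query-data-in-advanced-hunting` (from other docs or the TOC) will break; please grep for the old anchor or keep the original heading text. The new "## Before you begin" section also duplicates the best-practices list added to the reference page in this same patch, and carries the same wording issues ("Prefer 'has' keyword", "specific column", "less rows"); fix them once in a shared include rather than in both files.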
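Review bot: in the `@@ -67,11 +78,11 @@` hunk, the new heading "## Use exposed tables in advanced hunting" reads awkwardly; the sentence under it, "The following tables are exposed as part of advanced hunting", already explains availability, so something like "## Tables available in advanced hunting" is clearer. As with the other renames in this file ("Access query language documentation", "Use shared queries", "Filter results in advanced hunting"), each changed heading changes its anchor, so check for inbound links to the old heading text before merging.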
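Review bot: in the last hunk (`@@ -143,13 +154,7 @@`), removing the old "## Query best practices" block leaves a stray `+` empty line immediately after the existing blank line, so the rendered page now has two consecutive blank lines before "## Public Advanced Hunting query GitHub repository"; drop the added blank line. Note that the old section text said "Kusto is highly optimized" while the relocated copy says "Azure Kusto" and adds a link, so the move is not a pure relocation; call that out in the commit message, which currently says only "add best practices".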