deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

add best practices

Browse Source
This commit is contained in:
Joey Caparas 2018-03-22 18:05:18 -07:00
parent b3bfb746ba
commit 5c3cce9cf9
2 changed files with 31 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
View File

@ -1,5 +1,5 @@
--- ---
title: Advanced hunting table reference in Windows Defender ATP title: Advanced hunting reference in Windows Defender ATP
description: Learn about advanced hunting table reference such as column name, data type, and description description: Learn about advanced hunting table reference such as column name, data type, and description
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.date: 04/16/2018 ms.date: 04/16/2018
--- ---
# Advanced hunting table reference in Windows Defender ATP # Advanced hunting reference in Windows Defender ATP
**Applies to:** **Applies to:**
@ -25,12 +25,21 @@ ms.date: 04/16/2018
[!include[Prerelease information](prerelease.md)] [!include[Prerelease information](prerelease.md)]
## Advanced hunting query best practices
The following best practices serve as a guideline for you to maximize the advanced hunting capability.
- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
- Prefer 'has' keyword over 'contains' when looking for full tokens.
- Prefer looking in specific column rather than using full text search across all columns.
- When joining between two tables - choose the table with less rows to be the first one (left-most).
- When joining between two tables - project only needed columns from both sides of the join.
## Advanced hunting table reference
When you run a query using Advanced hunting, a table with columns is returned as a result. When you run a query using Advanced hunting, a table with columns is returned as a result.
Use the following table to understand what the columns represent, its data type, and their description. Use the following table to understand what the columns represent, its data type, and their description.
## Advanced hunting table reference
| Column name | Data type | Description | Column name | Data type | Description
:---|:--- |:--- :---|:--- |:---
| AccountDomain | string | Domain of the account. | | AccountDomain | string | Domain of the account. |

31
windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
View File

@ -36,7 +36,18 @@ To get you started in querying your data, you can use the basic or advanced quer
![Image of Advanced hunting window](images/atp-advanced-hunting.png) ![Image of Advanced hunting window](images/atp-advanced-hunting.png)
## Query data in advanced hunting ## Before you begin
To maximize the advanced hunting capability, it's a good idea to understand the following query best practices.
### Query best practices
- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
- Prefer 'has' keyword over 'contains' when looking for full tokens.
- Prefer looking in specific column rather than using full text search across all columns.
- When joining between two tables - choose the table with less rows to be the first one (left-most).
- When joining between two tables - project only needed columns from both sides of the join.
## Use advanced hunting to query data
A typical query starts with a table name followed by a series of operators separated by **|**. A typical query starts with a table name followed by a series of operators separated by **|**.
@ -51,7 +62,7 @@ We then add a filter on the _FileName_ to contain only instances of _powershell
Afterwards, we add a filter on the _ProcessCommandLine_ Afterwards, we add a filter on the _ProcessCommandLine_
Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**. Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**.
### Operators ### Use operators
The query language is very powerful and has a lot of available operators, some of them are - The query language is very powerful and has a lot of available operators, some of them are -
- **limit** - Return up to the specified number of rows. - **limit** - Return up to the specified number of rows.
@ -67,11 +78,11 @@ The query language is very powerful and has a lot of available operators, some o
To see a live example of these operators, run them as part of the **Get started** section. To see a live example of these operators, run them as part of the **Get started** section.
## Query language documentation ## Access query language documentation
For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/). For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/).
## Tables in advanced hunting ## Use exposed tables in advanced hunting
The following tables are exposed as part of advanced hunting: The following tables are exposed as part of advanced hunting:
@ -85,7 +96,7 @@ The following tables are exposed as part of advanced hunting:
- **MiscEvents** - Stores several types of events, including Windows Defender Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall events. - **MiscEvents** - Stores several types of events, including Windows Defender Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall events.
- **SuspiciousEvents** - Stores all events that deviate from typical event behavior - **SuspiciousEvents** - Stores all events that deviate from typical event behavior
## Shared queries ## Use shared queries
Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities. Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities.
![Image of shared queries](images/atp-shared-queries.png) ![Image of shared queries](images/atp-shared-queries.png)
@ -132,7 +143,7 @@ The results set has several capabilities to provide you with effective investiga
![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-filter.png) ![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-filter.png)
## Filters on results in advanced hunting ## Filter results in advanced hunting
In advanced hunting, you can use the advanced filter on the output results set of the query. In advanced hunting, you can use the advanced filter on the output results set of the query.
The filters provide an overview of the result set where The filters provide an overview of the result set where
each column has it's own section and shows the distinct values that appear in the column and their prevalence. each column has it's own section and shows the distinct values that appear in the column and their prevalence.
@ -143,13 +154,7 @@ You can refine your query based on the filter by clicking the "+" or "-" buttons
The filter selections will resolve as an additional query term and the results will be updated accordingly. The filter selections will resolve as an additional query term and the results will be updated accordingly.
## Query best practices
- Use time filters first. Kusto is highly optimized to utilize time filters.
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
- Prefer 'has' keyword over 'contains' when looking for full tokens.
- Prefer looking in specific column rather than using full text search across all columns.
- When joining between two tables - choose the table with less rows to be the first one (left-most).
- When joining between two tables - project only needed columns from both sides of the join.
## Public Advanced Hunting query GitHub repository ## Public Advanced Hunting query GitHub repository
Check out the [Advanced Hunting repository](https://github.com/Microsoft/Advanced-Hunting-Queries). Contribute and use example queries shared by our customers. Check out the [Advanced Hunting repository](https://github.com/Microsoft/Advanced-Hunting-Queries). Contribute and use example queries shared by our customers.