From 67de91da7bebdc0781376b7a78fd18cbc7f43e1e Mon Sep 17 00:00:00 2001 From: Tomer Alpert Date: Sun, 15 Apr 2018 06:52:06 +0000 Subject: [PATCH] Clarify 30 days limit in advanced hunting doc --- ...ced-hunting-windows-defender-advanced-threat-protection.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index e3d2f2b5ce..f523b1c8d1 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md 
@@ -81,13 +81,15 @@ The following tables are exposed as part of Advanced hunting: - **AlertEvents** - Stores alerts related information - **MachineInfo** - Stores machines properties - **ProcessCreationEvents** - Stores process creation events -- **NetworkCommunicationEvents** - Stores network communication events o +- **NetworkCommunicationEvents** - Stores network communication events - **FileCreationEvents** - Stores file creation, modification, and rename events - **RegistryEvents** - Stores registry key creation, modification, rename and deletion events - **LogonEvents** - Stores login events - **ImageLoadEvents** - Stores load dll events - **MiscEvents** - Stores several types of events, including Windows Defender blocks (Windows Defender Antivirus, Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall), process injection events, access to LSASS processes, and others. +These tables include data from the last 30 days. + ## Use shared queries Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities.
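Review bot: the added sentence `+These tables include data from the last 30 days.` follows the final MiscEvents bullet with no blank line before it, so Markdown renderers will likely treat it as a lazy continuation of that list item rather than a standalone paragraph; add a blank `+` line before the sentence to match the blank line already added after it. Since the commit subject is about clarifying the 30-day limit, consider phrasing it as a constraint the reader can act on, e.g. "Queries can only return data from the last 30 days.", so it is clear that older events are not queryable rather than merely not stored. The removal of the stray trailing `o` on the NetworkCommunicationEvents bullet is a correct typo fix.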