deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Clarify 30 days limit in advanced hunting doc

Browse Source
This commit is contained in:
Tomer Alpert
2018-04-15 06:52:06 +00:00
parent f8e7c04dba
commit 67de91da7b
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
View File

@ -81,13 +81,15 @@ The following tables are exposed as part of Advanced hunting:
- **AlertEvents** - Stores alerts related information - **AlertEvents** - Stores alerts related information
- **MachineInfo** - Stores machines properties - **MachineInfo** - Stores machines properties
- **ProcessCreationEvents** - Stores process creation events - **ProcessCreationEvents** - Stores process creation events
- **NetworkCommunicationEvents** - Stores network communication events o - **NetworkCommunicationEvents** - Stores network communication events
- **FileCreationEvents** - Stores file creation, modification, and rename events - **FileCreationEvents** - Stores file creation, modification, and rename events
- **RegistryEvents** - Stores registry key creation, modification, rename and deletion events - **RegistryEvents** - Stores registry key creation, modification, rename and deletion events
- **LogonEvents** - Stores login events - **LogonEvents** - Stores login events
- **ImageLoadEvents** - Stores load dll events - **ImageLoadEvents** - Stores load dll events
- **MiscEvents** - Stores several types of events, including Windows Defender blocks (Windows Defender Antivirus, Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall), process injection events, access to LSASS processes, and others. - **MiscEvents** - Stores several types of events, including Windows Defender blocks (Windows Defender Antivirus, Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall), process injection events, access to LSASS processes, and others.
These tables include data from the last 30 days.
## Use shared queries ## Use shared queries
Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities. Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities.