Merge pull request #650 from MicrosoftDocs/lomayor-mdatp-ah-best-practice

Update advanced-hunting-best-practices.md

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md

@@ -18,7 +18,7 @@ ms.topic: conceptual
 ms.date: 04/24/2018
 ---
 
-# Advanced hunting query best practices Microsoft Defender ATP
+# Advanced hunting query best practices in Microsoft Defender ATP
 
 **Applies to:**
 
@@ -28,23 +28,26 @@ ms.date: 04/24/2018
 
 ## Performance best practices
 The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries. 
-- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
+- When trying new queries, always use `limit` to avoid extremely large result sets or use `count` to assess the size of the result set.
-- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
+- Use time filters first. Ideally, limit your queries to 7 days.
-- Use 'has' keyword over 'contains' when looking for full tokens.
+- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
+- Use the `has` operator over `contains` when looking for full tokens.
 - Use looking in specific column rather than using full text search across all columns.
-- When joining between two tables - choose the table with less rows to be the first one (left-most). 
+- When joining between two tables, specify the table with fewer rows first.
-- When joining between two tables - project only needed columns from both sides of the join.
+- When joining between two tables, project only needed columns from both sides of the join.
+
+>[!Tip]
+>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/en-us/azure/kusto/query/best-practices).
 
 ## Query tips and pitfalls
 
-### Unique Process IDs
+### Using process IDs
-Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
+Process IDs (PIDs) are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
 To address this issue, Microsoft Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
 
+So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`) and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`)
 
-So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either MachineId or ComputerName), a process ID (ProcessId or InitiatingProcessId) and the process creation time (ProcessCreationTime or InitiatingProcessCreationTime)
+The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
-
-The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB) - possibly scanning for file shares.
 
 Example query:
 ```
@@ -54,11 +57,11 @@ NetworkCommunicationEvents
 | where RemoteIPCount > 10
 ```
 
-The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID.
+The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
 
-### Using command line queries
+### Using command lines
 
-Command lines may vary - when applicable, filter on file names and do fuzzy matching.
+Command lines can vary. When applicable, filter on file names and do fuzzy matching.
 
 There are numerous ways to construct a command line to accomplish a task.
 
@@ -68,7 +71,7 @@ To create more durable queries using command lines, we recommended the following
 
 - Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field.
 - When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
-- Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs'
+- Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`
 - To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones.
 
 The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
@@ -91,6 +94,3 @@ ProcessCreationEvents
 ```
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
-
-
-