Merged PR 6490: Updated advanced-hunting-windows-defender-advanced-threat-protection.md

Updated advanced-hunting-windows-defender-advanced-threat-protection.md
This commit is contained in:
Liza Mash 2018-03-20 17:24:40 +00:00 committed by Joey Caparas
commit 6fce4fbf82
2 changed files with 9 additions and 1 deletions


@ -130,7 +130,7 @@ The results set has several capabilities to provide you with effective investiga
- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal. - Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
- You can right-click on a cell in the results set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set. - You can right-click on a cell in the results set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set.
![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-set.png) ![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-filter.png)
## Filters on results in advanced hunting ## Filters on results in advanced hunting
In advanced hunting, you can use the advanced filter on the output results set of the query. In advanced hunting, you can use the advanced filter on the output results set of the query.
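Review bot: the screenshot at line 14 is switched to images/atp-advanced-hunting-results-filter.png, but its alt text still reads "advanced hunting results set", so the image is described as the old results view; update the alt text to match what the new screenshot shows, e.g. `![Image of Windows Defender ATP advanced hunting results filter](images/atp-advanced-hunting-results-filter.png)`. Also note that this PR only adds the new binary and does not delete atp-advanced-hunting-results-set.png, so either that file is still referenced elsewhere in the repo or it is now orphaned and should be removed.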
@ -143,6 +143,14 @@ You can refine your query based on the filter by clicking the "+" or "-" buttons
The filter selections will resolve as an additional query term and the results will be updated accordingly. The filter selections will resolve as an additional query term and the results will be updated accordingly.
## Query best practices
- Use time filters first. Kusto is highly optimized to utilize time filters.
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
- Prefer 'has' keyword over 'contains' when looking for full tokens.
- Prefer looking in specific column rather than using full text search accross all columns.
- When joining between two tables - choose the table with less rows to be the first one (left-most).
- When joining between two tables - project only needed columns from both sides of the join.
## Public Advanced Hunting query GitHub repository ## Public Advanced Hunting query GitHub repository
Check out the [Advanced Hunting repository](https://github.com/Microsoft/Advanced-Hunting-Queries). Contribute and use example queries shared by our customers. Check out the [Advanced Hunting repository](https://github.com/Microsoft/Advanced-Hunting-Queries). Contribute and use example queries shared by our customers.
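Review bot: the new "Query best practices" list needs copy fixes before merge: "accross" at line 23 should be "across", "less rows" at line 24 should be "fewer rows", and the " - choose" / " - project" dashes in lines 24-25 read like nested bullet markers in rendered markdown; a comma or colon after "When joining between two tables" is cleaner. Line 22 quotes 'has' and 'contains' with single quotes although they are Kusto operators, so put them in code formatting (`has`, `contains`) and say why one is preferred: `has` matches whole terms and can use the term index, while `contains` does a substring scan, which is what makes it slower and noisier for full-token lookups.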

Binary file not shown.