Merged PR 6490: Updated advanced-hunting-windows-defender-advanced-threat-protection.md

Updated advanced-hunting-windows-defender-advanced-threat-protection.md
Liza Mash 2018-03-20 17:24:40 +00:00 committed by Joey Caparas
commit 6fce4fbf82
2 changed files with 9 additions and 1 deletions


@ -130,7 +130,7 @@ The results set has several capabilities to provide you with effective investiga
- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
- You can right-click on a cell in the results set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set.
![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-set.png)
![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-filter.png)
## Filters on results in advanced hunting
In advanced hunting, you can use the advanced filter on the output results set of the query.
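Review bot: The two image lines in this hunk carry identical alt text ("Image of Windows Defender ATP advanced hunting results set") even though the second one now points at `images/atp-advanced-hunting-results-filter.png`; the alt text for the second image should describe the filter view (for example "Image of Windows Defender ATP advanced hunting results filter") so screen readers and the rendered doc distinguish the two screenshots. Also consider a blank line between the second image and the `## Filters on results in advanced hunting` heading, since the rest of the file separates headings from the preceding block.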
@ -143,6 +143,14 @@ You can refine your query based on the filter by clicking the "+" or "-" buttons
The filter selections will resolve as an additional query term and the results will be updated accordingly.
## Query best practices
- Use time filters first. Kusto is highly optimized to utilize time filters.
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
- Prefer 'has' keyword over 'contains' when looking for full tokens.
- Prefer looking in specific column rather than using full text search accross all columns.
- When joining between two tables - choose the table with less rows to be the first one (left-most).
- When joining between two tables - project only needed columns from both sides of the join.
## Public Advanced Hunting query GitHub repository
Check out the [Advanced Hunting repository](https://github.com/Microsoft/Advanced-Hunting-Queries). Contribute and use example queries shared by our customers.
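Review bot: The added "Query best practices" bullets have a few wording issues worth fixing before merge: "accross" should be "across", "the table with less rows" should be "the table with fewer rows", and "Put filters ... in the beginning of the query" reads better as "at the beginning of the query". The Kusto operators in "Prefer 'has' keyword over 'contains'" would be clearer in code formatting (`has`, `contains`) to match how operators are presented elsewhere in this doc, and "Prefer looking in specific column" is missing an article ("a specific column"). A one-line reason on the `has`/`contains` bullet (that `has` matches whole tokens and is indexed, while `contains` is a substring scan) would help readers understand why the recommendation improves query performance rather than just stating it.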

Binary file not shown.
