Update windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
This commit is contained in:
ImranHabib
2019-09-29 19:07:21 +05:00
committed by GitHub
parent 99fa2ef07f
commit 8924116703


@ -37,7 +37,7 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an
> To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that dont use the `project` operator to customize results usually return these common columns. > To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that dont use the `project` operator to customize results usually return these common columns.
> [Example] > [Example]
>MiscEvents > MiscEvents
| where EventTime > ago(7d) | where EventTime > ago(7d)
| where ActionType == "AntivirusDetection" | where ActionType == "AntivirusDetection"
| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId | summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId
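Review bot: The fix is incomplete: only the `MiscEvents` line gains the `> ` blockquote prefix, while the three query lines that follow (`| where EventTime > ago(7d)`, `| where ActionType == "AntivirusDetection"`, `| summarize ...`) still have no `>` prefix, so in rendered Markdown they fall out of the note callout and appear as loose text after it. Either prefix every line of the query with `> `, or, better, wrap the whole query in a fenced ```kusto block inside the note so the pipe operators are not interpreted as table syntax. Two smaller points in the same hunk: "Queries that dont use" should be "don't" (the typo is carried over unchanged), and `[Example]` reads like a broken link target; plain `**Example**` or "For example:" would be clearer.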