deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #5066 from joinimran/patch-15

Browse Source 
Added query as example
This commit is contained in:
Louie Mayor 2019-10-01 07:53:45 -07:00 committed by GitHub
commit 8c271fc337
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
View File

@ -36,6 +36,16 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an
> [!NOTE] > [!NOTE]
> To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that dont use the `project` operator to customize results usually return these common columns. > To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that dont use the `project` operator to customize results usually return these common columns.
The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
```
MiscEvents
| where EventTime > ago(7d)
| where ActionType == "AntivirusDetection"
| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId
| where count_ > 5
```
### 2. Create new rule and provide alert details. ### 2. Create new rule and provide alert details.
With the query in the query editor, select **Create detection rule** and specify the following alert details: With the query in the query editor, select **Create detection rule** and specify the following alert details: