From abfc2d45e4bb0d66b9bc35301a99a26e1ceaf484 Mon Sep 17 00:00:00 2001
From: Tomer Alpert
Date: Mon, 16 Apr 2018 18:09:31 +0000
Subject: [PATCH] Updated advanced-hunting best-practice code example to filter on time
---
 ...t-practices-windows-defender-advanced-threat-protection.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
index 0b9c7cec39..49284ab1d1 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
@@ -81,11 +81,11 @@ ProcessCreationEvents
 // Better query - filters on filename, does case-insensitive matches
 ProcessCreationEvents
-| where FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc"
+| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc"
 // Best query also ignores quotes
 ProcessCreationEvents
-| where FileName in~ ("net.exe", "net1.exe")
+| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe")
 | extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
 | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
 ```