From c175dc751432dc2cfcbd9fa52a5a2dd36382d792 Mon Sep 17 00:00:00 2001 From: Tomer Alpert Date: Wed, 28 Mar 2018 21:44:48 +0000 Subject: [PATCH] minor text changes --- ...t-practices-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md index 12684f3056..a5c0738ed1 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md @@ -39,8 +39,8 @@ The following best practices serve as a guideline of query performance best prac ## Query tips and pitfalls ### Unique Process IDs -Process IDs are recycled in Windows and reused for new processes, so cannot serve as unique IDs for a specific process. -To address this issue, the time the process was created for the Windows Defender ATP data. Together with the process ID, this can serve as a unique ID on a specific machine. +Process IDs are recycled in Windows and reused for new processes, so cannot serve as a unique identifier for a specific process. +To address this issue, the time the process was created is part of the Windows Defender ATP data. Together with the process ID, this can serve as a unique ID on a specific machine. So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either MachineId or ComputerName), a process ID (ProcessId or InitiatingProcessId) and the process creation time (ProcessCreationTime or InitiatingProcessCreationTime)