Merged PR 6172: Updated advanced-hunting-windows-defender-advanced-threat-protection.md

Updated advanced-hunting-windows-defender-advanced-threat-protection.md
This commit is contained in:
Liza Mash 2018-03-06 17:42:18 +00:00 committed by Joey Caparas
commit c7ccf0c903


@ -82,16 +82,24 @@ The following tables are exposed as part of advanced hunting:
- **MiscEvents** - Stores several types of events, including Windows Defender Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall events. - **MiscEvents** - Stores several types of events, including Windows Defender Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall events.
- **SuspiciousEvents** - Stores all events that deviate from typical event behavior - **SuspiciousEvents** - Stores all events that deviate from typical event behavior
## Results set in advanced hunting ## Saved queries
we provide built it saved queries, that will give you an initial starting point to hunt on you organizational data and provide you additional examples of the query langauge capabilties.
we provide the following capabilities -
- save a query - simply click on the "Save as" button and name your query. you have 2 options of saving - 1. **Shared queries** section - visible to all users in the tenant. 2. **My queries** section - visible only to the user who saved the query
- update a query - open the query, update the query content and click "Save".
- delete a query - right click on the query you want to delete, and select the "delete" option.
## Results set capabilities in advanced hunting
The results set has several capabilities to provide you with effective investigation, including: The results set has several capabilities to provide you with effective investigation, including:
- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal. - Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
- If you right-click on a cell in the results set, you can add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set. - If you right-click on a cell in the results set, you can add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set.
![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-set.png) ![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-set.png)
## Filter results in advanced hunting ## Filters on results in advanced hunting
In advanced hunting, you can use the advanced filter on the output results set of the query. In advanced hunting, you can use the advanced filter on the output results set of the query.
The filters provide an overview of the result set where The filters provide an overview of the result set where
each column has it's own section and shows the distinct values that appear in the column and their prevalence. each column has it's own section and shows the distinct values that appear in the column and their prevalence.
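Review bot: The new "Saved queries" section (the lines starting "we provide built it saved queries" through "delete a query") needs a copy pass before merge: "built it" should read "built-in", "you organizational data" should be "your organizational data", and "langauge capabilties" should be "language capabilities"; both introductory sentences also start in lower case and the second ends in a dangling " -". The "save a query" bullet packs a two-item numbered list onto one line ("1. **Shared queries** section ... 2. **My queries** section ..."); splitting it into a nested list, as the existing table bullets above are formatted, would render correctly in Markdown. While in this file, the unchanged line "each column has it's own section" should be "its own section".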