deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Updated advanced-hunting-windows-defender-advanced-threat-protection.md

Browse Source
This commit is contained in:
Liza Mash 2018-03-26 06:49:52 +00:00
parent dbc0b9fe87
commit c8e7acc1e4
1 changed files with 0 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
View File

@ -39,17 +39,6 @@ To get you started in querying your data, you can use the basic or advanced quer
![Image of Advanced hunting window](images/atp-advanced-hunting.png) ![Image of Advanced hunting window](images/atp-advanced-hunting.png)
## Before you begin
To maximize the advanced hunting capability, it's a good idea to understand the following query best practices.
### Query best practices
- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
- Prefer 'has' keyword over 'contains' when looking for full tokens.
- Prefer looking in specific column rather than using full text search across all columns.
- When joining between two tables - choose the table with less rows to be the first one (left-most).
- When joining between two tables - project only needed columns from both sides of the join.
## Use advanced hunting to query data ## Use advanced hunting to query data
A typical query starts with a table name followed by a series of operators separated by **|**. A typical query starts with a table name followed by a series of operators separated by **|**.