deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-30 22:27:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Added query as example

Browse Source 
Added query in the document as an example.

Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4904
This commit is contained in:
ImranHabib 2019-09-28 05:43:15 +05:00 committed by GitHub
parent 7ce8990fbc
commit c9871554bb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
View File

@ -36,6 +36,13 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an
>[!NOTE] >[!NOTE]
>To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that dont use the `project` operator to customize results usually return these common columns. >To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that dont use the `project` operator to customize results usually return these common columns.
>[Example]
>MiscEvents
| where EventTime > ago(7d)
| where ActionType == "AntivirusDetection"
| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId
This will fetch latest EventTime and ReportId of the latest event among multiple events returned by the query and adds the count by MachineId.
### 2. Create new rule and provide alert details. ### 2. Create new rule and provide alert details.
With the query in the query editor, select **Create detection rule** and specify the following alert details: With the query in the query editor, select **Create detection rule** and specify the following alert details: