Merge pull request #1814 from MicrosoftDocs/lomayor-code-lang

Add "kusto" language name to AH sample code
2025-06-28 16:53:40 +00:00 · 2020-01-07 15:29:53 -08:00
parent 8903076001 4590a32343
commit cf958371dd
6 changed files with 7 additions and 7 deletions
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@ -45,7 +45,7 @@ Process IDs (PIDs) are recycled in Windows and reused for new processes. On thei

 The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.

-```
+```kusto
 DeviceNetworkEvents
 | where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4)
 | summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
@ -68,7 +68,7 @@ To create more durable queries using command lines, apply the following practice

 The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:

-```
+```kusto
 // Non-durable query - do not use
 DeviceProcessEvents
 | where ProcessCommandLine == "net stop MpsSvc"
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@ -50,7 +50,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-h

 Here is an example query:

-```PowerShell
+```kusto
 DeviceEvents
 | where ActionType startswith 'Asr'
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@ -40,7 +40,7 @@ There are various ways to ensure more complex queries return these columns. For

 The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.

-```
+```kusto
 DeviceEvents
 | where Timestamp > ago(7d)
 | where ActionType == "AntivirusDetection"
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@ -53,7 +53,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do

 Here is an example query:

-```PowerShell
+```kusto
 DeviceEvents
 | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@ -56,7 +56,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do

 Here is an example query

-```PowerShell
+```kusto
 DeviceEvents
 | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@ -167,7 +167,7 @@ When an exception is created for a recommendation, the recommendation is no long

 3. Enter the following queries:

-```
+```kusto
 // Search for machines with High active alerts or Critical CVE public exploit 
 DeviceTvmSoftwareInventoryVulnerabilities 
 | join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId