AH_synch

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md

@@ -49,6 +49,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 ## Related topics
 
 - [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md

@@ -1,27 +1,26 @@
 ---
 title: Advanced hunting best practices in Microsoft Defender ATP
 description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data.
-keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
+keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, kusto
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
+ms.author: lomayor
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
-ms.topic: conceptual
-ms.date: 04/24/2018
+ms.topic: article
+ms.date: 09/25/2019
 ---
 
-# Advanced hunting query best practices in Microsoft Defender ATP
+# Advanced hunting query best practices
 
 **Applies to:**
-
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
@@ -36,7 +35,7 @@ The following best practices serve as a guideline of query performance best prac
 - When joining between two tables, specify the table with fewer rows first.
 - When joining between two tables, project only needed columns from both sides of the join.
 
->[!Tip]
+>[!TIP]
 >For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).
 
 ## Query tips and pitfalls
@@ -93,4 +92,10 @@ ProcessCreationEvents
 | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" 
 ```
 
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
+
+## Related topics
+- [Advanced hunting overview](overview-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Learn the query language](advanced-hunting.md)
+- [Understand the schema](advanced-hunting-schema-reference.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md

@@ -75,6 +75,7 @@ For information on other tables in the Advanced hunting schema, see  [the Advanc
 ## Related topics
 
 - [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md

@@ -61,6 +61,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 ## Related topics
 
 - [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md

@@ -69,6 +69,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 ## Related topics
 
 - [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md

@@ -50,6 +50,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 ## Related topics
 
 - [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md

@@ -51,6 +51,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 ## Related topics
 
 - [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md

@@ -82,6 +82,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 ## Related topics
 
 - [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md

@@ -65,6 +65,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 ## Related topics
 
 - [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md

@@ -73,6 +73,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 ## Related topics
 
 - [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md

@@ -8,25 +8,24 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
+ms.author: lomayor
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 07/24/2019
+ms.date: 09/25/2019
 ---
 
-# Advanced hunting reference in Microsoft Defender ATP
+# Understand the Advanced hunting schema
 
 **Applies to:**
-
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 
-## Advanced hunting table reference
+## Schema tables
 
 The Advanced hunting schema is made up of multiple tables that provide either event information or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
 
@@ -48,6 +47,7 @@ Table and column names are also listed within the Microsoft Defender Security Ce
 | **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
 
 ## Related topics
-
-- [Query data using Advanced hunting](advanced-hunting.md)
-- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md)
+- [Advanced hunting overview](overview-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md

@@ -63,6 +63,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 ## Related topics
 
 - [Advanced hunting overview](overview-hunting.md)
-- [All Advanced hunting tables](advanced-hunting-reference.md)
-- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
-- [Query data using Advanced hunting](advanced-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md

@@ -0,0 +1,66 @@
+---
+title: Use shared queries in advanced hunting
+description: Take advantage of shared advanced hunting queries. Share your queries to the public and to your organization.
+keywords: advanced hunting, atp query, query atp data, atp telemetry, events, events telemetry, kusto, github repo
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+ms.date: 09/25/2019
+---
+
+# Use shared queries in Advanced hunting
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+
+Advanced hunting queries can be shared among users in the same organization. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
+
+![Image of shared queries](images/atp-advanced-hunting-shared-queries.png)
+
+## Save, modify, and share a query
+You can save a new or existing query so that it is only accessible to you or shared with other users in your organization.
+
+1. Type a new query or load an existing one from under **Shared queries** or **My queries**.
+
+2. Select **Save** or **Save as** from the save options. To avoid overwriting an existing query, choose **Save as**.
+
+3. Enter a name for the query.
+
+   ![Image of saving a query](images/advanced-hunting-save-query.png)
+
+4. Select the folder where you'd like to save the query.
+    - **Shared queries** — shared to all users in the your organization
+    - **My queries** — accessible only to you
+    
+5. Select **Save**.
+
+## Delete or rename a query
+1. Right-click on a query you want to rename or delete.
+
+    ![Image of delete query](images/atp_advanced_hunting_delete_rename.png)
+
+2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
+
+## Access queries in the GitHub repository  
+Microsoft security researchers regularly share Advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/). 
+
+>[!TIP]
+>Microsoft security researchers also provide Advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics) reports in Microsoft Defender Security Center.
+
+## Related topics
+- [Advanced hunting overview](overview-hunting.md)
+- [Learn the query language](advanced-hunting.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md

@@ -1,153 +1,140 @@
 ---
-title: Query data using Advanced hunting in Microsoft Defender ATP
-description: Learn about Advanced hunting in Microsoft Defender ATP and how to query ATP data.
-keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
+title: Learn the Advanced hunting query language
+description: Get an overview of the common operators and other aspects of the Advanced hunting query language you can use to formulate queries
+keywords: advanced hunting, atp query, query atp data, atp telemetry, events, events telemetry, kusto
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
+ms.author: lomayor
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 08/15/2018
+ms.date: 09/25/2019
 ---
 
-# Query data using Advanced hunting in Microsoft Defender ATP
+# Learn the Advanced hunting query language
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 
+## Try your first query
 
-To get you started in querying your data, you can use the Basic or Advanced query examples, which have some preloaded queries to help you understand the basic query syntax.
+In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
 
-![Image of Advanced hunting window](images/atp-advanced-hunting.png)
+```
+// Finds PowerShell execution events that could involve a download.
+ProcessCreationEvents  
+| where EventTime > ago(7d)
+| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") 
+| where ProcessCommandLine has "Net.WebClient"
+        or ProcessCommandLine has "DownloadFile"
+        or ProcessCommandLine has "Invoke-WebRequest"
+        or ProcessCommandLine has "Invoke-Shellcode"
+        or ProcessCommandLine contains "http:"
+| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
+| top 100 by EventTime'
+```
 
-## Use advanced hunting to query data
-
-A typical query starts with a table name followed by a series of operators separated by **|**.
-
-In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed.
+This is how it will look like in Advanced hunting.
 
 ![Image of Microsoft Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png)
 
-First, we define a time filter to review only records from the previous seven days. 
+The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
 
-We then add a filter on the _FileName_  to contain only instances of _powershell.exe_.
+```
+// Finds PowerShell execution events that could involve a download.
+ProcessCreationEvents
+```
 
-Afterwards, we add a filter on the _ProcessCommandLine_. 
+The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding  with the table name `ProcessCreationEvents` and add piped elements as needed.
 
-Finally, we  project only the columns we're interested in exploring and limit the results to 100 and click **Run query**.
+The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
 
-You have the option of expanding the screen view so you can focus on your hunting query and related results.
+```
+| where EventTime > ago(7d)
+```
 
-### Use operators
-The query language is very powerful and has a lot of available operators, some of them are - 
+The time range is immediately followed by a search for files representing the PowerShell application.
 
-- **where** - Filter a table to the subset of rows that satisfy a predicate.
-- **summarize** - Produce a table that aggregates the content of the input table.
-- **join** - Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table.
-- **count** - Return the number of records in the input record set.
-- **top** - Return the first N records sorted by the specified columns.
-- **limit** - Return up to the specified number of rows.
-- **project** - Select the columns to include, rename or drop, and insert new computed columns.
-- **extend** - Create calculated columns and append them to the result set.
-- **makeset** -  Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group
-- **find** - Find rows that match a predicate across a set of tables.
+```
+| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
+```
 
-To see a live example of these operators, run them as part of the **Get started** section.
+Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
+
+```
+| where ProcessCommandLine has "Net.WebClient"
+        or ProcessCommandLine has "DownloadFile"
+        or ProcessCommandLine has "Invoke-WebRequest"
+        or ProcessCommandLine has "Invoke-Shellcode"
+        or ProcessCommandLine contains "http:"
+```
+
+Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
+
+```
+| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
+| top 100 by EventTime'
+```
+
+Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
+
+## Learn common query operators for Advanced hunting
+
+Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by Advanced hunting supports a range of operators, including the following common ones.
+
+| Operator | Description and usage |
+|--|--|
+| **where** | Filter a table to the subset of rows that satisfy a predicate. |
+| **summarize** | Produce a table that aggregates the content of the input table. |
+| **join** | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
+| **count** | Return the number of records in the input record set. |
+| **top** | Return the first N records sorted by the specified columns. |
+| **limit** | Return up to the specified number of rows. |
+| **project** | Select the columns to include, rename or drop, and insert new computed columns. |
+| **extend** | Create calculated columns and append them to the result set. |
+| **makeset** |  Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
+| **find** | Find rows that match a predicate across a set of tables. |
+
+To see a live example of these operators, run them from the **Get started** section in advanced hunting.
+
+## Understand data types
+
+Data in Advanced hunting tables are generally classified into the following data types.
+
+| Data type | Description and query implications |
+|--|--|
+| **datetime** | Data and time information typically representing event timestamps |
+| **string** | Character string |
+| **bool** | True or false |
+| **int** | 32-bit numeric value  |
+| **long** | 64-bit numeric value |
+
+## Use sample queries
+
+The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
+
+![Image of Advanced hunting window](images/atp-advanced-hunting.png)
+
+>[!NOTE]
+>Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
 
 ## Access query language documentation
 
-For more information on the query language and supported operators, see  [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language).
-
-## Use exposed tables in Advanced hunting
-
-The following tables are exposed as part of Advanced hunting:
-
-- **AlertEvents** - Alerts on Microsoft Defender Security Center 
-- **MachineInfo** - Machine information, including OS information 
-- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains
-- **ProcessCreationEvents** - Process creation and related events 
-- **NetworkCommunicationEvents** - Network connection and related events
-- **FileCreationEvents** - File creation, modification, and other file system events
-- **RegistryEvents** - Creation and modification of registry entries 
-- **LogonEvents** - Login and other authentication events 
-- **ImageLoadEvents** - DLL loading events  
-- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts
-
-These tables include data from the last 30 days.
-
-## Use shared queries
-Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities.
-
-![Image of shared queries](images/atp-shared-queries.png)
-
-You can save, edit, update, or delete queries.
-
-### Save a query
-You can create or modify a query and save it as your own query or share it with users who are in the same tenant. 
-
-1. Create or modify a query. 
-
-2. Click the **Save query** drop-down button and select **Save as**.
-    
-3. Enter a name for the query. 
-
-   ![Image of saving a query](images/advanced-hunting-save-query.png)
-
-4. Select the folder where you'd like to save the query.
-    - Shared queries - Allows other users in the tenant to access the query
-    - My query - Accessible only to the user who saved the query
-    
-5. Click **Save**. 
-
-### Update a query
-These steps guide you on modifying and overwriting an existing query.
-
-1. Edit an existing query.
-
-2. Click the **Save**.
-
-### Delete a query
-1. Right-click on a query you want to delete.
-
-    ![Image of delete query](images/atp-delete-query.png)
-
-2. Select **Delete** and confirm that you want to delete the query.
-
-## Result set capabilities in Advanced hunting
-
-The result set has several capabilities to provide you with effective investigation, including:
-
-- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Microsoft Defender Security Center.
-- You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set. 
-
-![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
-
-## Filter results in Advanced hunting
-In Advanced hunting, you can use the advanced filter on the output result set of the query. 
-The filters provide an overview of the result set where 
-each column has it's own section and shows the distinct values that appear in the column and their prevalence.
-
-You can refine your query based on the filter by clicking the "+" or "-" buttons on the values that you want to include or exclude and click **Run query**.
-
-![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png)
-
-The filter selections will resolve as an additional query term and the results will be updated accordingly.
-
-
-
-## Public Advanced hunting query GitHub repository  
-Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers. 
-
+For more information on Kusto query language and supported operators, see  [Query Language](https://docs.microsoft.com/en-us/azure/kusto/query/).
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
 
-## Related topic
-- [Advanced hunting reference](advanced-hunting-reference.md)
-- [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
+## Related topics
+- [Advanced hunting overview](overview-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)

windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md

@@ -33,8 +33,22 @@ Custom detection rules built from [Advanced hunting](overview-hunting.md) querie
 
 In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
 
->[!NOTE]
->To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns.
+#### Required columns in the query results
+To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
+
+There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `MachineId`, you can still return `EventTime` and `ReportId` by getting them from the most recent event involving each machine. 
+
+The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
+
+```
+MiscEvents
+| where EventTime > ago(7d)
+| where ActionType == "AntivirusDetection"
+| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId
+| where count_ > 5
+```
+
+
 
 ### 2. Create new rule and provide alert details.
 

windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md

@@ -1,40 +1,71 @@
 ---
-title: Overview of advanced hunting capabilities
+title: Overview of Advanced hunting
 description: Hunt for possible threats across your organization using a powerful search and query tool
-keywords: advanced hunting, hunting, search, query, tool, intellisense, telemetry
+keywords: advanced hunting, hunting, search, query, tool, telemetry, custom detection, schema, kusto
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
+ms.author: lomayor
+author: lomayor
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
-ms.topic: conceptual
+ms.topic: article
 ---
 
-# Overview of advanced hunting 
+# Proactively hunt for threats with Advanced hunting
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Microsoft Defender Security Center. 
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 
-With advanced hunting, you can take advantage of the following capabilities:
+Advanced hunting provides access to 30 days of raw data through a flexible query-based interface, allowing you to proactively explore events in your environment and locate interesting indicators and entities. This flexible access to data enables unconstrained hunting for both known and potential threats. 
 
-- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level.
-- **Query the stored telemetry** - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types.
-- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the Advanced hunting query experience and the existing portal investigation experience.
-- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.
+With custom detection rules, you can also leverage Advanced hunting queries to proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines.
 
-## In this section
-Topic | Description 
-:---|:---
-[Query data using Advanced hunting](advanced-hunting.md) | Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization.
-[Custom detections](overview-custom-detections.md)|  With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats.
+## Get started with Advanced hunting
 
+We recommend going through several steps to quickly get up and running with Advanced hunting.
 
+| Learning goal | Description | Resource |
+|--|--|--|
+| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/en-us/azure/kusto/query/) and thus supports the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting.md) |
+| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-reference.md) |
+| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
+| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | [Custom detections overview](overview-custom-detections.md) |  
 
+## Get help as you write queries
+Take advantage of the following functionality to write queries faster:
+- **Autosuggest** — as you write queries, Advanced hunting provides suggestions.. 
+- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
+
+## Drilldown from query results
+To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity in Microsoft Defender Security Center.
+
+## Tweak your queries from the results
+Right-click a value in the result set to quickly enhance your query. You can use the options to:
+
+- Explicitly look for the selected value (`==`)
+- Exclude the selected value from the query (`!=`)
+- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with` 
+
+![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
+
+## Filter the query results
+The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
+
+Refine your query by selecting the "+" or "-" buttons on the values that you want to include or exclude and then selecting **Run query**.
+
+![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png)
+
+The filter selections are added as additional query elements and the results are updated accordingly.
+
+## Related topics
+- [Learn the query language](advanced-hunting.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-reference.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)