From f27e11d0fcf24370db9e2187a12910304ee450cb Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Tue, 25 Aug 2020 22:17:17 -0700 Subject: [PATCH] MDATP specific --- .../microsoft-defender-atp/advanced-hunting-overview.md | 4 ++-- .../microsoft-defender-atp/advanced-hunting-query-language.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index f2825a7ad1..e6feab4594 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md 
@@ -46,8 +46,8 @@ You can also go through each of the following steps to ramp up your advanced hun ## Data freshness and update frequency Advanced hunting data can be categorized into two distinct types, each consolidated differently: -- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to the corresponding cloud services. For example, you can start to query event data from healthy sensors on workstations or domain controllers almost immediately after they are available on Microsoft Defender ATP and Azure ATP. -- **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources, such as Active Directory entries, and dynamic sources, such as event logs. To provide fresh data, tables are updated every 15 minutes with any new information, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity. +- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP. +- **Entity data**—populates tables with consolidated information about users and devices. To provide fresh data, tables are updated every 15 minutes with any new information, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity. ## Time zone All time information in advanced hunting is currently in the UTC time zone. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index a27ec1c3d1..1b1ce276f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -157,7 +157,7 @@ The query editor can serve as your scratch pad for experimenting with multiple q - Separate each query with an empty line. - Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**. -![Image of advanced hunting window](images/ah-multi-query.png) +![Image of the advanced hunting query editor with multiple queries](images/ah-multi-query.png) _Query editor with multiple queries_ @@ -165,7 +165,7 @@ _Query editor with multiple queries_ The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them. -![Image of advanced hunting window](images/atp-advanced-hunting.png) +![Image of the advanced hunting get started tab](images/atp-advanced-hunting.png) > [!NOTE] > Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
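Review bot: in the advanced-hunting-overview.md hunk, deleting the sentence "This data comes from both relatively static data sources, such as Active Directory entries, and dynamic sources, such as event logs." removes the only explanation of why the rows added every 15 minutes "might not be fully populated"; if the intent is only to drop the Azure ATP references, keep a Microsoft Defender ATP-only version of that sentence (static device/user inventory versus dynamic event-derived fields) rather than removing it outright. The same hunk carries over the plural "them" for "data" ("the sensors that collect them successfully transmit them to Microsoft Defender ATP"); since the line is being rewritten anyway, "collect it ... transmit it" would read more cleanly.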
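Review bot: the new alt text in the first advanced-hunting-query-language.md hunk ("Image of the advanced hunting query editor with multiple queries") is an improvement over the generic "Image of advanced hunting window", but it now nearly duplicates the caption `_Query editor with multiple queries_` on the following line, so assistive technology reads the same description twice. Drop the "Image of" prefix (the image role is already announced) and let the alt text add something the caption does not, for example "Advanced hunting query editor showing several queries separated by empty lines", which matches the bullet "Separate each query with an empty line." just above it.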
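Review bot: the alt text in the second advanced-hunting-query-language.md hunk ("Image of the advanced hunting get started tab") uses lowercase "get started" and the word "tab", while the sentence above refers to the **Get started** section; use the same capitalization and the same noun so the alt text can be matched to the UI element named in the prose, e.g. "Advanced hunting Get started section with sample queries". As with the other hunk, the "Image of" prefix can be dropped.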