Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

officedocspr 2019-10-07 23:07:10 +00:00
commit f5ba9ca26a
25 changed files with 678 additions and 612 deletions

File diff suppressed because it is too large

View File

@ -5,7 +5,8 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.date: 08/16/2018
ms.reviewer:
@ -20,7 +21,7 @@ Each release of Windows 10 adds new features and functionality; we also occasion
> [!TIP]
> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes.
> - Have questions about other releases? Check out the information for [Windows 10, version 1703](windows-10-creators-update-deprecation.md), and [Windows 10, version 1709](windows-10-fall-creators-deprecation.md).
> - Have questions about other releases? Check out the information for [Windows 10, version 1703](windows-10-1703-removed-features.md) , and [Windows 10, version 1709](windows-10-1709-removed-features.md).
**The list is subject to change and might not include every affected feature or functionality.**
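Review bot: the rewritten tip line `[Windows 10, version 1703](windows-10-1703-removed-features.md) , and [Windows 10, version 1709](windows-10-1709-removed-features.md).` has a stray space before the comma after the first link; drop it so it reads `...removed-features.md), and ...`, matching the second link on the same line and the same tip in the 1809 page later in this commit.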

View File

@ -5,7 +5,8 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: medium
ms.sitesec: library
audience: itpro author: greg-lindsay
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.date: 11/16/2018
ms.reviewer:
@ -20,7 +21,7 @@ Each release of Windows 10 adds new features and functionality; we also occasion
> [!TIP]
> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes.
> - Have questions about other releases? Check out the information for [Windows 10, version 1803](windows-10-1803-removed-features.md), [Windows 10, version 1709](windows-10-fall-creators-deprecation.md), and [Windows 10, version 1703](windows-10-creators-update-deprecation.md).
> - Have questions about other releases? Check out the information for [Windows 10, version 1803](windows-10-1803-removed-features.md), [Windows 10, version 1709](windows-10-1709-removed-features.md), and [Windows 10, version 1703](windows-10-1703-removed-features.md).
**The list is subject to change and might not include every affected feature or functionality.**
@ -35,7 +36,7 @@ We're removing the following features and functionalities from the installed pro
|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.|
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.|
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.|
|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|Were no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.|
|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|Were no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.|
## Features were no longer developing
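Review bot: this hunk only switches the Update Catalog link from http to https, but the same table row still reads `Were no longer publishing new updates to the WEDU server`, and the heading directly after the table reads `## Features were no longer developing`; both are missing an apostrophe (`We're` / `we're`). Since the row is already being edited, fix both here rather than leaving a known typo in the live page. The https change itself is worth keeping: pointing readers at an update download site over plain http invites a redirect or downgrade on the way to fetching the packages.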

View File

@ -108,21 +108,22 @@
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
#### [Learn the query language](microsoft-defender-atp/advanced-hunting.md)
#### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
#### [Advanced hunting schema reference]()
##### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
##### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
##### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
##### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
##### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
##### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
##### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
##### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
##### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
##### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
##### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
#### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
##### [Understand the schema](microsoft-defender-atp/advanced-hunting-reference.md)
##### [AlertEvents](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
##### [FileCreationEvents](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
##### [ImageLoadEvents](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
##### [LogonEvents](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
##### [MachineInfo](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
##### [MachineNetworkInfo](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
##### [MiscEvents](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
#### [Custom detections]()

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
The AlertEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
@ -47,8 +47,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
| Table | string | Table that contains the details of the event |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)
- [Learn the query language](advanced-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)
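Review bot: the same page, advanced-hunting-reference.md, is now named two different ways within this file: `[the Advanced hunting schema reference](advanced-hunting-reference.md)` in the intro paragraph of the hunk above and `[Understand the schema](advanced-hunting-reference.md)` in Related topics here, and the TOC hunk uses both names as well. Settle on one title, ideally the page's new H1 `Understand the Advanced hunting schema`, so readers see the same name in the TOC, the intro links and the Related topics lists across every table page touched by this commit.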

View File

@ -1,55 +1,50 @@
---
title: Advanced hunting best practices in Microsoft Defender ATP
description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data.
keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, kusto
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/24/2018
ms.topic: article
ms.date: 09/25/2019
---
# Advanced hunting query best practices in Microsoft Defender ATP
# Advanced hunting query best practices
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
## Performance best practices
The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries.
- When trying new queries, always use `limit` to avoid extremely large result sets or use `count` to assess the size of the result set.
- Use time filters first. Ideally, limit your queries to 7 days.
## Optimize query performance
Apply the recommendations to get results faster and avoid timeouts while running complex queries:
- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.
- Use time filters first. Ideally, limit your queries to seven days.
- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
- Use the `has` operator over `contains` when looking for full tokens.
- Use looking in specific column rather than using full text search across all columns.
- When joining between two tables, specify the table with fewer rows first.
- When joining between two tables, project only needed columns from both sides of the join.
- Look in a specific column rather than running full text searches across all columns.
- When joining tables, specify the table with fewer rows first.
- `project` only the necessary columns from tables you've joined.
>[!Tip]
>[!TIP]
>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).
## Query tips and pitfalls
### Using process IDs
Process IDs (PIDs) are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
To address this issue, Microsoft Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
### Queries with process IDs
Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `MachineId` or `ComputerName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`) and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`)
The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
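Review bot: the example query that follows does not practise the guidance a few lines up (`Use time filters first` and `Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter`): its first `where` reads `RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4)`, with the time filter in second place. Reorder it to `| where EventTime > ago(12h) and RemotePort == 445 and InitiatingProcessId !in (0, 4)` so the sample models the rule it sits under. The fence that opens the example also carries no language tag; `kusto` would give it syntax highlighting.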
Example query:
```
NetworkCommunicationEvents
| where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4)
@ -59,22 +54,19 @@ NetworkCommunicationEvents
The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
### Using command lines
### Queries with command lines
Command lines can vary. When applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task.
There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces.
For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more.
To create more durable queries using command lines, apply the following practices:
To create more durable queries using command lines, we recommended the following guidelines:
- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field.
- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
- Identify the known processes (such as *net.exe* or *psexec.exe*) by matching on the filename fields, instead of filtering on the command-line field.
- When querying for command-line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
- Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`
- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones.
- To mitigate DOS command-line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS obfuscation techniques that require other approaches, but these can help address the most common ones.
The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
```
// Non-durable query - do not use
@ -94,3 +86,8 @@ ProcessCreationEvents
```
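Review bot: the bullet "use regular expressions or use multiple separate contains operators" reads as contradicting "Use the has operator over contains when looking for full tokens" from the performance section unless the distinction is spelled out: `has` matches whole tokens and is the right choice for the file-name fields, while `contains` is a substring match and is what argument fragments embedded in a command line need. One sentence saying so would stop readers applying the `has` rule to the command-line field. Also put `contains` in backticks as on the neighbouring bullets, and tag the `net.exe` example fence with `kusto` so it matches the first example once that one is tagged.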
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [Learn the query language](advanced-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
The FileCreationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
@ -73,8 +73,6 @@ For information on other tables in the Advanced hunting schema, see [the Advanc
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)
- [Learn the query language](advanced-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
The ImageLoadEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
@ -59,8 +59,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)
- [Learn the query language](advanced-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
The LogonEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
@ -67,8 +67,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)
- [Learn the query language](advanced-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
The MachineInfo table in the [Advanced hunting](overview-hunting.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
@ -48,8 +48,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)
- [Learn the query language](advanced-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
The MachineNetworkInfo table in the [Advanced hunting](overview-hunting.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
@ -49,8 +49,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)
- [Learn the query language](advanced-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
The MiscEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
@ -80,8 +80,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)
- [Learn the query language](advanced-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
The NetworkCommunicationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
@ -63,8 +63,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)
- [Learn the query language](advanced-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
The ProcessCreationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
@ -71,8 +71,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)
- [Learn the query language](advanced-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)

View File

@ -8,27 +8,26 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
ms.date: 09/25/2019
---
# Advanced hunting reference in Microsoft Defender ATP
# Understand the Advanced hunting schema
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
## Advanced hunting table reference
## Schema tables
The Advanced hunting schema is made up of multiple tables that provide either event information or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
The [Advanced hunting](overview-hunting.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
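Review bot: the new intro says the schema holds "either event information or information about machines and other entities", but the table that follows does not say which tables fall into which group. The list being removed from advanced-hunting.md later in this commit already draws that line (AlertEvents, MachineInfo and MachineNetworkInfo describe entities; the remaining *Events tables are event tables) and also states that the tables hold data from the last 30 days; carry both facts over here rather than losing them, for example by grouping the rows or adding a "Type" column.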
@ -48,6 +47,5 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
## Related topics
- [Query data using Advanced hunting](advanced-hunting.md)
- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md)
- [Advanced hunting overview](overview-hunting.md)
- [Learn the query language](advanced-hunting.md)

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
The RegistryEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
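Review bot: the link text "the Advanced hunting schema reference" no longer matches the page it points to, which this commit retitles "Understand the Advanced hunting schema"; the overview page meanwhile links the same file as "Schema reference" in one place and "Understand the schema" in another. Settle on one name for the page and use it in every cross-reference so readers can tell they are being sent to the same document.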
@ -61,8 +61,6 @@ For information on other tables in the Advanced hunting schema, see [the Advance
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)
- [Learn the query language](advanced-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)

View File

@ -0,0 +1,64 @@
---
title: Use shared queries in advanced hunting
description: Take advantage of shared advanced hunting queries. Share your queries to the public or to your organization.
keywords: advanced hunting, atp query, query atp data, atp telemetry, events, events telemetry, kusto, github repo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/25/2019
---
# Use shared queries in Advanced hunting
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
[Advanced hunting](overview-hunting.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
![Image of shared queries](images/atp-advanced-hunting-shared-queries.png)
## Save, modify, and share a query
You can save a new or existing query so that it is only accessible to you or shared with other users in your organization.
1. Type a new query or load an existing one from under **Shared queries** or **My queries**.
2. Select **Save** or **Save as** from the save options. To avoid overwriting an existing query, choose **Save as**.
3. Enter a name for the query.
![Image of saving a query](images/advanced-hunting-save-query.png)
4. Select the folder where you'd like to save the query.
- **Shared queries** — shared to all users in the your organization
- **My queries** — accessible only to you
5. Select **Save**.
## Delete or rename a query
1. Right-click on a query you want to rename or delete.
![Image of delete query](images/atp_advanced_hunting_delete_rename.png)
2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
## Access queries in the GitHub repository
Microsoft security researchers regularly share Advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/).
>[!TIP]
>Microsoft security researchers also provide Advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [Learn the query language](advanced-hunting.md)
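Review bot: typo in the Shared queries bullet: "shared to all users in the your organization" should read "shared with all users in your organization". The page also never says who may rename or delete a query saved under Shared queries, or whether deleting one removes it for everyone; since the steps under "Delete or rename a query" apply to both folders, state the permission model (or link to the role-based access control page) so an analyst does not remove a shared query the rest of the team relies on. Finally, queries pulled from the public GitHub repository are third-party content; a sentence advising readers to review a query before saving it into Shared queries would fit under "Access queries in the GitHub repository".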

View File

@ -1,153 +1,143 @@
---
title: Query data using Advanced hunting in Microsoft Defender ATP
description: Learn about Advanced hunting in Microsoft Defender ATP and how to query ATP data.
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
title: Learn the Advanced hunting query language
description: Get an overview of the common operators and other aspects of the Advanced hunting query language you can use to formulate queries
keywords: advanced hunting, atp query, query atp data, atp telemetry, events, events telemetry, kusto
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 08/15/2018
ms.date: 09/25/2019
---
# Query data using Advanced hunting in Microsoft Defender ATP
# Learn the Advanced hunting query language
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query.
To get you started in querying your data, you can use the Basic or Advanced query examples, which have some preloaded queries to help you understand the basic query syntax.
## Try your first query
![Image of Advanced hunting window](images/atp-advanced-hunting.png)
In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
## Use advanced hunting to query data
```
// Finds PowerShell execution events that could involve a download.
ProcessCreationEvents
| where EventTime > ago(7d)
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime'
```
A typical query starts with a table name followed by a series of operators separated by **|**.
In the following example, we start with the table name **ProcessCreationEvents** and add piped elements as needed.
This is how it will look like in Advanced hunting.
![Image of Microsoft Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png)
First, we define a time filter to review only records from the previous seven days.
### Describe the query and specify the table to search
The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
We then add a filter on the _FileName_ to contain only instances of _powershell.exe_.
```
// Finds PowerShell execution events that could involve a download.
ProcessCreationEvents
```
Afterwards, we add a filter on the _ProcessCommandLine_.
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `ProcessCreationEvents` and add piped elements as needed.
Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**.
### Set the time range
The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
You have the option of expanding the screen view so you can focus on your hunting query and related results.
```
| where EventTime > ago(7d)
```
### Search for specific executable files
The time range is immediately followed by a search for files representing the PowerShell application.
### Use operators
The query language is very powerful and has a lot of available operators, some of them are -
```
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
```
### Search for specific command lines
Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
- **where** - Filter a table to the subset of rows that satisfy a predicate.
- **summarize** - Produce a table that aggregates the content of the input table.
- **join** - Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table.
- **count** - Return the number of records in the input record set.
- **top** - Return the first N records sorted by the specified columns.
- **limit** - Return up to the specified number of rows.
- **project** - Select the columns to include, rename or drop, and insert new computed columns.
- **extend** - Create calculated columns and append them to the result set.
- **makeset** - Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group
- **find** - Find rows that match a predicate across a set of tables.
```
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
```
### Select result columns and length
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
To see a live example of these operators, run them as part of the **Get started** section.
```
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime'
```
Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
## Learn common query operators for Advanced hunting
Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by Advanced hunting supports a range of operators, including the following common ones.
| Operator | Description and usage |
|--|--|
| **where** | Filter a table to the subset of rows that satisfy a predicate. |
| **summarize** | Produce a table that aggregates the content of the input table. |
| **join** | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
| **count** | Return the number of records in the input record set. |
| **top** | Return the first N records sorted by the specified columns. |
| **limit** | Return up to the specified number of rows. |
| **project** | Select the columns to include, rename or drop, and insert new computed columns. |
| **extend** | Create calculated columns and append them to the result set. |
| **makeset** | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
| **find** | Find rows that match a predicate across a set of tables. |
To see a live example of these operators, run them from the **Get started** section of the Advanced hunting page.
## Understand data types
Data in Advanced hunting tables are generally classified into the following data types.
| Data type | Description and query implications |
|--|--|
| **datetime** | Data and time information typically representing event timestamps |
| **string** | Character string |
| **bool** | True or false |
| **int** | 32-bit numeric value |
| **long** | 64-bit numeric value |
## Use sample queries
The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
![Image of Advanced hunting window](images/atp-advanced-hunting.png)
>[!NOTE]
>Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
## Access query language documentation
For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language).
## Use exposed tables in Advanced hunting
The following tables are exposed as part of Advanced hunting:
- **AlertEvents** - Alerts on Microsoft Defender Security Center
- **MachineInfo** - Machine information, including OS information
- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains
- **ProcessCreationEvents** - Process creation and related events
- **NetworkCommunicationEvents** - Network connection and related events
- **FileCreationEvents** - File creation, modification, and other file system events
- **RegistryEvents** - Creation and modification of registry entries
- **LogonEvents** - Login and other authentication events
- **ImageLoadEvents** - DLL loading events
- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts
These tables include data from the last 30 days.
## Use shared queries
Shared queries are prepopulated queries that give you a starting point on running queries on your organization's data. It includes a couple of examples that help demonstrate the query language capabilities.
![Image of shared queries](images/atp-shared-queries.png)
You can save, edit, update, or delete queries.
### Save a query
You can create or modify a query and save it as your own query or share it with users who are in the same tenant.
1. Create or modify a query.
2. Click the **Save query** drop-down button and select **Save as**.
3. Enter a name for the query.
![Image of saving a query](images/advanced-hunting-save-query.png)
4. Select the folder where you'd like to save the query.
- Shared queries - Allows other users in the tenant to access the query
- My query - Accessible only to the user who saved the query
5. Click **Save**.
### Update a query
These steps guide you on modifying and overwriting an existing query.
1. Edit an existing query.
2. Click the **Save**.
### Delete a query
1. Right-click on a query you want to delete.
![Image of delete query](images/atp-delete-query.png)
2. Select **Delete** and confirm that you want to delete the query.
## Result set capabilities in Advanced hunting
The result set has several capabilities to provide you with effective investigation, including:
- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Microsoft Defender Security Center.
- You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set.
![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
## Filter results in Advanced hunting
In Advanced hunting, you can use the advanced filter on the output result set of the query.
The filters provide an overview of the result set where
each column has it's own section and shows the distinct values that appear in the column and their prevalence.
You can refine your query based on the filter by clicking the "+" or "-" buttons on the values that you want to include or exclude and click **Run query**.
![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png)
The filter selections will resolve as an additional query term and the results will be updated accordingly.
## Public Advanced hunting query GitHub repository
Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
For more information on Kusto query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/kusto/query/).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
## Related topic
- [Advanced hunting reference](advanced-hunting-reference.md)
- [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [Understand the schema](advanced-hunting-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
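Review bot: the sample query has a stray single quote at the end of `| top 100 by EventTime'`, in both the full listing and the excerpt under "Select result columns and length"; Kusto treats it as an unterminated string literal, so a reader who follows "Click Run query" gets a parse error instead of results. Drop the quote in both places. Three smaller points: the data types table reads "Data and time information" where "Date and time" is meant; `makeset` is the deprecated spelling of the `make_set()` aggregation function in Kusto, so list it as `make_set` to match the linked Kusto documentation; and `in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")` only covers two capitalizations, whereas the case-insensitive `in~ ("powershell.exe", "powershell_ise.exe")` is shorter and catches mixed-case names. The sentence "making the results well-formatted and reasonably large and easy to process" also reads awkwardly; "keeping the result set small and easy to read" says what is meant.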

View File

@ -33,8 +33,10 @@ Custom detection rules built from [Advanced hunting](overview-hunting.md) querie
In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
> [!NOTE]
> To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that dont use the `project` operator to customize results usually return these common columns.
#### Required columns in the query results
To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Simple queries, such as those that dont use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `MachineId`, you can still return `EventTime` and `ReportId` by getting them from the most recent event involving each machine.
The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
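Review bot: "those that dont use" is missing its apostrophe (don't), carried over from the NOTE this hunk removes. The new "Required columns" section is an improvement; consider also stating what happens when a query omits one of `EventTime`, `MachineId` or `ReportId` (rejected when the rule is saved, or failing at the next run), since that is the first thing a reader hits after aggregating with `summarize`.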
@ -112,3 +114,5 @@ You can also take the following actions on the rule from this page:
## Related topic
- [Custom detections overview](overview-custom-detections.md)
- [Advanced hunting overview](overview-hunting.md)
- [Learn the Advanced hunting query language](advanced-hunting.md)
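Review bot: the heading "## Related topic" is singular but now introduces three links; the custom detections overview hunk below has the same mismatch with two. Use "## Related topics", as the other pages touched in this commit do.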

Binary file not shown.

After

Width:  |  Height:  |  Size: 24 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 137 KiB

After

Width:  |  Height:  |  Size: 135 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 8.2 KiB

View File

@ -28,7 +28,7 @@ With custom detections, you can proactively monitor for and respond to various e
Custom detections work with [Advanced hunting](overview-hunting.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches.
Custom detections provide:
- Alerts from rule-based detections built from Advanced hunting queries
- Alerts for rule-based detections built from Advanced hunting queries
- Automatic response actions that apply to files and machines
>[!NOTE]
@ -36,3 +36,4 @@ Custom detections provide:
## Related topic
- [Create and manage custom detection rules](custom-detection-rules.md)
- [Advanced hunting overview](overview-hunting.md)

View File

@ -1,40 +1,72 @@
---
title: Overview of advanced hunting capabilities
title: Overview of Advanced hunting
description: Hunt for possible threats across your organization using a powerful search and query tool
keywords: advanced hunting, hunting, search, query, tool, intellisense, telemetry
keywords: advanced hunting, hunting, search, query, tool, telemetry, custom detection, schema, kusto
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.topic: article
---
# Overview of advanced hunting
# Proactively hunt for threats with Advanced hunting
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Microsoft Defender Security Center.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
With advanced hunting, you can take advantage of the following capabilities:
Advanced hunting provides access to 30 days of raw data through a flexible query-based interface, allowing you to proactively explore events in your environment and locate interesting indicators and entities. This flexible access to data enables unconstrained hunting for both known and potential threats.
- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level.
- **Query the stored telemetry** - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types.
- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the Advanced hunting query experience and the existing portal investigation experience.
- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.
With custom detection rules, you can also use Advanced hunting queries to proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines.
## In this section
Topic | Description
:---|:---
[Query data using Advanced hunting](advanced-hunting.md) | Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization.
[Custom detections](overview-custom-detections.md)| With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats.
## Get started with Advanced hunting
We recommend going through several steps to quickly get up and running with Advanced hunting.
| Learning goal | Description | Resource |
|--|--|--|
| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting.md) |
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-reference.md) |
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | [Custom detections overview](overview-custom-detections.md) |
## Get help as you write queries
Take advantage of the following functionality to write queries faster:
- **Autosuggest** — as you write queries, Advanced hunting provides suggestions.
- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
## Drilldown from query results
To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity in Microsoft Defender Security Center.
## Tweak your queries from the results
Right-click a value in the result set to quickly enhance your query. You can use the options to:
- Explicitly look for the selected value (`==`)
- Exclude the selected value from the query (`!=`)
- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with`
![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
## Filter the query results
The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude.
![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png)
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
## Related topics
- [Learn the query language](advanced-hunting.md)
- [Use shared queries](advanced-hunting-shared-queries.md)
- [Understand the schema](advanced-hunting-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
- [Custom detections overview](overview-custom-detections.md)
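Review bot: "Drilldown from query results" should be the verb form "Drill down from query results", and "insert it to the query editor" should be "into". The bullet that lists `starts with` and `ends with` as operators does not match the Kusto spellings `startswith` and `endswith` used in the query language docs the same page links to; if these are the labels shown in the right-click menu, say so, otherwise use the operator names. Link text for the same two pages also varies within this file: the Get started table calls them "Query language overview" and "Schema reference" while Related topics calls them "Learn the query language" and "Understand the schema".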

View File

@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
---
@ -41,7 +40,7 @@ MpCmdRun.exe [command] [-options]
| Command | Description |
|:--------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------|
| \-? **or** -h | Displays all available options for this tool |
| \-Scan [-ScanType #] [-File \<path> [-DisableRemediation] [-BootSectorScan]] [-Timeout \<days>] [-Cancel] | Scans for malicious software |
| \-Scan [-ScanType [0\|1\|2\|3]] [-File \<path> [-DisableRemediation] [-BootSectorScan]] [-Timeout \<days>] [-Cancel] | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **1** Quick scan, **2** Full scan, **3** File and directory custom scan. |
| \-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing |
| \-GetFiles | Collects support information |
| \-GetFilesDiagTrack | Same as Getfiles but outputs to temporary DiagTrack folder |
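Review bot: the new ScanType description lists 3 as "File and directory custom scan" but does not say that `-File <path>` is the argument that goes with that value; since the syntax nests `-File` inside `-Scan`, a sentence such as "Use `-ScanType 3 -File <path>` to scan a specific file or folder" would remove the ambiguity. `-Timeout <days>` and `-Cancel` in the same row still have no description at all; a short note on each (and on the default timeout, if there is one) would make the row self-contained.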