Fixed minor rendering issues.

This commit is contained in:
Andrea Bichsel (Aquent LLC)
2018-02-14 14:08:54 -08:00
parent 3d28cbd46d
commit fdae8910bc

@ -40,7 +40,7 @@ A typical query starts with a table name followed by a series of operators separ
We start with the table name FileCreationEvents and add piped elements as needed.
First, we define a time filter to review only records from the last 1 day. We then add a filter on the _FolderPath_ field to contain only the paths \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
First, we define a time filter to review only records from the last 1 day. We then add a filter on the _FolderPath_ field to contain only the path \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
Finally, we limit the results to 100 and click **Run query**.
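Review bot: the Startup folder path on the changed line is still plain prose, so the backslashes in \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup are at the mercy of the markdown renderer and may be swallowed or turned into escapes; wrap the path in inline code, e.g. `\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`, the same way _FolderPath_ is already marked up as a field name. While touching the sentence, "the last 1 day" reads awkwardly and can simply be "the last day", and FileCreationEvents on the preceding context line should get the same inline-code treatment as a table name so the three kinds of token (table, field, path) are visually distinct for someone copying the query.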
@ -67,20 +67,20 @@ For more information on the query language and supported operators, see [Query L
The following tables are exposed as part of advanced hunting:
- **ProcessCreationEvents** <EFBFBD> stores all process creation events telemetry of the organization.
- **ProcessCreationEvents** - stores all process creation events telemetry of the organization.
- **NetworkCommunicationEvents** - stores all network communication events telemetry of the organization.
- **FileCreationEvents** - stores all file creation, modification and rename events telemetry of the organization.
- **AlertEvents** - stores all alerts related information trigged in the organization.
- **RegistryEvents** - stores all registry key creation, modification, rename and deletion events telemetry of the organization.
- **LogonEvents** <EFBFBD> stores all Login events telemetry of the organization.
- **ImageLoadEvents** <EFBFBD> stores all load dll events telemetry of the organization.
- **MiscEvents** <EFBFBD> stores several types of events, including Exploit Guard, Smart Screen, Application Guard, and Firewall events.
- **LogonEvents** - stores all Login events telemetry of the organization.
- **ImageLoadEvents** - stores all load dll events telemetry of the organization.
- **MiscEvents** - stores several types of events, including Exploit Guard, Smart Screen, Application Guard, and Firewall events.
## Results set in advanced hunting
The results set has several capabilities to provide you with effective investigation, including:
- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, user, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
- If you right-click on a cell in the results set, you can add a filter to your written query. The current filtering options are **include** or **exclude**; these cell values are part of the row set.
![Image of Windows Defender ATP advanced hunting results set](images/atp-advanced-hunting-results-set.png)
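Review bot: the AlertEvents context line still reads "alerts related information trigged in the organization"; since this hunk is already cleaning up the list, fix "trigged" to "triggered" and hyphenate "alert-related" in the same change rather than leaving a second typo pass. The replacement of the U+FFFD mojibake with a plain hyphen is the right call, but the new lines keep a few inconsistencies worth settling here: "Login events" under a table named LogonEvents should be "logon events", "load dll events" should be "DLL load events", and "Smart Screen" is the product name "SmartScreen". In the results-set bullets, "these cell values are part of the row set" does not say what the reader needs; suggest stating plainly that the include/exclude filter is built from the selected cell's value, and "Machine name, Machine ID, File name, SHA1, User, IP, and URL" would be clearer as a list of column names in inline code so it is obvious they are the linked entity columns.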