lomayor d37bd86752 AH-SEO-optimization
Legacy files renamed, redirected. Meta desc and keywords enhanced
2019-10-08 18:21:28 -07:00


---
title: Use shared queries in Advanced hunting
description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---

Use shared queries in Advanced hunting

Applies to: Microsoft Defender ATP

Want to experience Microsoft Defender ATP? Sign up for a free trial.

Advanced hunting queries can be shared with other users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without writing queries from scratch.

Image of shared queries

Save, modify, and share a query

You can save a new or existing query so that it is accessible only to you, or so that it is shared with all other users in your organization.

  1. Type a new query or load an existing one from under Shared queries or My queries.

  2. Select Save or Save as from the save options. To avoid overwriting an existing query, choose Save as.

  3. Enter a name for the query.

    Image of saving a query

  4. Select the folder where you'd like to save the query.

    • Shared queries — visible to all users in your organization, so make sure the query text and any indicators it contains are appropriate to share organization-wide
    • My queries — accessible only to you
  5. Select Save.
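The following is an added example of the kind of query you might save under Shared queries; it is not code from the original page or from Microsoft's GitHub repository. It assumes the Advanced hunting DeviceProcessEvents table and the columns Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName and InitiatingProcessCommandLine. The comment header is saved with the query text, so colleagues who open the shared query can see what it looks for and how to tune it.

```kusto
// Shared query: Office applications spawning scripting or shell interpreters.
// Added example, not from the docs page. Assumed schema: DeviceProcessEvents
// with Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
// InitiatingProcessFileName, InitiatingProcessCommandLine.
// Tuning: extend the parent or child lists, or add an exclusion for known
// automation accounts before saving a revised copy with "Save as".
let lookback = 7d;
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let interpreters = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (officeApps)   // parent is an Office app
| where FileName in~ (interpreters)                  // child is an interpreter
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine
| sort by Timestamp desc
```

Run the query once to confirm it returns the expected columns, then use Save as and choose the Shared queries folder so the rest of the team can load it from the same menu.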

Delete or rename a query

  1. Right-click on a query you want to rename or delete.

    Image of delete query

  2. Select Delete and confirm deletion. Or select Rename and provide a new name for the query.

Access queries in the GitHub repository

Microsoft security researchers regularly share Advanced hunting queries in a designated public repository on GitHub. This repository is open to contributions. To contribute, join GitHub for free. Review any query from the public repository before running it, and save it to My queries or Shared queries only after you have confirmed it does what its description says.

Tip

Microsoft security researchers also provide Advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the threat analytics reports in Microsoft Defender Security Center.