You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/advanced-hunting-defender-results.md
+9-9Lines changed: 9 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -93,21 +93,21 @@ You can use the link to incident feature to add advanced hunting query results t
93
93
- URL
94
94
- MailCluster
95
95
- MailMessage
96
-
<br>
97
-
> [!NOTE]
96
+
97
+
> [!NOTE]
98
98
> For queries containing only XDR data, only entity types that are available in XDR tables are shown.
99
-
<br>
100
-
After an entity type is selected, select an identifier type that exists in the selected records and will be used to identify this entity. Each entity type has a list of supported identifiers, as can be seen in the relevant drop down. Use the description displayed when hovering on each identifier to better understand it.
101
99
102
-
After selecting the identifier, select a column from the query results’ that contains the selected identifier. You can click on the schema icon to open the schema reference and read the description on every column, to make sure you chose the right column that matches the selected identifier.
100
+
After an entity type is selected, select an identifier type that exists in the selected records and will be used to identify this entity. Each entity type has a list of supported identifiers, as can be seen in the relevant drop down. Use the description displayed when hovering on each identifier to better understand it.
101
+
102
+
After selecting the identifier, select a column from the query results’ that contains the selected identifier. You can click on the schema icon to open the schema reference and read the description on every column, to make sure you chose the right column that matches the selected identifier.
103
103
104
-
:::image type="content" source="/defender/media/advanced-hunting-results-link5.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link5.png":::
104
+
:::image type="content" source="/defender/media/advanced-hunting-results-link5.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link5.png":::
105
105
106
-
In our example, we used a query to find events related to a possible email exfiltration incident, therefore the recipient’s mailbox and recipient’s account are the impacted entities, and the sender’s IP as well as mail message are related evidence.
106
+
In our example, we used a query to find events related to a possible email exfiltration incident, therefore the recipient’s mailbox and recipient’s account are the impacted entities, and the sender’s IP as well as mail message are related evidence.
107
107
108
-
:::image type="content" source="/defender/media/advanced-hunting-results-link6.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link6.png":::
108
+
:::image type="content" source="/defender/media/advanced-hunting-results-link6.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link6.png":::
109
109
110
-
A different alert is created for each record with a unique combination of impacted entities. In our example, if there are three different recipients mailboxes and recipient object ids combinations, for instance, then three alerts are created and linked to the chosen incident.
110
+
A different alert is created for each record with a unique combination of impacted entities. In our example, if there are three different recipients mailboxes and recipient object ids combinations, for instance, then three alerts are created and linked to the chosen incident.
111
111
112
112
6. Select **Next**.
113
113
7. Review the details you've provided in the Summary section.
0 commit comments