Commit 4c17139

edits
1 parent e42b8c4 commit 4c17139

1 file changed

+5
-5
lines changed

defender-xdr/advanced-hunting-defender-results.md

Lines changed: 5 additions & 5 deletions
@@ -93,15 +93,15 @@ You can use the link to incident feature to add advanced hunting query results t
9393
- URL
9494
- MailCluster
9595
- MailMessage
96-
96+
<br>
9797
> [!NOTE]
98-
> For queries containing only XDR data, only entity types that are available in XDR tables are shown.
99-
98+
> For queries containing only XDR data, only entity types that are available in XDR tables are shown.
99+
<br>
100100
After an entity type is selected, select an identifier type that exists in the selected records and will be used to identify this entity. Each entity type has a list of supported identifiers, as can be seen in the relevant drop down. Use the description displayed when hovering on each identifier to better understand it.
101101

102-
After selecting the identifier, select a column from the query results’ that contains the selected identifier. You can click on the schema icon to open the schema reference and read the description on every column, to make sure you chose the right column that matches the selected identifier.
102+
After selecting the identifier, select a column from the query results’ that contains the selected identifier. You can click on the schema icon to open the schema reference and read the description on every column, to make sure you chose the right column that matches the selected identifier.
103103

104-
:::image type="content" source="/defender/media/advanced-hunting-results-link5.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link5.png":::
104+
:::image type="content" source="/defender/media/advanced-hunting-results-link5.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link5.png":::
105105

106106
In our example, we used a query to find events related to a possible email exfiltration incident, therefore the recipient’s mailbox and recipient’s account are the impacted entities, and the sender’s IP as well as mail message are related evidence.
107107
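
Review bot: the `<br>` added at new line 99 sits directly under the last line of the `> [!NOTE]` block with no blank line between them, so as shown here a Markdown parser may read it as a lazy continuation of the note's paragraph instead of spacing after the note. If the two `<br>` lines (96 and 99) are meant to control spacing around the note inside the list, consider leaving a blank line after the note, or indenting the note to the list item's level, rather than using raw HTML. Line 102 is touched in this commit but still carries the stray apostrophe in "query results’ that contains", which could be fixed in the same change. The visible text of lines 98, 102 and 104 is otherwise identical on both sides, so the commit message could state that these are whitespace-only changes.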
