Merge branch 'main' into wi-502580-batch-5-redone-defender-xdr-image-reorg

Author: mberdugo

defender-xdr/advanced-hunting-custom-functions.md

@@ -40,7 +40,7 @@ A function is a type of query in advanced hunting that you can use in other quer
 
 There are three different types of functions in advanced hunting:
 
-![Function types](/defender/media/advanced-hunting-custom-fxns/function-types.png)
+![Function types](media/advanced-hunting-custom-functions/function-types.png)
 
 - **Built-in functions** – Prebuilt functions included with Microsoft Defender XDR advanced hunting. These functions are available in all advanced hunting instances and can't be modified.
 - **Shared functions** – Custom functions that users create. All users in a specific tenant can access these functions. Users can modify and control these functions.
@@ -51,7 +51,7 @@ There are three different types of functions in advanced hunting:
 To create a function from the current query in the editor:
 
 1. Select **Save** and then **Save as function**.
-  ![Save as function](/defender/media/advanced-hunting-custom-fxns/save-as-function.png)
+  ![Save as function](media/advanced-hunting-custom-functions/save-as-function.png)
 
 1. In the **Save as function** flyout panel, provide the following information:
 
@@ -60,7 +60,7 @@ To create a function from the current query in the editor:
     - **Description** - A description that helps other users understand the purpose of the function and how it works.
     - **Parameters** - Add a parameter for each variable in the function that requires a value when it's used. For more information, see [Add parameters to your custom function](#add-parameters-to-your-custom-function).
 
-    ![Save as function dialog box](/defender/media/advanced-hunting-custom-fxns/save-as-function-dialog-box.png)
+    ![Save as function dialog box](media/advanced-hunting-custom-functions/save-as-function-dialog-box.png)
 
 1. Select **Save**.
 
@@ -84,7 +84,7 @@ To create tabular parameters for your custom function:
 1. Enter a **Name** and **Default value** for the table.
 1. Map each column that your query references to the table. Select **Add column**, then enter the column's properties.
 
-![Table parameter in custom functions](/defender/media/advanced-hunting-custom-fxns/save-as-function-table.png)
+![Table parameter in custom functions](media/advanced-hunting-custom-functions/save-as-function-table.png)
 
 > [!NOTE]
 >- You can save a function with more than one table. 
@@ -98,21 +98,21 @@ Add a function to the current query by double-clicking on its name or selecting
 
 If a query requires arguments, provide them using the following syntax: *function_name(parameter 1, parameter 2, ...)*
 
-![Open in query editor](/defender/media/advanced-hunting-custom-fxns/open-in-query-editor.png)
+![Open in query editor](media/advanced-hunting-custom-functions/open-in-query-editor.png)
 
 > [!NOTE]
 > You can't use functions inside another function.
 
 ## Work with function codes
 You can view the code of a function to understand how it works or to modify its code. Select the three dots to the right of the function and select **Load function code** to open a new tab with the function code. 
 
-![Load function code](/defender/media/advanced-hunting-custom-fxns/load-function-code.png)
+![Load function code](media/advanced-hunting-custom-functions/load-function-code.png)
 
 ## Edit a custom function
 
 Edit the properties of a function by selecting the three dots to the right of the function and selecting **Edit details**. Make any modifications that you want to the properties and parameters of the function, then select **Save**.
 
-![Edit function code](/defender/media/advanced-hunting-custom-fxns/edit-function.png)
+![Edit function code](media/advanced-hunting-custom-functions/edit-function.png)
 
 If the function code is already loaded in the editor, you can also select **Save** to apply any changes to the code or properties of the function.
 
@@ -125,7 +125,7 @@ You can delete functions from **My functions** and functions you created in **Sh
 
 To delete a function, select the three dots to the right of the function and select **Delete**.
 
-![Screenshot that shows how to delete a custom function.](/defender/media/advanced-hunting-custom-fxns/delete-function.png)
+![Screenshot that shows how to delete a custom function.](media/advanced-hunting-custom-functions/delete-function.png)
 ## See also
 
 - [Advanced hunting overview](advanced-hunting-overview.md)

defender-xdr/advanced-hunting-overview.md

@@ -104,7 +104,7 @@ Entity data populates tables with information about users and devices. This data
 ### Queries
 
 Advanced hunting data uses the UTC (Universal Time Coordinated) timezone. 
-![Screenshot of custom time range.](/defender/media/custom-time-range.png)
+![Screenshot of custom time range.](media/advanced-hunting-overview/custom-time-range.png)
 
 Queries should be created in UTC.
 

defender-xdr/advanced-hunting-query-builder-details.md

@@ -38,58 +38,58 @@ ms.date: 03/28/2025
 Advanced hunting in guided mode supports several data types that you can use to fine-tune your query.
 
 - Numbers<br>
-![Screenshot of numbers as third condition](/defender/media/guided-hunting/21-numbers.png)
+![Screenshot of numbers as third condition](media/advanced-hunting-query-builder-details/21-numbers.png)
 
 - Strings<br>
-![Screenshot of strings as third condition](/defender/media/guided-hunting/21-string.png)
+![Screenshot of strings as third condition](media/advanced-hunting-query-builder-details/21-string.png)
 
    In the free text box, type the value and press **Enter** to add it. Note that the delimiter between values is **Enter**.<br>
 
-   ![Screenshot showing different conditions you can use](/defender/media/guided-hunting/23-string2.png)
+   ![Screenshot showing different conditions you can use](media/advanced-hunting-query-builder-details/23-string2.png)
 
 - Boolean<br>
-![Screenshot of Boolean values as third condition](/defender/media/guided-hunting/24-boolean.png)
+![Screenshot of Boolean values as third condition](media/advanced-hunting-query-builder-details/24-boolean.png)
 
 
 - Datetime<br>
-![Screenshot of datetime values as third condition](/defender/media/guided-hunting/25-datetime.png)
+![Screenshot of datetime values as third condition](media/advanced-hunting-query-builder-details/25-datetime.png)
 
 
 - Closed list - You don't need to remember the exact value you're looking for. You can easily choose from a suggested closed list that supports multi-selection.<br>
-![Screenshot of a closed list used as third condition](/defender/media/guided-hunting/26-closed.png)
+![Screenshot of a closed list used as third condition](media/advanced-hunting-query-builder-details/26-closed.png)
 
 
 ## Use subgroups
 You can create groups of conditions by clicking **Add subgroup**:
 
-![Screenshot highlighting Add subgroup button](/defender/media/guided-hunting/27-subgroup1.png)
+![Screenshot highlighting Add subgroup button](media/advanced-hunting-query-builder-details/27-subgroup1.png)
 
-![Screenshot showing use of subgroups](/defender/media/guided-hunting/28-subgroup2.png)
+![Screenshot showing use of subgroups](media/advanced-hunting-query-builder-details/28-subgroup2.png)
 
 ## Use smart auto-complete for search
 Smart auto-complete for searching devices and user accounts is supported. 
 You don't need to remember the device ID, full device name, or user account name. You can start typing the first few characters of the device or user you're looking for and a suggested list appears from which you can choose what you need:
 
-![Screenshot showing smart auto-complete support](/defender/media/guided-hunting/29-smart-auto.png)
+![Screenshot showing smart auto-complete support](media/advanced-hunting-query-builder-details/29-smart-auto.png)
 
 ## Use `EventType`
 You can even look for specific event types like all failed logons, file modification events, or successful network connections by using the **EventType** filter in any section where it is applicable.
 
 For instance, if you want to add a condition that looks for registry value deletions, you can go to the **Registry Events** section and select **EventType**.
 
-![Screenshot of various EventTypes](/defender/media/guided-hunting/30-eventtype1.png)
+![Screenshot of various EventTypes](media/advanced-hunting-query-builder-details/30-eventtype1.png)
 
 Selecting EventType under Registry Events allows you to choose from different registry events, including the one you're hunting for, **RegistryValueDeleted**.
 
-![Screenshot of EventType RegistryValueDeleted](/defender/media/guided-hunting/31-eventtype2.png)
+![Screenshot of EventType RegistryValueDeleted](media/advanced-hunting-query-builder-details/31-eventtype2.png)
 
 > [!NOTE] 
 >`EventType` is the equivalent of `ActionType` in the data schema, which users of advanced mode might be more familiar with.
 
 ## Test your query with a smaller sample size
 If you're still working on your query and would like to see its performance and some sample results quickly, adjust the number of records to return by picking a smaller set through the **Sample size** dropdown menu. 
 
-![Screenshot of sample size dropdown menu](/defender/media/guided-hunting/32-sample-size.png)
+![Screenshot of sample size dropdown menu](media/advanced-hunting-query-builder-details/32-sample-size.png)
 
 The sample size is set to 10,000 results by default, which is the maximum number of records that can be returned in hunting. However, we highly recommend lowering the sample size to 10 or 100 to quickly test your query, as doing so consumes less resources while you're still working on improving the query.
 
@@ -98,15 +98,15 @@ Then, once you finalize your query and are ready to use it to get all the releva
 ## Switch to advanced mode after building a query
 You can click on **Edit in KQL** to view the KQL query generated by your selected conditions. Editing in KQL opens a new tab in advanced mode, with the corresponding KQL query:
 
-![Screenshot highlighting Edit in KQL button](/defender/media/guided-hunting/33-edit-kql.png)
+![Screenshot highlighting Edit in KQL button](media/advanced-hunting-query-builder-details/33-edit-kql.png)
 
-![Screenshot showing same query from guided to advanced](/defender/media/guided-hunting/33-edit-kql-2.png)
+![Screenshot showing same query from guided to advanced](media/advanced-hunting-query-builder-details/33-edit-kql-2.png)
 
 In the above example, the selected view is All, therefore you can see that the KQL query searches all tables that have file properties of name and SHA256, and in all the relevant columns covering these properties. 
 
 If you change the view to **Emails & collaboration**, the query is narrowed down to:
 
-![Screenshot showing same query from guided to advanced but with limited domain](/defender/media/guided-hunting/34-edit-kql-3.png)
+![Screenshot showing same query from guided to advanced but with limited domain](media/advanced-hunting-query-builder-details/34-edit-kql-3.png)
 
 ## See also
  - [Advanced hunting quotas and usage parameters](advanced-hunting-limits.md)

defender-xdr/advanced-hunting-query-builder-results.md

@@ -35,7 +35,7 @@ ms.date: 03/28/2025
 
 In hunting using guided mode, the results of the query appear in the **Results** tab.
 
-![Screenshot of results tab](/defender/media/guided-hunting/35-query-results.png)
+![Screenshot of results tab](media/advanced-hunting-query-builder-results/35-query-results.png)
 
 You can work on the results further by exporting them to a CSV file by selecting **Export**. This downloads the CSV file for your use.
 
@@ -54,7 +54,7 @@ To view more columns:
 1. Select **Customize columns** in the upper right-hand portion of the results view.
 2. From here, select the columns to include in the results view and deselect columns to hide.
 
-   ![Screenshot of list of columns you can add to the results view](/defender/media/guided-hunting/36-columns.png)
+   ![Screenshot of list of columns you can add to the results view](media/advanced-hunting-query-builder-results/36-columns.png)
 
 3. Select **Apply** to view results with the added columns. Use the scroll bars if necessary.