defender-office-365/step-by-step-guides/add-advanced-hunting-community-queries.md
Lines changed: 7 additions & 7 deletions
@@ -125,7 +125,7 @@ Go to the next section to actually start creating or modifying queries.
125
125
126
126
## Step 4: Create Advanced Hunting queries in the working branch in the cloned repository on your local computer
127
127
128
-
When you open VS Code to create or update queries, alway verify that your desired working branch (not **master**) is the active branch:
128
+
When you open VS Code to create or update queries, always verify your desired working branch is the active branch (not **master**):
129
129
130
130
:::image type="content" source="../media/add-advanced-hunting-community-queries-vs-code-verify-active-branch.png" alt-text="Screenshot of the active (open) branch highlighted in Visual Studio Code, which is now the new branch that you created in the previous step." lightbox="../media/add-advanced-hunting-community-queries-vs-code-verify-active-branch.png":::
131
131
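Review bot: the rewritten line still leaves a small ambiguity about what is being verified; "always verify that your desired working branch, not **master**, is the active branch" reads more directly than tacking "(not **master**)" onto "active branch", while keeping the intended fix of "alway" to "always". The moved parenthetical is otherwise fine, and the screenshot context line below already shows the branch indicator the reader should check.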
@@ -156,28 +156,28 @@ If it isn't, select the active branch name in the bottom left corner, and then s
156
156
157
157
You can find more information on the requirements and structure of the .yaml file at [Query Style Guide](https://github.com/Azure/Azure-Sentinel/wiki/Query-Style-Guide) on the Azure-Sentinel repository wiki.
158
158
159
-
Use the [New-Guid](/powershell/module/microsoft.powershell.utility/new-guid) cmdlet in Windows PowerShell to create a unique GUID for the **id** property of the query file (for example, 36f68d74-3e45-44d8-9915-ød35b7567bcf).
159
+
Use the [New-Guid](/powershell/module/microsoft.powershell.utility/new-guid) cmdlet in Windows PowerShell to create a unique GUID for the **id** property of the query file (for example, 36f68d74-3e45-44d8-9915-0d35b7567bcf).
160
160
161
161
The finished `Top user receiving phish.yaml` file looks something like this:
162
162
163
163
```yml
164
-
id: 36f68d74-3e45-44d8-9915-ød35b7567bcf
164
+
id: 36f68d74-3e45-44d8-9915-0d35b7567bcf
165
165
name: Friendly name describing the query
166
166
description: |
167
167
This is a short description of what the query does
168
168
description-detailed: |
169
-
This is a much longer description Of what the intention Of the query is within Defender for Office 365
169
+
This is a much longer description of what the intention of the query is within Defender for Office 365
170
170
requiredDataConnectors:
171
-
- connectorld: Microsoft ThreatProtection
171
+
- connectorId: MicrosoftThreatProtection
172
172
dataTypes:
173
173
- EmailEvents
174
174
tactics:
175
175
- InitialAccess
176
-
relevant Techniques :
176
+
relevantTechniques:
177
177
- T1566
178
178
query: |
179
179
EmailEvents
180
-
| where Threat Types has "Phish" and EmailDirection == "Inbound"
180
+
| where Threat Types has "Phish" and EmaiIdirection == "Inbound"
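Review bot: the final `+` line of this hunk introduces a regression into the sample KQL. The original `EmailDirection` has become `EmaiIdirection` (capital I in place of lowercase l, and a lowercase d), which is not a column of the EmailEvents table, so the query as shown would fail when pasted into advanced hunting. It should read `| where ThreatTypes has "Phish" and EmailDirection == "Inbound"`, which also closes the space in `Threat Types` that both the removed and the added line carry (the column is `ThreatTypes`). The remaining changes are correct and consistent with the Azure-Sentinel hunting-query YAML schema: the mis-OCR'd GUID (`ød35` to `0d35`) is fixed in both the prose and the YAML `id` so the two no longer disagree, `connectorld` becomes `connectorId` with `MicrosoftThreatProtection` as a single token, `relevant Techniques :` becomes `relevantTechniques:`, and the stray capitalised "Of" is lowercased. Since the example GUID is now a valid-looking value, consider adding a short reminder next to it that each query needs its own `New-Guid` output rather than the value shown, as readers tend to copy the sample file verbatim.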