File: defender-xdr/advanced-hunting-defender-use-custom-rules.md
Lines changed: 6 additions & 4 deletions
@@ -23,7 +23,7 @@ ms.custom:
23
23
appliesto:
24
24
- Microsoft Defender XDR
25
25
- Microsoft Sentinel in the Microsoft Defender portal
26
-
ms.date: 03/28/2025
26
+
ms.date: 07/28/2025
27
27
---
28
28
29
29
# Use Microsoft Sentinel functions, saved queries, and custom rules
@@ -61,14 +61,17 @@ For example, to get the first 10 rows of data from the `StormEvents` table store
61
61
> [!NOTE]
62
62
> The `adx()` operator isn't supported for custom detections.
63
63
64
-
65
64
### Use arg() operator for Azure Resource Graph queries
66
-
The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like.
65
+
66
+
The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like.
67
67
68
68
This feature was previously only available in the Logs feature in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works to combine Azure Resource Graph (arg) queries with Microsoft Sentinel tables (that is, Defender XDR tables aren't supported). This allows users to make the cross-service query in advanced hunting without manually opening a Microsoft Sentinel window.
69
69
70
70
For more information, see [Query data in Azure Resource Graph by using arg()](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#query-data-in-azure-resource-graph-by-using-arg-preview).
71
71
72
+
>[!NOTE]
73
+
> The `arg()` operator isn't supported for analytics rules.
74
+
72
75
In the query editor, enter *arg("").* followed by the Azure Resource Graph table name.
73
76
74
77
For example:
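Review bot: the added note at new line 72 is written as `>[!NOTE]` while the existing note above it (line 61, `> [!NOTE]`) has a space after `>`; use `> [!NOTE]` so both callouts on the page are formatted the same way. Second, the two notes use different terms for the same feature area: the `adx()` note says "isn't supported for custom detections" and the new `arg()` note says "isn't supported for analytics rules". Because this page is about using Sentinel functions and custom rules in the Defender portal, a reader could take the new wording to mean `arg()` does work in custom detection rules; either state that explicitly or align the wording with the `adx()` note (for example, `> The `arg()` operator isn't supported for custom detections or analytics rules.` if that is the intended scope). The rest of the hunk only moves the blank line from before the `### Use arg() operator for Azure Resource Graph queries` heading to after it, which is fine.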
@@ -86,7 +89,6 @@ BehaviorAnalytics
86
89
) on $left.name == $right.SourceDevice
87
90
```
88
91
89
-
90
92
## Use saved queries
91
93
92
94
To use a saved query from Microsoft Sentinel, go to the **Queries** tab and scroll until you find the query that you want. Double-click the query name to load the query in the query editor. For more options, select the vertical ellipses (  ) to the right of the query. From here, you can perform the following actions: