Get results faster and avoid timeouts while running complex queries by optimizing your queries. For guidance on improving query performance:
33
+
-[General optimization tips](#understand-cpu-resource-quotas) - in this article
34
+
-[Optimize the `join` operator](#optimize-the-join-operator) - in this article
35
+
-[Optimize the `summarize` operator](#optimize-the-summarize-operator) - in this article
36
+
-[Query scenarios](#query-scenarios) - in this article
37
+
-[Kusto query best practices](/azure/kusto/query/best-practices) - includes several scenarios for making your query more efficient
38
+
-[Optimize log queries in Azure Monitor](/azure/azure-monitor/logs/query-optimization#early-filtering-of-records-prior-to-using-high-cpu-functions) - contains additional guidance for query optimization
39
+
-[Optimizing KQL queries](https://www.youtube.com/watch?v=ceYvRuPp5D8) (video) - most common ways to improve your query
31
40
32
-
Apply these recommendations to get results faster and avoid timeouts while running complex queries. For more guidance on improving query performance, read [Kusto query best practices](/azure/kusto/query/best-practices).
33
41
34
42
## Understand CPU resource quotas
35
43
Depending on its size, each tenant has access to a set amount of CPU resources allocated for running advanced hunting queries. For detailed information about various usage parameters, [read about advanced hunting quotas and usage parameters](advanced-hunting-limits.md).
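Review bot: the first added bullet's link text does not match its target: "[General optimization tips](#understand-cpu-resource-quotas)" points at the "Understand CPU resource quotas" heading, which is about quotas rather than general tips, so either retitle the bullet to "Understand CPU resource quotas" or point it at a section that actually carries general optimization guidance. The Azure Monitor bullet also links to a deep fragment ("#early-filtering-of-records-prior-to-using-high-cpu-functions"), which will silently break if that heading is renamed; linking to the page root is safer. Finally, the new intro says "avoid timeouts" while the paragraph added in custom-detections-overview.md in this same commit says "time-outs"; pick one spelling across the set.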
@@ -40,7 +48,6 @@ After running your query, you can see the execution time and its resource usage
40
48
41
49
Customers who run multiple queries regularly should track consumption and apply the optimization guidance in this article to minimize disruption resulting from exceeding quotas or usage parameters.
42
50
43
-
Watch [Optimizing KQL queries](https://www.youtube.com/watch?v=ceYvRuPp5D8) to see some of the most common ways to improve your queries.
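Review bot: removing the "Watch [Optimizing KQL queries]" sentence is consistent with the video now being listed in the intro bullets of the first hunk, so no information is lost, but the section now ends on the "track consumption" sentence without telling readers where to read the per-query figures; the hunk header context ("After running your query, you can see the execution time and its resource usage") suggests the preceding paragraph already covers this, so consider making that the closing sentence or adding a short pointer back to it.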
Custom detection rules are rules you can design and tweak using [advanced hunting](advanced-hunting-overview.md) queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
33
35
@@ -265,7 +267,7 @@ Only data from devices in the scope will be queried. Also, actions are taken onl
265
267
After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
266
268
267
269
> [!IMPORTANT]
268
-
> Custom detections should be regularly reviewed for efficiency and effectiveness. To make sure you're creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in [Manage existing custom detection rules](#manage-existing-custom-detection-rules).
270
+
> Custom detections should be regularly reviewed for efficiency and effectiveness. For guidance on how to optimize your queries, follow the **[Advanced hunting query best practices](advanced-hunting-best-practices.md)**. To make sure you're creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in **[Manage existing custom detection rules](#manage-existing-custom-detection-rules)**.
269
271
>
270
272
> You maintain control over the broadness or specificity of your custom detections so any false alerts generated by custom detections might indicate a need to modify certain parameters of the rules.
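Review bot: "follow the **[Advanced hunting query best practices]**" reads as if the page were a procedure; "see" or "review" fits a guidance article better. The edit also wraps both links in bold where the original line used plain links, and the neighbouring note text does not bold links, so drop the bold unless the style guide calls for emphasised links inside [!IMPORTANT] blocks. The relative target "advanced-hunting-best-practices.md" must exist in the same folder; it does only if the first file in this commit lives there, so confirm the path before merging.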
With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured endpoints. This is made possible by customizable detection rules that automatically trigger alerts and response actions.
33
+
With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured endpoints. Custom detections are customizable detection rules that automatically trigger alerts and response actions.
33
34
34
35
Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
35
36
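Review bot: the rewritten second sentence, "Custom detections are customizable detection rules that automatically trigger alerts and response actions", is circular (custom detections are customizable detections). Since the following paragraph already explains that they are built on advanced hunting queries, something like "Custom detections are rules you define that automatically trigger alerts and response actions" states the same thing without the repetition.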
@@ -38,10 +39,12 @@ Custom detections provide:
38
39
- Alerts for rule-based detections built from advanced hunting queries
39
40
- Automatic response actions
40
41
42
+
Optimizing your queries in custom detection rules is important in avoiding time-outs and ensuring efficiency. There are several resources available that provide guidance on optimizing your queries in [Advanced hunting query best practices](advanced-hunting-best-practices.md).
43
+
41
44
## See also
42
45
43
46
-[Create and manage custom detection rules](custom-detection-rules.md)
-[Advanced hunting query best practices](advanced-hunting-best-practices.md)
45
48
-[Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md)
46
49
-[Microsoft Graph security API for custom detections](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections)
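Review bot: the new paragraph is wordy and slightly ungrammatical: "is important in avoiding time-outs" should be "is important for avoiding timeouts", and the second sentence ("There are several resources available that provide guidance on optimizing your queries in [Advanced hunting query best practices]") could be folded into the first, for example "Optimizing the queries in your custom detection rules helps you avoid timeouts; see [Advanced hunting query best practices](advanced-hunting-best-practices.md) for guidance." The same link is also added to "See also" in this hunk, which is fine, but it makes the second sentence redundant rather than helpful. Finally, the paragraph lands directly under the "Custom detections provide:" bullet list with no heading, so check the rendered page to be sure it is not read as a continuation of that list.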