File: defender-office-365/step-by-step-guides/add-advanced-hunting-community-queries.md
Lines changed: 5 additions & 5 deletions
@@ -152,21 +152,21 @@ If it isn't, select the active branch name in the bottom left corner, and then s
152
152
153
153
In most cases, you should ultimately create the query file in both locations so you can use the query in both scenarios.
154
154
155
-
4. In VS Code, create a new .yaml file in the appropriate subfolder of those locations. There are many subfolders to choose from. In our example, the most logical name and place for our new query file is `Top user receiving phish.yaml` in the `Phish` subfolder.
155
+
4. In VS Code, create a new .yaml file in the appropriate subfolder of those locations. There are many subfolders to choose from. In our example, a logical name and location for our new query file is `Top users receiving phish.yaml` in the `Phish` subfolder.
156
156
157
157
You can find more information on the requirements and structure of the .yaml file at [Query Style Guide](https://github.com/Azure/Azure-Sentinel/wiki/Query-Style-Guide) on the Azure-Sentinel repository wiki.
158
158
159
159
Use the [New-Guid](/powershell/module/microsoft.powershell.utility/new-guid) cmdlet in Windows PowerShell to create a unique GUID for the **id** property of the query file (for example, 36f68d74-3e45-44d8-9915-0d35b7567bcf).
160
160
161
-
The finished `Top user receiving phish.yaml` file looks something like this:
161
+
The finished `Top users receiving phish.yaml` file looks something like this:
162
162
163
163
```yml
164
164
id: 36f68d74-3e45-44d8-9915-0d35b7567bcf
165
165
name: Friendly name describing the query
166
166
description: |
167
-
This is a short description of what the query does
167
+
A short description of what the query does.
168
168
description-detailed: |
169
-
This is a much longer description of what the intention of the query is within Defender for Office 365
169
+
A much longer description of the intention of the query within Defender for Office 365.
170
170
requiredDataConnectors:
171
171
- connectorId: MicrosoftThreatProtection
172
172
dataTypes:
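Review bot: The file name is renamed from `Top user receiving phish.yaml` to `Top users receiving phish.yaml` in two places in this hunk (step 4 and the "The finished ... file looks something like this" line), but the hunk does not show the rest of the document; please confirm there are no other references to the old name elsewhere in the guide, otherwise the step-by-step instructions and the sample file will disagree. Minor style point: the reworded `description:` and `description-detailed:` sample values now end with a period, which is fine, but the `name:` placeholder ("Friendly name describing the query") does not, so the sample block is slightly inconsistent with itself.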
@@ -177,7 +177,7 @@ If it isn't, select the active branch name in the bottom left corner, and then s
177
177
- T1566
178
178
query: |
179
179
EmailEvents
180
-
| where Threat Types has "Phish" and EmaiIdirection == "Inbound"
180
+
| where Threat Types has "Phish" and EmailDirection == "Inbound"
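Review bot: The `+` line fixes the `EmaiIdirection` typo to `EmailDirection` but leaves `Threat Types` with a space, which is not a valid unquoted column name in a KQL `where` clause; the EmailEvents column is `ThreatTypes` (single camel-case identifier, matching the style of `EmailDirection`). Suggest `| where ThreatTypes has "Phish" and EmailDirection == "Inbound"` so the sample query in the finished .yaml actually runs in advanced hunting.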