Merge pull request #3644 from MicrosoftDocs/maccruz-ahmto

MTO updates

Author: Ruchika-mittal01

defender-xdr/advanced-hunting-limits.md

@@ -18,7 +18,7 @@ ms.custom:
 - cx-ti
 - cx-ah
 ms.topic: how-to
-ms.date: 10/29/2024
+ms.date: 05/02/2025
 ---
 
 # Use the advanced hunting query resource report
@@ -43,6 +43,8 @@ Refer to the following table to understand existing quotas and usage parameters.
 
 In the unified Microsoft Defender portal, you are able to run queries over Microsoft Sentinel tables by onboarding a workspace. [Log analytics workspace limits](/azure/azure-monitor/service-limits#log-analytics-workspaces) therefore also apply. 
 
+For advanced hunting in multitenant organizations, see [Quotas in advanced hunting in multitenant management](/unified-secops-platform/mto-advanced-hunting#quotas).
+
 > [!NOTE]
 > A separate set of quotas and parameters apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](./api-advanced-hunting.md) 
 

defender-xdr/custom-detection-rules.md

@@ -22,7 +22,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: how-to
-ms.date: 02/10/2025
+ms.date: 05/02/2025
 ---
 
 # Create and manage custom detections rules
@@ -75,13 +75,14 @@ In the Microsoft Defender portal, go to **Advanced hunting** and select an exist
 
 
 To create a custom detection rule, the query must return the following columns:
-1. `Timestamp` - Used to set the timestamp for generated alerts
-2. A column or combination of columns that uniquely identify the event in Defender XDR tables:
+1. `Timestamp` - This column is used to set the timestamp for generated alerts. The `Timestamp` that is returned from the query should not have been manipulated in the query and should be returned exactly as it appears in the raw event.
+   
+3. A column or combination of columns that uniquely identify the event in Defender XDR tables:
       - For Microsoft Defender for Endpoint tables, the `Timestamp`, `DeviceId`, and `ReportId` columns must appear in the same event
       - For Alert* tables, `Timestamp` must appear in the event
       - For Observation* tables, `Timestamp`and `ObservationId` must appear in the same event
       - For all others, `Timestamp` and `ReportId` must appear in the same event
-3. One of the following columns that contain a strong identifier for an impacted asset:
+4. One of the following columns that contain a strong identifier for an impacted asset:
       - `DeviceId`
       - `DeviceName`
       - `RemoteDeviceName`
@@ -99,6 +100,8 @@ To create a custom detection rule, the query must return the following columns:
 > [!NOTE]
 > Support for more entities will be added as new tables are added to the [advanced hunting schema](advanced-hunting-schema-tables.md).
 
+
+
 Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
 
 There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by entity under a column such as `DeviceId`, you can still return `Timestamp` and `ReportId` by getting it from the most recent event involving each unique `DeviceId`.

unified-secops-platform/mto-advanced-hunting.md

@@ -1,6 +1,6 @@
 ---
-title: Advanced hunting in Microsoft Defender multi-tenant management
-description: Learn about advanced hunting in Microsoft Defender multi-tenant management
+title: Advanced hunting in Microsoft Defender multitenant management
+description: Learn about advanced hunting in Microsoft Defender multitenant management
 search.appverid: met150
 ms.service: unified-secops-platform
 ms.author: deniseb
@@ -14,21 +14,27 @@ ms.collection:
 - tier1
 - usx-security
 ms.topic: conceptual
-ms.date: 03/25/2025
+ms.date: 05/02/2025
 appliesto:
   - Microsoft Defender XDR
   - Microsoft Sentinel in the Microsoft Defender portal
 ---
 
-# Advanced hunting in Microsoft Defender multi-tenant management
+# Advanced hunting in Microsoft Defender multitenant management
 
-Advanced hunting in Microsoft Defender multi-tenant management allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants and workspaces at the same time. If you have multiple tenants with Microsoft Sentinel workspaces onboarded to the Microsoft Defender portal, search for security information and event management (SIEM) data together with extended detection and response (XDR) data across multiple tenants and workspaces.
+Advanced hunting in Microsoft Defender multitenant management allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants and workspaces at the same time. If you have multiple tenants with Microsoft Sentinel workspaces onboarded to the Microsoft Defender portal, search for security information and event management (SIEM) data together with extended detection and response (XDR) data across multiple tenants and workspaces.
+ 
 
-Multiple workspaces per tenant are supported in multi-tenant Advanced hunting as preview.
+Multiple workspaces per tenant are supported in multitenant Advanced hunting as preview.
+
+
+## Quotas
+
+Advanced hunting in multitenant organizations returns up to 50,000 records in total. For more information about service limits in advanced hunting, read [Understand advanced hunting quotas](/defender-xdr/advanced-hunting-limits#understand-advanced-hunting-quotas-and-usage-parameters).
 
 ## Run cross-tenant queries
 
-You can run any query that you already have access to in the multi-tenant management **Advanced hunting** page.
+You can run any query that you already have access to in the multitenant management **Advanced hunting** page.
 
 1. Queries listed on the **Queries** tab are filtered by tenant. Select a tenant to view the queries available for each one.
 
@@ -59,8 +65,15 @@ You can run any query that you already have access to in the multi-tenant manage
    | take 10
    ```
 
+
+> [!NOTE]
+> If you have tables with the same name but different schemas in multiple workspaces and want to use them in the same query, you should use the workspace operator to uniquely identify the table that you need.
+
 To learn more about advanced hunting in Microsoft Defender XDR, read [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](/defender-xdr/advanced-hunting-overview).
 
+
+
+
 ## Run cross-workspace queries (Preview)
 
 To run queries across multiple workspaces in the same tenant, use the [workspace( ) expression](/azure/azure-monitor/logs/cross-workspace-query#query-across-log-analytics-workspaces-using-workspace), with the workspace identifier as the argument in your query to refer to a table in a different workspace.
@@ -82,6 +95,10 @@ Results show from both *WorkspaceA1* and *WorkspaceB2*.
 
 For more information, see [Query multiple workspaces](/azure/sentinel/extend-sentinel-across-workspaces-tenants#query-multiple-workspaces) and [Manage workspaces across tenants using Azure Lighthouse](/azure/sentinel/extend-sentinel-across-workspaces-tenants#manage-workspaces-across-tenants-using-azure-lighthouse).
 
+> [!NOTE]
+> If you have tables with the same name but different schemas in multiple workspaces and want to use them in the same query, you should use the workspace operator to uniquely identify the table that you need.
+
+
 ## Custom detection rules
 
 You can also manage custom detection rules from multiple tenants in the custom detection rules page.
@@ -91,7 +108,7 @@ You can also manage custom detection rules from multiple tenants in the custom d
 1. To view custom detection rules, go to the [Custom detection rules page](https://mto.security.microsoft.com/v2/custom_detection) in Microsoft Defender multitenant management.
 2. View the **Tenant name** column to see which tenant the detection rule comes from:
 
-   :::image type="content" source="media/mto-advanced-hunting/mto-custom-detection-tenant-name.png" alt-text="Screenshot of the Microsoft Defender XDR multi-tenant custom detection page" lightbox="media/mto-advanced-hunting/mto-custom-detection-tenant-name.png":::
+   :::image type="content" source="media/mto-advanced-hunting/mto-custom-detection-tenant-name.png" alt-text="Screenshot of the Microsoft Defender XDR multitenant custom detection page." lightbox="media/mto-advanced-hunting/mto-custom-detection-tenant-name.png":::
 
 To view only a specific tenant's custom detection rules, select **Filter**, choose the tenant or tenants and select **Apply**.
 
@@ -112,9 +129,14 @@ To manage detection rules:
 
 1. Select **Open detection rules** to view this rule in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com). To learn more, see [Custom detection rules](/defender-xdr/custom-detection-rules).
 
+
+
+
+
+
 ## Related content
 
 - [Set up Microsoft Defender multitenant management](mto-requirements.md)
 - [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
 - [View and manage incidents and alerts](mto-incidents-alerts.md)
-- [Multiple Microsoft Sentinel workspaces in the Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2310579)
+- [Multiple Microsoft Sentinel workspaces in the Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2310579)