arg not supported for analytic rules

Author: mberdugo

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -61,14 +61,17 @@ For example, to get the first 10 rows of data from the `StormEvents` table store
 > [!NOTE]
 > The `adx()` operator isn't supported for custom detections.
 
-
 ### Use arg() operator for Azure Resource Graph queries
-The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. 
+
+The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like.
 
 This feature was previously only available in the Logs feature in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works to combine Azure Resource Graph (arg) queries with Microsoft Sentinel tables (that is, Defender XDR tables aren't supported). This allows users to make the cross-service query in advanced hunting without manually opening a Microsoft Sentinel window.
 
 For more information, see [Query data in Azure Resource Graph by using arg()](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#query-data-in-azure-resource-graph-by-using-arg-preview).
 
+>[!NOTE]
+> Analytic rules don't support the `arg()` operator.
+
 In the query editor, enter *arg("").* followed by the Azure Resource Graph table name. 
 
 For example:
@@ -86,7 +89,6 @@ BehaviorAnalytics
 ) on $left.name == $right.SourceDevice
 ```
 
-
 ## Use saved queries
 
 To use a saved query from Microsoft Sentinel, go to the **Queries** tab and scroll until you find the query that you want. Double-click the query name to load the query in the query editor. For more options, select the vertical ellipses ( ![kebab icon](/defender/media/ah-kebab.png) ) to the right of the query. From here, you can perform the following actions: