Updates

schmurky · schmurky · commit ac989d07dd09 · 2024-10-15T15:14:18.000+01:00
diff --git a/defender-xdr/advanced-hunting-defender-use-custom-rules.md b/defender-xdr/advanced-hunting-defender-use-custom-rules.md
@@ -40,8 +40,28 @@ For editable functions, more options are available when you select the vertical
 - **Edit details** – opens the function side pane to allow you to edit details about the function (except folder names for Sentinel functions)
 - **Delete** – deletes the function
 
-## (Preview) Use arg() function
-Preview customers can use the *arg()* operator to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. Read [Create alerts with Azure REsource Graph and Log Analytics](/azure/governance/resource-graph/alerts-query-quickstart?tabs=azure-resource-graph) for more details.
+### Use arg() operator for Azure Resource Graph queries (Preview)
+Preview customers can use the *arg()* operator to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. Read [Create alerts with Azure Resource Graph and Log Analytics](/azure/governance/resource-graph/alerts-query-quickstart?tabs=azure-resource-graph) for more details.
+
+In the query editor, enter *arg("").* followed by the Azure Resource Graph table name. 
+
+```Kusto
+arg("").<Azure-Resource-Graph-table-name>
+```
+
+You can then, for instance, filter a query that searches over Microsoft Sentinel data based on the results of an Azure Resource Graph query:
+
+```Kusto
+arg("").Resources 
+| where type == "microsoft.compute/virtualmachines" and properties.hardwareProfile.vmSize startswith "Standard_D"
+| join (
+    Heartbeat
+    | where TimeGenerated > ago(1d)
+    | distinct Computer
+    )
+    on $left.name == $right.Computer
+```
+
 
 ## Use saved queries
 
diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md
@@ -32,7 +32,7 @@ You can also get product updates and important notifications through the [messag
 
 ## October 2024
 
-- (Preview) Microsoft Defender portal users can now use the *arg()* function to query Azure resources in [advanced hunting](advanced-hunting-defender-use-custom-rules.md#preview-use-arg-function). You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator.
+- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#preview-use-arg-function), Microsoft Defender portal users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources. You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
 
 ## September 2024
 
