defender-xdr/advanced-hunting-limits.md
2 additions & 0 deletions
@@ -43,6 +43,8 @@ Refer to the following table to understand existing quotas and usage parameters.
43
43
44
44
In the unified Microsoft Defender portal, you are able to run queries over Microsoft Sentinel tables by onboarding a workspace. [Log analytics workspace limits](/azure/azure-monitor/service-limits#log-analytics-workspaces) therefore also apply.
45
45
46
+
For advanced hunting in multitenant organizations, see [Quotas in advanced hunting in multitenant management](/unified-secops-platform/mto-advanced-hunting.md#quotas).
47
+
46
48
> [!NOTE]
47
49
> A separate set of quotas and parameters apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](./api-advanced-hunting.md)
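Review bot: the new link at new line 46, `/unified-secops-platform/mto-advanced-hunting.md#quotas`, keeps the `.md` extension on a root-relative path, while the existing link two lines below (`./api-advanced-hunting.md`) is file-relative and the cross-docset link elsewhere in this commit (`/defender-xdr/advanced-hunting-overview`) drops the extension; pick one convention and confirm the build resolves the root-relative `.md` form. Note also that the `#quotas` anchor only exists once the new `## Quotas` heading added to `mto-advanced-hunting.md` in this same commit lands, so the two files must ship together.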
defender-xdr/custom-detection-rules.md
2 additions & 0 deletions
@@ -99,6 +99,8 @@ To create a custom detection rule, the query must return the following columns:
99
99
> [!NOTE]
100
100
> Support for more entities will be added as new tables are added to the [advanced hunting schema](advanced-hunting-schema-tables.md).
101
101
102
+
The `Timestamp` that is returned from the query should not have been manipulated in the query and should be returned exactly as it appears in the raw event.
103
+
102
104
Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
103
105
104
106
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by entity under a column such as `DeviceId`, you can still return `Timestamp` and `ReportId` by getting it from the most recent event involving each unique `DeviceId`.
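Review bot: the sentence added at new line 102 states a requirement (`Timestamp` must come back unmodified) but not the consequence of breaking it, so a reader cannot tell whether rule creation is rejected or the rule is saved and misfires; state what happens. The phrasing `should not have been manipulated in the query and should be returned exactly as it appears` could also be tightened to something like `must be returned unmodified, exactly as it appears in the raw event`.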
unified-secops-platform/mto-advanced-hunting.md
22 additions & 0 deletions
@@ -23,9 +23,15 @@ appliesto:
23
23
# Advanced hunting in Microsoft Defender multitenant management
24
24
25
25
Advanced hunting in Microsoft Defender multitenant management allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants and workspaces at the same time. If you have multiple tenants with Microsoft Sentinel workspaces onboarded to the Microsoft Defender portal, search for security information and event management (SIEM) data together with extended detection and response (XDR) data across multiple tenants and workspaces.
26
+
26
27
27
28
Multiple workspaces per tenant are supported in multitenant Advanced hunting as preview.
28
29
30
+
31
+
## Quotas
32
+
33
+
Advanced hunting in multitenant organizations returns up to 50,000 records in total. For more information about service limits in advanced hunting, read [Understand advanced hunting quotas](/defender-xdr/advanced-hunting-limits.md#understand-advanced-hunting-quotas-and-usage-parameters).
34
+
29
35
## Run cross-tenant queries
30
36
31
37
You can run any query that you already have access to in the multitenant management **Advanced hunting** page.
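Review bot: this hunk creates double blank lines twice: the added empty line at new line 26 sits directly above the existing empty line 27, and the added empty line 30 follows the existing empty line 29, so both `Multiple workspaces per tenant...` and `## Quotas` are now preceded by two blanks, which the markdown multiple-blank-lines lint rule will flag; drop the extra ones. Separately, `returns up to 50,000 records in total` at new line 33 leaves the scope ambiguous (per query across all selected tenants and workspaces, or something else); spell it out so the figure can be compared with the single-tenant quota the link points to.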
@@ -59,8 +65,15 @@ You can run any query that you already have access to in the multitenant managem
59
65
| take 10
60
66
```
61
67
68
+
69
+
> [!NOTE]
70
+
> If you have tables with the same name but different schemas in multiple workspaces and want to use them in the same query, you should use the workspace operator to uniquely identify the table that you need.
71
+
62
72
To learn more about advanced hunting in Microsoft Defender XDR, read [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](/defender-xdr/advanced-hunting-overview).
63
73
74
+
75
+
76
+
64
77
## Run cross-workspace queries (Preview)
65
78
66
79
To run queries across multiple workspaces in the same tenant, use the [workspace( ) expression](/azure/azure-monitor/logs/cross-workspace-query#query-across-log-analytics-workspaces-using-workspace), with the workspace identifier as the argument in your query to refer to a table in a different workspace.
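Review bot: the note added at new lines 69-70 is word for word the same note added later in this file under `## Run cross-workspace queries (Preview)`; keep it in one place (the cross-workspace section, where the `workspace( ) expression` is introduced) or rephrase it for the cross-tenant context. Also, the added empty lines at 74-76 stack three blanks on top of the existing blank at 73 before the next heading; one is enough. Finally, the note says `the workspace operator` while the section below calls it the `workspace( ) expression` and links it; use one term and reuse the link.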
@@ -82,6 +95,10 @@ Results show from both *WorkspaceA1* and *WorkspaceB2*.
82
95
83
96
For more information, see [Query multiple workspaces](/azure/sentinel/extend-sentinel-across-workspaces-tenants#query-multiple-workspaces) and [Manage workspaces across tenants using Azure Lighthouse](/azure/sentinel/extend-sentinel-across-workspaces-tenants#manage-workspaces-across-tenants-using-azure-lighthouse).
84
97
98
+
> [!NOTE]
99
+
> If you have tables with the same name but different schemas in multiple workspaces and want to use them in the same query, you should use the workspace operator to uniquely identify the table that you need.
100
+
101
+
85
102
## Custom detection rules
86
103
87
104
You can also manage custom detection rules from multiple tenants in the custom detection rules page.
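Review bot: this note duplicates the one inserted in the cross-tenant section above; if both stay, at least link `workspace operator` to the `workspace( ) expression` reference already used at the top of this section so the reader sees the syntax. The added empty lines at new lines 100-101 leave two blanks before `## Custom detection rules`; one is enough.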
@@ -112,6 +129,11 @@ To manage detection rules:
112
129
113
130
1. Select **Open detection rules** to view this rule in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com). To learn more, see [Custom detection rules](/defender-xdr/custom-detection-rules).
114
131
132
+
133
+
134
+
135
+
136
+
115
137
## Related content
116
138
117
139
-[Set up Microsoft Defender multitenant management](mto-requirements.md)
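Review bot: this hunk adds five consecutive empty lines (new lines 132-136) between the last numbered step and `## Related content` with no other change; it reads as an accidental edit and will trip the multiple-blank-lines lint rule. Drop it, or reduce to a single blank line if the extra separation was intended.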