
Commit c4e1b7d

committed
Updates
1 parent 761d9e3 commit c4e1b7d

File tree

3 files changed

+26
-0
lines changed

defender-xdr/advanced-hunting-limits.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,8 @@ Refer to the following table to understand existing quotas and usage parameters.
4343

4444
In the unified Microsoft Defender portal, you are able to run queries over Microsoft Sentinel tables by onboarding a workspace. [Log analytics workspace limits](/azure/azure-monitor/service-limits#log-analytics-workspaces) therefore also apply.
4545

46+
For advanced hunting in multitenant organizations, see [Quotas in advanced hunting in multitenant management](/unified-secops-platform/mto-advanced-hunting.md#quotas).
47+
4648
> [!NOTE]
4749
> A separate set of quotas and parameters apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](./api-advanced-hunting.md)
4850
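Review bot: the new link at line 46, `/unified-secops-platform/mto-advanced-hunting.md#quotas`, keeps the `.md` extension in a site-absolute path, while the existing absolute link two lines above (`/azure/azure-monitor/service-limits#log-analytics-workspaces`) omits it; for consistency with the file's other absolute links this should be `/unified-secops-platform/mto-advanced-hunting#quotas`. It would also help to say in that sentence why the reader should follow the link (the multitenant section states a different, lower total-record limit), so it reads as a real limit rather than a bare cross-reference.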

defender-xdr/custom-detection-rules.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -99,6 +99,8 @@ To create a custom detection rule, the query must return the following columns:
9999
> [!NOTE]
100100
> Support for more entities will be added as new tables are added to the [advanced hunting schema](advanced-hunting-schema-tables.md).
101101
102+
The `Timestamp` that is returned from the query should not have been manipulated in the query and should be returned exactly as it appears in the raw event.
103+
102104
Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
103105

104106
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by entity under a column such as `DeviceId`, you can still return `Timestamp` and `ReportId` by getting it from the most recent event involving each unique `DeviceId`.
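Review bot: the sentence added at line 102 reads awkwardly ("should not have been manipulated in the query and should be returned") and sits directly under a note about entity support rather than next to the `Timestamp` guidance that follows at line 106; suggest moving it after that paragraph and rewording to "Return `Timestamp` exactly as it appears in the raw event; don't modify it in the query." It should also state that the aggregation approach described at line 106 (taking `Timestamp` and `ReportId` from the most recent event per `DeviceId`) still satisfies this requirement, since it selects a raw value rather than computing a new one; otherwise the two paragraphs can be read as contradicting each other.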

unified-secops-platform/mto-advanced-hunting.md

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,9 +23,15 @@ appliesto:
2323
# Advanced hunting in Microsoft Defender multitenant management
2424

2525
Advanced hunting in Microsoft Defender multitenant management allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants and workspaces at the same time. If you have multiple tenants with Microsoft Sentinel workspaces onboarded to the Microsoft Defender portal, search for security information and event management (SIEM) data together with extended detection and response (XDR) data across multiple tenants and workspaces.
26+
2627

2728
Multiple workspaces per tenant are supported in multitenant Advanced hunting as preview.
2829

30+
31+
## Quotas
32+
33+
Advanced hunting in multitenant organizations returns up to 50,000 records in total. For more information about service limits in advanced hunting, read [Understand advanced hunting quotas](/defender-xdr/advanced-hunting-limits.md#understand-advanced-hunting-quotas-and-usage-parameters).
34+
2935
## Run cross-tenant queries
3036

3137
You can run any query that you already have access to in the multitenant management **Advanced hunting** page.
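Review bot: the blank lines added at 26 and at 30 and 31 leave two consecutive empty lines after the intro paragraph and before `## Quotas`; a single blank line between blocks matches the rest of the file. The new link at line 33, `/defender-xdr/advanced-hunting-limits.md#understand-advanced-hunting-quotas-and-usage-parameters`, keeps `.md` in a site-absolute path, unlike `/defender-xdr/advanced-hunting-overview` later in this same file, so drop the extension. Finally, "returns up to 50,000 records in total" should say what the total spans (all tenants and workspaces covered by a single query) so it isn't read as a per-tenant or per-workspace limit.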
@@ -59,8 +65,15 @@ You can run any query that you already have access to in the multitenant managem
5965
| take 10
6066
```
6167

68+
69+
> [!NOTE]
70+
> If you have tables with the same name but different schemas in multiple workspaces and want to use them in the same query, you should use the workspace operator to uniquely identify the table that you need.
71+
6272
To learn more about advanced hunting in Microsoft Defender XDR, read [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](/defender-xdr/advanced-hunting-overview).
6373

74+
75+
76+
6477
## Run cross-workspace queries (Preview)
6578

6679
To run queries across multiple workspaces in the same tenant, use the [workspace( ) expression](/azure/azure-monitor/logs/cross-workspace-query#query-across-log-analytics-workspaces-using-workspace), with the workspace identifier as the argument in your query to refer to a table in a different workspace.
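Review bot: the note added at lines 69 and 70 is a verbatim copy of the one added at lines 98 and 99 in the next hunk, and here it lands in the cross-tenant section before the `workspace()` expression is introduced at line 79; keep a single copy in the cross-workspace section where the expression is explained, and call it the "workspace() expression" rather than "workspace operator" to match the wording at line 79. Lines 74 to 76 also add three consecutive blank lines before `## Run cross-workspace queries (Preview)`; one is enough.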
@@ -82,6 +95,10 @@ Results show from both *WorkspaceA1* and *WorkspaceB2*.
8295

8396
For more information, see [Query multiple workspaces](/azure/sentinel/extend-sentinel-across-workspaces-tenants#query-multiple-workspaces) and [Manage workspaces across tenants using Azure Lighthouse](/azure/sentinel/extend-sentinel-across-workspaces-tenants#manage-workspaces-across-tenants-using-azure-lighthouse).
8497

98+
> [!NOTE]
99+
> If you have tables with the same name but different schemas in multiple workspaces and want to use them in the same query, you should use the workspace operator to uniquely identify the table that you need.
100+
101+
85102
## Custom detection rules
86103

87104
You can also manage custom detection rules from multiple tenants in the custom detection rules page.
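Review bot: the note at lines 98 and 99 duplicates the one added in the cross-tenant section; if only one copy is kept, this is the right place for it, since the `workspace()` expression and the *WorkspaceA1* / *WorkspaceB2* example are introduced here. Lines 100 and 101 add a second blank line before `## Custom detection rules`; drop one. The note itself would be clearer if it tied back to the example above, e.g. "qualify the table with `workspace()` as in the example above", so readers see how to apply it rather than just that they should.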
@@ -112,6 +129,11 @@ To manage detection rules:
112129

113130
1. Select **Open detection rules** to view this rule in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com). To learn more, see [Custom detection rules](/defender-xdr/custom-detection-rules).
114131

132+
133+
134+
135+
136+
115137
## Related content
116138

117139
- [Set up Microsoft Defender multitenant management](mto-requirements.md)
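Review bot: lines 132 to 136 add five empty lines between the numbered steps and `## Related content` with no content; this looks like an accidental paste and should be reduced to the single blank line the file uses elsewhere.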
