You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/advanced-hunting-defender-use-custom-rules.md
+9-11Lines changed: 9 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -65,9 +65,9 @@ For example, to get the first 10 rows of data from the `StormEvents` table store
65
65
### Use arg() operator for Azure Resource Graph queries
66
66
The `arg()` operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like.
67
67
68
-
This feature was previously only available in log analytics in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works over Microsoft Sentinel data (that is, Defender XDR tables aren't supported). This allows users to use the operator in advanced hunting without needing to manually open a Microsoft Sentinel window.
68
+
This feature was previously only available in the Logs feature in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works to combine Azure Resource Graph (arg) queries with Microsoft Sentinel tables (that is, Defender XDR tables aren't supported). This allows users to make the cross-service query in advanced hunting without manually opening a Microsoft Sentinel window.
69
69
70
-
Note that queries using the `arg()` operator return the first 1,000 records only. Read [Query data in Azure Resource Graph by using arg()](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#query-data-in-azure-resource-graph-by-using-arg-preview) for more details.
70
+
For more information, see [Query data in Azure Resource Graph by using arg()](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#query-data-in-azure-resource-graph-by-using-arg-preview).
71
71
72
72
In the query editor, enter *arg("").* followed by the Azure Resource Graph table name.
73
73
@@ -78,14 +78,12 @@ For example:
78
78
You can also, for instance, filter a query that searches over Microsoft Sentinel data based on the results of an Azure Resource Graph query:
79
79
80
80
```Kusto
81
-
arg("").Resources
82
-
| where type == "microsoft.compute/virtualmachines" and properties.hardwareProfile.vmSize startswith "Standard_D"
83
-
| join (
84
-
Heartbeat
85
-
| where TimeGenerated > ago(1d)
86
-
| distinct Computer
87
-
)
88
-
on $left.name == $right.Computer
81
+
arg("").Resources
82
+
| where type=="microsoft.compute/virtualmachines" | extend name = tolower(name)
83
+
| join (
84
+
BehaviorAnalytics
85
+
| where isnotempty(SourceDevice) and InvestigationPriority > 2 | extend SourceDevice = tolower(SourceDevice)
86
+
) on $left.name == $right.SourceDevice
89
87
```
90
88
91
89
@@ -141,4 +139,4 @@ You can view all your user-defined rules—both custom detection rules and analy
141
139
142
140
143
141
For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the **Workspace ID** column and filter by workspace.
0 commit comments