Merge pull request #1709 from MicrosoftDocs/maccruz-argfxn

arg() function

Author: padmagit77

defender-xdr/TOC.yml

@@ -218,8 +218,14 @@
                href: advanced-hunting-modes.md
              - name: Generate KQL queries with Security Copilot
                href: advanced-hunting-security-copilot.md
-             - name: Advanced hunting in the Microsoft Defender portal
-               href: advanced-hunting-microsoft-defender.md
+             - name: Hunt over Microsoft Sentinel data
+               items:
+                 - name: Microsoft Sentinel data in advanced hunting
+                   href: advanced-hunting-microsoft-defender.md
+                 - name: Use functions, saved queries, and custom rules
+                   href: advanced-hunting-defender-use-custom-rules.md
+                 - name: Work with results containing Microsoft Sentinel data
+                   href: advanced-hunting-defender-results.md
              - name: Build queries using guided mode
                items:
                  - name: Get started with query builder

defender-xdr/advanced-hunting-defender-results.md

@@ -0,0 +1,46 @@
+---
+title: Work with results containing Microsoft Sentinel data
+description: Work with advanced hunting in the portal unifying Defender XDR and Sentinel data
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+  - m365-security
+  - m365initiative-m365-defender
+  - tier1
+  - usx-security
+ms.topic: conceptual
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.date: 08/07/2024
+---
+
+# Work with advanced hunting results containing Microsoft Sentinel data
+
+## Explore results
+
+Results of queries that were run appear in the **Results** tab. You can export the results to a CSV file by selecting **Export**. 
+
+:::image type="content" source="/defender/media/advanced-hunting-unified-results.png" alt-text="Screenshot of advanced hunting results with options to expand result rows in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-results.png":::
+
+You can also explore the results in-line with the following features:
+
+- Expand a result by selecting the dropdown arrow at the left of each result
+- Where applicable, expand details for results that are in JSON or array format by selecting the dropdown arrow at the left of applicable result row for added readability
+- Open the side pane to see a record's details (concurrent with expanded rows)
+
+You can also right-click on any result value in a row so that you can use it to:
+- Add more filters to the existing query
+- Copy the value for use in further investigation
+- Update the query to extend a JSON field to a new column
+
+For Microsoft Defender XDR data, you can take further action by selecting the checkboxes to the left of each result row. Select **Link to incident** to link the selected results to an incident (read [Link query results to an incident](advanced-hunting-link-to-incident.md)) or **Take actions** to open the Take actions wizard (read [Take action on advanced hunting query results](advanced-hunting-take-action.md)).
+

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -0,0 +1,95 @@
+---
+title: Use Microsoft Sentinel custom functions in advanced hunting in Microsoft Defender
+description: Using functions, saved queries, and custom rules in advanced hunting in the portal unifying Defender XDR and Sentinel data
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+  - m365-security
+  - m365initiative-m365-defender
+  - tier1
+  - usx-security
+ms.topic: conceptual
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.date: 08/07/2024
+---
+
+# Use Microsoft Sentinel functions, saved queries, and custom rules 
+
+
+## Use functions
+
+To use a function from Microsoft Sentinel, go to the **Functions** tab and scroll until you find the function that you want. Double-click the function name to insert the function in the query editor. 
+
+You can also select the vertical ellipses ( ![kebab icon](/defender/media/ah-kebab.png) ) to the right of the function and select **Insert to query** to insert the function into a query in the query editor. 
+
+Other options include:
+- **View details** – opens the function side pane containing its details
+- **Load function code** – opens a new tab containing the function code
+
+For editable functions, more options are available when you select the vertical ellipses:
+- **Edit details** – opens the function side pane to allow you to edit details about the function (except folder names for Sentinel functions)
+- **Delete** – deletes the function
+
+### Use arg() operator for Azure Resource Graph queries (Preview)
+Preview customers can use the *arg()* operator to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. Read [Create alerts with Azure Resource Graph and Log Analytics](/azure/governance/resource-graph/alerts-query-quickstart?tabs=azure-resource-graph) for more details.
+
+In the query editor, enter *arg("").* followed by the Azure Resource Graph table name. 
+
+```Kusto
+arg("").<Azure-Resource-Graph-table-name>
+```
+
+You can then, for instance, filter a query that searches over Microsoft Sentinel data based on the results of an Azure Resource Graph query:
+
+```Kusto
+arg("").Resources 
+| where type == "microsoft.compute/virtualmachines" and properties.hardwareProfile.vmSize startswith "Standard_D"
+| join (
+    Heartbeat
+    | where TimeGenerated > ago(1d)
+    | distinct Computer
+    )
+    on $left.name == $right.Computer
+```
+
+
+## Use saved queries
+
+To use a saved query from Microsoft Sentinel, go to the **Queries** tab and scroll until you find the query that you want. Double-click the query name to load the query in the query editor. For more options, select the vertical ellipses ( ![kebab icon](/defender/media/ah-kebab.png) ) to the right of the query. From here, you can perform the following actions:
+
+- **Run query** – loads the query in the query editor and runs it automatically
+- **Open in query editor** – loads the query in the query editor
+- **View details** – opens the query details side pane where you can inspect the query, run the query, or open the query in the editor
+
+   :::image type="content" source="/defender/media/advanced-hunting-unified-view-details.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-view-details.png":::
+
+
+For editable queries, more options are available:
+
+- **Edit details** – opens the query details side pane with the option to edit the details like description (if applicable) and the query itself; only the folder names (location) of Microsoft Sentinel queries can't be edited
+- **Delete** – deletes the query
+- **Rename** – allows you to modify the query name
+
+## Create custom analytics and detection rules
+
+To help discover threats and anomalous behaviors in your environment, you can create custom detection policies. 
+
+For analytics rules that apply to data ingested through the connected Microsoft Sentinel workspace, select **Manage rules > Create analytics rule**.
+
+:::image type="content" source="/defender/media/advanced-hunting-unified-rules.png" alt-text="Screenshot of the options to create custom analytics or detections in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-rules.png":::
+
+The **Analytics rule wizard** appears. Fill up the required details as described in [Analytics rule wizard—General tab](/azure/sentinel/detect-threats-custom#analytics-rule-wizardgeneral-tab).
+
+You can also create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables. Select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information. 
+
+If your Defender XDR data is ingested into Microsoft Sentinel, you have the option to choose between **Create custom detection** and **Create analytics rule**.

defender-xdr/advanced-hunting-microsoft-defender.md

@@ -1,6 +1,6 @@
 ---
-title: Advanced hunting in Microsoft Defender
-description: Advanced hunting in the portal unifying Defender XDR and Sentinel data
+title: Advanced hunting with Microsoft Sentinel data in Microsoft Defender
+description: Learn how to use advanced hunting in the portal unifying Defender XDR and Sentinel data
 search.appverid: met150
 ms.service: defender-xdr
 ms.subservice: adv-hunting
@@ -25,9 +25,9 @@ appliesto:
 ms.date: 10/18/2024
 ---
 
-# Advanced hunting in the Microsoft Defender portal
+# Advanced hunting with Microsoft Sentinel data in Microsoft Defender portal
 
-Advanced hunting allows you to view and query all the data sources available within the Micrsoft Defender portal. The data sources might include Microsoft Defender XDR and various Microsoft security services. If you onboard Microsoft Sentinel to the Defender portal, access and use all your existing Microsoft Sentinel workspace content, including queries and functions.
+Advanced hunting allows you to view and query all the data sources available within the [unified Microsoft Defender portal](/defender-xdr/microsoft-365-defender-portal). The data sources might include Microsoft Defender XDR and various Microsoft security services. If you onboard Microsoft Sentinel to the Defender portal, access and use all your existing Microsoft Sentinel workspace content, including queries and functions.
 
 Querying from a single portal across different data sets makes hunting more efficient and removes the need for context-switching.
 
@@ -79,86 +79,22 @@ In the unified portal, in addition to viewing the schema column names and descri
 
 :::image type="content" source="/defender/media/advanced-hunting-unified-view-schema.png" alt-text="Screenshot of the schema information pane in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-view-schema.png":::
 
-## Use functions
-
-To use a function from Microsoft Sentinel, go to the **Functions** tab and scroll until you find the function that you want. Double-click the function name to insert the function in the query editor. 
-
-You can also select the vertical ellipses ( ![kebab icon](/defender/media/ah-kebab.png) ) to the right of the function and select **Insert to query** to insert the function into a query in the query editor. 
-
-Other options include:
-- **View details** – opens the function side pane containing its details
-- **Load function code** – opens a new tab containing the function code
-
-For editable functions, more options are available when you select the vertical ellipses:
-- **Edit details** – opens the function side pane to allow you to edit details about the function (except folder names for Sentinel functions)
-- **Delete** – deletes the function
-
-
-## Use saved queries
-
-To use a saved query from Microsoft Sentinel, go to the **Queries** tab and scroll until you find the query that you want. Double-click the query name to load the query in the query editor. For more options, select the vertical ellipses ( ![kebab icon](/defender/media/ah-kebab.png) ) to the right of the query. From here, you can perform the following actions:
-
-- **Run query** – loads the query in the query editor and runs it automatically
-- **Open in query editor** – loads the query in the query editor
-- **View details** – opens the query details side pane where you can inspect the query, run the query, or open the query in the editor
-
-   :::image type="content" source="/defender/media/advanced-hunting-unified-view-details.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-view-details.png":::
-
-
-For editable queries, more options are available:
-
-- **Edit details** – opens the query details side pane with the option to edit the details like description (if applicable) and the query itself; only the folder names (location) of Microsoft Sentinel queries can't be edited
-- **Delete** – deletes the query
-- **Rename** – allows you to modify the query name
-
-## Create custom analytics and detection rules
-
-To help discover threats and anomalous behaviors in your environment, you can create custom detection policies. 
-
-For analytics rules that apply to data ingested through the connected Microsoft Sentinel workspace, select **Manage rules > Create analytics rule**.
-
-:::image type="content" source="/defender/media/advanced-hunting-unified-rules.png" alt-text="Screenshot of the options to create custom analytics or detections in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-rules.png":::
-
-The **Analytics rule wizard** appears. Fill up the required details as described in [Analytics rule wizard—General tab](/azure/sentinel/detect-threats-custom#analytics-rule-wizardgeneral-tab).
-
-You can also create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables. Select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information. 
-
-If your Defender XDR data is ingested into Microsoft Sentinel, you have the option to choose between **Create custom detection** and **Create analytics rule**.
-
-
-## Explore results
-
-Results of queries that were run appear in the **Results** tab. You can export the results to a CSV file by selecting **Export**. 
-
-:::image type="content" source="/defender/media/advanced-hunting-unified-results.png" alt-text="Screenshot of advanced hunting results with options to expand result rows in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-results.png":::
-
-You can also explore the results in-line with the following features:
-
-- Expand a result by selecting the dropdown arrow at the left of each result
-- Where applicable, expand details for results that are in JSON or array format by selecting the dropdown arrow at the left of applicable result row for added readability
-- Open the side pane to see a record's details (concurrent with expanded rows)
-
-You can also right-click on any result value in a row so that you can use it to:
-- Add more filters to the existing query
-- Copy the value for use in further investigation
-- Update the query to extend a JSON field to a new column
-
-For Microsoft Defender XDR data, you can take further action by selecting the checkboxes to the left of each result row. Select **Link to incident** to link the selected results to an incident (read [Link query results to an incident](advanced-hunting-link-to-incident.md)) or **Take actions** to open the Take actions wizard (read [Take action on advanced hunting query results](advanced-hunting-take-action.md)).
-
 ## Known issues
 
 - The `IdentityInfo table` from [Microsoft Sentinel](/azure/sentinel/ueba-reference#identityinfo-table) isn't available, as the `IdentityInfo` table remains as is in Defender XDR. Microsoft Sentinel features like analytics rules that query this table aren't impacted as they're querying the Log Analytics workspace directly.
 - The Microsoft Sentinel `SecurityAlert` table is replaced by `AlertInfo` and `AlertEvidence` tables, which both contain all the data on alerts. While SecurityAlert isn't available in the schema tab, you can still use it in queries using the advanced hunting editor. This provision is made so as not to break existing queries from Microsoft Sentinel that use this table. 
-- Guided hunting mode, links to incidents, and take actions capabilities are supported for Defender XDR data only.
+- Guided hunting mode and take actions capabilities are supported for Defender XDR data only.
 - Custom detections have the following limitations:
     - Custom detections are not available for KQL queries that do not include Defender XDR data.
     - Near real-time detection frequency is not available for detections that include Microsoft Sentinel data. 
     - Custom functions that were created and saved in Microsoft Sentinel are not supported.
     - Defining entities from Sentinel data is not yet supported in custom detections.
-- Bookmarks aren't supported in the advanced hunting experience. They're supported in the **Microsoft Sentinel > Threat management > Hunting** feature.
+- Bookmarks aren't supported in the advanced hunting experience. They're supported in the **Microsoft Sentinel > Threat management > Hunting** feature. 
 - If you're streaming Defender XDR tables to Log Analytics, there might be a difference between the`Timestamp` and `TimeGenerated` columns. In case the data arrives to Log Analytics after 48 hours, it's being overridden upon ingestion to `now()`. Therefore, to get the actual time the event happened, we recommend relying on the `Timestamp` column.
 - When prompting [Copilot for Security](advanced-hunting-security-copilot.md) for advanced hunting queries, you might find that not all Microsoft Sentinel tables are currently supported. However, support for these tables can be expected in the future.
 
 
+## See also
 
-
+- [Use advanced hunting functions, saved queries, and custom rules](advanced-hunting-defender-use-custom-rules.md)
+- [Explore advanced hunting results with Microsoft Sentinel data](advanced-hunting-defender-results.md)

defender-xdr/whats-new.md

@@ -29,9 +29,11 @@ For more information on what's new with other Microsoft Defender security produc
 
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
+
 ## October 2024
 
 - [Microsoft Unified RBAC roles](experts-on-demand.md#required-permissions-for-using-ask-defender-experts) are added with new permission levels for Microsoft Threat Experts customers to use Ask Defender experts capability.
+- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries-preview), Microsoft Defender portal users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources. You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
 
 ## September 2024
 
@@ -105,7 +107,7 @@ You can also get product updates and important notifications through the [messag
 
 - (Preview) You can now query Microsoft Sentinel data using the [advanced hunting query API](/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http&preserve-view=true). You can use the `timespan` parameter to query Defender XDR and Microsoft Sentinel data that have longer data retention than the Defender XDR default of 30 days.
 
-- (Preview) In the unified Microsoft Defender portal, you can now create custom detections in querying data that spans Microsoft Sentinel and Defender XDR tables. Read [Create custom analytics and detection rules](advanced-hunting-microsoft-defender.md#create-custom-analytics-and-detection-rules) for more information.
+- (Preview) In the unified Microsoft Defender portal, you can now create custom detections in querying data that spans Microsoft Sentinel and Defender XDR tables. Read [Create custom analytics and detection rules](advanced-hunting-defender-use-custom-rules.md) for more information.
 
 - Updated [troubleshooting steps for Microsoft Defender Experts app permissions in Microsoft Teams](teams-restrictions-dexapp.md).