Updates

Author: schmurky

defender-xdr/custom-detection-rules.md

@@ -75,7 +75,7 @@ In the Microsoft Defender portal, go to **Advanced hunting** and select an exist
 
 
 To create a custom detection rule, the query must return the following columns:
-1. `Timestamp` - Used to set the timestamp for generated alerts
+1. `Timestamp` - This column is used to set the timestamp for generated alerts. The `Timestamp` that is returned from the query should not have been manipulated in the query and should be returned exactly as it appears in the raw event.
 2. A column or combination of columns that uniquely identify the event in Defender XDR tables:
       - For Microsoft Defender for Endpoint tables, the `Timestamp`, `DeviceId`, and `ReportId` columns must appear in the same event
       - For Alert* tables, `Timestamp` must appear in the event
@@ -99,7 +99,7 @@ To create a custom detection rule, the query must return the following columns:
 > [!NOTE]
 > Support for more entities will be added as new tables are added to the [advanced hunting schema](advanced-hunting-schema-tables.md).
 
-The `Timestamp` that is returned from the query should not have been manipulated in the query and should be returned exactly as it appears in the raw event.
+
 
 Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.