defender-xdr/advanced-hunting-defender-results.md
Lines changed: 9 additions & 10 deletions
@@ -51,16 +51,16 @@ You can use the link to incident feature to add advanced hunting query results t
51
51
### Link results to new or existing incidents
52
52
53
53
1. In the advanced hunting query pane, enter your query in the query field provided, then select **Run query** to get your results.
54
-
[IMAGE]
54
+
:::image type="content" source="/defender/media/advanced-hunting-results-link1.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link1.png":::
55
55
56
56
2. In the Results pane, select the events or records that are related to a new or current investigation you're working on, then select **Link to incident**.
57
-
[IMAGE]
57
+
:::image type="content" source="/defender/media/advanced-hunting-results-link2.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link2.png":::
58
58
59
59
3. In the **Alert details** section in the Link to incident pane, select **Create new incident** to convert the events to alerts and group them to a new incident:
60
60
[IMAGE]
61
61
62
62
You can also select **Link to an existing incident** to add the selected records to an existing one. Choose the related incident from the dropdown list of existing incidents. You can also enter the first few characters of the incident name or ID to find the existing incident.
63
-
[IMAGE]
63
+
:::image type="content" source="/defender/media/advanced-hunting-results-link4.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link4.png":::
64
64
4. For either selection, provide the following details, then select **Next**:
65
65
- **Alert title** - a descriptive title for the results that your incident responders can understand; this descriptive title becomes the alert title
66
66
- **Severity** - choose the severity applicable to the group of alerts
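Review bot: every image converted in this hunk (link1, link2, link4) carries the identical alt-text "Screenshot of the options available in saved queries in the Microsoft Defender portal", which describes neither the Run query step, the Results pane with Link to incident, nor the existing-incident dropdown it sits next to; give each image alt text that names what the step shows, for example `alt-text="Screenshot of the Results pane with records selected and Link to incident highlighted"` for link2. The image after step 3 (the Create new incident step, line 60) is also left as the old plain image rather than migrated to the `:::image` syntax, so the section now mixes both forms; convert it the same way so the whole procedure is consistent.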
@@ -101,11 +101,11 @@ You can use the link to incident feature to add advanced hunting query results t
101
101
102
102
After selecting the identifier, select a column from the query results’ that contains the selected identifier. You can click on the schema icon to open the schema reference and read the description on every column, to make sure you chose the right column that matches the selected identifier.
103
103
104
-
[IMAGE]
104
+
:::image type="content" source="/defender/media/advanced-hunting-results-link5.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link5.png":::
105
105
106
106
In our example, we used a query to find events related to a possible email exfiltration incident, therefore the recipient’s mailbox and recipient’s account are the impacted entities, and the sender’s IP as well as mail message are related evidence.
107
107
108
-
[IMAGE]
108
+
:::image type="content" source="/defender/media/advanced-hunting-results-link6.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link6.png":::
109
109
110
110
A different alert is created for each record with a unique combination of impacted entities. In our example, if there are three different recipients mailboxes and recipient object ids combinations, for instance, then three alerts are created and linked to the chosen incident.
111
111
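Review bot: link5 and link6 reuse the generic saved-queries alt-text even though the surrounding text says these screenshots show picking the column that contains the selected identifier and the impacted-entity and evidence mapping for the email exfiltration example; the alt text should say that, since screen-reader users otherwise get no hint of which wizard step is pictured. Two context-line nits worth fixing while the file is open: `select a column from the query results’ that contains` has a stray apostrophe after `results`, and `three different recipients mailboxes and recipient object ids combinations` should read `three different recipient mailbox and recipient object ID combinations`.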
@@ -116,20 +116,19 @@ You can use the link to incident feature to add advanced hunting query results t
116
116
### View linked records in the incident
117
117
You can click on the generated link from the summary step of the wizard or select the incident name from the incidents’ queue, to view the incident that the events are linked to.
118
118
119
-
[IMAGE]
119
+
:::image type="content" source="/defender/media/advanced-hunting-results-link8.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link8.png":::
120
120
121
121
In our example, the three alerts, representing the three selected events, were linked successfully to a new incident.
122
122
In each of the alert pages, you can find the complete information on the event or events in timeline view (if available) and query results view.
123
123
124
124
You can also select the event from the timeline view or from the query results view to open the Inspect record pane.
125
-
126
-
[IMAGE]
125
+
126
+
:::image type="content" source="/defender/media/advanced-hunting-results-link2.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link2.png":::
127
127
128
128
### Filter for events added using advanced hunting
129
129
You can view which alerts were generated from advanced hunting by filtering the Incidents queue and Alerts queue by Manual detection source
130
130
131
-
[IMAGE]
132
-
131
+
:::image type="content" source="/defender/media/advanced-hunting-results-link9.png" alt-text="Screenshot of the options available in saved queries in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-results-link9.png":::
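Review bot: the image added for the Inspect record pane step points at `advanced-hunting-results-link2.png`, the same file this change uses in the first hunk for the Results pane / Link to incident step, while the neighbouring screenshots in this section are link8 and link9; confirm that reusing link2 is intended and not a copied path, because the text says this screenshot should show the Inspect record pane opened from the timeline or query results view. The link8 and link9 images also keep the saved-queries alt text; describe the linked incident view and the Manual detection source filter instead. Minor: the context sentence `filtering the Incidents queue and Alerts queue by Manual detection source` is missing its terminating period.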