Fix m365d/mde hunting query options (#702)

* fix unpassed time_column param in m365d_hunting * comment out unused start and end param in m365d/mde hunting * delete, not comment out --------- Co-authored-by: Ian Hellen <[email protected]>
microsoft · Sep 29, 2023 · aef43f2 · aef43f2
1 parent 900cefe
commit aef43f2
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 13 deletions.
diff --git a/msticpy/data/queries/m365d/kql_m365_hunting.yaml b/msticpy/data/queries/m365d/kql_m365_hunting.yaml
@@ -8,12 +8,6 @@ defaults:
   metadata:
     data_source: 'hunting_queries'
   parameters:
-      start:
-        description: Query start time
-        type: datetime
-      end:
-        description: Query end time
-        type: datetime
       add_query_items:
         description: Additional query clauses
         type: str
@@ -413,7 +407,7 @@ sources:
             makeset(Command), count(), min({time_column}) by
             AccountName, DeviceName, DeviceId
         | order by AccountName asc
-        | where min_Timestamp > ago(1d)
+        | where min_{time_column} > ago(1d)
         {add_query_items}'
       uri: "https://github.com/microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Lateral%20Movement/ServiceAccountsPerformingRemotePS.txt"
   accessibility_persistence:

diff --git a/msticpy/data/queries/mde/kql_mdatp_hunting.yaml b/msticpy/data/queries/mde/kql_mdatp_hunting.yaml
@@ -8,12 +8,6 @@ defaults:
   metadata:
     data_source: 'hunting_queries'
   parameters:
-      start:
-        description: Query start time
-        type: datetime
-      end:
-        description: Query end time
-        type: datetime
       add_query_items:
         description: Additional query clauses
         type: str