diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 1762f3ee06..3e55222065 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -121,6 +121,7 @@ ##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md) ##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md) ##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md) +##### [DeviceFileCertificateInfoBeta](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md) ##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md) ##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md) ##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md index 4d241c4a55..c7fd28fc75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `AlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. +The `AlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md new file mode 100644 index 0000000000..17a7a62033 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md @@ -0,0 +1,59 @@ +--- +title: DeviceFileCertificateInfoBeta table in the advanced hunting schema +description: Learn about file signing information in the DeviceFileCertificateInfoBeta table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfoBeta +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 01/14/2020 +--- + +# AlertEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +The `DeviceFileCertificateInfoBeta` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints. + +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `Timestamp` | datetime | Date and time when the event was recorded +| `DeviceId` | string | Unique identifier for the machine in the service +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine +| `SHA1` | string | SHA-1 of the file that the recorded action was applied to +| `IsSigned` | boolean | Indicates whether the file is signed +| `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file +| `Signer` | string | Information about the signer of the file +| `SignerHash` | string | Unique hash value identifying the signer +| `Issuer` | string | Information about the issuing certificate authority (CA) +| `IssuerHash` | string | Unique hash value identifying issuing certificate authority (CA) +| `CrlDistributionPointUrls` | string | URL of the network share that contains certificates and the certificate revocation list (CRL) +| `CertificateCreationTime` | datetime | Date and time the certificate was created +| `CertificateExpirationTime` | datetime | Date and time the certificate is set to expire +| `CertificateCountersignatureTime` | datetime | Date and time the certificate was countersigned +| `IsTrusted` | boolean | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes +| `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. + + +## Related topics +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index e1cbdc7933..85f9a0c799 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -23,8 +23,7 @@ ms.date: 10/08/2019 **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query. @@ -141,5 +140,4 @@ For detailed information about the query language, see [Kusto query language doc - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) -> [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 7c64003218..8eb7542ce5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/08/2019 +ms.date: 01/14/2020 --- # Understand the advanced hunting schema @@ -47,6 +47,7 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events | | **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events | | **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | +| **[DeviceFileCertificateInfoBeta](advanced-hunting-devicefilecertificateinfobeta-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints | | **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products | | **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available | | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |