Updated hunting reference to state Sha256 is usually not populated

This commit is contained in:
Tomer Alpert
2018-04-22 14:26:32 +00:00
parent 137eaa62ab
commit 0c6364170b


@ -64,7 +64,7 @@ Use the following table to understand what the columns represent, its data type,
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event. | | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event. |
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event. | | InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event. |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event. | | InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event. |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. | | InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated - please use the SHA-1 field when available. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. | | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory. | | IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory. |
| LocalIP | string | IP address assigned to the local machine used during communication. | | LocalIP | string | IP address assigned to the local machine used during communication. |
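Review bot: the new InitiatingProcessSha256 description says "please use the SHA-1 field when available", but it is the SHA-256 column that is usually empty, so "when available" reads as if SHA-1 were the optional one; name the column and state the consequence for hunting queries instead, e.g. "This field is usually not populated. Filter on InitiatingProcessSha1 instead, since a filter on this column will silently match no events." Also consider replacing the spaced hyphen in "not populated - please" with a full stop, matching the sentence style of the rest of the table.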
@ -97,7 +97,7 @@ Use the following table to understand what the columns represent, its data type,
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| ReportIndex | long | Event identifier that is unique among the same event type. | | ReportIndex | long | Event identifier that is unique among the same event type. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to. | | SHA1 | string | SHA-1 of the file that the recorded action was applied to. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated - please use the SHA-1 field when available.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
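Review bot: the edited SHA256 row has lost its leading "| " and trailing " |", unlike the InitiatingProcessSha256 row in the previous hunk, so the row will not render as part of the markdown table; restore the delimiters so the line reads "| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated. Filter on SHA1 instead. |". The same "when available" wording issue applies here: say which column to use (SHA1) rather than "the SHA-1 field". A blank line between the table and the ">Want to experience" call-out would also keep the quote from being parsed as a table row.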