From 2824a5ea3e054c2430c86b68a4ed6630eb77b595 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 20 May 2020 16:16:45 -0700 Subject: [PATCH] First set of doc updates - machine-->device --- .../advanced-features.md | 26 ++++++++--------- .../advanced-hunting-best-practices.md | 2 +- ...dvanced-hunting-devicealertevents-table.md | 4 +-- .../advanced-hunting-deviceevents-table.md | 14 +++++----- ...hunting-devicefilecertificateinfo-table.md | 4 +-- ...advanced-hunting-devicefileevents-table.md | 4 +-- ...ced-hunting-deviceimageloadevents-table.md | 4 +-- .../advanced-hunting-deviceinfo-table.md | 28 +++++++++---------- ...dvanced-hunting-devicelogonevents-table.md | 12 ++++---- ...anced-hunting-devicenetworkevents-table.md | 8 +++--- ...dvanced-hunting-devicenetworkinfo-table.md | 8 +++--- ...anced-hunting-deviceprocessevents-table.md | 8 +++--- ...nced-hunting-deviceregistryevents-table.md | 4 +-- ...etvmsecureconfigurationassessment-table.md | 8 +++--- ...msoftwareinventoryvulnerabilities-table.md | 10 +++---- .../advanced-hunting-overview.md | 2 +- .../advanced-hunting-schema-reference.md | 6 ++-- ...lerts-queue-endpoint-detection-response.md | 8 +++--- .../microsoft-defender-atp/alerts-queue.md | 24 ++++++++-------- .../microsoft-defender-atp/alerts.md | 4 +-- .../api-microsoft-flow.md | 8 +++--- .../api-portal-mapping.md | 8 +++--- .../microsoft-defender-atp/apis-intro.md | 6 ++-- 23 files changed, 105 insertions(+), 105 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index c372c8f63a..32708b1921 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md 
@@ -35,7 +35,7 @@ Turn on this feature to take advantage of the automated investigation and remedi ## Live response -Turn on this feature so that users with the appropriate permissions can start a live response session on machines. +Turn on this feature so that users with the appropriate permissions can start a live response session on devices. For more information about role assignments, see [Create and manage roles](user-roles.md). @@ -52,7 +52,7 @@ For tenants created on or after Windows 10, version 1809 the automated investiga >[!NOTE] > ->- The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine. +>- The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device. >- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it. ## Allow or block file @@ -62,7 +62,7 @@ Blocking is only available if your organization fulfills these requirements: - Uses Windows Defender Antivirus as the active antimalware solution and, - The cloud-based protection feature is enabled -This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization. +This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on devices in your organization. To turn **Allow or block** files on: 
@@ -80,7 +80,7 @@ After turning on this feature, you can [block files](respond-file-alerts.md#allo Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they will be allowed or blocked based on your custom indicator list. -To use this feature, machines must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834). +To use this feature, devices must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834). For more information, see [Manage indicators](manage-indicators.md). @@ -93,7 +93,7 @@ Turn on this feature so that you can see user details stored in Azure Active Dir - Security operations dashboard - Alert queue -- Machine details page +- Device details page For more information, see [Investigate a user account](investigate-user.md). 
@@ -102,11 +102,11 @@ For more information, see [Investigate a user account](investigate-user.md). Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks. >[!NOTE] -> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode. +> When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode. ## Azure Advanced Threat Protection integration -The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view. +The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view. >[!NOTE] >You'll need to have the appropriate license to enable this feature. 
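Review bot: the rewritten Azure Advanced Threat Protection paragraph in this hunk carries over the pre-existing typo "pivoting across the network from an identify point of view"; since the line is already being touched for the machine-to-device rename, change it to "from an identity point of view" so the fix lands in the same commit.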
@@ -117,7 +117,7 @@ Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microso ### Enable the Microsoft Defender ATP integration from the Azure ATP portal -To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. +To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. 1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role. 
@@ -125,18 +125,18 @@ To receive contextual machine integration in Azure ATP, you'll also need to enab 3. Toggle the Integration setting to **On** and click **Save**. -After completing the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page. +After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page. ## Office 365 Threat Intelligence connection This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. -When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows machines. +When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices. >[!NOTE] >You'll need to have the appropriate license to enable this feature. -To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). +To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). ## Microsoft Threat Experts 
@@ -150,11 +150,11 @@ Out of the two Microsoft Threat Expert components, targeted attack notification Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. >[!NOTE] ->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. +>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. ## Azure Information Protection -Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded machines and machine risk ratings. +Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings. ## Microsoft Intune connection 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 7209a654db..67da553c47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -40,7 +40,7 @@ Apply these recommendations to get results faster and avoid timeouts while runni ## Query tips and pitfalls ### Queries with process IDs -Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). +Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md index 50d1242878..a0c33bb68a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md @@ -34,8 +34,8 @@ For information on other tables in the advanced hunting schema, see [the advance |-------------|-----------|-------------| | `AlertId` | string | Unique identifier for the alert | | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | | `Category` | string | Type of threat indicator or breach activity identified by the alert | | `Title` | string | Title of the alert | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index 8956d5c3a9..878d1fd636 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md 
@@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `FileName` | string | Name of the file that the recorded action was applied to | | `FolderPath` | string | Folder containing the file that the recorded action was applied to | 
@@ -44,19 +44,19 @@ For information on other tables in the advanced hunting schema, see [the advance | `AccountName` |string | User name of the account | | `AccountSid` | string | Security Identifier (SID) of the account | | `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to | -| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | +| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | | `ProcessId` | int | Process ID (PID) of the newly created process | | `ProcessCommandLine` | string | Command line used to create the new process | | `ProcessCreationTime` | datetime | Date and time the process was created | | `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | -| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| `LogonId` | string | Identifier for a logon session. 
This identifier is unique on the same device only between restarts | | `RegistryKey` | string | Registry key that the recorded action was applied to | | `RegistryValueName` | string | Name of the registry value that the recorded action was applied to | | `RegistryValueData` | string | Data of the registry value that the recorded action was applied to | | `RemoteIP` | string | IP address that was being connected to | | `RemotePort` | int | TCP port on the remote device that was being connected to | -| `LocalIP` | string | IP address assigned to the local machine used during communication | -| `LocalPort` | int | TCP port on the local machine used during communication | +| `LocalIP` | string | IP address assigned to the local device used during communication | +| `LocalPort` | int | TCP port on the local device used during communication | | `FileOriginUrl` | string | URL where the file was downloaded from | | `FileOriginIP` | string | IP address where the file was downloaded from | | `AdditionalFields` | string | Additional information about the event in JSON array format | 
@@ -74,7 +74,7 @@ For information on other tables in the advanced hunting schema, see [the advance | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts | +| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md index 4d1315f233..4c54f0a6d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md 
@@ -33,8 +33,8 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `SHA1` | string | SHA-1 of the file that the recorded action was applied to | | `IsSigned` | boolean | Indicates whether the file is signed | | `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 53faa19f58..351be8cfc8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md 
@@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advanc | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `FileName` | string | Name of the file that the recorded action was applied to | | `FolderPath` | string | Folder containing the file that the recorded action was applied to | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index b9c338f0c1..2327ce1a4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md 
@@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `FileName` | string | Name of the file that the recorded action was applied to | | `FolderPath` | string | Folder containing the file that the recorded action was applied to | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index e51b88cf9a..cc3663977a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md 
@@ -1,7 +1,7 @@ --- title: DeviceInfo table in the advanced hunting schema -description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users, MachineInfo +description: Learn about OS, computer name, and other device information in the DeviceInfo table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -25,25 +25,25 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. +The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about devices in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | -| `ClientVersion` | string | Version of the endpoint agent or sensor running on the machine | -| `PublicIP` | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy | -| `OSArchitecture` | string | Architecture of the operating system running on the machine | -| `OSPlatform` | string | Platform of the operating system running on the machine. 
This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | -| `OSBuild` | string | Build version of the operating system running on the machine | -| `IsAzureADJoined` | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | -| `LoggedOnUsers` | string | List of all users that are logged on the machine at the time of the event in JSON array format | -| `RegistryDeviceTag` | string | Machine tag added through the registry | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | +| `ClientVersion` | string | Version of the endpoint agent or sensor running on the device | +| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Microsoft Defender ATP service. This could be the IP address of the device itself, a NAT device, or a proxy | +| `OSArchitecture` | string | Architecture of the operating system running on the device | +| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | +| `OSBuild` | string | Build version of the operating system running on the device | +| `IsAzureADJoined` | boolean | Boolean indicator of whether device is joined to the Azure Active Directory | +| `LoggedOnUsers` | string | List of all users that are logged on the device at the time of the event in JSON array format | +| `RegistryDeviceTag` | string | Device tag added through the registry | | `ReportId` | long | Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| `OSVersion` | string | Version of the operating system running on the machine | +| `OSVersion` | string | Version of the operating system running on the device | | `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index 9814bdbe14..f48045b11f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -32,15 +32,15 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string |Type of activity that triggered the event | | `AccountDomain` | string | Domain of the account | | `AccountName` | string | User name of the account | | `AccountSid` | string | Security Identifier (SID) of the account | -| `LogonType` | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
| -| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | -| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | +| `LogonType` | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the device using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the device remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the device is accessed using PsExec or when shared resources on the device, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
| +| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts | +| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | | `RemoteIP` | string | IP address that was being connected to | | `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | `RemotePort` | int | TCP port on the remote device that was being connected to | @@ -63,7 +63,7 @@ For information on other tables in the advanced hunting schema, see [the advance | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | -| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the machine | +| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the device | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 17ba4f7f0d..3defded189 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md @@ -32,14 +32,14 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `RemoteIP` | string | IP address that was being connected to | | `RemotePort` | int | TCP port on the remote device that was being connected to | | `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to | -| `LocalIP` | string | IP address assigned to the local machine used during communication | -| `LocalPort` | int | TCP port on the local machine used during communication | +| `LocalIP` | string | IP address assigned to the local device used during communication | +| `LocalPort` | int | TCP port on the local device used during communication | | `Protocol` | string | IP protocol used, whether TCP or UDP | | `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index 2e84b08364..82d860e259 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -1,7 +1,7 @@ --- title: DeviceNetworkInfo table in the advanced hunting schema description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel, MachineNetworkInfo +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, device, mac, ip, adapter, dns, dhcp, gateway, tunnel, DeviceNetworkInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -25,15 +25,15 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. +The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of devices, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | | `NetworkAdapterName` | string | Name of the network adapter | | `MacAddress` | string | MAC address of the network adapter | 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 6fdba4c948..4c9e3d2d15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md @@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `FileName` | string | Name of the file that the recorded action was applied to | | `FolderPath` | string | Folder containing the file that the recorded action was applied to | 
@@ -48,11 +48,11 @@ For information on other tables in the advanced hunting schema, see [the advance | `AccountDomain` | string | Domain of the account | | `AccountName` | string | User name of the account | | `AccountSid` | string | Security Identifier (SID) of the account | -| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts | | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | +| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. | | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index c0b36b2df8..bff256d499 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `RegistryKey` | string | Registry key that the recorded action was applied to | | `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md index d58f79d5f1..507af8bb7b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md 
@@ -1,6 +1,6 @@ --- title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema -description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information. +description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information. keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -34,9 +34,9 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | -| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | +| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| | `Timestamp` | datetime |Date and time when the record was generated | | `ConfigurationId` | string | Unique identifier for a specific configuration | | `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md index 384b79a65a..c70518d2e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md 
@@ -35,11 +35,11 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | -| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | -| `OSVersion` | string | Version of the operating system running on the machine | -| `OSArchitecture` | string | Architecture of the operating system running on the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | +| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | +| `OSVersion` | string | Version of the operating system running on the device | +| `OSArchitecture` | string | Architecture of the operating system running on the device | | `SoftwareVendor` | string | Name of the software vendor | | `SoftwareName` | string | Name of the software product | | `SoftwareVersion` | string | Version number of the software product | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index 0a28ea14cd..4ce2ee1fd6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md 
@@ -25,7 +25,7 @@ ms.topic: article Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats. -You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines. +You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured devices. ## Get started with advanced hunting Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 99bd62562e..ef026d2f2b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md 
@@ -27,7 +27,7 @@ ms.date: 01/14/2020 [!include[Prerelease information](../../includes/prerelease.md)] -The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. +The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. ## Schema tables @@ -38,8 +38,8 @@ Table and column names are also listed within the Microsoft Defender Security Ce | Table name | Description | |------------|-------------| | **[DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)** | Alerts on Microsoft Defender Security Center | -| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Machine information, including OS information | -| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains | +| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Device information, including OS information | +| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of devices, including adapters, IP and MAC addresses, as well as connected networks and domains | | **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events | | **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events | | **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events | 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md index 0f5c27cc7e..4a29f349d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md @@ -20,7 +20,7 @@ ms.date: 09/03/2018 --- # Alerts queue in Microsoft Defender Security Center -Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as machines, files, or user accounts. +Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts. ## In this section 
@@ -30,9 +30,9 @@ Topic | Description [Manage alerts](manage-alerts.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert. [Investigate alerts](investigate-alerts.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. [Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behaviour, or event. -[Investigate machines](investigate-machines.md)| Investigate the details of a machine associated with a specific alert, behaviour, or event. -[Investigate an IP address](investigate-ip.md) | Examine possible communication between machines in your network and external internet protocol (IP) addresses. -[Investigate a domain](investigate-domain.md) | Investigate a domain to see if machines and servers in your network have been communicating with a known malicious domain. +[Investigate devices](investigate-machines.md)| Investigate the details of a device associated with a specific alert, behaviour, or event. +[Investigate an IP address](investigate-ip.md) | Examine possible communication between devices in your network and external internet protocol (IP) addresses. +[Investigate a domain](investigate-domain.md) | Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain. [Investigate a user account](investigate-user.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index a039772386..197c69c663 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md 
@@ -26,10 +26,10 @@ ms.date: 03/27/2020 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink) -The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first. +The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first. >[!NOTE] ->The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md). +>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md). There are several options you can choose from to customize the alerts queue view. 
@@ -51,7 +51,7 @@ You can apply the following filters to limit the list of alerts and get a more f Alert severity | Description :---|:--- -High
(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on machines. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary. +High
(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary. Medium
(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack. Low
(Yellow) | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization. Informational
(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues. @@ -60,15 +60,15 @@ Informational
(Grey) | Alerts that might not be considered harmful to the n Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes. -The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected. +The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected. -The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. +The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization. So, for example: -- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage. -- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat. -- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". +- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage. 
+- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat. +- An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. #### Understanding alert categories @@ -118,16 +118,16 @@ You can choose between showing alerts that are assigned to you or automation. Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service. >[!NOTE] ->The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product. +>The Windows Defender Antivirus filter will only appear if devices are using Windows Defender Antivirus as the default real-time protection antimalware product. ### OS platform Limit the alerts queue view by selecting the OS platform that you're interested in investigating. -### Machine group +### Device group -If you have specific machine groups that you're interested in checking, you can select the groups to limit the alerts queue view. +If you have specific device groups that you're interested in checking, you can select the groups to limit the alerts queue view. ### Associated threat 
@@ -138,7 +138,7 @@ Use this filter to focus on alerts that are related to high profile threats. You - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) - [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) - [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) - [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 5508ee20b8..e8811269cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md 
@@ -45,8 +45,8 @@ id | String | Alert ID. title | String | Alert title. description | String | Alert description. alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created. -lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine. -firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that machine. +lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same device. +firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device. lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated. resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'. incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md index c093fcacb7..b629251bda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md 
@@ -48,8 +48,8 @@ The following example demonstrates how you can create a Flow that will be trigge ![Image of edit credentials](images/api-flow-3.png) All you need to do now, is to choose your next steps. -Lets, for example, Isolate the machine if the Severity of the Alert is **High** and mail about it. -The Alert trigger gives us only the Alert ID and the Machine ID. We can use the Connector to expand these entities. +Lets, for example, Isolate the device if the Severity of the Alert is **High** and mail about it. +The Alert trigger gives us only the Alert ID and the Device ID. We can use the Connector to expand these entities. ### Get the Alert entity using the connector @@ -61,13 +61,13 @@ The Alert trigger gives us only the Alert ID and the Machine ID. We can use the ![Image of edit credentials](images/api-flow-4.png) -### Isolate the machine if the Alert's severity is High +### Isolate the device if the Alert's severity is High - Add **Condition** as a new step . - Check if Alert severity equals to **High**. -- If yes, add Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment. +- If yes, add Microsoft Defender ATP - Isolate device action with the Device Id and a comment. ![Image of edit credentials](images/api-flow-5.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 3b57273926..a649d44766 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md 
@@ -29,7 +29,7 @@ Understand what data fields are exposed as part of the detections API and how th >[!Note] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections ->- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details. +>- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details. ## Detections API fields and portal mapping The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. 
@@ -62,10 +62,10 @@ Field numbers match the numbers in the images below. > | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. | > | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. | > | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. | -> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every Detection. | +> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined devices. Value available for every Detection. | > | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. | -> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every Detection. | -> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. | +> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The device fully qualified domain name. Value available for every Detection. | +> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. | > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. 
| > | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index 1c6f356099..fcb5d20e0b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -2,7 +2,7 @@ title: Access the Microsoft Defender Advanced Threat Protection APIs ms.reviewer: description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities -keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query +keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -43,7 +43,7 @@ You can access Microsoft Defender ATP API with **Application Context** or **User Steps that need to be taken to access Microsoft Defender ATP API with application context: 1. Create an AAD Web-Application. - 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. + 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Devices'. 3. Create a key for this Application. 4. Get token using the application with its key. 5. Use the token to access Microsoft Defender ATP API 
@@ -56,7 +56,7 @@ You can access Microsoft Defender ATP API with **Application Context** or **User Steps that needs to be taken to access Microsoft Defender ATP API with application context: 1. Create AAD Native-Application. - 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. + 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Devices' etc. 3. Get token using the application with user credentials. 4. Use the token to access Microsoft Defender ATP API
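Review bot: In api-microsoft-flow.md, hunk `@@ -48,8 +48,8 @@`, the rewritten line still carries a typo from the original: "Lets, for example, Isolate the device" should read "Let's, for example, isolate the device" (apostrophe, and "isolate" is an ordinary verb here, not a UI label). Since the line is already being touched for the machine-to-device rename, fix both in the same edit rather than leaving them for a later pass.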
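Review bot: In api-microsoft-flow.md, hunk `@@ -61,13 +61,13 @@`, renaming the heading "### Isolate the machine if the Alert's severity is High" changes its generated anchor, so any existing links to the old fragment will break; check for inbound references before merging. In the same hunk, "Isolate device action with the Device Id" reads like the connector's action and parameter names, which a terminology sweep in the docs does not change; if the Flow connector still displays "Isolate machine" and "Machine Id", the doc should quote what the UI shows, or phrase it generically ("the isolate action, passing the device identifier") so it stays correct either way.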
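Review bot: In api-portal-mapping.md, hunk `@@ -29,7 +29,7 @@`, the edited note still has a grammar problem and an odd capital: "is composed from the suspicious event occurred on the Device" should be "is composed of the suspicious event that occurred on the device". While the line is being changed, fix the wording too.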
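Review bot: In api-portal-mapping.md, hunk `@@ -62,10 +62,10 @@`, leaving the field-name column untouched (MachineDomain, ComputerDnsName, LogOnUsers) while renaming only the prose descriptions is the right call: those are payload identifiers, and a consumer matching on them would break if the docs renamed them. Two small fixes for the description column while it is being edited: "The device fully qualified domain name" should be "The device's fully qualified domain name", and the row number "21+5" in the first column looks like a stray edit rather than a field number; confirm it against the numbered screenshot the table refers to.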
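Review bot: In apis-intro.md, hunk `@@ -2,7 +2,7 @@`, replacing "machine" with "device" in the `keywords:` front matter removes a search term rather than updating one. Readers who search for the old term, and anyone working from the API's own resource names, will no longer land on this page; keep both ("... alerts, machine, device, user, ...") since keywords are for discoverability, not for reader-facing terminology.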
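Review bot: In apis-intro.md, hunk `@@ -43,7 +43,7 @@`, 'Read Alerts' and 'Isolate Devices' are presented in quotes as if they were the exact permission names shown when configuring the AAD application. This is a docs-only change, so the permission names exposed by the API are whatever they were before; either quote the literal strings as they appear in the app registration, or drop the quotes and describe them generically ("for example, read alerts or isolate devices") so the doc does not assert a name the portal may not display.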
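Review bot: In apis-intro.md, hunk `@@ -56,7 +56,7 @@`, the unchanged context line "Steps that needs to be taken to access Microsoft Defender ATP API with application context:" looks wrong for this section: the steps that follow create a Native-Application and get a token with user credentials, which is the user-context flow, so it should read "with user context" (and "Steps that need to be taken"). On the edited line, "e.g 'Read Alerts', 'Isolate Devices' etc." should be "for example, 'Read Alerts' or 'Isolate Devices'" (a period after e.g., and not both "e.g." and "etc."), matching the wording used in the application-context steps above.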