mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
Name capping and backticks
This commit is contained in:
lomayor
@ -128,7 +128,7 @@
|
|||||||
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
|
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
|
||||||
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
|
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
|
||||||
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
|
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
|
||||||
#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
|
#### [Stream advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
|
||||||
|
|
||||||
#### [Custom detections]()
|
#### [Custom detections]()
|
||||||
##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
|
##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: AlertEvents table in the Advanced hunting schema
|
title: AlertEvents table in the advanced hunting schema
|
||||||
description: Learn about alert generation events in the AlertEvents table of the Advanced hunting schema
|
description: Learn about alert generation events in the AlertEvents table of the advanced hunting schema
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, alertevents, alert, severity, category
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, alertevents, alert, severity, category
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
@ -26,25 +26,25 @@ ms.date: 10/08/2019
|
|||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||||
|
|
||||||
The AlertEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
|
The `AlertEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| AlertId | string | Unique identifier for the alert |
|
| `AlertId` | string | Unique identifier for the alert |
|
||||||
| Timestamp | datetime | Date and time when the event was recorded |
|
| `Timestamp` | datetime | Date and time when the event was recorded |
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
|
| `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
|
||||||
| Category | string | Type of threat indicator or breach activity identified by the alert |
|
| `Category` | string | Type of threat indicator or breach activity identified by the alert |
|
||||||
| Title | string | Title of the alert |
|
| `Title` | string | Title of the alert |
|
||||||
| FileName | string | Name of the file that the recorded action was applied to |
|
| `FileName` | string | Name of the file that the recorded action was applied to |
|
||||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
|
||||||
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
||||||
| RemoteIP | string | IP address that was being connected to |
|
| `RemoteIP` | string | IP address that was being connected to |
|
||||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
|
||||||
| Table | string | Table that contains the details of the event |
|
| `Table` | string | Table that contains the details of the event |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Query best practices for Advanced hunting
|
title: Query best practices for advanced hunting
|
||||||
description: Learn how to construct fast, efficient, and error-free threat hunting queries when using Advanced hunting
|
description: Learn how to construct fast, efficient, and error-free threat hunting queries when using advanced hunting
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: DeviceEvents table in the advanced hunting schema
|
title: DeviceEvents table in the advanced hunting schema
|
||||||
description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the Advanced hunting schema
|
description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the advanced hunting schema
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
@ -26,58 +26,59 @@ ms.date: 10/08/2019
|
|||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||||
|
|
||||||
The miscellaneous device events or DeviceEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
|
The miscellaneous device events or `DeviceEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| Timestamp | datetime | Date and time when the event was recorded |
|
| `Timestamp` | datetime | Date and time when the event was recorded |
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| ActionType | string | Type of activity that triggered the event |
|
| `ActionType` | string | Type of activity that triggered the event |
|
||||||
| FileName | string | Name of the file that the recorded action was applied to |
|
| `FileName` | string | Name of the file that the recorded action was applied to |
|
||||||
| FolderPath | string | Folder containing the file that the recorded action was applied to |
|
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
|
||||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
|
||||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
|
| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
|
||||||
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
|
| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
|
||||||
| AccountDomain | string | Domain of the account |
|
| `AccountDomain` | string | Domain of the account |
|
||||||
| AccountName |string | User name of the account |
|
| `AccountName |string | User name of the account |
|
||||||
| AccountSid | string | Security Identifier (SID) of the account |
|
| `AccountSid` | string | Security Identifier (SID) of the account |
|
||||||
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
||||||
| RemoteDeviceName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
|
| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
|
||||||
| ProcessId | int | Process ID (PID) of the newly created process |
|
| `ProcessId` | int | Process ID (PID) of the newly created process |
|
||||||
| ProcessCommandLine | string | Command line used to create the new process |
|
| `ProcessCommandLine` | string | Command line used to create the new process |
|
||||||
| ProcessCreationTime | datetime | Date and time the process was created |
|
| `ProcessCreationTime` | datetime | Date and time the process was created |
|
||||||
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
|
| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
|
||||||
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
|
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
|
||||||
| RegistryKey | string | Registry key that the recorded action was applied to |
|
| `RegistryKey` | string | Registry key that the recorded action was applied to |
|
||||||
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
|
| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
|
||||||
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
|
| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
|
||||||
| RemoteIP | string | IP address that was being connected to |
|
| `RemoteIP` | string | IP address that was being connected to |
|
||||||
| RemotePort | int | TCP port on the remote device that was being connected to |
|
| `RemotePort` | int | TCP port on the remote device that was being connected to |
|
||||||
| LocalIP | string | IP address assigned to the local machine used during communication |
|
| `LocalIP` | string | IP address assigned to the local machine used during communication |
|
||||||
| LocalPort | int | TCP port on the local machine used during communication |
|
| `LocalPort` | int | TCP port on the local machine used during communication |
|
||||||
| FileOriginUrl | string | URL where the file was downloaded from |
|
| `FileOriginUrl` | string | URL where the file was downloaded from |
|
||||||
| FileOriginIP | string | IP address where the file was downloaded from |
|
| `FileOriginIP` | string | IP address where the file was downloaded from |
|
||||||
| AdditionalFields | string | Additional information about the event in JSON array format |
|
| `AdditionalFields` | string | Additional information about the event in JSON array format |
|
||||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
|
| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
|
||||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
|
||||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
|
||||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
|
||||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
|
||||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
|
||||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
|
| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
|
||||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
|
||||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||||
|
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: DeviceFileEvents table in the Advanced hunting schema
|
title: DeviceFileEvents table in the advanced hunting schema
|
||||||
description: Learn about file-related events in the DeviceFileEvents table of the Advanced hunting schema
|
description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
@ -26,51 +26,51 @@ ms.date: 10/08/2019
|
|||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||||
|
|
||||||
The DeviceFileEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
|
The `DeviceFileEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| Timestamp | datetime | Date and time when the event was recorded |
|
| `Timestamp` | datetime | Date and time when the event was recorded |
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| ActionType | string | Type of activity that triggered the event |
|
| `ActionType` | string | Type of activity that triggered the event |
|
||||||
| FileName | string | Name of the file that the recorded action was applied to |
|
| `FileName` | string | Name of the file that the recorded action was applied to |
|
||||||
| FolderPath | string | Folder containing the file that the recorded action was applied to |
|
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
|
||||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
|
||||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
|
| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
|
||||||
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
|
| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
|
||||||
| FileOriginUrl | string | URL where the file was downloaded from |
|
| `FileOriginUrl` | string | URL where the file was downloaded from |
|
||||||
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
|
| `FileOriginReferrerUrl` | string | URL of the web page that links to the downloaded file |
|
||||||
| FileOriginIP | string | IP address where the file was downloaded from |
|
| `FileOriginIP` | string | IP address where the file was downloaded from |
|
||||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
|
||||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
|
||||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
|
||||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
|
||||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
|
||||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
| `InitiatingProcessIntegrityLevel` | string` | integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||||
| RequestProtocol | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
|
| `RequestProtocol` | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
|
||||||
| ShareName | string | Name of shared folder containing the file |
|
| `ShareName` | string | Name of shared folder containing the file |
|
||||||
| RequestSourceIP | string | IPv4 or IPv6 address of the remote device that initiated the activity |
|
| `RequestSourceIP` | string | IPv4 or IPv6 address of the remote device that initiated the activity |
|
||||||
| RequestSourcePort | string | Source port on the remote device that initiated the activity |
|
| `RequestSourcePort` | string | Source port on the remote device that initiated the activity |
|
||||||
| RequestAccountName | string | User name of account used to remotely initiate the activity |
|
| `RequestAccountName` | string | User name of account used to remotely initiate the activity |
|
||||||
| RequestAccountDomain | string | Domain of the account used to remotely initiate the activity |
|
| `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity |
|
||||||
| RequestAccountSid | string | Security Identifier (SID) of the account to remotely initiate the activity |
|
| `RequestAccountSid` | string | Security Identifier (SID) of the account to remotely initiate the activity |
|
||||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
| `ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
||||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||||
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
|
| `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection |
|
||||||
| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
|
| `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
|
||||||
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
|
| `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: DeviceImageLoadEvents table in the Advanced hunting schema
|
title: DeviceImageLoadEvents table in the advanced hunting schema
|
||||||
description: Learn about DLL loading events in the DeviceImageLoadEvents table of the Advanced hunting schema
|
description: Learn about DLL loading events in the DeviceImageLoadEvents table of the advanced hunting schema
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
@ -26,37 +26,37 @@ ms.date: 10/08/2019
|
|||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||||
|
|
||||||
The DeviceImageLoadEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
|
The `DeviceImageLoadEvents table` in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| Timestamp | datetime | Date and time when the event was recorded |
|
| `Timestamp` | datetime | Date and time when the event was recorded |
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| ActionType | string | Type of activity that triggered the event |
|
| `ActionType` | string | Type of activity that triggered the event |
|
||||||
| FileName | string | Name of the file that the recorded action was applied to |
|
| `FileName` | string | Name of the file that the recorded action was applied to |
|
||||||
| FolderPath | string | Folder containing the file that the recorded action was applied to |
|
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
|
||||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
|
||||||
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
|
| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
|
||||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
|
||||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
|
||||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
|
||||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
|
||||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
|
||||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
|
||||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: DeviceInfo table in the Advanced hunting schema
|
title: DeviceInfo table in the advanced hunting schema
|
||||||
description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the Advanced hunting schema
|
description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the advanced hunting schema
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users, MachineInfo
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
@ -26,26 +26,26 @@ ms.date: 10/08/2019
|
|||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||||
|
|
||||||
The DeviceInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
|
The `DeviceInfo` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| Timestamp | datetime | Date and time when the event was recorded |
|
| `Timestamp` | datetime | Date and time when the event was recorded |
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
|
| `ClientVersion` | string | Version of the endpoint agent or sensor running on the machine |
|
||||||
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
|
| `PublicIP` | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
|
||||||
| OSArchitecture | string | Architecture of the operating system running on the machine |
|
| `OSArchitecture` | string | Architecture of the operating system running on the machine |
|
||||||
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
|
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
|
||||||
| OSBuild | string | Build version of the operating system running on the machine |
|
| `OSBuild` | string | Build version of the operating system running on the machine |
|
||||||
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
|
| `IsAzureADJoined` | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
|
||||||
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
|
| `LoggedOnUsers` | string | List of all users that are logged on the machine at the time of the event in JSON array format |
|
||||||
| RegistryDeviceTag | string | Machine tag added through the registry |
|
| `RegistryDeviceTag` | string | Machine tag added through the registry |
|
||||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
||||||
| OSVersion | string | Version of the operating system running on the machine |
|
| `OSVersion` | string | Version of the operating system running on the machine |
|
||||||
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
|
| `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: DeviceLogonEvents table in the Advanced hunting schema
|
title: DeviceLogonEvents table in the advanced hunting schema
|
||||||
description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the Advanced hunting schema
|
description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the advanced hunting schema
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
@ -26,45 +26,45 @@ ms.date: 10/08/2019
|
|||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||||
|
|
||||||
The DeviceLogonEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
|
The `DeviceLogonEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| Timestamp | datetime | Date and time when the event was recorded |
|
| `Timestamp` | datetime | Date and time when the event was recorded |
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| ActionType | string |Type of activity that triggered the event |
|
| `ActionType` | string |Type of activity that triggered the event |
|
||||||
| AccountDomain | string | Domain of the account |
|
| `AccountDomain` | string | Domain of the account |
|
||||||
| AccountName | string | User name of the account |
|
| `AccountName` | string | User name of the account |
|
||||||
| AccountSid | string | Security Identifier (SID) of the account |
|
| `AccountSid` | string | Security Identifier (SID) of the account |
|
||||||
| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
|
| `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
|
||||||
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
|
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
|
||||||
| RemoteDeviceName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
|
| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
|
||||||
| RemoteIP | string | IP address that was being connected to |
|
| `RemoteIP` | string | IP address that was being connected to |
|
||||||
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
|
| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
|
||||||
| RemotePort | int | TCP port on the remote device that was being connected to |
|
| `RemotePort` | int | TCP port on the remote device that was being connected to |
|
||||||
| AdditionalFields | string | Additional information about the event in JSON array format |
|
| `AdditionalFields` | string | Additional information about the event in JSON array format |
|
||||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
|
| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
|
||||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
|
||||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
|
||||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
|
||||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
|
||||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
|
||||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
|
||||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||||
| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
|
| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the machine |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: DeviceNetworkEvents table in the Advanced hunting schema
|
title: DeviceNetworkEvents table in the advanced hunting schema
|
||||||
description: Learn about network connection events you can query from the DeviceNetworkEvents table of the Advanced hunting schema
|
description: Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
@ -26,41 +26,41 @@ ms.date: 10/08/2019
|
|||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||||
|
|
||||||
The DeviceNetworkEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
|
The `DeviceNetworkEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| Timestamp | datetime | Date and time when the event was recorded |
|
| `Timestamp` | datetime | Date and time when the event was recorded |
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| ActionType | string | Type of activity that triggered the event |
|
| `ActionType` | string | Type of activity that triggered the event |
|
||||||
| RemoteIP | string | IP address that was being connected to |
|
| `RemoteIP` | string | IP address that was being connected to |
|
||||||
| RemotePort | int | TCP port on the remote device that was being connected to |
|
| `RemotePort` | int | TCP port on the remote device that was being connected to |
|
||||||
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
||||||
| LocalIP | string | IP address assigned to the local machine used during communication |
|
| `LocalIP` | string | IP address assigned to the local machine used during communication |
|
||||||
| LocalPort | int | TCP port on the local machine used during communication |
|
| `LocalPort` | int | TCP port on the local machine used during communication |
|
||||||
| Protocol | string | IP protocol used, whether TCP or UDP |
|
| `Protocol` | string | IP protocol used, whether TCP or UDP |
|
||||||
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
|
| `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
|
||||||
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
|
| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
|
||||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
|
||||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
|
||||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
|
||||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
|
||||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
|
||||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
|
||||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: DeviceNetworkInfo table in the Advanced hunting schema
|
title: DeviceNetworkInfo table in the advanced hunting schema
|
||||||
description: Learn about network configuration information in the DeviceNetworkInfo table of the Advanced hunting schema
|
description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel, MachineNetworkInfo
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
@ -26,27 +26,27 @@ ms.date: 10/08/2019
|
|||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||||
|
|
||||||
The DeviceNetworkInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
|
The `DeviceNetworkInfo` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| Timestamp | datetime | Date and time when the event was recorded |
|
| `Timestamp` | datetime | Date and time when the event was recorded |
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
|
||||||
| NetworkAdapterName | string | Name of the network adapter |
|
| `NetworkAdapterName` | string | Name of the network adapter |
|
||||||
| MacAddress | string | MAC address of the network adapter |
|
| `MacAddress` | string | MAC address of the network adapter |
|
||||||
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
|
| `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
|
||||||
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
|
| `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
|
||||||
| TunnelType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
|
| `TunnelType` | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
|
||||||
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
|
| `ConnectedNetworks` | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
|
||||||
| DnsAddresses | string | DNS server addresses in JSON array format |
|
| `DnsAddresses` | string | DNS server addresses in JSON array format |
|
||||||
| IPv4Dhcp | string | IPv4 address of DHCP server |
|
| `IPv4Dhcp` | string | IPv4 address of DHCP server |
|
||||||
| IPv6Dhcp | string | IPv6 address of DHCP server |
|
| `IPv6Dhcp` | string | IPv6 address of DHCP server |
|
||||||
| DefaultGateways | string | Default gateway addresses in JSON array format |
|
| `DefaultGateways` | string | Default gateway addresses in JSON array format |
|
||||||
| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
|
| `IPAddresses` | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: DeviceProcessEvents table in the Advanced hunting schema
|
title: DeviceProcessEvents table in the advanced hunting schema
|
||||||
description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the Advanced hunting schema
|
description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the advanced hunting schema
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
@ -26,49 +26,49 @@ ms.date: 10/08/2019
|
|||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||||
|
|
||||||
The DeviceProcessEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
|
The `DeviceProcessEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| Timestamp | datetime | Date and time when the event was recorded |
|
| `Timestamp` | datetime | Date and time when the event was recorded |
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| ActionType | string | Type of activity that triggered the event |
|
| `ActionType` | string | Type of activity that triggered the event |
|
||||||
| FileName | string | Name of the file that the recorded action was applied to |
|
| `FileName` | string | Name of the file that the recorded action was applied to |
|
||||||
| FolderPath | string | Folder containing the file that the recorded action was applied to |
|
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
|
||||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
|
||||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
|
| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
|
||||||
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
|
| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
|
||||||
| ProcessId | int | Process ID (PID) of the newly created process |
|
| `ProcessId` | int | Process ID (PID) of the newly created process |
|
||||||
| ProcessCommandLine | string | Command line used to create the new process |
|
| `ProcessCommandLine` | string | Command line used to create the new process |
|
||||||
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
|
| `ProcessIntegrityLevel` | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
|
||||||
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
|
| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
|
||||||
| ProcessCreationTime | datetime | Date and time the process was created |
|
| `ProcessCreationTime` | datetime | Date and time the process was created |
|
||||||
| AccountDomain | string | Domain of the account |
|
| `AccountDomain` | string | Domain of the account |
|
||||||
| AccountName | string | User name of the account |
|
| `AccountName` | string | User name of the account |
|
||||||
| AccountSid | string | Security Identifier (SID) of the account |
|
| `AccountSid` | string | Security Identifier (SID) of the account |
|
||||||
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
|
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
|
||||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
|
| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
|
||||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
|
| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
|
||||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
|
||||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
|
||||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
|
||||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
|
||||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
|
||||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
|
||||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: DeviceRegistryEvents table in the Advanced hunting schema
|
title: DeviceRegistryEvents table in the advanced hunting schema
|
||||||
description: Learn about registry events you can query from the DeviceRegistryEvents table of the Advanced hunting schema
|
description: Learn about registry events you can query from the DeviceRegistryEvents table of the advanced hunting schema
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
@ -26,39 +26,39 @@ ms.date: 10/08/2019
|
|||||||
|
|
||||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||||
|
|
||||||
The DeviceRegistryEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
|
The `DeviceRegistryEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| Timestamp | datetime | Date and time when the event was recorded |
|
| `Timestamp` | datetime | Date and time when the event was recorded |
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| ActionType | string | Type of activity that triggered the event |
|
| `ActionType` | string | Type of activity that triggered the event |
|
||||||
| RegistryKey | string | Registry key that the recorded action was applied to |
|
| `RegistryKey` | string | Registry key that the recorded action was applied to |
|
||||||
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
|
| `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
|
||||||
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
|
| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
|
||||||
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
|
| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
|
||||||
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
|
| `PreviousRegistryValueName` | string | Original name of the registry value before it was modified |
|
||||||
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
|
| `PreviousRegistryValueData` | string | Original data of the registry value before it was modified |
|
||||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
|
||||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
|
||||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
|
||||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
|
||||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
|
||||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
|
||||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
|
||||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
|
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
|
||||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
title: Overview of Advanced hunting
|
title: Overview of advanced hunting
|
||||||
description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
|
description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
@ -18,7 +18,7 @@ ms.topic: article
|
|||||||
ms.date: 10/08/2019
|
ms.date: 10/08/2019
|
||||||
---
|
---
|
||||||
|
|
||||||
# Proactively hunt for threats with Advanced hunting
|
# Proactively hunt for threats with advanced hunting
|
||||||
**Applies to:**
|
**Applies to:**
|
||||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||||
|
|
||||||
@ -28,9 +28,9 @@ Advanced hunting is a query-based threat-hunting tool that lets you explore up t
|
|||||||
|
|
||||||
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.
|
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.
|
||||||
|
|
||||||
## Get started with Advanced hunting
|
## Get started with advanced hunting
|
||||||
|
|
||||||
We recommend going through several steps to quickly get up and running with Advanced hunting.
|
We recommend going through several steps to quickly get up and running with advanced hunting.
|
||||||
|
|
||||||
| Learning goal | Description | Resource |
|
| Learning goal | Description | Resource |
|
||||||
|--|--|--|
|
|--|--|--|
|
||||||
@ -41,7 +41,7 @@ We recommend going through several steps to quickly get up and running with Adva
|
|||||||
|
|
||||||
## Get help as you write queries
|
## Get help as you write queries
|
||||||
Take advantage of the following functionality to write queries faster:
|
Take advantage of the following functionality to write queries faster:
|
||||||
- **Autosuggest** — as you write queries, Advanced hunting provides suggestions.
|
- **Autosuggest** — as you write queries, advanced hunting provides suggestions.
|
||||||
- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
|
- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
|
||||||
|
|
||||||
## Drilldown from query results
|
## Drilldown from query results
|
||||||
@ -54,14 +54,14 @@ Right-click a value in the result set to quickly enhance your query. You can use
|
|||||||
- Exclude the selected value from the query (`!=`)
|
- Exclude the selected value from the query (`!=`)
|
||||||
- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with`
|
- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with`
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Filter the query results
|
## Filter the query results
|
||||||
The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
|
The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
|
||||||
|
|
||||||
Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude.
|
Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
|
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
|
||||||
|
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Learn the Advanced hunting query language
|
title: Learn the advanced hunting query language
|
||||||
description: Create your first threat hunting query and learn about common operators and other aspects of the Advanced hunting query language
|
description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
@ -18,14 +18,14 @@ ms.topic: article
|
|||||||
ms.date: 10/08/2019
|
ms.date: 10/08/2019
|
||||||
---
|
---
|
||||||
|
|
||||||
# Learn the Advanced hunting query language
|
# Learn the advanced hunting query language
|
||||||
|
|
||||||
**Applies to:**
|
**Applies to:**
|
||||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||||
|
|
||||||
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
|
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
|
||||||
|
|
||||||
Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query.
|
Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query.
|
||||||
|
|
||||||
## Try your first query
|
## Try your first query
|
||||||
|
|
||||||
@ -45,9 +45,9 @@ DeviceProcessEvents
|
|||||||
| top 100 by Timestamp
|
| top 100 by Timestamp
|
||||||
```
|
```
|
||||||
|
|
||||||
This is how it will look like in Advanced hunting.
|
This is how it will look like in advanced hunting.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Describe the query and specify the table to search
|
### Describe the query and specify the table to search
|
||||||
The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
|
The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
|
||||||
@ -91,9 +91,9 @@ Now that your query clearly identifies the data you want to locate, you can add
|
|||||||
|
|
||||||
Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
|
Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
|
||||||
|
|
||||||
## Learn common query operators for Advanced hunting
|
## Learn common query operators for advanced hunting
|
||||||
|
|
||||||
Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by Advanced hunting supports a range of operators, including the following common ones.
|
Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
|
||||||
|
|
||||||
| Operator | Description and usage |
|
| Operator | Description and usage |
|
||||||
|--|--|
|
|--|--|
|
||||||
@ -108,11 +108,11 @@ Now that you've run your first query and have a general idea of its components,
|
|||||||
| **makeset** | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
|
| **makeset** | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
|
||||||
| **find** | Find rows that match a predicate across a set of tables. |
|
| **find** | Find rows that match a predicate across a set of tables. |
|
||||||
|
|
||||||
To see a live example of these operators, run them from the **Get started** section of the Advanced hunting page.
|
To see a live example of these operators, run them from the **Get started** section of the advanced hunting page.
|
||||||
|
|
||||||
## Understand data types
|
## Understand data types
|
||||||
|
|
||||||
Data in Advanced hunting tables are generally classified into the following data types.
|
Data in advanced hunting tables are generally classified into the following data types.
|
||||||
|
|
||||||
| Data type | Description and query implications |
|
| Data type | Description and query implications |
|
||||||
|--|--|
|
|--|--|
|
||||||
@ -126,7 +126,7 @@ Data in Advanced hunting tables are generally classified into the following data
|
|||||||
|
|
||||||
The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
|
The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
|
> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Advanced hunting schema reference
|
title: advanced hunting schema reference
|
||||||
description: Learn about the tables in the Advanced hunting schema to understand the data you can run threat hunting queries on
|
description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, data
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, data
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
@ -18,7 +18,7 @@ ms.topic: article
|
|||||||
ms.date: 10/08/2019
|
ms.date: 10/08/2019
|
||||||
---
|
---
|
||||||
|
|
||||||
# Understand the Advanced hunting schema
|
# Understand the advanced hunting schema
|
||||||
|
|
||||||
**Applies to:**
|
**Applies to:**
|
||||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||||
@ -27,13 +27,13 @@ ms.date: 10/08/2019
|
|||||||
|
|
||||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||||
|
|
||||||
The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
|
The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
|
||||||
|
|
||||||
## Schema tables
|
## Schema tables
|
||||||
|
|
||||||
The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
|
The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table.
|
||||||
|
|
||||||
Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen.
|
Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the advanced hunting screen.
|
||||||
|
|
||||||
| Table name | Description |
|
| Table name | Description |
|
||||||
|------------|-------------|
|
|------------|-------------|
|
||||||
@ -47,10 +47,10 @@ Table and column names are also listed within the Microsoft Defender Security Ce
|
|||||||
| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
|
| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
|
||||||
| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
|
| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
|
||||||
| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
|
| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
|
||||||
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Vulnerabilities in your software inventory |
|
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
|
||||||
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Publicly-available vulnerabilities and whether they exist in your software inventory |
|
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
|
||||||
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Security configuration assessment information |
|
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
|
||||||
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Basis of security configuration assessment such as security industry standards and benchmarks |
|
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
title: Use shared queries in Advanced hunting
|
title: Use shared queries in advanced hunting
|
||||||
description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
|
description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
@ -18,7 +18,7 @@ ms.topic: article
|
|||||||
ms.date: 10/08/2019
|
ms.date: 10/08/2019
|
||||||
---
|
---
|
||||||
|
|
||||||
# Use shared queries in Advanced hunting
|
# Use shared queries in advanced hunting
|
||||||
|
|
||||||
**Applies to:**
|
**Applies to:**
|
||||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||||
@ -54,10 +54,10 @@ You can save a new or existing query so that it is only accessible to you or sha
|
|||||||
2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
|
2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
|
||||||
|
|
||||||
## Access queries in the GitHub repository
|
## Access queries in the GitHub repository
|
||||||
Microsoft security researchers regularly share Advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/).
|
Microsoft security researchers regularly share advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/).
|
||||||
|
|
||||||
>[!TIP]
|
>[!TIP]
|
||||||
>Microsoft security researchers also provide Advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
|
>Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema
|
title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
|
||||||
description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information.
|
description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information.
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
@ -28,21 +28,21 @@ ms.date: 11/12/2019
|
|||||||
|
|
||||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||||
|
|
||||||
Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
|
Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
|
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
|
||||||
| Timestamp | datetime |Date and time when the record was generated |
|
| `Timestamp` | datetime |Date and time when the record was generated |
|
||||||
| ConfigurationId | string | Unique identifier for a specific configuration |
|
| `ConfigurationId` | string | Unique identifier for a specific configuration |
|
||||||
| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
|
| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
|
||||||
| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
|
| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
|
||||||
| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
|
| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
|
||||||
| IsCompliant | boolean | Indicates whether the configuration or policy is properly configured |
|
| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
|
||||||
|
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema
|
title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
|
||||||
description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema.
|
description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the advanced hunting schema.
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
@ -28,22 +28,22 @@ ms.date: 11/12/2019
|
|||||||
|
|
||||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||||
|
|
||||||
The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
|
The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| ConfigurationId | string | Unique identifier for a specific configuration |
|
| `ConfigurationId` | string | Unique identifier for a specific configuration |
|
||||||
| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
|
| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
|
||||||
| ConfigurationName | string | Display name of the configuration |
|
| `ConfigurationName` | string | Display name of the configuration |
|
||||||
| ConfigurationDescription | string | Description of the configuration |
|
| `ConfigurationDescription` | string | Description of the configuration |
|
||||||
| RiskDescription | string | Description of the associated risk |
|
| `RiskDescription` | string | Description of the associated risk |
|
||||||
| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
|
| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
|
||||||
| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
|
| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
|
||||||
| ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration |
|
| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
|
||||||
| RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques related to the configuration |
|
| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
|
||||||
| RelatedMitreTactics | string | List of Mitre ATT&CK framework tactics related to the configuration |
|
| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema
|
title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
|
||||||
description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the Advanced hunting schema.
|
description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
@ -29,22 +29,22 @@ ms.date: 11/12/2019
|
|||||||
|
|
||||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||||
|
|
||||||
The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
|
The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| DeviceId | string | Unique identifier for the machine in the service |
|
| `DeviceId` | string | Unique identifier for the machine in the service |
|
||||||
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
|
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
|
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
|
||||||
| OSVersion | string | Version of the operating system running on the machine |
|
| `OSVersion` | string | Version of the operating system running on the machine |
|
||||||
| OSArchitecture | string | Architecture of the operating system running on the machine |
|
| `OSArchitecture` | string | Architecture of the operating system running on the machine |
|
||||||
| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
|
| `SoftwareVendor` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
|
||||||
| SoftwareName | string | Name of the software product |
|
| `SoftwareName` | string | Name of the software product |
|
||||||
| SoftwareVersion | string | Version number of the software product |
|
| `SoftwareVersion` | string | Version number of the software product |
|
||||||
| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
|
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
|
||||||
| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
|
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema
|
title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema
|
||||||
description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the Advanced hunting schema.
|
description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
|
||||||
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
|
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
@ -28,20 +28,20 @@ ms.date: 11/12/2019
|
|||||||
|
|
||||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||||
|
|
||||||
The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
|
The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
|
||||||
|
|
||||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
|
||||||
|
|
||||||
| Column name | Data type | Description |
|
| Column name | Data type | Description |
|
||||||
|-------------|-----------|-------------|
|
|-------------|-----------|-------------|
|
||||||
| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
|
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
|
||||||
| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
|
| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
|
||||||
| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available |
|
| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
|
||||||
| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
|
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
|
||||||
| LastModifiedTime | datetime | Date and time the item or related metadata was last modified |
|
| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
|
||||||
| PublishedDate | datetime | Date vulnerability was disclosed to public |
|
| `PublishedDate` | datetime | Date vulnerability was disclosed to public |
|
||||||
| VulnerabilityDescription | string | Description of vulnerability and associated risks |
|
| `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
|
||||||
| AffectedSoftware | string | List of all software products affected by the vulnerability |
|
| `AffectedSoftware` | string | List of all software products affected by the vulnerability |
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
|||||||
@ -46,7 +46,7 @@ For information about configuring attack surface reduction rules, see [Enable at
|
|||||||
|
|
||||||
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
|
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
|
||||||
|
|
||||||
You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment.
|
You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
|
||||||
|
|
||||||
Here is an example query:
|
Here is an example query:
|
||||||
|
|
||||||
|
|||||||
@ -51,7 +51,7 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
|
|||||||
|
|
||||||
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
|
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
|
||||||
|
|
||||||
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
|
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
|
||||||
|
|
||||||
Here is an example query
|
Here is an example query
|
||||||
|
|
||||||
|
|||||||
@ -117,7 +117,7 @@ You can also take the following actions on the rule from this page:
|
|||||||
|
|
||||||
- **Run** — run the rule immediately. This also resets the interval for the next run.
|
- **Run** — run the rule immediately. This also resets the interval for the next run.
|
||||||
- **Edit** — modify the rule without changing the query
|
- **Edit** — modify the rule without changing the query
|
||||||
- **Modify query** — edit the query in Advanced hunting
|
- **Modify query** — edit the query in advanced hunting
|
||||||
- **Turn on** / **Turn off** — enable the rule or stop it from running
|
- **Turn on** / **Turn off** — enable the rule or stop it from running
|
||||||
- **Delete** — turn off the rule and remove it
|
- **Delete** — turn off the rule and remove it
|
||||||
|
|
||||||
@ -127,5 +127,5 @@ You can also take the following actions on the rule from this page:
|
|||||||
## Related topic
|
## Related topic
|
||||||
- [Custom detections overview](overview-custom-detections.md)
|
- [Custom detections overview](overview-custom-detections.md)
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
- [Learn the Advanced hunting query language](advanced-hunting-query-language.md)
|
- [Learn the advanced hunting query language](advanced-hunting-query-language.md)
|
||||||
- [View and organize alerts](alerts-queue.md)
|
- [View and organize alerts](alerts-queue.md)
|
||||||
|
|||||||
@ -152,7 +152,7 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query
|
|||||||
After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature.
|
After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature.
|
||||||
|
|
||||||
|
|
||||||
Hunt for attack evidence through Advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
|
Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
|
||||||
|
|
||||||
|
|
||||||
## Simulation results
|
## Simulation results
|
||||||
|
|||||||
@ -49,7 +49,7 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http
|
|||||||
|
|
||||||
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
|
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
|
||||||
|
|
||||||
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
|
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how exploit protection settings could affect your environment.
|
||||||
|
|
||||||
Here is an example query:
|
Here is an example query:
|
||||||
|
|
||||||
|
|||||||
@ -52,7 +52,7 @@ Windows 10 version 1709 or later | [Windows Defender AV real-time protection](..
|
|||||||
|
|
||||||
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
|
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
|
||||||
|
|
||||||
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
|
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled.
|
||||||
|
|
||||||
Here is an example query
|
Here is an example query
|
||||||
|
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: Overview of custom detections in Microsoft Defender ATP
|
title: Overview of custom detections in Microsoft Defender ATP
|
||||||
ms.reviewer:
|
ms.reviewer:
|
||||||
description: Understand how you can use Advanced hunting to create custom detections and generate alerts
|
description: Understand how you can use advanced hunting to create custom detections and generate alerts
|
||||||
keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp
|
keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp
|
||||||
search.product: eADQiWindows 10XVcnh
|
search.product: eADQiWindows 10XVcnh
|
||||||
search.appverid: met150
|
search.appverid: met150
|
||||||
@ -28,7 +28,7 @@ With custom detections, you can proactively monitor for and respond to various e
|
|||||||
Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
|
Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
|
||||||
|
|
||||||
Custom detections provide:
|
Custom detections provide:
|
||||||
- Alerts for rule-based detections built from Advanced hunting queries
|
- Alerts for rule-based detections built from advanced hunting queries
|
||||||
- Automatic response actions that apply to files and machines
|
- Automatic response actions that apply to files and machines
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
|
|||||||
@ -46,7 +46,7 @@ The following features are included in the preview release:
|
|||||||
|
|
||||||
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
|
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
|
||||||
|
|
||||||
- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table) <BR> You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
|
- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table) <BR> You can now use the Threat & Vulnerability Management tables in the advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
|
||||||
|
|
||||||
- [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) <BR> You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
|
- [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) <BR> You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
|
||||||
|
|
||||||
|
|||||||
@ -159,7 +159,7 @@ When an exception is created for a recommendation, the recommendation is no long
|
|||||||
6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
|
6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
|
||||||
|
|
||||||
|
|
||||||
## Use Advanced hunting query to search for machines with High active alerts or critical CVE public exploit
|
## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
|
||||||
|
|
||||||
1. Go to **Advanced hunting** from the left-hand navigation pane.
|
1. Go to **Advanced hunting** from the left-hand navigation pane.
|
||||||
|
|
||||||
@ -193,5 +193,5 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
|
|||||||
- [Software inventory](tvm-software-inventory.md)
|
- [Software inventory](tvm-software-inventory.md)
|
||||||
- [Weaknesses](tvm-weaknesses.md)
|
- [Weaknesses](tvm-weaknesses.md)
|
||||||
- [Advanced hunting overview](overview-hunting.md)
|
- [Advanced hunting overview](overview-hunting.md)
|
||||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
- [All advanced hunting tables](advanced-hunting-reference.md)
|
||||||
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
|
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
|
||||||
|
|||||||
@ -94,7 +94,7 @@ For more information preview features, see [Preview features](https://docs.micro
|
|||||||
|
|
||||||
- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)<BR> Controlled folder access is now supported on Windows Server 2019.
|
- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)<BR> Controlled folder access is now supported on Windows Server 2019.
|
||||||
|
|
||||||
- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)<BR>With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
|
- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)<BR>With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules.
|
||||||
|
|
||||||
- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)<BR> Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
|
- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)<BR> Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
|
||||||
|
|
||||||
@ -120,7 +120,7 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe
|
|||||||
|
|
||||||
## March 2018
|
## March 2018
|
||||||
- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) <BR>
|
- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) <BR>
|
||||||
Query data using Advanced hunting in Microsoft Defender ATP.
|
Query data using advanced hunting in Microsoft Defender ATP.
|
||||||
|
|
||||||
- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)<BR>
|
- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)<BR>
|
||||||
New attack surface reduction rules:
|
New attack surface reduction rules:
|
||||||
|
|||||||
Reference in New Issue
Block a user