From 51d426f01769008c1aba0432e89b8113a6f7a0a6 Mon Sep 17 00:00:00 2001 
From: lomayor
Date: Fri, 13 Dec 2019 16:34:14 -0800
Subject: [PATCH] AH Schema naming
---
 .../advanced-hunting-alertevents-table.md | 8 ++++----
 .../advanced-hunting-best-practices.md | 18 ++++++++---------
 ...=> advanced-hunting-deviceevents-table.md} | 18 ++++++++---------
 ...dvanced-hunting-devicefileevents-table.md} | 18 ++++++++---------
 ...ed-hunting-deviceimageloadevents-table.md} | 18 ++++++++---------
 ...d => advanced-hunting-deviceinfo-table.md} | 20 +++++++++----------
 ...vanced-hunting-devicelogonevents-table.md} | 20 +++++++++----------
 ...nced-hunting-devicenetworkevents-table.md} | 18 ++++++++---------
 ...vanced-hunting-devicenetworkinfo-table.md} | 18 ++++++++---------
 ...nced-hunting-deviceprocessevents-table.md} | 18 ++++++++---------
 ...ced-hunting-deviceregistryevents-table.md} | 18 ++++++++---------
 .../advanced-hunting-query-language.md | 18 ++++++++---------
 .../advanced-hunting-schema-reference.md | 18 ++++++++---------
 ...nced-hunting-tvm-configassessment-table.md | 4 ++--
 ...ced-hunting-tvm-softwareinventory-table.md | 4 ++--
 .../microsoft-defender-atp/api-power-bi.md | 2 +-
 .../attack-surface-reduction.md | 2 +-
 .../controlled-folders.md | 2 +-
 .../custom-detection-rules.md | 14 ++++++-------
 .../exploit-protection.md | 2 +-
 .../exposed-apis-full-sample-powershell.md | 2 +-
 .../information-protection-investigation.md | 2 +-
 .../investigate-behind-proxy.md | 6 +++---
 .../network-protection.md | 2 +-
 .../microsoft-defender-atp/preview.md | 2 +-
 .../run-advanced-query-api.md | 2 +-
 .../run-advanced-query-sample-powershell.md | 2 +-
 .../run-advanced-query-sample-python.md | 2 +-
 .../threat-and-vuln-mgt-scenarios.md | 8 ++++----
 29 files changed, 143 insertions(+), 143 deletions(-)
 rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-miscevents-table.md => advanced-hunting-deviceevents-table.md} (84%)
 rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-filecreationevents-table.md => 
advanced-hunting-devicefileevents-table.md} (86%)
 rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-imageloadevents-table.md => advanced-hunting-deviceimageloadevents-table.md} (83%)
 rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-machineinfo-table.md => advanced-hunting-deviceinfo-table.md} (75%)
 rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-logonevents-table.md => advanced-hunting-devicelogonevents-table.md} (82%)
 rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-networkcommunicationevents-table.md => advanced-hunting-devicenetworkevents-table.md} (83%)
 rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-machinenetworkinfo-table.md => advanced-hunting-devicenetworkinfo-table.md} (77%)
 rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-processcreationevents-table.md => advanced-hunting-deviceprocessevents-table.md} (88%)
 rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-registryevents-table.md => advanced-hunting-deviceregistryevents-table.md} (85%)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
index 84eb799e45..b5e080a33e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
@@ -33,9 +33,9 @@ For information on other tables in the Advanced hunting schema, see [the Advance | Column name | Data type | Description | |-------------|-----------|-------------| | AlertId | string | Unique identifier for the alert | -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | | Category | string | Type of threat indicator or breach activity identified by the alert | | Title | string | Title of the alert | @@ -43,7 +43,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | SHA1 | string | SHA-1 of the file that the recorded action was applied to | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | | RemoteIP | string | IP address that was being connected to | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | Table | string | Table that contains the details of the event | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index bb1e594c49..deb89add9d 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@@ -41,14 +41,14 @@ Apply these recommendations to get results faster and avoid timeouts while runni ## Query tips and pitfalls ### Queries with process IDs -Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `MachineId` or `ComputerName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). +Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. ``` -NetworkCommunicationEvents -| where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4) -| summarize RemoteIPCount=dcount(RemoteIP) by ComputerName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName +DeviceNetworkEvents +| where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4) +| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName | where RemoteIPCount > 10 ``` 
@@ -70,17 +70,17 @@ The following examples show various ways to construct a query that looks for the ``` // Non-durable query - do not use -ProcessCreationEvents +DeviceProcessEvents | where ProcessCommandLine == "net stop MpsSvc" | limit 10 // Better query - filters on filename, does case-insensitive matches -ProcessCreationEvents -| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc" +DeviceProcessEvents +| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc" // Best query also ignores quotes -ProcessCreationEvents -| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe") +DeviceProcessEvents +| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe") | extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine) | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md similarity index 84% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index 2e6c3ad70f..1acdf557bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md 
@@ -1,6 +1,6 @@ --- -title: MiscEvents table in the advanced hunting schema -description: Learn about antivirus, firewall, and other event types in the miscellaneous events (MiscEvents) table of the Advanced hunting schema +title: DeviceEvents table in the advanced hunting schema +description: Learn about antivirus, firewall, and other event types in the miscellaneous events (DeviceEvents) table of the Advanced hunting schema keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# MiscEvents +# DeviceEvents **Applies to:** 
@@ -26,15 +26,15 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The miscellaneous events or MiscEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. +The miscellaneous events or DeviceEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ActionType | string | Type of activity that triggered the event | | FileName | string | Name of the file that the recorded action was applied to | | FolderPath | string | Folder containing the file that the recorded action was applied to | 
@@ -45,7 +45,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AccountName |string | User name of the account | | AccountSid | string | Security Identifier (SID) of the account | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | -| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | +| RemoteDeviceName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | | ProcessId | int | Process ID (PID) of the newly created process | | ProcessCommandLine | string | Command line used to create the new process | | ProcessCreationTime | datetime | Date and time the process was created | 
@@ -76,7 +76,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | | InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md similarity index 86% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 957282b72c..08c61045ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md 
@@ -1,7 +1,7 @@ --- -title: FileCreationEvents table in the Advanced hunting schema -description: Learn about file-related events in the FileCreationEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, filecreationevents, files, path, hash, sha1, sha256, md5 +title: DeviceFileEvents table in the Advanced hunting schema +description: Learn about file-related events in the DeviceFileEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5 search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# FileCreationEvents +# DeviceFileEvents **Applies to:** 
@@ -26,15 +26,15 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The FileCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. +The DeviceFileEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ActionType | string | Type of activity that triggered the event | | FileName | string | Name of the file that the recorded action was applied to | | FolderPath | string | Folder containing the file that the recorded action was applied to | 
@@ -66,7 +66,7 @@ For information on other tables in the Advanced hunting schema, see [the Advanc | RequestAccountName | string | User name of account used to remotely initiate the activity | | RequestAccountDomain | string | Domain of the account used to remotely initiate the activity | | RequestAccountSid | string | Security Identifier (SID) of the account to remotely initiate the activity | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | | SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection | | SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md similarity index 83% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index 68ceff1055..ebfd8dd80a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md 
@@ -1,7 +1,7 @@ --- -title: ImageLoadEvents table in the Advanced hunting schema -description: Learn about DLL loading events in the ImageLoadEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, imageloadevents, DLL loading, library, file image +title: DeviceImageLoadEvents table in the Advanced hunting schema +description: Learn about DLL loading events in the DeviceImageLoadEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# ImageLoadEvents +# DeviceImageLoadEvents **Applies to:** 
@@ -26,15 +26,15 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The ImageLoadEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. +The DeviceImageLoadEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ActionType | string | Type of activity that triggered the event | | FileName | string | Name of the file that the recorded action was applied to | | FolderPath | string | Folder containing the file that the recorded action was applied to | 
@@ -55,7 +55,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md similarity index 75% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index a986602549..7d8fb7823b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md 
@@ -1,7 +1,7 @@ --- -title: MachineInfo table in the Advanced hunting schema -description: Learn about OS, computer name, and other machine information in the MachineInfo table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, machineinfo, device, machine, OS, platform, users +title: DeviceInfo table in the Advanced hunting schema +description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# MachineInfo +# DeviceInfo **Applies to:** 
@@ -26,15 +26,15 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MachineInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. +The DeviceInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ClientVersion | string | Version of the endpoint agent or sensor running on the machine | | PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy | | OSArchitecture | string | Architecture of the operating system running on the machine | 
@@ -42,8 +42,8 @@ For information on other tables in the Advanced hunting schema, see [the Advance | OSBuild | string | Build version of the operating system running on the machine | | IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | | LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | -| RegistryMachineTag | string | Machine tag added through the registry | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| RegistryDeviceTag | string | Machine tag added through the registry | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | OSVersion | string | Version of the operating system running on the machine | | MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md similarity index 82% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index eb6044fda7..196bdde977 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md 
@@ -1,7 +1,7 @@ --- -title: LogonEvents table in the Advanced hunting schema -description: Learn about authentication or sign-in events in the LogonEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, logonevents, authentication, logon, sign in +title: DeviceLogonEvents table in the Advanced hunting schema +description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# LogonEvents +# DeviceLogonEvents **Applies to:** 
@@ -26,22 +26,22 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The LogonEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. +The DeviceLogonEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ActionType | string |Type of activity that triggered the event | | AccountDomain | string | Domain of the account | | AccountName | string | User name of the account | | AccountSid | string | Security Identifier (SID) of the account | | LogonType | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
| | LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | -| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | +| RemoteDeviceName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | | RemoteIP | string | IP address that was being connected to | | RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | RemotePort | int | TCP port on the remote device that was being connected to | 
@@ -62,7 +62,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
similarity index 83%
rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
index 5485d2b86e..581b173d15 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
@@ -1,7 +1,7 @@
 ---
-title: NetworkCommunicationEvents table in the Advanced hunting schema
-description: Learn about network connection events you can query from the NetworkCommunicationEvents table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, networkcommunicationevents, network connection, remote ip, local ip
+title: DeviceNetworkEvents table in the Advanced hunting schema
+description: Learn about network connection events you can query from the DeviceNetworkEvents table of the Advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -18,7 +18,7 @@ ms.topic: article
 ms.date: 10/08/2019
 ---
-# NetworkCommunicationEvents
+# DeviceNetworkEvents
 **Applies to:**
@@ -26,15 +26,15 @@ ms.date: 10/08/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The NetworkCommunicationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
+The DeviceNetworkEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| Timestamp | datetime | Date and time when the event was recorded |
+| DeviceId | string | Unique identifier for the machine in the service |
+| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
 | ActionType | string | Type of activity that triggered the event |
 | RemoteIP | string | IP address that was being connected to |
 | RemotePort | int | TCP port on the remote device that was being connected to |
@@ -59,7 +59,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
 | InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
similarity index 77%
rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
index a09d2619f2..66f0663d23 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
@@ -1,7 +1,7 @@
 ---
-title: MachineNetworkInfo table in the Advanced hunting schema
-description: Learn about network configuration information in the MachineNetworkInfo table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, machinenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel
+title: DeviceNetworkInfo table in the Advanced hunting schema
+description: Learn about network configuration information in the DeviceNetworkInfo table of the Advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -18,7 +18,7 @@ ms.topic: article
 ms.date: 10/08/2019
 ---
-# MachineNetworkInfo
+# DeviceNetworkInfo
 **Applies to:**
@@ -26,16 +26,16 @@ ms.date: 10/08/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The MachineNetworkInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
+The DeviceNetworkInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| Timestamp | datetime | Date and time when the event was recorded |
+| DeviceId | string | Unique identifier for the machine in the service |
+| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
+| ReportId | long | Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
 | NetworkAdapterName | string | Name of the network adapter |
 | MacAddress | string | MAC address of the network adapter |
 | NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
similarity index 88%
rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
index 43746ac557..42ed9a3829 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
@@ -1,7 +1,7 @@
 ---
-title: ProcessCreationEvents table in the Advanced hunting schema
-description: Learn about the process spawning or creation events in the ProcessCreationEvents table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, processcreationevents, process id, command line
+title: DeviceProcessEvents table in the Advanced hunting schema
+description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the Advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -18,7 +18,7 @@ ms.topic: article
 ms.date: 10/08/2019
 ---
-# ProcessCreationEvents
+# DeviceProcessEvents
 **Applies to:**
@@ -26,15 +26,15 @@ ms.date: 10/08/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The ProcessCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
+The DeviceProcessEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| Timestamp | datetime | Date and time when the event was recorded |
+| DeviceId | string | Unique identifier for the machine in the service |
+| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
 | ActionType | string | Type of activity that triggered the event |
 | FileName | string | Name of the file that the recorded action was applied to |
 | FolderPath | string | Folder containing the file that the recorded action was applied to |
@@ -67,7 +67,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
 | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
similarity index 85%
rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
index 05c6b7386b..fee6397cd2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
@@ -1,7 +1,7 @@
 ---
-title: RegistryEvents table in the Advanced hunting schema
-description: Learn about registry events you can query from the RegistryEvents table of the Advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, registryevents, registry, key, subkey, value
+title: DeviceRegistryEvents table in the Advanced hunting schema
+description: Learn about registry events you can query from the DeviceRegistryEvents table of the Advanced hunting schema
+keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -18,7 +18,7 @@ ms.topic: article
 ms.date: 10/08/2019
 ---
-# RegistryEvents
+# DeviceRegistryEvents
 **Applies to:**
@@ -26,15 +26,15 @@ ms.date: 10/08/2019
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-The RegistryEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
+The DeviceRegistryEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
 For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| EventTime | datetime | Date and time when the event was recorded |
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| Timestamp | datetime | Date and time when the event was recorded |
+| DeviceId | string | Unique identifier for the machine in the service |
+| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
 | ActionType | string | Type of activity that triggered the event |
 | RegistryKey | string | Registry key that the recorded action was applied to |
 | RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
@@ -57,7 +57,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
 | InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
 | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
+| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
 | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 ## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
index 405215c2aa..33817ad10f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@@ -33,16 +33,16 @@ In Microsoft Defender Security Center, go to **Advanced hunting** to run your fi
 ```kusto
 // Finds PowerShell execution events that could involve a download.
-ProcessCreationEvents
-| where EventTime > ago(7d)
+DeviceProcessEvents
+| where Timestamp > ago(7d)
 | where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
 | where ProcessCommandLine has "Net.WebClient" or ProcessCommandLine has "DownloadFile" or ProcessCommandLine has "Invoke-WebRequest" or ProcessCommandLine has "Invoke-Shellcode" or ProcessCommandLine contains "http:"
-| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime
+| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+| top 100 by Timestamp
 ```
 This is how it will look like in Advanced hunting.
@@ -54,16 +54,16 @@ The query starts with a short comment describing what it is for. This helps if y
 ```kusto
 // Finds PowerShell execution events that could involve a download.
-ProcessCreationEvents
+DeviceProcessEvents
 ```
-The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `ProcessCreationEvents` and add piped elements as needed.
+The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `DeviceProcessEvents` and add piped elements as needed.
 ### Set the time range
 The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
 ```kusto
-| where EventTime > ago(7d)
+| where Timestamp > ago(7d)
 ```
 ### Search for specific executable files
 The time range is immediately followed by a search for files representing the PowerShell application.
@@ -85,8 +85,8 @@ Afterwards, the query looks for command lines that are typically used with Power
 Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
 ```kusto
-| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
-| top 100 by EventTime
+| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+| top 100 by Timestamp
 ```
 Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
index 1ee69ec5ad..ad7829bfa9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
@@ -38,15 +38,15 @@ Table and column names are also listed within the Microsoft Defender Security Ce
 | Table name | Description |
 |------------|-------------|
 | **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center |
-| **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information |
-| **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
-| **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events |
-| **[NetworkCommunicationEvents](advanced-hunting-networkcommunicationevents-table.md)** | Network connection and related events |
-| **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events |
-| **[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries |
-| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
-| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
-| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
+| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Machine information, including OS information |
+| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
+| **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events |
+| **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events |
+| 
**[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events |
+| **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries |
+| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
+| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
+| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
 | **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Vulnerabilities in your software inventory |
 | **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Publicly-available vulnerabilities and whether they exist in your software inventory |
 | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Security configuration assessment information |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
index 736db7d11f..3fd747d1c7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
@@ -34,8 +34,8 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| DeviceId | string | Unique identifier for the machine in the service |
+| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
 | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
 | Timestamp | datetime |Date and time when the record was generated |
 | ConfigurationId | string | Unique identifier for a specific configuration |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
index dc92507b8e..63fa5e1590 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
@@ -35,8 +35,8 @@ For information on other tables in the Advanced hunting schema, see [the Advance
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
-| MachineId | string | Unique identifier for the machine in the service |
-| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| DeviceId | string | Unique identifier for the machine in the service |
+| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
 | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
 | OSVersion | string | Version of the operating system running on the machine |
 | OSArchitecture | string | Architecture of the operating system running on the machine |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
index 2eaa43daee..cd73aee642 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
@@ -43,7 +43,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a
 ```
 let
- AdvancedHuntingQuery = "MiscEvents | where ActionType contains 'Anti'",
+ AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti'",
 HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 772ce99ae9..84f22f9ef0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -51,7 +51,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-h
 Here is an example query:
 ```PowerShell
-MiscEvents
+DeviceEvents
 | where ActionType startswith 'Asr'
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index b751dd036f..44d145c9e9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -56,7 +56,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do
 Here is an example query
 ```PowerShell
-MiscEvents
+DeviceEvents
 | where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index fb3a52f9f4..854e4f2e9b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -34,17 +34,17 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m
 In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
 #### Required columns in the query results
-To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
+To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
-There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `MachineId`, you can still return `EventTime` and `ReportId` by getting them from the most recent event involving each machine.
+There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine.
-The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
+The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. 
To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
 ```
-MiscEvents
-| where EventTime > ago(7d)
+DeviceEvents
+| where Timestamp > ago(7d)
 | where ActionType == "AntivirusDetection"
-| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId
+| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
 | where count_ > 5
 ```
@@ -76,7 +76,7 @@ Whenever a rule runs, similar detections on the same machine could be aggregated
 Your custom detection rule can automatically take actions on files or machines that are returned by the query.
 #### Actions on machines
-These actions are applied to machines in the `MachineId` column of the query results:
+These actions are applied to machines in the `DeviceId` column of the query results:
 - **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network)
 - **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
 - **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
index e47d2c93c1..2642c7655d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -54,7 +54,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do
 Here is an example query:
 ```PowerShell
-MiscEvents
+DeviceEvents
 | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
index e1397a16e7..e66b4eade4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
@@ -99,7 +99,7 @@ Foreach($alert in $alerts)
 $commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')
-$query = "NetworkCommunicationEvents
+$query = "DeviceNetworkEvents
 | where MachineId in ($commaSeparatedMachines)
 | where RemoteUrl == `"$suspiciousUrl`"
 | summarize ConnectionsCount = count() by MachineId"
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
index 7578bad95e..6f16b9a43a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
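Review bot: The rename on the `$query` line is only half of the schema change: the `where` and `summarize` lines directly below still reference `MachineId`, which this same commit renames to `DeviceId` on the custom-detection-rules page, so the sample as shown would not run against the new DeviceNetworkEvents schema. They should read `| where DeviceId in ($commaSeparatedMachines)` and `| summarize ConnectionsCount = count() by DeviceId"`. The `Foreach` loop that encloses this query continues outside the hunk, so code there that consumes the `MachineId` result column may need the same update.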
@@ -59,4 +59,4 @@ Learn how to use data sensitivity labels to prioritize incident investigation.
 >[!TIP]
->These data points are also exposed through the ‘FileCreationEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
\ No newline at end of file
+>These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
index 487d24f359..4e7758c7da 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
@@ -60,12 +60,12 @@ Event's information:
 ## Hunt for connection events using advanced hunting
-All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the `ConnecionSuccess` action type.
+All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the DeviceNetworkEvents table under the `ConnecionSuccess` action type.
 Using this simple query will show you all the relevant events:
 ```
-NetworkCommunicationEvents
+DeviceNetworkEvents
 | where ActionType == "ConnectionSuccess"
 | take 10
 ```
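Review bot: The rewritten sentence carries over the misspelled action type `ConnecionSuccess`, while the query a few lines below in the same hunk filters on `"ConnectionSuccess"`; since readers copy this value into a `where` clause, the prose should say `under the \`ConnectionSuccess\` action type.` The second query in this file (next hunk) uses the correctly spelled value, so only the sentence needs the fix.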
@@ -77,7 +77,7 @@ You can also filter out events that are related to connection to the proxy itse
 Use the following query to filter out the connections to the proxy:
 ```
-NetworkCommunicationEvents
+DeviceNetworkEvents
 | where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
 | take 10
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index 6c0c0b5d21..b1a6786f57 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -57,7 +57,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do
 Here is an example query
 ```PowerShell
-MiscEvents
+DeviceEvents
 | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 7173007d17..07e1d96848 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -46,7 +46,7 @@ The following features are included in the preview release:
 - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
-- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table)
You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
+- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table)
You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
 - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index 8dc833cda8..bece592d00 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -81,7 +81,7 @@ Here is an example of the request.
 POST https://api.securitycenter.windows.com/api/advancedqueries/run
 Content-type: application/json
 {
- "Query":"ProcessCreationEvents
+ "Query":"DeviceProcessEvents
 | where InitiatingProcessFileName =~ \"powershell.exe\"
 | where ProcessCommandLine contains \"appdata\"
 | project EventTime, FileName, InitiatingProcessFileName
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
index e33a799eb0..15aded57d0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
@@ -70,7 +70,7 @@ where
 Run the following query:
 ```
-$query = 'RegistryEvents | limit 10' # Paste your own query here
+$query = 'DeviceRegistryEvents | limit 10' # Paste your own query here
 $url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
 $headers = @{
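Review bot: The updated link target for the "Threat & Vulnerability Management Advanced Hunting Schemas" item is the device registry events table page, which does not match the link text or the description that follows it (software inventory, vulnerability knowledgebase, configuration assessment); the rename only preserved a target that already looked wrong. The TVM tables exercised elsewhere in this diff (`DeviceTvmSoftwareInventoryVulnerabilities`, `DeviceTvmSoftwareVulnerabilitiesKB`) suggest the link should point at the Advanced hunting schema reference page or one of the TVM table pages instead; worth confirming with the doc owner before merging.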
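Review bot: The `project` line in the request body still selects `EventTime`, but this commit renames that column to `Timestamp` on the custom-detection-rules page, so the example request would no longer be valid against DeviceProcessEvents; it should read `| project Timestamp, FileName, InitiatingProcessFileName`. The JSON body is cut off at the end of the hunk, so the closing quote and brace, and any response example that echoes the old column name, are not visible here and should be checked as well.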
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
index f8b07f534c..6c4831e501 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
@@ -73,7 +73,7 @@ where
 Run the following query:
 ```
-query = 'RegistryEvents | limit 10' # Paste your own query here
+query = 'DeviceRegistryEvents | limit 10' # Paste your own query here
 url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
 headers = {
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 13b98ef44d..93c0a3388e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -173,11 +173,11 @@ DeviceTvmSoftwareInventoryVulnerabilities
 | join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
 | where IsExploitAvailable == 1 and CvssScore >= 7
 | summarize NumOfVulnerabilities=dcount(CveId),
-ComputerName=any(ComputerName) by MachineId
-| join kind =inner(AlertEvents) on MachineId
+DeviceName=any(DeviceName) by DeviceId
+| join kind =inner(AlertEvents) on DeviceId
 | summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
-ComputerName=any(ComputerName) by MachineId, AlertId
-| project ComputerName, NumOfVulnerabilities, AlertId
+DeviceName=any(DeviceName) by DeviceId, AlertId
+| project DeviceName, NumOfVulnerabilities, AlertId
 | order by NumOfVulnerabilities desc
 ```