mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
Updated advanced-hunting-reference-windows-defender-advanced-threat-protection.md
This commit is contained in:
parent
c7f9498cd5
commit
57eea3cb3b
@ -42,6 +42,8 @@ To effectively build queries that span multiple tables, you need to understand t
|
|||||||
| AdditionalFields | string | Additional information about the event in JSON array format |
|
| AdditionalFields | string | Additional information about the event in JSON array format |
|
||||||
| AlertId | string | Unique identifier for the alert |
|
| AlertId | string | Unique identifier for the alert |
|
||||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||||
|
| Category | string | Type of threat indicator or breach activity identified by the alert |
|
||||||
|
| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
|
||||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||||
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. |
|
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. |
|
||||||
| DefaultGateways | string | Default gateway addresses in JSON array format |
|
| DefaultGateways | string | Default gateway addresses in JSON array format |
|
||||||
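Review bot: The new Category row describes the column only as the "type of threat indicator or breach activity" and neither lists the values the column can take nor points to where they are documented, while the Severity row elsewhere in this same table enumerates its values (high, medium, or low). Suggest giving the possible categories or a link to the alert documentation in the description so readers can filter on the column without guessing. The ClientVersion row and both rows' alphabetical placement (between AppGuardContainerId and ComputerName) look correct.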
@ -89,6 +91,7 @@ To effectively build queries that span multiple tables, you need to understand t
|
|||||||
| OSArchitecture | string | Architecture of the operating system running on the machine |
|
| OSArchitecture | string | Architecture of the operating system running on the machine |
|
||||||
| OSBuild | string | Build version of the operating system running on the machine |
|
| OSBuild | string | Build version of the operating system running on the machine |
|
||||||
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
|
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
|
||||||
|
| OsVersion | string | Version of the operating system running on the machine |
|
||||||
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified |
|
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified |
|
||||||
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
|
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
|
||||||
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
|
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
|
||||||
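Review bot: The new column name `OsVersion` breaks the casing used by the neighbouring OS columns in this hunk (`OSArchitecture`, `OSBuild`, `OSPlatform`). If the schema column is actually `OSVersion`, this is a typo worth fixing because column names in advanced hunting queries are case-sensitive; if the column really is spelled `OsVersion`, a short note saying so would save readers a failed query. The description ("Version of the operating system running on the machine") is also almost identical to the OSBuild row directly above it ("Build version of the operating system running on the machine"), so state how OsVersion differs from OSBuild.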
@ -110,8 +113,10 @@ To effectively build queries that span multiple tables, you need to understand t
|
|||||||
| RemotePort | int | TCP port on the remote device that was being connected to |
|
| RemotePort | int | TCP port on the remote device that was being connected to |
|
||||||
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
||||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
|
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
|
||||||
|
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
|
||||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
||||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
|
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
|
||||||
|
| RegistryMachineTag | string | Machine tag added through the registry |
|
||||||
| Table | string | Table that contains the details of the event |
|
| Table | string | Table that contains the details of the event |
|
||||||
| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
|
| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
|
||||||
|
|
||||||
|
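Review bot: RegistryMachineTag is inserted out of alphabetical order: it sits between SHA256 and Table, but this table is sorted (RemotePort, RemoteUrl, ReportId, Severity, SHA1, SHA256, Table) and "Reg" sorts before "Rem", so the row belongs immediately before RemotePort. The Severity row is placed correctly between ReportId and SHA1.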