From 62f5569966db08ae22effeffe01dead07efc3f60 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 26 May 2017 13:07:52 -0700 Subject: [PATCH] fix table --- ...ows-defender-advanced-threat-protection.md | 348 +++++++++--------- 1 file changed, 174 insertions(+), 174 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index 1401726779..0a60cde8d8 100644 --- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -29,236 +29,236 @@ Field numbers match the numbers in the images below. - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + +
Portal labelSIEM field nameArcSight fieldExample valueDescriptionPortal labelSIEM field nameArcSight fieldExample valueDescription
1AlertTitlenameA dll was unexpectedly loaded into a high integrity process without a UAC promptValue available for every alert.1AlertTitlenameA dll was unexpectedly loaded into a high integrity process without a UAC promptValue available for every alert.
2SeveritydeviceSeverityMediumValue available for every alert.2SeveritydeviceSeverityMediumValue available for every alert.
3CategorydeviceEventCategoryPrivilege EscalationValue available for every alert.3CategorydeviceEventCategoryPrivilege EscalationValue available for every alert.
4SourcesourceServiceNameWindowsDefenderATPWindows Defender Antivirus or Windows Defender ATP. Value available for every alert.4SourcesourceServiceNameWindowsDefenderATPWindows Defender Antivirus or Windows Defender ATP. Value available for every alert.
5MachineNamesourceHostNameliz-beanValue available for every alert.5MachineNamesourceHostNameliz-beanValue available for every alert.
6FileNamefileNameRobocopy.exeAvailable for alerts associated with a file or process.6FileNamefileNameRobocopy.exeAvailable for alerts associated with a file or process.
7FilePathfilePathC:\Windows\System32\Robocopy.exeAvailable for alerts associated with a file or process. \7FilePathfilePathC:\Windows\System32\Robocopy.exeAvailable for alerts associated with a file or process. \
8UserDomainsourceNtDomaincontosoThe domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.8UserDomainsourceNtDomaincontosoThe domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.
9UserNamesourceUserNameliz-beanThe user context running the activity, available for Windows Defender ATP behavioral based alerts.9UserNamesourceUserNameliz-beanThe user context running the activity, available for Windows Defender ATP behavioral based alerts.
10Sha1fileHash5b4b3985339529be3151d331395f667e1d5b7f35Available for alerts associated with a file or process.10Sha1fileHash5b4b3985339529be3151d331395f667e1d5b7f35Available for alerts associated with a file or process.
11Md5deviceCustomString555394b85cb5edddff551f6f3faa9d8ebAvailable for Windows Defender AV alerts.11Md5deviceCustomString555394b85cb5edddff551f6f3faa9d8ebAvailable for Windows Defender AV alerts.
12Sha256deviceCustomString69987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5Available for Windows Defender AV alerts.12Sha256deviceCustomString69987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5Available for Windows Defender AV alerts.
13ThreatNameeviceCustomString1Trojan:Win32/Skeeyah.A!bitAvailable for Windows Defender AV alerts.13ThreatNameeviceCustomString1Trojan:Win32/Skeeyah.A!bitAvailable for Windows Defender AV alerts.
14IpAddresssourceAddress218.90.204.141Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.14IpAddresssourceAddress218.90.204.141Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.
15UrlrequestUrldown.esales360.cnAvailabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.15UrlrequestUrldown.esales360.cnAvailabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.
16RemediationIsSuccessdeviceCustomNumber2TRUEAvailable for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.16RemediationIsSuccessdeviceCustomNumber2TRUEAvailable for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
17WasExecutingWhileDetecteddeviceCustomNumber1FALSEAvailable for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.17WasExecutingWhileDetecteddeviceCustomNumber1FALSEAvailable for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
18AlertIdexternalId636210704265059241_673569822Value available for every alert.18AlertIdexternalId636210704265059241_673569822Value available for every alert.
19LinkToWDATPflexString1https://securitycenter.windows.com/alert/636210704265059241_673569822Value available for every alert.19LinkToWDATPflexString1https://securitycenter.windows.com/alert/636210704265059241_673569822Value available for every alert.
20AlertTimedeviceReceiptTime2017-05-07T01:56:59.3191352ZThe time the activity relevant to the alert occurred. Value available for every alert.20AlertTimedeviceReceiptTime2017-05-07T01:56:59.3191352ZThe time the activity relevant to the alert occurred. Value available for every alert.
21MachineDomainsourceDnsDomaincontoso.comDomain name not relevant for AAD joined machines. Value available for every alert.21MachineDomainsourceDnsDomaincontoso.comDomain name not relevant for AAD joined machines. Value available for every alert.
22ActordeviceCustomString4Available for alerts related to a known actor group.22ActordeviceCustomString4Available for alerts related to a known actor group.
21+5ComputerDnsNameNo mappingliz-bean.contoso.comThe machine fully qualified domain name. Value available for every alert.21+5ComputerDnsNameNo mappingliz-bean.contoso.comThe machine fully qualified domain name. Value available for every alert.
LogOnUserssourceUserIdcontoso\liz-bean; contoso\jay-hardeeThe domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.LogOnUserssourceUserIdcontoso\liz-bean; contoso\jay-hardeeThe domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.
Internal fieldLastProcessedTimeUtcNo mapping2017-05-07T01:56:58.9936648ZTime when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.Internal fieldLastProcessedTimeUtcNo mapping2017-05-07T01:56:58.9936648ZTime when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.
Not part of the schemadeviceVendorStatic value in the ArcSight mapping - 'Microsoft'.Not part of the schemadeviceVendorStatic value in the ArcSight mapping - 'Microsoft'.
Not part of the schemadeviceProductStatic value in the ArcSight mapping - 'Windows Defender ATP'.Not part of the schemadeviceProductStatic value in the ArcSight mapping - 'Windows Defender ATP'.
Not part of the schemadeviceVersionStatic value in the ArcSight mapping - '2.0', used to identify the mapping versions.Not part of the schemadeviceVersionStatic value in the ArcSight mapping - '2.0', used to identify the mapping versions.
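Review bot: the rewritten rows carry over two text defects that this table fix could have picked up at the same time. In the ThreatName row the ArcSight column reads `eviceCustomString1`, while every other custom-string mapping in the table (Md5, Sha256, Actor) is spelled `deviceCustomString<n>`, and the Url row's description reads `Availabe for alerts associated to network events`. Both strings are identical in the removed and the added version of their rows, so the patch leaves them in place; suggest correcting them to `deviceCustomString1` and `Available` here, and also dropping the stray trailing ` \` at the end of the FilePath description (`Available for alerts associated with a file or process. \`). Since the hunk removes 174 lines and adds 174 with no difference in any cell's text, a commit message more specific than `fix table` (saying what in the table markup was broken) would let reviewers confirm the change is intended to be markup-only.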