From 51d426f01769008c1aba0432e89b8113a6f7a0a6 Mon Sep 17 00:00:00 2001 From: lomayor Date: Fri, 13 Dec 2019 16:34:14 -0800 Subject: [PATCH 01/45] AH Schema naming --- .../advanced-hunting-alertevents-table.md | 8 ++++---- .../advanced-hunting-best-practices.md | 18 ++++++++--------- ...=> advanced-hunting-deviceevents-table.md} | 18 ++++++++--------- ...dvanced-hunting-devicefileevents-table.md} | 18 ++++++++--------- ...ed-hunting-deviceimageloadevents-table.md} | 18 ++++++++--------- ...d => advanced-hunting-deviceinfo-table.md} | 20 +++++++++---------- ...vanced-hunting-devicelogonevents-table.md} | 20 +++++++++---------- ...nced-hunting-devicenetworkevents-table.md} | 18 ++++++++--------- ...vanced-hunting-devicenetworkinfo-table.md} | 18 ++++++++--------- ...nced-hunting-deviceprocessevents-table.md} | 18 ++++++++--------- ...ced-hunting-deviceregistryevents-table.md} | 18 ++++++++--------- .../advanced-hunting-query-language.md | 18 ++++++++--------- .../advanced-hunting-schema-reference.md | 18 ++++++++--------- ...nced-hunting-tvm-configassessment-table.md | 4 ++-- ...ced-hunting-tvm-softwareinventory-table.md | 4 ++-- .../microsoft-defender-atp/api-power-bi.md | 2 +- .../attack-surface-reduction.md | 2 +- .../controlled-folders.md | 2 +- .../custom-detection-rules.md | 14 ++++++------- .../exploit-protection.md | 2 +- .../exposed-apis-full-sample-powershell.md | 2 +- .../information-protection-investigation.md | 2 +- .../investigate-behind-proxy.md | 6 +++--- .../network-protection.md | 2 +- .../microsoft-defender-atp/preview.md | 2 +- .../run-advanced-query-api.md | 2 +- .../run-advanced-query-sample-powershell.md | 2 +- .../run-advanced-query-sample-python.md | 2 +- .../threat-and-vuln-mgt-scenarios.md | 8 ++++---- 29 files changed, 143 insertions(+), 143 deletions(-) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-miscevents-table.md => advanced-hunting-deviceevents-table.md} (84%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-filecreationevents-table.md => advanced-hunting-devicefileevents-table.md} (86%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-imageloadevents-table.md => advanced-hunting-deviceimageloadevents-table.md} (83%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-machineinfo-table.md => advanced-hunting-deviceinfo-table.md} (75%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-logonevents-table.md => advanced-hunting-devicelogonevents-table.md} (82%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-networkcommunicationevents-table.md => advanced-hunting-devicenetworkevents-table.md} (83%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-machinenetworkinfo-table.md => advanced-hunting-devicenetworkinfo-table.md} (77%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-processcreationevents-table.md => advanced-hunting-deviceprocessevents-table.md} (88%) rename windows/security/threat-protection/microsoft-defender-atp/{advanced-hunting-registryevents-table.md => advanced-hunting-deviceregistryevents-table.md} (85%) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md index 84eb799e45..b5e080a33e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md @@ -33,9 +33,9 @@ For information on other tables in the Advanced hunting schema, see [the Advance | Column name | Data type | Description | |-------------|-----------|-------------| | AlertId | string | Unique identifier for the alert | -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | | Category | string | Type of threat indicator or breach activity identified by the alert | | Title | string | Title of the alert | @@ -43,7 +43,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | SHA1 | string | SHA-1 of the file that the recorded action was applied to | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | | RemoteIP | string | IP address that was being connected to | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | Table | string | Table that contains the details of the event | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index bb1e594c49..deb89add9d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -41,14 +41,14 @@ Apply these recommendations to get results faster and avoid timeouts while runni ## Query tips and pitfalls ### Queries with process IDs -Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `MachineId` or `ComputerName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). +Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. ``` -NetworkCommunicationEvents -| where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4) -| summarize RemoteIPCount=dcount(RemoteIP) by ComputerName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName +DeviceNetworkEvents +| where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4) +| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName | where RemoteIPCount > 10 ``` @@ -70,17 +70,17 @@ The following examples show various ways to construct a query that looks for the ``` // Non-durable query - do not use -ProcessCreationEvents +DeviceProcessEvents | where ProcessCommandLine == "net stop MpsSvc" | limit 10 // Better query - filters on filename, does case-insensitive matches -ProcessCreationEvents -| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc" +DeviceProcessEvents +| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc" // Best query also ignores quotes -ProcessCreationEvents -| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe") +DeviceProcessEvents +| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe") | extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine) | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md similarity index 84% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index 2e6c3ad70f..1acdf557bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -1,6 +1,6 @@ --- -title: MiscEvents table in the advanced hunting schema -description: Learn about antivirus, firewall, and other event types in the miscellaneous events (MiscEvents) table of the Advanced hunting schema +title: DeviceEvents table in the advanced hunting schema +description: Learn about antivirus, firewall, and other event types in the miscellaneous events (DeviceEvents) table of the Advanced hunting schema keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# MiscEvents +# DeviceEvents **Applies to:** @@ -26,15 +26,15 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The miscellaneous events or MiscEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. +The miscellaneous events or DeviceEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ActionType | string | Type of activity that triggered the event | | FileName | string | Name of the file that the recorded action was applied to | | FolderPath | string | Folder containing the file that the recorded action was applied to | @@ -45,7 +45,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | AccountName |string | User name of the account | | AccountSid | string | Security Identifier (SID) of the account | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | -| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | +| RemoteDeviceName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | | ProcessId | int | Process ID (PID) of the newly created process | | ProcessCommandLine | string | Command line used to create the new process | | ProcessCreationTime | datetime | Date and time the process was created | @@ -76,7 +76,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | | InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md similarity index 86% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 957282b72c..08c61045ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -1,7 +1,7 @@ --- -title: FileCreationEvents table in the Advanced hunting schema -description: Learn about file-related events in the FileCreationEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, filecreationevents, files, path, hash, sha1, sha256, md5 +title: DeviceFileEvents table in the Advanced hunting schema +description: Learn about file-related events in the DeviceFileEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5 search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# FileCreationEvents +# DeviceFileEvents **Applies to:** @@ -26,15 +26,15 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The FileCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. +The DeviceFileEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ActionType | string | Type of activity that triggered the event | | FileName | string | Name of the file that the recorded action was applied to | | FolderPath | string | Folder containing the file that the recorded action was applied to | @@ -66,7 +66,7 @@ For information on other tables in the Advanced hunting schema, see [the Advanc | RequestAccountName | string | User name of account used to remotely initiate the activity | | RequestAccountDomain | string | Domain of the account used to remotely initiate the activity | | RequestAccountSid | string | Security Identifier (SID) of the account to remotely initiate the activity | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | | SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection | | SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md similarity index 83% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index 68ceff1055..ebfd8dd80a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md @@ -1,7 +1,7 @@ --- -title: ImageLoadEvents table in the Advanced hunting schema -description: Learn about DLL loading events in the ImageLoadEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, imageloadevents, DLL loading, library, file image +title: DeviceImageLoadEvents table in the Advanced hunting schema +description: Learn about DLL loading events in the DeviceImageLoadEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# ImageLoadEvents +# DeviceImageLoadEvents **Applies to:** @@ -26,15 +26,15 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The ImageLoadEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. +The DeviceImageLoadEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ActionType | string | Type of activity that triggered the event | | FileName | string | Name of the file that the recorded action was applied to | | FolderPath | string | Folder containing the file that the recorded action was applied to | @@ -55,7 +55,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md similarity index 75% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index a986602549..7d8fb7823b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md @@ -1,7 +1,7 @@ --- -title: MachineInfo table in the Advanced hunting schema -description: Learn about OS, computer name, and other machine information in the MachineInfo table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, machineinfo, device, machine, OS, platform, users +title: DeviceInfo table in the Advanced hunting schema +description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# MachineInfo +# DeviceInfo **Applies to:** @@ -26,15 +26,15 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MachineInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. +The DeviceInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ClientVersion | string | Version of the endpoint agent or sensor running on the machine | | PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy | | OSArchitecture | string | Architecture of the operating system running on the machine | @@ -42,8 +42,8 @@ For information on other tables in the Advanced hunting schema, see [the Advance | OSBuild | string | Build version of the operating system running on the machine | | IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | | LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | -| RegistryMachineTag | string | Machine tag added through the registry | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| RegistryDeviceTag | string | Machine tag added through the registry | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | OSVersion | string | Version of the operating system running on the machine | | MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md similarity index 82% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index eb6044fda7..196bdde977 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -1,7 +1,7 @@ --- -title: LogonEvents table in the Advanced hunting schema -description: Learn about authentication or sign-in events in the LogonEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, logonevents, authentication, logon, sign in +title: DeviceLogonEvents table in the Advanced hunting schema +description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# LogonEvents +# DeviceLogonEvents **Applies to:** @@ -26,22 +26,22 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The LogonEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. +The DeviceLogonEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ActionType | string |Type of activity that triggered the event | | AccountDomain | string | Domain of the account | | AccountName | string | User name of the account | | AccountSid | string | Security Identifier (SID) of the account | | LogonType | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
| | LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | -| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | +| RemoteDeviceName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | | RemoteIP | string | IP address that was being connected to | | RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | RemotePort | int | TCP port on the remote device that was being connected to | @@ -62,7 +62,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | | IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md similarity index 83% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 5485d2b86e..581b173d15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md @@ -1,7 +1,7 @@ --- -title: NetworkCommunicationEvents table in the Advanced hunting schema -description: Learn about network connection events you can query from the NetworkCommunicationEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, networkcommunicationevents, network connection, remote ip, local ip +title: DeviceNetworkEvents table in the Advanced hunting schema +description: Learn about network connection events you can query from the DeviceNetworkEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# NetworkCommunicationEvents +# DeviceNetworkEvents **Applies to:** @@ -26,15 +26,15 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The NetworkCommunicationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. +The DeviceNetworkEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ActionType | string | Type of activity that triggered the event | | RemoteIP | string | IP address that was being connected to | | RemotePort | int | TCP port on the remote device that was being connected to | @@ -59,7 +59,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | | InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md similarity index 77% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index a09d2619f2..66f0663d23 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -1,7 +1,7 @@ --- -title: MachineNetworkInfo table in the Advanced hunting schema -description: Learn about network configuration information in the MachineNetworkInfo table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, machinenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel +title: DeviceNetworkInfo table in the Advanced hunting schema +description: Learn about network configuration information in the DeviceNetworkInfo table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# MachineNetworkInfo +# DeviceNetworkInfo **Applies to:** @@ -26,16 +26,16 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The MachineNetworkInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. +The DeviceNetworkInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | NetworkAdapterName | string | Name of the network adapter | | MacAddress | string | MAC address of the network adapter | | NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md similarity index 88% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 43746ac557..42ed9a3829 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md @@ -1,7 +1,7 @@ --- -title: ProcessCreationEvents table in the Advanced hunting schema -description: Learn about the process spawning or creation events in the ProcessCreationEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, processcreationevents, process id, command line +title: DeviceProcessEvents table in the Advanced hunting schema +description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# ProcessCreationEvents +# DeviceProcessEvents **Applies to:** @@ -26,15 +26,15 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The ProcessCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. +The DeviceProcessEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ActionType | string | Type of activity that triggered the event | | FileName | string | Name of the file that the recorded action was applied to | | FolderPath | string | Folder containing the file that the recorded action was applied to | @@ -67,7 +67,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | | InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md similarity index 85% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index 05c6b7386b..fee6397cd2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -1,7 +1,7 @@ --- -title: RegistryEvents table in the Advanced hunting schema -description: Learn about registry events you can query from the RegistryEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, registryevents, registry, key, subkey, value +title: DeviceRegistryEvents table in the Advanced hunting schema +description: Learn about registry events you can query from the DeviceRegistryEvents table of the Advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# RegistryEvents +# DeviceRegistryEvents **Applies to:** @@ -26,15 +26,15 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The RegistryEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. +The DeviceRegistryEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| EventTime | datetime | Date and time when the event was recorded | -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Timestamp | datetime | Date and time when the event was recorded | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | ActionType | string | Type of activity that triggered the event | | RegistryKey | string | Registry key that the recorded action was applied to | | RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | @@ -57,7 +57,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | | InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index 405215c2aa..33817ad10f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -33,16 +33,16 @@ In Microsoft Defender Security Center, go to **Advanced hunting** to run your fi ```kusto // Finds PowerShell execution events that could involve a download. -ProcessCreationEvents -| where EventTime > ago(7d) +DeviceProcessEvents +| where Timestamp > ago(7d) | where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") | where ProcessCommandLine has "Net.WebClient" or ProcessCommandLine has "DownloadFile" or ProcessCommandLine has "Invoke-WebRequest" or ProcessCommandLine has "Invoke-Shellcode" or ProcessCommandLine contains "http:" -| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine -| top 100 by EventTime +| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine +| top 100 by Timestamp ``` This is how it will look like in Advanced hunting. @@ -54,16 +54,16 @@ The query starts with a short comment describing what it is for. This helps if y ```kusto // Finds PowerShell execution events that could involve a download. -ProcessCreationEvents +DeviceProcessEvents ``` -The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `ProcessCreationEvents` and add piped elements as needed. +The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `DeviceProcessEvents` and add piped elements as needed. ### Set the time range The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out. ```kusto -| where EventTime > ago(7d) +| where Timestamp > ago(7d) ``` ### Search for specific executable files The time range is immediately followed by a search for files representing the PowerShell application. @@ -85,8 +85,8 @@ Afterwards, the query looks for command lines that are typically used with Power Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process. ```kusto -| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine -| top 100 by EventTime +| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine +| top 100 by Timestamp ``` Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 1ee69ec5ad..ad7829bfa9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -38,15 +38,15 @@ Table and column names are also listed within the Microsoft Defender Security Ce | Table name | Description | |------------|-------------| | **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center | -| **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information | -| **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains | -| **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events | -| **[NetworkCommunicationEvents](advanced-hunting-networkcommunicationevents-table.md)** | Network connection and related events | -| **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events | -| **[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries | -| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events | -| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events | -| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | +| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Machine information, including OS information | +| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains | +| **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events | +| **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events | +| **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events | +| **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries | +| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events | +| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events | +| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | | **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Vulnerabilities in your software inventory | | **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Publicly-available vulnerabilities and whether they exist in your software inventory | | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Security configuration assessment information | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md index 736db7d11f..3fd747d1c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md @@ -34,8 +34,8 @@ For information on other tables in the Advanced hunting schema, see [the Advance | Column name | Data type | Description | |-------------|-----------|-------------| -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| | Timestamp | datetime |Date and time when the record was generated | | ConfigurationId | string | Unique identifier for a specific configuration | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md index dc92507b8e..63fa5e1590 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md @@ -35,8 +35,8 @@ For information on other tables in the Advanced hunting schema, see [the Advance | Column name | Data type | Description | |-------------|-----------|-------------| -| MachineId | string | Unique identifier for the machine in the service | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| DeviceId | string | Unique identifier for the machine in the service | +| DeviceName | string | Fully qualified domain name (FQDN) of the machine | | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | | OSVersion | string | Version of the operating system running on the machine | | OSArchitecture | string | Architecture of the operating system running on the machine | diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md index 2eaa43daee..cd73aee642 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md @@ -43,7 +43,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a ``` let - AdvancedHuntingQuery = "MiscEvents | where ActionType contains 'Anti'", + AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti'", HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries", diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 772ce99ae9..84f22f9ef0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -51,7 +51,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-h Here is an example query: ```PowerShell -MiscEvents +DeviceEvents | where ActionType startswith 'Asr' ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index b751dd036f..44d145c9e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -56,7 +56,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do Here is an example query ```PowerShell -MiscEvents +DeviceEvents | where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked') ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index fb3a52f9f4..854e4f2e9b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -34,17 +34,17 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. #### Required columns in the query results -To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. +To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. -There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `MachineId`, you can still return `EventTime` and `ReportId` by getting them from the most recent event involving each machine. +There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine. -The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. +The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. ``` -MiscEvents -| where EventTime > ago(7d) +DeviceEvents +| where Timestamp > ago(7d) | where ActionType == "AntivirusDetection" -| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId +| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId | where count_ > 5 ``` @@ -76,7 +76,7 @@ Whenever a rule runs, similar detections on the same machine could be aggregated Your custom detection rule can automatically take actions on files or machines that are returned by the query. #### Actions on machines -These actions are applied to machines in the `MachineId` column of the query results: +These actions are applied to machines in the `DeviceId` column of the query results: - **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network) - **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines) - **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index e47d2c93c1..2642c7655d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -54,7 +54,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do Here is an example query: ```PowerShell -MiscEvents +DeviceEvents | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection' ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index e1397a16e7..e66b4eade4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -99,7 +99,7 @@ Foreach($alert in $alerts) $commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","') -$query = "NetworkCommunicationEvents +$query = "DeviceNetworkEvents | where MachineId in ($commaSeparatedMachines) | where RemoteUrl == `"$suspiciousUrl`" | summarize ConnectionsCount = count() by MachineId" diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md index 7578bad95e..6f16b9a43a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md @@ -59,4 +59,4 @@ Learn how to use data sensitivity labels to prioritize incident investigation. >[!TIP] ->These data points are also exposed through the ‘FileCreationEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status. \ No newline at end of file +>These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md index 487d24f359..4e7758c7da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md @@ -60,12 +60,12 @@ Event's information: ## Hunt for connection events using advanced hunting -All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the `ConnecionSuccess` action type. +All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the DeviceNetworkEvents table under the `ConnecionSuccess` action type. Using this simple query will show you all the relevant events: ``` -NetworkCommunicationEvents +DeviceNetworkEvents | where ActionType == "ConnectionSuccess" | take 10 ``` @@ -77,7 +77,7 @@ You can also filter out events that are related to connection to the proxy itse Use the following query to filter out the connections to the proxy: ``` -NetworkCommunicationEvents +DeviceNetworkEvents | where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP" | take 10 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 6c0c0b5d21..b1a6786f57 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -57,7 +57,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do Here is an example query ```PowerShell -MiscEvents +DeviceEvents | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked') ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 7173007d17..07e1d96848 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -46,7 +46,7 @@ The following features are included in the preview release: - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy). -- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table)
You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase. +- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table)
You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase. - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions. diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 8dc833cda8..bece592d00 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -81,7 +81,7 @@ Here is an example of the request. POST https://api.securitycenter.windows.com/api/advancedqueries/run Content-type: application/json { - "Query":"ProcessCreationEvents + "Query":"DeviceProcessEvents | where InitiatingProcessFileName =~ \"powershell.exe\" | where ProcessCommandLine contains \"appdata\" | project EventTime, FileName, InitiatingProcessFileName diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md index e33a799eb0..15aded57d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md @@ -70,7 +70,7 @@ where Run the following query: ``` -$query = 'RegistryEvents | limit 10' # Paste your own query here +$query = 'DeviceRegistryEvents | limit 10' # Paste your own query here $url = "https://api.securitycenter.windows.com/api/advancedqueries/run" $headers = @{ diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md index f8b07f534c..6c4831e501 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md @@ -73,7 +73,7 @@ where Run the following query: ``` -query = 'RegistryEvents | limit 10' # Paste your own query here +query = 'DeviceRegistryEvents | limit 10' # Paste your own query here url = "https://api.securitycenter.windows.com/api/advancedqueries/run" headers = { diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 13b98ef44d..93c0a3388e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -173,11 +173,11 @@ DeviceTvmSoftwareInventoryVulnerabilities | join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId | where IsExploitAvailable == 1 and CvssScore >= 7 | summarize NumOfVulnerabilities=dcount(CveId), -ComputerName=any(ComputerName) by MachineId -| join kind =inner(AlertEvents) on MachineId +DeviceName=any(DeviceName) by DeviceId +| join kind =inner(AlertEvents) on DeviceId | summarize NumOfVulnerabilities=any(NumOfVulnerabilities), -ComputerName=any(ComputerName) by MachineId, AlertId -| project ComputerName, NumOfVulnerabilities, AlertId +DeviceName=any(DeviceName) by DeviceId, AlertId +| project DeviceName, NumOfVulnerabilities, AlertId | order by NumOfVulnerabilities desc ``` From 7b7d43e9d340c7cf91386461d22e03cd846cd5f1 Mon Sep 17 00:00:00 2001 From: lomayor Date: Fri, 13 Dec 2019 16:37:49 -0800 Subject: [PATCH 02/45] Update advanced-hunting-deviceevents-table.md --- .../advanced-hunting-deviceevents-table.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index 1acdf557bf..3f640784e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -1,6 +1,6 @@ --- title: DeviceEvents table in the advanced hunting schema -description: Learn about antivirus, firewall, and other event types in the miscellaneous events (DeviceEvents) table of the Advanced hunting schema +description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the Advanced hunting schema keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The miscellaneous events or DeviceEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. +The miscellaneous device events or DeviceEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). From 2eb85ee3aaf78841d0acbd19d30e09d90fdfd56f Mon Sep 17 00:00:00 2001 From: lomayor Date: Fri, 13 Dec 2019 17:06:53 -0800 Subject: [PATCH 03/45] TOC & redir for ah schema change --- .openpublishing.redirection.json | 55 ++++++++++++++++++++--- windows/security/threat-protection/TOC.md | 18 ++++---- 2 files changed, 59 insertions(+), 14 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 551ce8b897..4852c7c178 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -956,6 +956,11 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview", "redirect_document_id": false @@ -966,6 +971,51 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -1657,11 +1707,6 @@ "redirect_document_id": true }, { -"source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md", -"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview", -"redirect_document_id": true -}, -{ "source_path": "windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score", "redirect_document_id": true diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 1df34b54fd..d3f9b8cf3b 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -114,15 +114,15 @@ #### [Advanced hunting schema reference]() ##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md) ##### [AlertEvents](microsoft-defender-atp/advanced-hunting-alertevents-table.md) -##### [FileCreationEvents](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md) -##### [ImageLoadEvents](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md) -##### [LogonEvents](microsoft-defender-atp/advanced-hunting-logonevents-table.md) -##### [MachineInfo](microsoft-defender-atp/advanced-hunting-machineinfo-table.md) -##### [MachineNetworkInfo](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md) -##### [MiscEvents](microsoft-defender-atp/advanced-hunting-miscevents-table.md) -##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md) -##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md) -##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md) +##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md) +##### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md) +##### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md) +##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md) +##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md) +##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md) +##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md) +##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md) +##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md) ##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md) ##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md) ##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md) From 3325a4ea9ea5cb0ead75e3eb4d80ce30e922f79e Mon Sep 17 00:00:00 2001 From: lomayor Date: Fri, 13 Dec 2019 17:31:13 -0800 Subject: [PATCH 04/45] Undo changes to API topics --- .../exposed-apis-full-sample-powershell.md | 4 ++-- .../microsoft-defender-atp/run-advanced-query-api.md | 2 +- .../run-advanced-query-sample-powershell.md | 2 +- .../run-advanced-query-sample-python.md | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index e66b4eade4..6314bce713 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -32,7 +32,7 @@ In this section we share PowerShell samples to >**Prerequisite**: You first need to [create an app](apis-intro.md). -## Preparation Instructions +## Preparation instructions - Open a PowerShell window. - If your policy does not allow you to run the PowerShell commands, you can run the below command: @@ -99,7 +99,7 @@ Foreach($alert in $alerts) $commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","') -$query = "DeviceNetworkEvents +$query = "NetworkCommunicationEvents | where MachineId in ($commaSeparatedMachines) | where RemoteUrl == `"$suspiciousUrl`" | summarize ConnectionsCount = count() by MachineId" diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index bece592d00..8dc833cda8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -81,7 +81,7 @@ Here is an example of the request. POST https://api.securitycenter.windows.com/api/advancedqueries/run Content-type: application/json { - "Query":"DeviceProcessEvents + "Query":"ProcessCreationEvents | where InitiatingProcessFileName =~ \"powershell.exe\" | where ProcessCommandLine contains \"appdata\" | project EventTime, FileName, InitiatingProcessFileName diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md index 15aded57d0..e33a799eb0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md @@ -70,7 +70,7 @@ where Run the following query: ``` -$query = 'DeviceRegistryEvents | limit 10' # Paste your own query here +$query = 'RegistryEvents | limit 10' # Paste your own query here $url = "https://api.securitycenter.windows.com/api/advancedqueries/run" $headers = @{ diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md index 6c4831e501..f8b07f534c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md @@ -73,7 +73,7 @@ where Run the following query: ``` -query = 'DeviceRegistryEvents | limit 10' # Paste your own query here +query = 'RegistryEvents | limit 10' # Paste your own query here url = "https://api.securitycenter.windows.com/api/advancedqueries/run" headers = { From 2e8f3bd8986fd7811f1104d5d5c4a85d5be25c73 Mon Sep 17 00:00:00 2001 From: lomayor Date: Fri, 13 Dec 2019 18:16:52 -0800 Subject: [PATCH 05/45] Name capping and backticks --- windows/security/threat-protection/TOC.md | 2 +- .../advanced-hunting-alertevents-table.md | 34 +++--- .../advanced-hunting-best-practices.md | 4 +- .../advanced-hunting-deviceevents-table.md | 101 +++++++++--------- ...advanced-hunting-devicefileevents-table.md | 88 +++++++-------- ...ced-hunting-deviceimageloadevents-table.md | 60 +++++------ .../advanced-hunting-deviceinfo-table.md | 38 +++---- ...dvanced-hunting-devicelogonevents-table.md | 76 ++++++------- ...anced-hunting-devicenetworkevents-table.md | 68 ++++++------ ...dvanced-hunting-devicenetworkinfo-table.md | 40 +++---- ...anced-hunting-deviceprocessevents-table.md | 84 +++++++-------- ...nced-hunting-deviceregistryevents-table.md | 64 +++++------ .../advanced-hunting-overview.md | 14 +-- .../advanced-hunting-query-language.md | 22 ++-- .../advanced-hunting-schema-reference.md | 20 ++-- .../advanced-hunting-shared-queries.md | 8 +- ...nced-hunting-tvm-configassessment-table.md | 26 ++--- ...vanced-hunting-tvm-secureconfigkb-table.md | 28 ++--- ...ced-hunting-tvm-softwareinventory-table.md | 28 ++--- ...hunting-tvm-softwarevulnerability-table.md | 24 ++--- .../attack-surface-reduction.md | 2 +- .../controlled-folders.md | 2 +- .../custom-detection-rules.md | 4 +- .../microsoft-defender-atp/evaluation-lab.md | 2 +- .../exploit-protection.md | 2 +- .../network-protection.md | 2 +- .../overview-custom-detections.md | 4 +- .../microsoft-defender-atp/preview.md | 2 +- .../threat-and-vuln-mgt-scenarios.md | 4 +- .../whats-new-in-microsoft-defender-atp.md | 4 +- 30 files changed, 429 insertions(+), 428 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index d3f9b8cf3b..01d818fb3c 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -128,7 +128,7 @@ ##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md) ##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md) #### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) -#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md) +#### [Stream advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md) #### [Custom detections]() ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md index b5e080a33e..e2792a2fb2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md @@ -1,6 +1,6 @@ --- -title: AlertEvents table in the Advanced hunting schema -description: Learn about alert generation events in the AlertEvents table of the Advanced hunting schema +title: AlertEvents table in the advanced hunting schema +description: Learn about alert generation events in the AlertEvents table of the advanced hunting schema keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, alertevents, alert, severity, category search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,25 +26,25 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The AlertEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. +The `AlertEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| AlertId | string | Unique identifier for the alert | -| Timestamp | datetime | Date and time when the event was recorded | -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | -| Category | string | Type of threat indicator or breach activity identified by the alert | -| Title | string | Title of the alert | -| FileName | string | Name of the file that the recorded action was applied to | -| SHA1 | string | SHA-1 of the file that the recorded action was applied to | -| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | -| RemoteIP | string | IP address that was being connected to | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| Table | string | Table that contains the details of the event | +| `AlertId` | string | Unique identifier for the alert | +| `Timestamp` | datetime | Date and time when the event was recorded | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | +| `Category` | string | Type of threat indicator or breach activity identified by the alert | +| `Title` | string | Title of the alert | +| `FileName` | string | Name of the file that the recorded action was applied to | +| `SHA1` | string | SHA-1 of the file that the recorded action was applied to | +| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to | +| `RemoteIP` | string | IP address that was being connected to | +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | +| `Table` | string | Table that contains the details of the event | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index deb89add9d..5c0384c664 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -1,6 +1,6 @@ --- -title: Query best practices for Advanced hunting -description: Learn how to construct fast, efficient, and error-free threat hunting queries when using Advanced hunting +title: Query best practices for advanced hunting +description: Learn how to construct fast, efficient, and error-free threat hunting queries when using advanced hunting keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index 3f640784e5..aed7f010df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -1,7 +1,7 @@ --- title: DeviceEvents table in the advanced hunting schema -description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard +description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -26,58 +26,59 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The miscellaneous device events or DeviceEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. +The miscellaneous device events or `DeviceEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| Timestamp | datetime | Date and time when the event was recorded | -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| ActionType | string | Type of activity that triggered the event | -| FileName | string | Name of the file that the recorded action was applied to | -| FolderPath | string | Folder containing the file that the recorded action was applied to | -| SHA1 | string | SHA-1 of the file that the recorded action was applied to | -| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available | -| MD5 | string | MD5 hash of the file that the recorded action was applied to | -| AccountDomain | string | Domain of the account | -| AccountName |string | User name of the account | -| AccountSid | string | Security Identifier (SID) of the account | -| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | -| RemoteDeviceName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | -| ProcessId | int | Process ID (PID) of the newly created process | -| ProcessCommandLine | string | Command line used to create the new process | -| ProcessCreationTime | datetime | Date and time the process was created | -| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | -| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | -| RegistryKey | string | Registry key that the recorded action was applied to | -| RegistryValueName | string | Name of the registry value that the recorded action was applied to | -| RegistryValueData | string | Data of the registry value that the recorded action was applied to | -| RemoteIP | string | IP address that was being connected to | -| RemotePort | int | TCP port on the remote device that was being connected to | -| LocalIP | string | IP address assigned to the local machine used during communication | -| LocalPort | int | TCP port on the local machine used during communication | -| FileOriginUrl | string | URL where the file was downloaded from | -| FileOriginIP | string | IP address where the file was downloaded from | -| AdditionalFields | string | Additional information about the event in JSON array format | -| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | -| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available | -| InitiatingProcessFileName | string | Name of the process that initiated the event | -| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | -| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | -| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | -| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | -| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | -| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | -| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | -| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| `Timestamp` | datetime | Date and time when the event was recorded | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `ActionType` | string | Type of activity that triggered the event | +| `FileName` | string | Name of the file that the recorded action was applied to | +| `FolderPath` | string | Folder containing the file that the recorded action was applied to | +| `SHA1` | string | SHA-1 of the file that the recorded action was applied to | +| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available | +| `MD5` | string | MD5 hash of the file that the recorded action was applied to | +| `AccountDomain` | string | Domain of the account | +| `AccountName |string | User name of the account | +| `AccountSid` | string | Security Identifier (SID) of the account | +| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to | +| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | +| `ProcessId` | int | Process ID (PID) of the newly created process | +| `ProcessCommandLine` | string | Command line used to create the new process | +| `ProcessCreationTime` | datetime | Date and time the process was created | +| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | +| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| `RegistryKey` | string | Registry key that the recorded action was applied to | +| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to | +| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to | +| `RemoteIP` | string | IP address that was being connected to | +| `RemotePort` | int | TCP port on the remote device that was being connected to | +| `LocalIP` | string | IP address assigned to the local machine used during communication | +| `LocalPort` | int | TCP port on the local machine used during communication | +| `FileOriginUrl` | string | URL where the file was downloaded from | +| `FileOriginIP` | string | IP address where the file was downloaded from | +| `AdditionalFields` | string | Additional information about the event in JSON array format | +| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | +| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available | +| `InitiatingProcessFileName` | string | Name of the process that initiated the event | +| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event | +| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | +| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | +| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started | +| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | +| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | +| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | +| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | +| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts | +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | +| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | + ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 08c61045ad..7e519fa914 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -1,7 +1,7 @@ --- -title: DeviceFileEvents table in the Advanced hunting schema -description: Learn about file-related events in the DeviceFileEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5 +title: DeviceFileEvents table in the advanced hunting schema +description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -26,51 +26,51 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The DeviceFileEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. +The `DeviceFileEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| Timestamp | datetime | Date and time when the event was recorded | -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| ActionType | string | Type of activity that triggered the event | -| FileName | string | Name of the file that the recorded action was applied to | -| FolderPath | string | Folder containing the file that the recorded action was applied to | -| SHA1 | string | SHA-1 of the file that the recorded action was applied to | -| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available | -| MD5 | string | MD5 hash of the file that the recorded action was applied to | -| FileOriginUrl | string | URL where the file was downloaded from | -| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file | -| FileOriginIP | string | IP address where the file was downloaded from | -| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | -| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | -| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | -| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | -| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | -| InitiatingProcessFileName | string | Name of the process that initiated the event | -| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | -| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | -| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | -| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | -| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | -| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| RequestProtocol | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS | -| ShareName | string | Name of shared folder containing the file | -| RequestSourceIP | string | IPv4 or IPv6 address of the remote device that initiated the activity | -| RequestSourcePort | string | Source port on the remote device that initiated the activity | -| RequestAccountName | string | User name of account used to remotely initiate the activity | -| RequestAccountDomain | string | Domain of the account used to remotely initiate the activity | -| RequestAccountSid | string | Security Identifier (SID) of the account to remotely initiate the activity | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | -| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection | -| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | -| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection | +| `Timestamp` | datetime | Date and time when the event was recorded | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `ActionType` | string | Type of activity that triggered the event | +| `FileName` | string | Name of the file that the recorded action was applied to | +| `FolderPath` | string | Folder containing the file that the recorded action was applied to | +| `SHA1` | string | SHA-1 of the file that the recorded action was applied to | +| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available | +| `MD5` | string | MD5 hash of the file that the recorded action was applied to | +| `FileOriginUrl` | string | URL where the file was downloaded from | +| `FileOriginReferrerUrl` | string | URL of the web page that links to the downloaded file | +| `FileOriginIP` | string | IP address where the file was downloaded from | +| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | +| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | +| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | +| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | +| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event | +| `InitiatingProcessFileName` | string | Name of the process that initiated the event | +| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | +| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | +| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started | +| `InitiatingProcessIntegrityLevel` | string` | integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | +| `RequestProtocol` | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS | +| `ShareName` | string | Name of shared folder containing the file | +| `RequestSourceIP` | string | IPv4 or IPv6 address of the remote device that initiated the activity | +| `RequestSourcePort` | string | Source port on the remote device that initiated the activity | +| `RequestAccountName` | string | User name of account used to remotely initiate the activity | +| `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity | +| `RequestAccountSid` | string | Security Identifier (SID) of the account to remotely initiate the activity | +| `ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | +| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection | +| `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | +| `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index ebfd8dd80a..e8acfd67d4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md @@ -1,7 +1,7 @@ --- -title: DeviceImageLoadEvents table in the Advanced hunting schema -description: Learn about DLL loading events in the DeviceImageLoadEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image +title: DeviceImageLoadEvents table in the advanced hunting schema +description: Learn about DLL loading events in the DeviceImageLoadEvents table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -26,37 +26,37 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The DeviceImageLoadEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. +The `DeviceImageLoadEvents table` in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| Timestamp | datetime | Date and time when the event was recorded | -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| ActionType | string | Type of activity that triggered the event | -| FileName | string | Name of the file that the recorded action was applied to | -| FolderPath | string | Folder containing the file that the recorded action was applied to | -| SHA1 | string | SHA-1 of the file that the recorded action was applied to | -| MD5 | string | MD5 hash of the file that the recorded action was applied to | -| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | -| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | -| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | -| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | -| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | -| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | -| InitiatingProcessFileName | string | Name of the process that initiated the event | -| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | -| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | -| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | -| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | -| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| `Timestamp` | datetime | Date and time when the event was recorded | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `ActionType` | string | Type of activity that triggered the event | +| `FileName` | string | Name of the file that the recorded action was applied to | +| `FolderPath` | string | Folder containing the file that the recorded action was applied to | +| `SHA1` | string | SHA-1 of the file that the recorded action was applied to | +| `MD5` | string | MD5 hash of the file that the recorded action was applied to | +| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | +| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | +| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | +| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | +| `InitiatingProcessFileName` | string | Name of the process that initiated the event | +| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | +| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | +| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started | +| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event | +| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | +| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index 7d8fb7823b..16a90f67ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md @@ -1,7 +1,7 @@ --- -title: DeviceInfo table in the Advanced hunting schema -description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users +title: DeviceInfo table in the advanced hunting schema +description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users, MachineInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -26,26 +26,26 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The DeviceInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. +The `DeviceInfo` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| Timestamp | datetime | Date and time when the event was recorded | -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| ClientVersion | string | Version of the endpoint agent or sensor running on the machine | -| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy | -| OSArchitecture | string | Architecture of the operating system running on the machine | -| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | -| OSBuild | string | Build version of the operating system running on the machine | -| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | -| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | -| RegistryDeviceTag | string | Machine tag added through the registry | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| OSVersion | string | Version of the operating system running on the machine | -| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine | +| `Timestamp` | datetime | Date and time when the event was recorded | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `ClientVersion` | string | Version of the endpoint agent or sensor running on the machine | +| `PublicIP` | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy | +| `OSArchitecture` | string | Architecture of the operating system running on the machine | +| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | +| `OSBuild` | string | Build version of the operating system running on the machine | +| `IsAzureADJoined` | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | +| `LoggedOnUsers` | string | List of all users that are logged on the machine at the time of the event in JSON array format | +| `RegistryDeviceTag` | string | Machine tag added through the registry | +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | +| `OSVersion` | string | Version of the operating system running on the machine | +| `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index 196bdde977..8177e49c74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -1,7 +1,7 @@ --- -title: DeviceLogonEvents table in the Advanced hunting schema -description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in +title: DeviceLogonEvents table in the advanced hunting schema +description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -26,45 +26,45 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The DeviceLogonEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. +The `DeviceLogonEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| Timestamp | datetime | Date and time when the event was recorded | -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| ActionType | string |Type of activity that triggered the event | -| AccountDomain | string | Domain of the account | -| AccountName | string | User name of the account | -| AccountSid | string | Security Identifier (SID) of the account | -| LogonType | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
| -| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | -| RemoteDeviceName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | -| RemoteIP | string | IP address that was being connected to | -| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | -| RemotePort | int | TCP port on the remote device that was being connected to | -| AdditionalFields | string | Additional information about the event in JSON array format | -| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | -| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | -| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | -| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | -| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | -| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available | -| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | -| InitiatingProcessFileName | string | Name of the process that initiated the event | -| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | -| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | -| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | -| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | -| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | -| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine | +| `Timestamp` | datetime | Date and time when the event was recorded | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `ActionType` | string |Type of activity that triggered the event | +| `AccountDomain` | string | Domain of the account | +| `AccountName` | string | User name of the account | +| `AccountSid` | string | Security Identifier (SID) of the account | +| `LogonType` | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
| +| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | +| `RemoteIP` | string | IP address that was being connected to | +| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | +| `RemotePort` | int | TCP port on the remote device that was being connected to | +| `AdditionalFields` | string | Additional information about the event in JSON array format | +| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | +| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | +| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | +| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available | +| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | +| `InitiatingProcessFileName` | string | Name of the process that initiated the event | +| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | +| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | +| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started | +| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event | +| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | +| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the machine | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 581b173d15..0fe9b537f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md @@ -1,7 +1,7 @@ --- -title: DeviceNetworkEvents table in the Advanced hunting schema -description: Learn about network connection events you can query from the DeviceNetworkEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip +title: DeviceNetworkEvents table in the advanced hunting schema +description: Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -26,41 +26,41 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The DeviceNetworkEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. +The `DeviceNetworkEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| Timestamp | datetime | Date and time when the event was recorded | -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| ActionType | string | Type of activity that triggered the event | -| RemoteIP | string | IP address that was being connected to | -| RemotePort | int | TCP port on the remote device that was being connected to | -| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | -| LocalIP | string | IP address assigned to the local machine used during communication | -| LocalPort | int | TCP port on the local machine used during communication | -| Protocol | string | IP protocol used, whether TCP or UDP | -| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | -| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | -| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | -| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | -| InitiatingProcessFileName | string | Name of the process that initiated the event | -| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | -| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | -| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | -| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | -| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | -| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | -| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | -| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| `Timestamp` | datetime | Date and time when the event was recorded | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `ActionType` | string | Type of activity that triggered the event | +| `RemoteIP` | string | IP address that was being connected to | +| `RemotePort` | int | TCP port on the remote device that was being connected to | +| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to | +| `LocalIP` | string | IP address assigned to the local machine used during communication | +| `LocalPort` | int | TCP port on the local machine used during communication | +| `Protocol` | string | IP protocol used, whether TCP or UDP | +| `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | +| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | +| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | +| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | +| `InitiatingProcessFileName` | string | Name of the process that initiated the event | +| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | +| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | +| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started | +| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event | +| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | +| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | +| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | +| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | +| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index 66f0663d23..e202a842bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -1,7 +1,7 @@ --- -title: DeviceNetworkInfo table in the Advanced hunting schema -description: Learn about network configuration information in the DeviceNetworkInfo table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel +title: DeviceNetworkInfo table in the advanced hunting schema +description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel, MachineNetworkInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -26,27 +26,27 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The DeviceNetworkInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. +The `DeviceNetworkInfo` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| Timestamp | datetime | Date and time when the event was recorded | -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| NetworkAdapterName | string | Name of the network adapter | -| MacAddress | string | MAC address of the network adapter | -| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) | -| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) | -| TunnelType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | -| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet | -| DnsAddresses | string | DNS server addresses in JSON array format | -| IPv4Dhcp | string | IPv4 address of DHCP server | -| IPv6Dhcp | string | IPv6 address of DHCP server | -| DefaultGateways | string | Default gateway addresses in JSON array format | -| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local | +| `Timestamp` | datetime | Date and time when the event was recorded | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | +| `NetworkAdapterName` | string | Name of the network adapter | +| `MacAddress` | string | MAC address of the network adapter | +| `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) | +| `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) | +| `TunnelType` | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | +| `ConnectedNetworks` | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet | +| `DnsAddresses` | string | DNS server addresses in JSON array format | +| `IPv4Dhcp` | string | IPv4 address of DHCP server | +| `IPv6Dhcp` | string | IPv6 address of DHCP server | +| `DefaultGateways` | string | Default gateway addresses in JSON array format | +| `IPAddresses` | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 42ed9a3829..71177a6205 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md @@ -1,7 +1,7 @@ --- -title: DeviceProcessEvents table in the Advanced hunting schema -description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line +title: DeviceProcessEvents table in the advanced hunting schema +description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -26,49 +26,49 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The DeviceProcessEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. +The `DeviceProcessEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| Timestamp | datetime | Date and time when the event was recorded | -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| ActionType | string | Type of activity that triggered the event | -| FileName | string | Name of the file that the recorded action was applied to | -| FolderPath | string | Folder containing the file that the recorded action was applied to | -| SHA1 | string | SHA-1 of the file that the recorded action was applied to | -| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | -| MD5 | string | MD5 hash of the file that the recorded action was applied to | -| ProcessId | int | Process ID (PID) of the newly created process | -| ProcessCommandLine | string | Command line used to create the new process | -| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources | -| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | -| ProcessCreationTime | datetime | Date and time the process was created | -| AccountDomain | string | Domain of the account | -| AccountName | string | User name of the account | -| AccountSid | string | Security Identifier (SID) of the account | -| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | -| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | -| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | -| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | -| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | -| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | -| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | -| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available | -| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | -| InitiatingProcessFileName | string | Name of the process that initiated the event | -| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | -| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | -| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | -| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | -| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| `Timestamp` | datetime | Date and time when the event was recorded | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `ActionType` | string | Type of activity that triggered the event | +| `FileName` | string | Name of the file that the recorded action was applied to | +| `FolderPath` | string | Folder containing the file that the recorded action was applied to | +| `SHA1` | string | SHA-1 of the file that the recorded action was applied to | +| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | +| `MD5` | string | MD5 hash of the file that the recorded action was applied to | +| `ProcessId` | int | Process ID (PID) of the newly created process | +| `ProcessCommandLine` | string | Command line used to create the new process | +| `ProcessIntegrityLevel` | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources | +| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | +| `ProcessCreationTime` | datetime | Date and time the process was created | +| `AccountDomain` | string | Domain of the account | +| `AccountName` | string | User name of the account | +| `AccountSid` | string | Security Identifier (SID) of the account | +| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | +| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | +| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | +| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | +| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available | +| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | +| `InitiatingProcessFileName` | string | Name of the process that initiated the event | +| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | +| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | +| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started | +| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event | +| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | +| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index fee6397cd2..396feb40c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -1,7 +1,7 @@ --- -title: DeviceRegistryEvents table in the Advanced hunting schema -description: Learn about registry events you can query from the DeviceRegistryEvents table of the Advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value +title: DeviceRegistryEvents table in the advanced hunting schema +description: Learn about registry events you can query from the DeviceRegistryEvents table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -26,39 +26,39 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The DeviceRegistryEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. +The `DeviceRegistryEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| Timestamp | datetime | Date and time when the event was recorded | -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| ActionType | string | Type of activity that triggered the event | -| RegistryKey | string | Registry key that the recorded action was applied to | -| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | -| RegistryValueName | string | Name of the registry value that the recorded action was applied to | -| RegistryValueData | string | Data of the registry value that the recorded action was applied to | -| PreviousRegistryValueName | string | Original name of the registry value before it was modified | -| PreviousRegistryValueData | string | Original data of the registry value before it was modified | -| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | -| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | -| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | -| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | -| InitiatingProcessFileName | string | Name of the process that initiated the event | -| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | -| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | -| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | -| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | -| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | -| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| `Timestamp` | datetime | Date and time when the event was recorded | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `ActionType` | string | Type of activity that triggered the event | +| `RegistryKey` | string | Registry key that the recorded action was applied to | +| `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | +| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to | +| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to | +| `PreviousRegistryValueName` | string | Original name of the registry value before it was modified | +| `PreviousRegistryValueData` | string | Original data of the registry value before it was modified | +| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | +| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | +| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | +| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | +| `InitiatingProcessFileName` | string | Name of the process that initiated the event | +| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | +| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | +| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started | +| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event | +| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event | +| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | +| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | +| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index 33df9bb93f..7211e19c61 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md @@ -1,5 +1,5 @@ --- -title: Overview of Advanced hunting +title: Overview of advanced hunting description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto search.product: eADQiWindows 10XVcnh @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# Proactively hunt for threats with Advanced hunting +# Proactively hunt for threats with advanced hunting **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -28,9 +28,9 @@ Advanced hunting is a query-based threat-hunting tool that lets you explore up t You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines. -## Get started with Advanced hunting +## Get started with advanced hunting -We recommend going through several steps to quickly get up and running with Advanced hunting. +We recommend going through several steps to quickly get up and running with advanced hunting. | Learning goal | Description | Resource | |--|--|--| @@ -41,7 +41,7 @@ We recommend going through several steps to quickly get up and running with Adva ## Get help as you write queries Take advantage of the following functionality to write queries faster: -- **Autosuggest** — as you write queries, Advanced hunting provides suggestions. +- **Autosuggest** — as you write queries, advanced hunting provides suggestions. - **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor. ## Drilldown from query results @@ -54,14 +54,14 @@ Right-click a value in the result set to quickly enhance your query. You can use - Exclude the selected value from the query (`!=`) - Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with` -![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png) +![Image of Microsoft Defender ATP advanced hunting result set](images/atp-advanced-hunting-results-filter.png) ## Filter the query results The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances. Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude. -![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png) +![Image of advanced hunting filter](images/atp-filter-advanced-hunting.png) Once you apply the filter to modify the query and then run the query, the results are updated accordingly. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index 33817ad10f..0b30e86cd8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -1,6 +1,6 @@ --- -title: Learn the Advanced hunting query language -description: Create your first threat hunting query and learn about common operators and other aspects of the Advanced hunting query language +title: Learn the advanced hunting query language +description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,14 +18,14 @@ ms.topic: article ms.date: 10/08/2019 --- -# Learn the Advanced hunting query language +# Learn the advanced hunting query language **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) -Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query. +Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query. ## Try your first query @@ -45,9 +45,9 @@ DeviceProcessEvents | top 100 by Timestamp ``` -This is how it will look like in Advanced hunting. +This is how it will look like in advanced hunting. -![Image of Microsoft Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png) +![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example.png) ### Describe the query and specify the table to search The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization. @@ -91,9 +91,9 @@ Now that your query clearly identifies the data you want to locate, you can add Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results. -## Learn common query operators for Advanced hunting +## Learn common query operators for advanced hunting -Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by Advanced hunting supports a range of operators, including the following common ones. +Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones. | Operator | Description and usage | |--|--| @@ -108,11 +108,11 @@ Now that you've run your first query and have a general idea of its components, | **makeset** | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. | | **find** | Find rows that match a predicate across a set of tables. | -To see a live example of these operators, run them from the **Get started** section of the Advanced hunting page. +To see a live example of these operators, run them from the **Get started** section of the advanced hunting page. ## Understand data types -Data in Advanced hunting tables are generally classified into the following data types. +Data in advanced hunting tables are generally classified into the following data types. | Data type | Description and query implications | |--|--| @@ -126,7 +126,7 @@ Data in Advanced hunting tables are generally classified into the following data The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them. -![Image of Advanced hunting window](images/atp-advanced-hunting.png) +![Image of advanced hunting window](images/atp-advanced-hunting.png) > [!NOTE] > Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index ad7829bfa9..8fd07c3b19 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -1,6 +1,6 @@ --- -title: Advanced hunting schema reference -description: Learn about the tables in the Advanced hunting schema to understand the data you can run threat hunting queries on +title: advanced hunting schema reference +description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, data search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# Understand the Advanced hunting schema +# Understand the advanced hunting schema **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -27,13 +27,13 @@ ms.date: 10/08/2019 [!include[Prerelease information](../../includes/prerelease.md)] -The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema. +The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. ## Schema tables -The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table. +The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table. -Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen. +Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the advanced hunting screen. | Table name | Description | |------------|-------------| @@ -47,10 +47,10 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events | | **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events | | **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | -| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Vulnerabilities in your software inventory | -| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Publicly-available vulnerabilities and whether they exist in your software inventory | -| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Security configuration assessment information | -| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Basis of security configuration assessment such as security industry standards and benchmarks | +| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products | +| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available | +| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices | +| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md index d32a485fd7..c086fd1418 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -1,5 +1,5 @@ --- -title: Use shared queries in Advanced hunting +title: Use shared queries in advanced hunting description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization. keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries search.product: eADQiWindows 10XVcnh @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/08/2019 --- -# Use shared queries in Advanced hunting +# Use shared queries in advanced hunting **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -54,10 +54,10 @@ You can save a new or existing query so that it is only accessible to you or sha 2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query. ## Access queries in the GitHub repository -Microsoft security researchers regularly share Advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/). +Microsoft security researchers regularly share advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/). >[!TIP] ->Microsoft security researchers also provide Advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center. +>Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center. ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md index 3fd747d1c7..ba92db654a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md @@ -1,6 +1,6 @@ --- -title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema -description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information. +title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema +description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information. keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -28,21 +28,21 @@ ms.date: 11/12/2019 [!include[Prerelease information](../../includes/prerelease.md)] -Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant. +Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| -| Timestamp | datetime |Date and time when the record was generated | -| ConfigurationId | string | Unique identifier for a specific configuration | -| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | -| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | -| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) | -| IsCompliant | boolean | Indicates whether the configuration or policy is properly configured | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| +| `Timestamp` | datetime |Date and time when the record was generated | +| `ConfigurationId` | string | Unique identifier for a specific configuration | +| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | +| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | +| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) | +| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md index 5da1e8e986..9ea78ad918 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md @@ -1,6 +1,6 @@ --- -title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema -description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. +title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema +description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the advanced hunting schema. keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -28,22 +28,22 @@ ms.date: 11/12/2019 [!include[Prerelease information](../../includes/prerelease.md)] -The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table. +The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| ConfigurationId | string | Unique identifier for a specific configuration | -| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) | -| ConfigurationName | string | Display name of the configuration | -| ConfigurationDescription | string | Description of the configuration | -| RiskDescription | string | Description of the associated risk | -| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls| -| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | -| ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration | -| RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques related to the configuration | -| RelatedMitreTactics | string | List of Mitre ATT&CK framework tactics related to the configuration | +| `ConfigurationId` | string | Unique identifier for a specific configuration | +| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) | +| `ConfigurationName` | string | Display name of the configuration | +| `ConfigurationDescription` | string | Description of the configuration | +| `RiskDescription` | string | Description of the associated risk | +| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls| +| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | +| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration | +| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration | +| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md index 63fa5e1590..ff9eac991d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md @@ -1,6 +1,6 @@ --- -title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema -description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the Advanced hunting schema. +title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema +description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema. keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -29,22 +29,22 @@ ms.date: 11/12/2019 [!include[Prerelease information](../../includes/prerelease.md)] -The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table. +The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| DeviceId | string | Unique identifier for the machine in the service | -| DeviceName | string | Fully qualified domain name (FQDN) of the machine | -| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | -| OSVersion | string | Version of the operating system running on the machine | -| OSArchitecture | string | Architecture of the operating system running on the machine | -| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | -| SoftwareName | string | Name of the software product | -| SoftwareVersion | string | Version number of the software product | -| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | -| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | +| `OSVersion` | string | Version of the operating system running on the machine | +| `OSArchitecture` | string | Architecture of the operating system running on the machine | +| `SoftwareVendor` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | +| `SoftwareName` | string | Name of the software product | +| `SoftwareVersion` | string | Version number of the software product | +| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | +| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md index 754894ddbf..902684edc0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md @@ -1,6 +1,6 @@ --- -title: DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema -description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the Advanced hunting schema. +title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema +description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -28,20 +28,20 @@ ms.date: 11/12/2019 [!include[Prerelease information](../../includes/prerelease.md)] -The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table. +The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table. -For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | -| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) | -| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available | -| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | -| LastModifiedTime | datetime | Date and time the item or related metadata was last modified | -| PublishedDate | datetime | Date vulnerability was disclosed to public | -| VulnerabilityDescription | string | Description of vulnerability and associated risks | -| AffectedSoftware | string | List of all software products affected by the vulnerability | +| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | +| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) | +| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available | +| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | +| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified | +| `PublishedDate` | datetime | Date vulnerability was disclosed to public | +| `VulnerabilityDescription` | string | Description of vulnerability and associated risks | +| `AffectedSoftware` | string | List of all software products affected by the vulnerability | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 84f22f9ef0..e4e202f76f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -46,7 +46,7 @@ For information about configuring attack surface reduction rules, see [Enable at Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment. +You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. Here is an example query: diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 44d145c9e9..ae15f3e5c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -51,7 +51,7 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. Here is an example query diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 854e4f2e9b..90c461b3d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -117,7 +117,7 @@ You can also take the following actions on the rule from this page: - **Run** — run the rule immediately. This also resets the interval for the next run. - **Edit** — modify the rule without changing the query -- **Modify query** — edit the query in Advanced hunting +- **Modify query** — edit the query in advanced hunting - **Turn on** / **Turn off** — enable the rule or stop it from running - **Delete** — turn off the rule and remove it @@ -127,5 +127,5 @@ You can also take the following actions on the rule from this page: ## Related topic - [Custom detections overview](overview-custom-detections.md) - [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the Advanced hunting query language](advanced-hunting-query-language.md) +- [Learn the advanced hunting query language](advanced-hunting-query-language.md) - [View and organize alerts](alerts-queue.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index c7ae3aac79..ccab9e8250 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md @@ -152,7 +152,7 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature. -Hunt for attack evidence through Advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics. +Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics. ## Simulation results diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index 2642c7655d..29df4eb11a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -49,7 +49,7 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how exploit protection settings could affect your environment. Here is an example query: diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index b1a6786f57..cdcb26b8fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -52,7 +52,7 @@ Windows 10 version 1709 or later | [Windows Defender AV real-time protection](.. Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled. Here is an example query diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 03e0f5ca62..470e593502 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -1,7 +1,7 @@ --- title: Overview of custom detections in Microsoft Defender ATP ms.reviewer: -description: Understand how you can use Advanced hunting to create custom detections and generate alerts +description: Understand how you can use advanced hunting to create custom detections and generate alerts keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -28,7 +28,7 @@ With custom detections, you can proactively monitor for and respond to various e Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. Custom detections provide: -- Alerts for rule-based detections built from Advanced hunting queries +- Alerts for rule-based detections built from advanced hunting queries - Automatic response actions that apply to files and machines >[!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 07e1d96848..a092af970c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -46,7 +46,7 @@ The following features are included in the preview release: - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy). -- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table)
You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase. +- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table)
You can now use the Threat & Vulnerability Management tables in the advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase. - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 93c0a3388e..df23634446 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -159,7 +159,7 @@ When an exception is created for a recommendation, the recommendation is no long 6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). ![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png) -## Use Advanced hunting query to search for machines with High active alerts or critical CVE public exploit +## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit 1. Go to **Advanced hunting** from the left-hand navigation pane. @@ -193,5 +193,5 @@ DeviceName=any(DeviceName) by DeviceId, AlertId - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Advanced hunting overview](overview-hunting.md) -- [All Advanced hunting tables](advanced-hunting-reference.md) +- [All advanced hunting tables](advanced-hunting-reference.md) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 7e542c0b65..252b58265c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -94,7 +94,7 @@ For more information preview features, see [Preview features](https://docs.micro - [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
Controlled folder access is now supported on Windows Server 2019. -- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. +- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules. - [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. @@ -120,7 +120,7 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe ## March 2018 - [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
-Query data using Advanced hunting in Microsoft Defender ATP. +Query data using advanced hunting in Microsoft Defender ATP. - [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
New attack surface reduction rules: From 461d264ccfc7659096504d240df21884eff1adb0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 15:19:16 -0800 Subject: [PATCH 06/45] Create why-use-microsoft-antivirus.md --- .../why-use-microsoft-antivirus.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md new file mode 100644 index 0000000000..9be9c9e46b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -0,0 +1,21 @@ +--- +title: Why you should use Windows Defender Antivirus +description: For best results, use Windows Defender Antivirus together with your other Microsoft offerings. +keywords: windows defender, antivirus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.date: 12/16/2019 +ms.reviewer: +manager: dansimp +--- + +# 10 good reasons to use Windows Defender Antivirus + From 292c733577dd0861301b851525ea2df78dfa957c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 15:20:13 -0800 Subject: [PATCH 07/45] Update TOC.md --- windows/security/threat-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 1df34b54fd..04fa998be4 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -42,6 +42,7 @@ #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) ### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +#### [10 good reasons to use Windows Defender Antivirus](windows-defender-antivirus/why-use-microsoft-antivirus.md) ### [Endpoint detection and response]() #### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md) From 29d4bd1b3c02fbcdb74b95604914b92a5d484bf6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 15:22:00 -0800 Subject: [PATCH 08/45] Update why-use-microsoft-antivirus.md --- .../why-use-microsoft-antivirus.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 9be9c9e46b..0f00488c07 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -1,5 +1,5 @@ --- -title: Why you should use Windows Defender Antivirus +title: Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection description: For best results, use Windows Defender Antivirus together with your other Microsoft offerings. keywords: windows defender, antivirus search.product: eADQiWindows 10XVcnh @@ -17,5 +17,7 @@ ms.reviewer: manager: dansimp --- -# 10 good reasons to use Windows Defender Antivirus +# 10 good reasons to use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection + + From a30c0bf942e3a403c744abd3a9bee24d33d61ee9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 15:28:35 -0800 Subject: [PATCH 09/45] Update why-use-microsoft-antivirus.md --- .../windows-defender-antivirus/why-use-microsoft-antivirus.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 0f00488c07..9d1b5915b0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -19,5 +19,7 @@ manager: dansimp # 10 good reasons to use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection +Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). Although you can integrate non-Microsoft antivirus offerings with Microsoft Defender ATP, there are at least 10 good reasons to use Windows Defender Antivirus together with Microsoft Defender ATP. This article summarizes those reasons and provides links to additional information. + From 404485293ea8bcbcd6d7cdc9b9ac1d4873f91c8e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 15:40:56 -0800 Subject: [PATCH 10/45] Update why-use-microsoft-antivirus.md --- .../why-use-microsoft-antivirus.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 9d1b5915b0..55818c1fba 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -19,7 +19,20 @@ manager: dansimp # 10 good reasons to use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection -Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). Although you can integrate non-Microsoft antivirus offerings with Microsoft Defender ATP, there are at least 10 good reasons to use Windows Defender Antivirus together with Microsoft Defender ATP. This article summarizes those reasons and provides links to additional information. +Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). Although you can use a non-Microsoft antivirus offering with Microsoft Defender ATP, there are certain advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. + +The following table summarizes 10 good reasons to use Windows Defender Antivirus together with Microsoft Defender ATP. + +|Item |Description | +|--|--| +|File recovery via OneDrive |If your device is attacked by ransomware and protection through Windows Defender Antivirus with Microsoft Defender ATP is in place, your files are protected and recoverable. | +|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. | +|File blocking |Your organization's security team can block specific files. | +|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus.) | +|Details about blocked malware | | + + + From bbb471f0915c0ccc32e55ffeb379efac7b14ccf4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 15:42:58 -0800 Subject: [PATCH 11/45] Update TOC.md --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 04fa998be4..b82183f8e1 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -42,7 +42,7 @@ #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) ### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -#### [10 good reasons to use Windows Defender Antivirus](windows-defender-antivirus/why-use-microsoft-antivirus.md) +#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md) ### [Endpoint detection and response]() #### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md) From 9f80e7c29e334a753b8ce9685a048deda1cb6595 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 15:49:53 -0800 Subject: [PATCH 12/45] Update why-use-microsoft-antivirus.md --- .../why-use-microsoft-antivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 55818c1fba..3398562837 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -25,9 +25,9 @@ The following table summarizes 10 good reasons to use Windows Defender Antivirus |Item |Description | |--|--| -|File recovery via OneDrive |If your device is attacked by ransomware and protection through Windows Defender Antivirus with Microsoft Defender ATP is in place, your files are protected and recoverable. | -|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. | -|File blocking |Your organization's security team can block specific files. | +|File recovery via OneDrive |If you are using Office 365 and your device is attacked by ransomware, with Windows Defender Antivirus in place, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| +|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| +|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| |Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus.) | |Details about blocked malware | | From e3330282ee896d152d25f6b850f9d9d95676da1e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 16:03:06 -0800 Subject: [PATCH 13/45] Update why-use-microsoft-antivirus.md --- .../why-use-microsoft-antivirus.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 3398562837..1c30dcc1bc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -17,19 +17,22 @@ ms.reviewer: manager: dansimp --- -# 10 good reasons to use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection +# Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). Although you can use a non-Microsoft antivirus offering with Microsoft Defender ATP, there are certain advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. -The following table summarizes 10 good reasons to use Windows Defender Antivirus together with Microsoft Defender ATP. +## Reasons to use Windows Defender Antivirus together with Microsoft Defender ATP |Item |Description | |--|--| -|File recovery via OneDrive |If you are using Office 365 and your device is attacked by ransomware, with Windows Defender Antivirus in place, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| +|File recovery via OneDrive |If you are using Windows Defender Antivirus together with Office 365, and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| |Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| |File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| -|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus.) | -|Details about blocked malware | | +|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | +|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. For example, NEED AN EXAMPLE HERE. [Understand malware & other threats](../intelligence/understanding-malware.md).| +| | | + +## Learn more From 98ca2ad318b5ccdd3e7f2a8445c65c5992d38637 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 16:08:39 -0800 Subject: [PATCH 14/45] Update why-use-microsoft-antivirus.md --- .../windows-defender-antivirus/why-use-microsoft-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 1c30dcc1bc..705812e263 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -30,7 +30,7 @@ Windows Defender Antivirus is the next-generation protection component of [Micro |File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| |Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | |Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. For example, NEED AN EXAMPLE HERE. [Understand malware & other threats](../intelligence/understanding-malware.md).| -| | | +|Threat analytics and Secure Score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information than would be available with non-Microsoft antivirus offerings. | ## Learn more From 117de2dd4594e6285c630de94bfe3792e8c89fa8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 16:21:20 -0800 Subject: [PATCH 15/45] Update why-use-microsoft-antivirus.md --- .../why-use-microsoft-antivirus.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 705812e263..9bb5701701 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -30,7 +30,11 @@ Windows Defender Antivirus is the next-generation protection component of [Micro |File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| |Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | |Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. For example, NEED AN EXAMPLE HERE. [Understand malware & other threats](../intelligence/understanding-malware.md).| -|Threat analytics and Secure Score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information than would be available with non-Microsoft antivirus offerings. | +|Threat analytics and Secure Score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | +|Geographic location |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | +|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. | +|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. | +|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. | ## Learn more From fd5ea9a12e1731d76979662ed8f0239873592aeb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 16:34:54 -0800 Subject: [PATCH 16/45] Update why-use-microsoft-antivirus.md --- .../why-use-microsoft-antivirus.md | 30 +++++++++++-------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 9bb5701701..76a9dc4531 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -21,23 +21,27 @@ manager: dansimp Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). Although you can use a non-Microsoft antivirus offering with Microsoft Defender ATP, there are certain advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. -## Reasons to use Windows Defender Antivirus together with Microsoft Defender ATP +## 10 good reasons to use Windows Defender Antivirus together with Microsoft Defender ATP -|Item |Description | -|--|--| -|File recovery via OneDrive |If you are using Windows Defender Antivirus together with Office 365, and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| -|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| -|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| -|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | -|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. For example, NEED AN EXAMPLE HERE. [Understand malware & other threats](../intelligence/understanding-malware.md).| -|Threat analytics and Secure Score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | -|Geographic location |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | -|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. | -|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. | -|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. | +| |Item |Description | +|--|--|--| +|1|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise/), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| +|2|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| +|3|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| +|4|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | +|5|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. For example, NEED AN EXAMPLE HERE. [Understand malware & other threats](../intelligence/understanding-malware.md).| +|6|Threat analytics and Secure Score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | +|7|Geographic location |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | +|8|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).| +|9|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). | +|10|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | ## Learn more +[Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) + +[Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) + From 8e25b143b8f90103e8e4b755e735250fc135a316 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 16:35:24 -0800 Subject: [PATCH 17/45] Update why-use-microsoft-antivirus.md --- .../windows-defender-antivirus/why-use-microsoft-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 76a9dc4531..37c4870a73 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -29,7 +29,7 @@ Windows Defender Antivirus is the next-generation protection component of [Micro |2|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| |3|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| |4|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | -|5|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. For example, NEED AN EXAMPLE HERE. [Understand malware & other threats](../intelligence/understanding-malware.md).| +|5|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).| |6|Threat analytics and Secure Score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | |7|Geographic location |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | |8|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).| From 3e2a9b4403449438dab86dcecd4d9eb373157a78 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 16:36:49 -0800 Subject: [PATCH 18/45] Update why-use-microsoft-antivirus.md --- .../windows-defender-antivirus/why-use-microsoft-antivirus.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 37c4870a73..62477a4bd2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -19,6 +19,10 @@ manager: dansimp # Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). Although you can use a non-Microsoft antivirus offering with Microsoft Defender ATP, there are certain advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. ## 10 good reasons to use Windows Defender Antivirus together with Microsoft Defender ATP From aab308ea39ec4f5ab559d64368f3a681040b525c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Dec 2019 16:37:42 -0800 Subject: [PATCH 19/45] Update why-use-microsoft-antivirus.md --- .../windows-defender-antivirus/why-use-microsoft-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 62477a4bd2..f67ed7f3d9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -34,8 +34,8 @@ Windows Defender Antivirus is the next-generation protection component of [Micro |3|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| |4|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | |5|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).| -|6|Threat analytics and Secure Score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | -|7|Geographic location |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | +|6|Threat analytics and your secure score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | +|7|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | |8|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).| |9|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). | |10|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | From 0c8e00a7c9c9e683d1c044ede5e0843187f9fa62 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Dec 2019 15:53:56 -0800 Subject: [PATCH 20/45] Update why-use-microsoft-antivirus.md Dan's edits --- .../why-use-microsoft-antivirus.md | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index f67ed7f3d9..453c51417a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -23,22 +23,25 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). Although you can use a non-Microsoft antivirus offering with Microsoft Defender ATP, there are certain advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. +Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). -## 10 good reasons to use Windows Defender Antivirus together with Microsoft Defender ATP +Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is it an excellent, next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as Endpoint Detection and Response and Automated Investigation and Remediation, you'll see better protection that's coordinated across products. + +## 10 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP | |Item |Description | |--|--|--| -|1|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise/), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| -|2|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| -|3|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| -|4|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | -|5|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).| -|6|Threat analytics and your secure score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | -|7|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | -|8|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).| -|9|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). | -|10|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | +|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | +|2|Threat analytics and your secure score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | +|3|Performance |Microsoft Defender ATP is designed to work with Windows Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).| +|4|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).| +|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| +|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| +|7|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | +|8|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | +|9|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise/), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| +|10|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). | + ## Learn more From 29da149af497bad2915f28d4055df30b5dfab4d3 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 26 Dec 2019 16:31:11 -0800 Subject: [PATCH 21/45] Create troubleshoot-event-id-41-restart.md --- .../troubleshoot-event-id-41-restart.md | 116 ++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 windows/client-management/troubleshoot-event-id-41-restart.md diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md new file mode 100644 index 0000000000..36f16e5e74 --- /dev/null +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -0,0 +1,116 @@ +--- +title: Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first" +description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue +author: Teresa-Motiv +ms.author: v-tea +ms.date: 12/26/2019 +ms.prod: W10 +ms.topic: article +ms.custom: +- CI 111437 +- CSSTroubleshooting +audience: ITPro +ms.localizationpriority: medium +keywords: +manager: kaushika + +--- + +# Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first" + +> **Home users** +> This article is intended for use by support agents and IT professionals. If you're looking for more information about blue screen error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). + +The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. Then the operating system closes all files and notifies the running services and applications so that they can write any data to disk and flush any caches. + +If your computer shuts down unexpectedly, Windows logs an event that resembles the following the next time the computer starts: + +> Event ID: 41 +> Description: The system has rebooted without cleanly shutting down first. + +This event indicates that something unexpected happened that prevented Windows from shutting down correctly. Causes for such a shutdown include an interruption in the power supply or a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and, if they are present, includes them in the event data of Event ID 41. + +## How to use Event ID 41 when troubleshooting an unexpected shutdown or restart + +By itself, Event ID 41 might not contain sufficient information to explicitly define what happened. Typically, you have to also consider what was happening at the time of the unexpected shutdown (for example, whether the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: + +- [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a bug check code +- [Scenario 2](#scen2): The computer restarts because you pressed and held the power button +- Scenario 3: The computer restarts randomly or becomes completely unresponsive, and Event ID 41 is missing or does not include error code information + +### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a bug check code + +When a computer shuts down or restarts because of a Stop error, Windows includes the Stop error data in Event ID 41 as part of the additional event data. This information includes the Stop error code (also called a bug check code), as shown in the following example: + +> EventData +> BugcheckCode 159 +> BugcheckParameter1 0x3 +> BugcheckParameter2 0xfffffa80029c5060 +> BugcheckParameter3 0xfffff8000403d518 +> BugcheckParameter4 0xfffffa800208c010 +> SleepInProgress false +> PowerButtonTimestamp 0Converts to 0x9f (0x3, 0xfffffa80029c5060, 0xfffff8000403d518, 0xfffffa800208c010) + +> [!NOTE] +> Event ID 41 includes the bug check code in decimal format. Most documentation on Stop error codes reference the code as a hexadecimal value instead of a decimal value. To convert decimal to hexadecimal, follow these steps: +> +> 1. Select **Start**, and then type **calc** in the **Search** box. +> 1. In the Calculator window, select **View** > **Programmer**. +> 1. On the left side of calculator, make sure that **Dec** is selected. +> 1. Use the keyboard to enter the decimal value of the **BugcheckCode** parameter. +> 1. On the left side of the calculator, select **Hex**. +> The value that the calculator displays is now the hexadecimal code. +> +> In the case of the example event data in this article, "159" converts to 0x0000009f. When a BugcheckCode entry is converted to a hexadecimal format, it should have eight digits. For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. + +After you identify the hexadecimal value, use the following references to continue troubleshooting: + +- [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md). +- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes. +- [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](https://blogs.technet.microsoft.com/askcore/2008/10/31/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners/). + +### Scenario 2: The computer restarts because you pressed and held the power button + +Because this method of restarting the computer interferes with Windows shutdown operations, we recommend only using this method if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the resulting Event ID 41 includes a non-zero value for the PowerButtonTimestamp entry. + +For help with troubleshooting an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." + +For more information about a specific situation in which a computer may stop responding, see KB 974476, [The computer stops responding when an USB device resumes from the USB Selective Suspend state in Windows 7 or in Windows Server 2008 R2](https://support.microsoft.com/help/974476/the-computer-stops-responding-when-an-usb-device-resumes-from-the-usb). + +### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero + +This scenario includes the following circumstances: + +- You shut off power to an unresponsive computer, then start it again. + To verify that a computer is unresponsive, press the CAPS LOCK key on the keyboard. If the CAPS LOCK light on the keyboard does not change when you press the CAPS LOCK key, the computer might be completely unresponsive (also called a hard hang). +- The computer restarts, but does not generate Event ID 41. +- The computer restarts and generates Event ID 41, but the **BugcheckCode** and **PowerButtonTimestamp** values are zero. + +In such cases, something prevents Windows from generating error codes or from writing error codes to disk. Something might block write access to the disk (as in the case of an unresponsive computer) or the computer might shut down too quickly to write the error codes or even detect an error. + +The information in Event ID 41 provides some indication of where to start checking for problems: + +- **Event ID 41 is missing or the bug check code is zero**. This behavior might indicate a power supply problem. If the power supply to a computer is interrupted, the computer might shut down without generating a Stop error. If it does generate a Stop error, it might not finish writing the error codes to disk. The next time the computer starts, it might not log Event ID 41, or if it does, the bug check code is zero. Conditions such as the following might be the cause: + - In the case of a portable computer, the battery was removed or completely drained. + - In the case of a desktop computer, the computer was unplugged or was subject to a power outage. + - The power supply might be underpowered or faulty. + +- **The PowerButtonTimestamp value is zero**. This behavior might result if you disconnected power to a computer that was not responding to input. Conditions such as the following might be the cause: + - A Windows process blocked write access to the disk, and you shut down the computer by pressing and holding the power button for at least four seconds. + - You disconnected power to an unresponsive computer. + +Typically, the symptoms that this scenario describes indicate a hardware problem. To help isolate the problem, do the following: + +- **Disable overclocking**. If the computer has overclocking enabled, disable it. Verify whether the issue occurs when the system runs at the correct speed. +- **Check the memory**. Use a memory checker to verify the memory health and configuration. Verify that each memory chip is the same speed and that it is configured correctly in the system. +- **Check the power supply**. Make sure that the power supply has enough wattage to appropriately handle the installed devices. If you added memory, installed a newer processor, installed additional drives, or added external devices, such devices can require more energy than the current power supply can provide consistently. If the computer logged Event ID 41 because power to the computer was interrupted, consider obtaining an uninterruptible power supply (UPS) such as a battery backup power supply. +- **Overheating**. Examine the internal temperature of the hardware to verify that the system is not overheating. + +If you perform these checks and still cannot isolate the problem, set the system to its default configuration and verify whether the issue still occurs. + +> [!NOTE] +> If the computer reports a Stop error message that includes a bug check code, but Event ID 41 does not include that code, change the restart behavior for the computer. To do this, follow these steps: +> +> 1. Right-click **My Computer**, then select **Properties** > **Advanced system settings** > **Advanced**. +> 1. In the **Startup and Recovery** section, select **Settings**. +> 1. Clear the **Automatically restart** checkbox. From 79e763b13bb1ae57ea051245d5e5ca936cbbc148 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 26 Dec 2019 17:47:24 -0800 Subject: [PATCH 22/45] Metadata update, TOC edit --- windows/client-management/TOC.md | 1 + windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 8da971ed53..cb93e0fb3b 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -31,5 +31,6 @@ #### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md) #### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md) #### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md) +#### [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) ## [Mobile device management for solution providers](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 36f16e5e74..7d3b955dcb 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -4,7 +4,7 @@ description: Describes the circumstances that cause a computer to generate Event author: Teresa-Motiv ms.author: v-tea ms.date: 12/26/2019 -ms.prod: W10 +ms.prod: w10 ms.topic: article ms.custom: - CI 111437 From 863411f8113a28fa8de8d30f41faa501a61f5bc6 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 26 Dec 2019 17:50:26 -0800 Subject: [PATCH 23/45] Added listing --- .../client-management/change-history-for-client-management.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index 8eabad806b..adb273d21f 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -9,7 +9,7 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 12/13/2019 +ms.date: 12/27/2019 ms.reviewer: manager: dansimp ms.topic: article @@ -24,6 +24,7 @@ This topic lists new and updated topics in the [Client management](index.md) doc New or changed topic | Description --- | --- [Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New +[Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New ## December 2018 From cc278df88d8b8153ad1c768304933e2a8bbb73bf Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 26 Dec 2019 17:57:36 -0800 Subject: [PATCH 24/45] Added link to new topic --- .../advanced-troubleshooting-boot-problems.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index a9442e6fe9..5986263a1e 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -220,7 +220,6 @@ If Windows cannot load the system registry hive into memory, you must restore th If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. - ## Kernel Phase If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following: @@ -228,8 +227,9 @@ If the system gets stuck during the kernel phase, you experience multiple sympto - A Stop error appears after the splash screen (Windows Logo screen). - Specific error code is displayed. - For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) + For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. + - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) + - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) - The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. From 1aaff3631f82901a02ac158556c05eea63ae2de4 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 27 Dec 2019 08:45:55 -0800 Subject: [PATCH 25/45] Link fix --- windows/client-management/troubleshoot-event-id-41-restart.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 7d3b955dcb..e6cb1aa7c9 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -36,7 +36,7 @@ By itself, Event ID 41 might not contain sufficient information to explicitly de - [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a bug check code - [Scenario 2](#scen2): The computer restarts because you pressed and held the power button -- Scenario 3: The computer restarts randomly or becomes completely unresponsive, and Event ID 41 is missing or does not include error code information +- [Scenario 3](#scen2): The computer restarts randomly or becomes completely unresponsive, and Event ID 41 is missing or does not include error code information ### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a bug check code @@ -77,7 +77,7 @@ For help with troubleshooting an unresponsive computer, see [Windows Help](https For more information about a specific situation in which a computer may stop responding, see KB 974476, [The computer stops responding when an USB device resumes from the USB Selective Suspend state in Windows 7 or in Windows Server 2008 R2](https://support.microsoft.com/help/974476/the-computer-stops-responding-when-an-usb-device-resumes-from-the-usb). -### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero +### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero This scenario includes the following circumstances: From f6faca985df4a7deb2085af580a5ae53be2d5cdc Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 27 Dec 2019 08:49:01 -0800 Subject: [PATCH 26/45] Link fix --- windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index e6cb1aa7c9..ce4051c23d 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -36,7 +36,7 @@ By itself, Event ID 41 might not contain sufficient information to explicitly de - [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a bug check code - [Scenario 2](#scen2): The computer restarts because you pressed and held the power button -- [Scenario 3](#scen2): The computer restarts randomly or becomes completely unresponsive, and Event ID 41 is missing or does not include error code information +- [Scenario 3](#scen2): The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero ### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a bug check code From 7feda4b2d37c9b48bba7c289b710ad8a9421cb32 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 27 Dec 2019 09:13:57 -0800 Subject: [PATCH 27/45] Edits --- .../troubleshoot-event-id-41-restart.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index ce4051c23d..b3cae5846a 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -30,6 +30,15 @@ If your computer shuts down unexpectedly, Windows logs an event that resembles t This event indicates that something unexpected happened that prevented Windows from shutting down correctly. Causes for such a shutdown include an interruption in the power supply or a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and, if they are present, includes them in the event data of Event ID 41. +> EventData +> BugcheckCode 159 +> BugcheckParameter1 0x3 +> BugcheckParameter2 0xfffffa80029c5060 +> BugcheckParameter3 0xfffff8000403d518 +> BugcheckParameter4 0xfffffa800208c010 +> SleepInProgress false +> PowerButtonTimestamp 0Converts to 0x9f (0x3, 0xfffffa80029c5060, 0xfffff8000403d518, 0xfffffa800208c010) + ## How to use Event ID 41 when troubleshooting an unexpected shutdown or restart By itself, Event ID 41 might not contain sufficient information to explicitly define what happened. Typically, you have to also consider what was happening at the time of the unexpected shutdown (for example, whether the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: @@ -48,8 +57,6 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > BugcheckParameter2 0xfffffa80029c5060 > BugcheckParameter3 0xfffff8000403d518 > BugcheckParameter4 0xfffffa800208c010 -> SleepInProgress false -> PowerButtonTimestamp 0Converts to 0x9f (0x3, 0xfffffa80029c5060, 0xfffff8000403d518, 0xfffffa800208c010) > [!NOTE] > Event ID 41 includes the bug check code in decimal format. Most documentation on Stop error codes reference the code as a hexadecimal value instead of a decimal value. To convert decimal to hexadecimal, follow these steps: From d0c92ecbeaf4ee9345e4e901cc2b2eea2f501f40 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 27 Dec 2019 09:15:39 -0800 Subject: [PATCH 28/45] edits --- windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index b3cae5846a..01cf714e83 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -59,7 +59,7 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > BugcheckParameter4 0xfffffa800208c010 > [!NOTE] -> Event ID 41 includes the bug check code in decimal format. Most documentation on Stop error codes reference the code as a hexadecimal value instead of a decimal value. To convert decimal to hexadecimal, follow these steps: +> Event ID 41 includes the bug check code in decimal format. Most documentation that describes Stop error codes refers the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: > > 1. Select **Start**, and then type **calc** in the **Search** box. > 1. In the Calculator window, select **View** > **Programmer**. From 436e1e451e68f0860215891437bd21a0a208b1ae Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 27 Dec 2019 09:39:35 -0800 Subject: [PATCH 29/45] edits --- .../troubleshoot-event-id-41-restart.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 01cf714e83..6ebfafc0fd 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -61,14 +61,14 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > [!NOTE] > Event ID 41 includes the bug check code in decimal format. Most documentation that describes Stop error codes refers the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: > -> 1. Select **Start**, and then type **calc** in the **Search** box. +> 1. Select **Start**, type **calc** in the **Search** box, and then select **Calculator**. > 1. In the Calculator window, select **View** > **Programmer**. -> 1. On the left side of calculator, make sure that **Dec** is selected. -> 1. Use the keyboard to enter the decimal value of the **BugcheckCode** parameter. +> 1. On the left side of calculator, make sure that **Dec** is highlighted. +> 1. Use the keyboard to enter the decimal value of the bug check code. > 1. On the left side of the calculator, select **Hex**. > The value that the calculator displays is now the hexadecimal code. > -> In the case of the example event data in this article, "159" converts to 0x0000009f. When a BugcheckCode entry is converted to a hexadecimal format, it should have eight digits. For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. +> When you convert a bug check code to hexadecimal format, make sure that it has eight digits (the value preceded by "0x" + enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f. After you identify the hexadecimal value, use the following references to continue troubleshooting: @@ -78,7 +78,7 @@ After you identify the hexadecimal value, use the following references to contin ### Scenario 2: The computer restarts because you pressed and held the power button -Because this method of restarting the computer interferes with Windows shutdown operations, we recommend only using this method if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the resulting Event ID 41 includes a non-zero value for the PowerButtonTimestamp entry. +Because this method of restarting the computer interferes with Windows shutdown operations, we recommend only using this method if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the resulting Event ID 41 includes a non-zero value for the **PowerButtonTimestamp** entry. For help with troubleshooting an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." @@ -116,7 +116,7 @@ Typically, the symptoms that this scenario describes indicate a hardware problem If you perform these checks and still cannot isolate the problem, set the system to its default configuration and verify whether the issue still occurs. > [!NOTE] -> If the computer reports a Stop error message that includes a bug check code, but Event ID 41 does not include that code, change the restart behavior for the computer. To do this, follow these steps: +> If you see a Stop error message that includes a bug check code, but Event ID 41 does not include that code, change the restart behavior for the computer. To do this, follow these steps: > > 1. Right-click **My Computer**, then select **Properties** > **Advanced system settings** > **Advanced**. > 1. In the **Startup and Recovery** section, select **Settings**. From d9349086ba8b3d3ff3cdf29f3211c217a2d44d34 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 27 Dec 2019 10:31:45 -0800 Subject: [PATCH 30/45] Edits --- .../troubleshoot-event-id-41-restart.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 6ebfafc0fd..ac4cc1afbc 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -3,7 +3,7 @@ title: Advanced troubleshooting for Event ID 41 "The system has rebooted without description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue author: Teresa-Motiv ms.author: v-tea -ms.date: 12/26/2019 +ms.date: 12/27/2019 ms.prod: w10 ms.topic: article ms.custom: @@ -11,7 +11,7 @@ ms.custom: - CSSTroubleshooting audience: ITPro ms.localizationpriority: medium -keywords: +keywords: event id 41, reboot, restart, stop error, bug check code manager: kaushika --- @@ -45,7 +45,7 @@ By itself, Event ID 41 might not contain sufficient information to explicitly de - [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a bug check code - [Scenario 2](#scen2): The computer restarts because you pressed and held the power button -- [Scenario 3](#scen2): The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero +- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero ### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a bug check code @@ -111,7 +111,7 @@ Typically, the symptoms that this scenario describes indicate a hardware problem - **Disable overclocking**. If the computer has overclocking enabled, disable it. Verify whether the issue occurs when the system runs at the correct speed. - **Check the memory**. Use a memory checker to verify the memory health and configuration. Verify that each memory chip is the same speed and that it is configured correctly in the system. - **Check the power supply**. Make sure that the power supply has enough wattage to appropriately handle the installed devices. If you added memory, installed a newer processor, installed additional drives, or added external devices, such devices can require more energy than the current power supply can provide consistently. If the computer logged Event ID 41 because power to the computer was interrupted, consider obtaining an uninterruptible power supply (UPS) such as a battery backup power supply. -- **Overheating**. Examine the internal temperature of the hardware to verify that the system is not overheating. +- **Check for overheating**. Examine the internal temperature of the hardware to verify that the system is not overheating. If you perform these checks and still cannot isolate the problem, set the system to its default configuration and verify whether the issue still occurs. @@ -120,4 +120,4 @@ If you perform these checks and still cannot isolate the problem, set the system > > 1. Right-click **My Computer**, then select **Properties** > **Advanced system settings** > **Advanced**. > 1. In the **Startup and Recovery** section, select **Settings**. -> 1. Clear the **Automatically restart** checkbox. +> 1. Clear the **Automatically restart** check box. From 12a2f0c37afe1c7564772c7bacd69802e74ebf3b Mon Sep 17 00:00:00 2001 From: Mike Eggers <49650192+v-miegge@users.noreply.github.com> Date: Mon, 30 Dec 2019 10:01:15 -0800 Subject: [PATCH 31/45] Editing changes added v-miegge added editing changes from v-jesits. --- .../troubleshoot-event-id-41-restart.md | 62 +++++++++---------- 1 file changed, 30 insertions(+), 32 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index ac4cc1afbc..00344d5d62 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -19,16 +19,16 @@ manager: kaushika # Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first" > **Home users** -> This article is intended for use by support agents and IT professionals. If you're looking for more information about blue screen error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). +> This article is intended for use by support agents and IT professionals. If you're looking for more information about Stop code error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). -The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. Then the operating system closes all files and notifies the running services and applications so that they can write any data to disk and flush any caches. +The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. By using this standard method, the operating system closes all files and notifies the running services and applications so that they can write any unsaveddata to disk and flush any active caches. -If your computer shuts down unexpectedly, Windows logs an event that resembles the following the next time the computer starts: +If your computer shuts down unexpectedly, Windows logs Event ID 41 entry that resembles the following the next time that the computer starts: > Event ID: 41 > Description: The system has rebooted without cleanly shutting down first. -This event indicates that something unexpected happened that prevented Windows from shutting down correctly. Causes for such a shutdown include an interruption in the power supply or a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and, if they are present, includes them in the event data of Event ID 41. +This event indicates that some unexpected activity prevented Windows from shutting down correctly. Such a shutdown may be caused by an interruption in the power supply or by a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and includes any existing codes in the event data of Event ID 41. > EventData > BugcheckCode 159 @@ -39,15 +39,15 @@ This event indicates that something unexpected happened that prevented Windows f > SleepInProgress false > PowerButtonTimestamp 0Converts to 0x9f (0x3, 0xfffffa80029c5060, 0xfffff8000403d518, 0xfffffa800208c010) -## How to use Event ID 41 when troubleshooting an unexpected shutdown or restart +## How to use Event ID 41 when you troubleshoot an unexpected shutdown or restart -By itself, Event ID 41 might not contain sufficient information to explicitly define what happened. Typically, you have to also consider what was happening at the time of the unexpected shutdown (for example, whether the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: +By itself, Event ID 41 might not contain sufficient information to explicitly define what occured. Typically, you have to also consider what was occuring at the time of the unexpected shutdown (for example, the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: -- [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a bug check code +- [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code - [Scenario 2](#scen2): The computer restarts because you pressed and held the power button -- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero +- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is not recorded or the Event ID 41 entry lists error code values of zero -### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a bug check code +### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a Stop error code When a computer shuts down or restarts because of a Stop error, Windows includes the Stop error data in Event ID 41 as part of the additional event data. This information includes the Stop error code (also called a bug check code), as shown in the following example: @@ -59,59 +59,57 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > BugcheckParameter4 0xfffffa800208c010 > [!NOTE] -> Event ID 41 includes the bug check code in decimal format. Most documentation that describes Stop error codes refers the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: +> Event ID 41 includes the bug check code in decimal format. Most documentation that describes Stop error codes refer to the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: > > 1. Select **Start**, type **calc** in the **Search** box, and then select **Calculator**. -> 1. In the Calculator window, select **View** > **Programmer**. -> 1. On the left side of calculator, make sure that **Dec** is highlighted. +> 1. In the **Calculator** window, select **View** > **Programmer**. +> 1. On the left side of calculator, verify that **Dec** is highlighted. > 1. Use the keyboard to enter the decimal value of the bug check code. > 1. On the left side of the calculator, select **Hex**. > The value that the calculator displays is now the hexadecimal code. > -> When you convert a bug check code to hexadecimal format, make sure that it has eight digits (the value preceded by "0x" + enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f. +> When you convert a bug check code to hexadecimal format, verify that it has eight digits following the “0x” designation (that is, the part of the code after the “x” includes enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f. After you identify the hexadecimal value, use the following references to continue troubleshooting: - [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md). -- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes. +- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). (This page lists links to documentation for different bug check codes.) - [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](https://blogs.technet.microsoft.com/askcore/2008/10/31/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners/). ### Scenario 2: The computer restarts because you pressed and held the power button -Because this method of restarting the computer interferes with Windows shutdown operations, we recommend only using this method if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the resulting Event ID 41 includes a non-zero value for the **PowerButtonTimestamp** entry. +Because this method of restarting the computer interferes with the Windows shutdown operation, we recommend that you use this method only if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, Event ID 41 occurs and includes a non-zero value for the **PowerButtonTimestamp** entry. -For help with troubleshooting an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." +For help to troubleshoot an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." -For more information about a specific situation in which a computer may stop responding, see KB 974476, [The computer stops responding when an USB device resumes from the USB Selective Suspend state in Windows 7 or in Windows Server 2008 R2](https://support.microsoft.com/help/974476/the-computer-stops-responding-when-an-usb-device-resumes-from-the-usb). - -### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero +### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is not recorded or the Event ID 41 entry or lists error code values of zero This scenario includes the following circumstances: -- You shut off power to an unresponsive computer, then start it again. - To verify that a computer is unresponsive, press the CAPS LOCK key on the keyboard. If the CAPS LOCK light on the keyboard does not change when you press the CAPS LOCK key, the computer might be completely unresponsive (also called a hard hang). -- The computer restarts, but does not generate Event ID 41. +- You shut off power to an unresponsive computer, and then you restart the computer. + To verify that a computer is unresponsive, press the CAPS LOCK key on the keyboard. If the CAPS LOCK light on the keyboard does not change when you press the CAPS LOCK key, the computer might be completely unresponsive (also known as a *hard hang*). +- The computer restarts, but it does not generate Event ID 41. - The computer restarts and generates Event ID 41, but the **BugcheckCode** and **PowerButtonTimestamp** values are zero. In such cases, something prevents Windows from generating error codes or from writing error codes to disk. Something might block write access to the disk (as in the case of an unresponsive computer) or the computer might shut down too quickly to write the error codes or even detect an error. The information in Event ID 41 provides some indication of where to start checking for problems: -- **Event ID 41 is missing or the bug check code is zero**. This behavior might indicate a power supply problem. If the power supply to a computer is interrupted, the computer might shut down without generating a Stop error. If it does generate a Stop error, it might not finish writing the error codes to disk. The next time the computer starts, it might not log Event ID 41, or if it does, the bug check code is zero. Conditions such as the following might be the cause: +- **Event ID 41 is not recorded or the bug check code is zero**. This behavior might indicate a power supply problem. If the power to a computer is interrupted, the computer might shut down without generating a Stop error. If it does generate a Stop error, it might not finish writing the error codes to disk. The next time the computer starts, it might not log Event ID 41. Or, if it does, the bug check code is zero. Conditions such as the following might be the cause: - In the case of a portable computer, the battery was removed or completely drained. - - In the case of a desktop computer, the computer was unplugged or was subject to a power outage. - - The power supply might be underpowered or faulty. + - In the case of a desktop computer, the computer was unplugged or experienced a power outage. + - The power supply is underpowered or faulty. -- **The PowerButtonTimestamp value is zero**. This behavior might result if you disconnected power to a computer that was not responding to input. Conditions such as the following might be the cause: +- **The PowerButtonTimestamp value is zero**. This behavior might occur if you disconnected the power to a computer that was not responding to input. Conditions such as the following might be the cause: - A Windows process blocked write access to the disk, and you shut down the computer by pressing and holding the power button for at least four seconds. - - You disconnected power to an unresponsive computer. + - You disconnected the power to an unresponsive computer. -Typically, the symptoms that this scenario describes indicate a hardware problem. To help isolate the problem, do the following: +Typically, the symptoms described in this scenario indicate a hardware problem. To help isolate the problem, do the following: -- **Disable overclocking**. If the computer has overclocking enabled, disable it. Verify whether the issue occurs when the system runs at the correct speed. -- **Check the memory**. Use a memory checker to verify the memory health and configuration. Verify that each memory chip is the same speed and that it is configured correctly in the system. -- **Check the power supply**. Make sure that the power supply has enough wattage to appropriately handle the installed devices. If you added memory, installed a newer processor, installed additional drives, or added external devices, such devices can require more energy than the current power supply can provide consistently. If the computer logged Event ID 41 because power to the computer was interrupted, consider obtaining an uninterruptible power supply (UPS) such as a battery backup power supply. -- **Check for overheating**. Examine the internal temperature of the hardware to verify that the system is not overheating. +- **Disable overclocking**. If the computer has overclocking enabled, disable it. Verify that the issue occurs when the system runs at the correct speed. +- **Check the memory**. Use a memory checker to determine the memory health and configuration. Verify that all memory chips run at the same speed and that every chip is configured correctly in the system. +- **Check the power supply**. Verify that the power supply has enough wattage to appropriately handle the installed devices. If you added memory, installed a newer processor, installed additional drives, or added external devices, such devices can require more energy than the current power supply can provide consistently. If the computer logged Event ID 41 because the power to the computer was interrupted, consider obtaining an uninterruptible power supply (UPS) such as a battery backup power supply. +- **Check for overheating**. Examine the internal temperature of the hardware and check for any overheating components. If you perform these checks and still cannot isolate the problem, set the system to its default configuration and verify whether the issue still occurs. From 01becd9a16a75a2ab5da6208c265392c1db2629c Mon Sep 17 00:00:00 2001 From: Mike Eggers <49650192+v-miegge@users.noreply.github.com> Date: Mon, 30 Dec 2019 11:10:19 -0800 Subject: [PATCH 32/45] Edit to title --- windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 00344d5d62..c982cc7835 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -1,5 +1,5 @@ --- -title: Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first" +title: Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first" description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue author: Teresa-Motiv ms.author: v-tea From 0a7c062cad44e932bcb549054790751c48b01e4f Mon Sep 17 00:00:00 2001 From: Mike Eggers <49650192+v-miegge@users.noreply.github.com> Date: Mon, 30 Dec 2019 11:11:33 -0800 Subject: [PATCH 33/45] Update troubleshoot-event-id-41-restart.md --- windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index c982cc7835..3fbd3307c6 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -16,7 +16,7 @@ manager: kaushika --- -# Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first" +# Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first" > **Home users** > This article is intended for use by support agents and IT professionals. If you're looking for more information about Stop code error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). From 5c41d50767ba6f0d5a995ae653f1c3628de8db44 Mon Sep 17 00:00:00 2001 From: "v-tea@microsoft.com" <46357187+Teresa-Motiv@users.noreply.github.com> Date: Mon, 6 Jan 2020 10:31:00 -0800 Subject: [PATCH 34/45] Fixed metadata --- windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 3fbd3307c6..68298f3175 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -1,5 +1,5 @@ --- -title: Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first" +title: Advanced troubleshooting for Event ID 41 - "The system has rebooted without cleanly shutting down first" description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue author: Teresa-Motiv ms.author: v-tea From 81315641d81d7ce1d3f59b201bea8158adeadd58 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 6 Jan 2020 14:26:58 -0800 Subject: [PATCH 35/45] Update why-use-microsoft-antivirus.md --- .../windows-defender-antivirus/why-use-microsoft-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 453c51417a..3b2e7eacce 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 12/16/2019 +ms.date: 01/06/2020 ms.reviewer: manager: dansimp --- @@ -25,7 +25,7 @@ manager: dansimp Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). -Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is it an excellent, next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as Endpoint Detection and Response and Automated Investigation and Remediation, you'll see better protection that's coordinated across products. +Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you'll see better protection that's coordinated across products. ## 10 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP From b6bac94d3ed4842c39e507774c50b4201ff4c7ae Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 6 Jan 2020 14:30:18 -0800 Subject: [PATCH 36/45] Update why-use-microsoft-antivirus.md --- .../windows-defender-antivirus/why-use-microsoft-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 3b2e7eacce..f2397aea62 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -25,7 +25,7 @@ manager: dansimp Windows Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). -Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you'll see better protection that's coordinated across products. +Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services. ## 10 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP From 303966baca5bedd62e9cb2658536ac9d29eaa9a9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 6 Jan 2020 14:32:05 -0800 Subject: [PATCH 37/45] Update why-use-microsoft-antivirus.md --- .../windows-defender-antivirus/why-use-microsoft-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index f2397aea62..26493afec7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -29,7 +29,7 @@ Although you can use a non-Microsoft antivirus solution with Microsoft Defender ## 10 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP -| |Item |Description | +| |Advantage |Why it matters | |--|--|--| |1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | |2|Threat analytics and your secure score |Windows Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [secure score](../microsoft-defender-atp/overview-secure-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | @@ -39,7 +39,7 @@ Although you can use a non-Microsoft antivirus solution with Microsoft Defender |6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| |7|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | |8|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | -|9|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise/), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| +|9|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| |10|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). | From 0600439e86b4a0ed98a2d6b1c0dcecc56efb7d29 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Mon, 6 Jan 2020 14:53:57 -0800 Subject: [PATCH 38/45] Janauary HoloLens release note add Adding Jan release note. @scooley @yannisle --- devices/hololens/hololens-release-notes.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md index 4d8b9c1a52..6f305a3b78 100644 --- a/devices/hololens/hololens-release-notes.md +++ b/devices/hololens/hololens-release-notes.md @@ -22,6 +22,10 @@ appliesto: > [!Note] > HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive). +### January Update - build 18362.1043 + +- Stability improvements for exclusive apps when working with HoloLens 2 emulator. + ### December Update - build 18362.1042 - Introduces LSR (Last Stage Reproduction) fixes. Improves visual rendering of holograms to appear more stable and crisp by more accurately accounting for their depth. This will be more noticeable if apps do not set the depth of holograms correctly, after this update. From 19b015eb31b770200e3f0f1ba08153c3b54db804 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 6 Jan 2020 15:15:40 -0800 Subject: [PATCH 39/45] add note --- .../microsoft-defender-atp/configure-endpoints-vdi.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 5a8e0475ca..100bfd2636 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -69,6 +69,9 @@ The following steps will guide you through onboarding VDI machines and will high 4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. + >[!NOTE] + >Domain Group Policy may also be used for onboarding non-persistent VDI machines. + 5. Depending on the method you'd like to implement, follow the appropriate steps:
**For single entry for each machine**:
Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.

From 3e0238aba6b3bec2de5102d6a68164b52330c51b Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Mon, 6 Jan 2020 18:27:56 -0600 Subject: [PATCH 40/45] Update hololens-release-notes.md --- devices/hololens/hololens-release-notes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md index 6f305a3b78..aaf200a4b0 100644 --- a/devices/hololens/hololens-release-notes.md +++ b/devices/hololens/hololens-release-notes.md @@ -24,7 +24,7 @@ appliesto: ### January Update - build 18362.1043 -- Stability improvements for exclusive apps when working with HoloLens 2 emulator. +- Stability improvements for exclusive apps when working with the HoloLens 2 emulator. ### December Update - build 18362.1042 From 77cc958b52c111ac61437809b95a66ec90b80b9d Mon Sep 17 00:00:00 2001 From: lomayor Date: Mon, 6 Jan 2020 18:13:00 -0800 Subject: [PATCH 41/45] Fixed table rendering --- .../advanced-hunting-deviceevents-table.md | 4 ++-- .../advanced-hunting-devicefileevents-table.md | 4 ++-- .../advanced-hunting-deviceimageloadevents-table.md | 2 +- .../advanced-hunting-deviceinfo-table.md | 2 +- .../advanced-hunting-devicelogonevents-table.md | 2 +- .../advanced-hunting-devicenetworkevents-table.md | 2 +- .../advanced-hunting-devicenetworkinfo-table.md | 2 +- .../advanced-hunting-deviceprocessevents-table.md | 2 +- .../advanced-hunting-deviceregistryevents-table.md | 2 +- .../advanced-hunting-schema-reference.md | 2 +- 10 files changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index aed7f010df..9134afc574 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The miscellaneous device events or `DeviceEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. +The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). @@ -42,7 +42,7 @@ For information on other tables in the advanced hunting schema, see [the advance | `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available | | `MD5` | string | MD5 hash of the file that the recorded action was applied to | | `AccountDomain` | string | Domain of the account | -| `AccountName |string | User name of the account | +| `AccountName` |string | User name of the account | | `AccountSid` | string | Security Identifier (SID) of the account | | `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to | | `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 7e519fa914..221f3433e8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceFileEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. +The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). @@ -66,7 +66,7 @@ For information on other tables in the advanced hunting schema, see [the advanc | `RequestAccountName` | string | User name of account used to remotely initiate the activity | | `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity | | `RequestAccountSid` | string | Security Identifier (SID) of the account to remotely initiate the activity | -| `ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | | `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection | | `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index e8acfd67d4..d57a965bcf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceImageLoadEvents table` in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. +The `DeviceImageLoadEvents table` in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index 16a90f67ad..f05d8d0382 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceInfo` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. +The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index 8177e49c74..689d68d6e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceLogonEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. +The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 0fe9b537f7..fb91c21fd2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceNetworkEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. +The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index e202a842bc..ba7cf147bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceNetworkInfo` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. +The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 71177a6205..7b656947ec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceProcessEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. +The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index 396feb40c0..8dfc835e93 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceRegistryEvents` table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. +The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index e4367e6079..7c64003218 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -27,7 +27,7 @@ ms.date: 10/08/2019 [!include[Prerelease information](../../includes/prerelease.md)] -The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. +The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. ## Schema tables From bab0cd447a9b30757831eb0e5ecb9498dd5f7b0d Mon Sep 17 00:00:00 2001 From: lomayor Date: Mon, 6 Jan 2020 18:25:06 -0800 Subject: [PATCH 42/45] Update advanced-hunting-devicefileevents-table.md --- .../advanced-hunting-devicefileevents-table.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 221f3433e8..82bc19d642 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -54,7 +54,7 @@ For information on other tables in the advanced hunting schema, see [the advanc | `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started | -| `InitiatingProcessIntegrityLevel` | string` | integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| `InitiatingProcessIntegrityLevel` | string | integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | | `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event | | `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event | From ce38383d58d126d423b4ff67624ae82e848fdce0 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Tue, 7 Jan 2020 09:47:43 -0800 Subject: [PATCH 43/45] Review of edits --- .../troubleshoot-event-id-41-restart.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 68298f3175..b774919abf 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -19,16 +19,16 @@ manager: kaushika # Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first" > **Home users** -> This article is intended for use by support agents and IT professionals. If you're looking for more information about Stop code error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). +> This article is intended for use by support agents and IT professionals. If you're looking for more information about blue screen error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). -The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. By using this standard method, the operating system closes all files and notifies the running services and applications so that they can write any unsaveddata to disk and flush any active caches. +The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. When you use this standard method, the operating system closes all files and notifies the running services and applications so that they can write any unsaved data to disk and flush any active caches. -If your computer shuts down unexpectedly, Windows logs Event ID 41 entry that resembles the following the next time that the computer starts: +If your computer shuts down unexpectedly, Windows logs Event ID 41 the next time that the computer starts. The event text resembles the following: > Event ID: 41 > Description: The system has rebooted without cleanly shutting down first. -This event indicates that some unexpected activity prevented Windows from shutting down correctly. Such a shutdown may be caused by an interruption in the power supply or by a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and includes any existing codes in the event data of Event ID 41. +This event indicates that some unexpected activity prevented Windows from shutting down correctly. Such a shutdown might be caused by an interruption in the power supply or by a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and includes any existing codes in the event data of Event ID 41. > EventData > BugcheckCode 159 @@ -41,13 +41,13 @@ This event indicates that some unexpected activity prevented Windows from shutti ## How to use Event ID 41 when you troubleshoot an unexpected shutdown or restart -By itself, Event ID 41 might not contain sufficient information to explicitly define what occured. Typically, you have to also consider what was occuring at the time of the unexpected shutdown (for example, the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: +By itself, Event ID 41 might not contain sufficient information to explicitly define what occurred. Typically, you have to also consider what was occurring at the time of the unexpected shutdown (for example, the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: - [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code - [Scenario 2](#scen2): The computer restarts because you pressed and held the power button -- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is not recorded or the Event ID 41 entry lists error code values of zero +- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is not logged or the Event ID 41 entry lists error code values of zero -### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a Stop error code +### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code When a computer shuts down or restarts because of a Stop error, Windows includes the Stop error data in Event ID 41 as part of the additional event data. This information includes the Stop error code (also called a bug check code), as shown in the following example: @@ -59,7 +59,7 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > BugcheckParameter4 0xfffffa800208c010 > [!NOTE] -> Event ID 41 includes the bug check code in decimal format. Most documentation that describes Stop error codes refer to the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: +> Event ID 41 includes the bug check code in decimal format. Most documentation that describes bug check codes refers to the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: > > 1. Select **Start**, type **calc** in the **Search** box, and then select **Calculator**. > 1. In the **Calculator** window, select **View** > **Programmer**. @@ -68,19 +68,19 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > 1. On the left side of the calculator, select **Hex**. > The value that the calculator displays is now the hexadecimal code. > -> When you convert a bug check code to hexadecimal format, verify that it has eight digits following the “0x” designation (that is, the part of the code after the “x” includes enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f. +> When you convert a bug check code to hexadecimal format, verify that the “0x” designation is followed by eight digits (that is, the part of the code after the “x” includes enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f. After you identify the hexadecimal value, use the following references to continue troubleshooting: - [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md). -- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). (This page lists links to documentation for different bug check codes.) +- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes. - [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](https://blogs.technet.microsoft.com/askcore/2008/10/31/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners/). ### Scenario 2: The computer restarts because you pressed and held the power button -Because this method of restarting the computer interferes with the Windows shutdown operation, we recommend that you use this method only if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, Event ID 41 occurs and includes a non-zero value for the **PowerButtonTimestamp** entry. +Because this method of restarting the computer interferes with the Windows shutdown operation, we recommend that you use this method only if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the computer logs an Event ID 41 that includes a non-zero value for the **PowerButtonTimestamp** entry. -For help to troubleshoot an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." +For help when troubleshooting an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." ### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is not recorded or the Event ID 41 entry or lists error code values of zero From 05ef5b2b4fb0c19ffb187dcb7f98e7afc057f596 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 7 Jan 2020 10:06:56 -0800 Subject: [PATCH 44/45] Update why-use-microsoft-antivirus.md --- .../windows-defender-antivirus/why-use-microsoft-antivirus.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 26493afec7..392bc3f8e3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -9,10 +9,12 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro +ms.topic: article author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 01/06/2020 +ms.date: 01/07/2020 ms.reviewer: manager: dansimp --- From 4590a32343c95a798f5e95e18c99771060b6be5a Mon Sep 17 00:00:00 2001 From: lomayor Date: Tue, 7 Jan 2020 14:27:05 -0800 Subject: [PATCH 45/45] Add kusto languange name to AH code --- .../microsoft-defender-atp/advanced-hunting-best-practices.md | 4 ++-- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- .../microsoft-defender-atp/exploit-protection.md | 2 +- .../microsoft-defender-atp/network-protection.md | 2 +- .../microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 58f09d7eb7..7ce887afa8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -45,7 +45,7 @@ Process IDs (PIDs) are recycled in Windows and reused for new processes. On thei The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. -``` +```kusto DeviceNetworkEvents | where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4) | summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName @@ -68,7 +68,7 @@ To create more durable queries using command lines, apply the following practice The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service: -``` +```kusto // Non-durable query - do not use DeviceProcessEvents | where ProcessCommandLine == "net stop MpsSvc" diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index e4e202f76f..363a0b815b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -50,7 +50,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-h Here is an example query: -```PowerShell +```kusto DeviceEvents | where ActionType startswith 'Asr' ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 90c461b3d6..c5a436c489 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -40,7 +40,7 @@ There are various ways to ensure more complex queries return these columns. For The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. -``` +```kusto DeviceEvents | where Timestamp > ago(7d) | where ActionType == "AntivirusDetection" diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index 30e3eff1f4..c0073ce75e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -53,7 +53,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do Here is an example query: -```PowerShell +```kusto DeviceEvents | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection' ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index cdcb26b8fd..3c6f9f6bc7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -56,7 +56,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do Here is an example query -```PowerShell +```kusto DeviceEvents | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked') ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 2d623aad56..55ffb2b7ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -167,7 +167,7 @@ When an exception is created for a recommendation, the recommendation is no long 3. Enter the following queries: -``` +```kusto // Search for machines with High active alerts or Critical CVE public exploit DeviceTvmSoftwareInventoryVulnerabilities | join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId