html table

2025-05-14 14:27:22 +00:00 · 2017-05-24 19:55:05 -07:00 · 2017-05-24 19:55:05 -07:00 · 7d6c5eddea
commit 7d6c5eddea
parent 174e938e0c
1 changed files with 257 additions and 0 deletions
--- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@ -26,6 +26,263 @@ Understand what data fields are exposed as part of the alerts API and how they m

 ##	Alert API fields and portal mapping
 Field numbers match the numbers in the images below.
+
+<table class="tg">
+  <tr>
+    <th class="tg-yw4l">Portal label</th>
+    <th class="tg-yw4l">SIEM field name</th>
+    <th class="tg-yw4l">ArcSight field</th>
+    <th class="tg-yw4l">Example value</th>
+    <th class="tg-yw4l">Description</th>
+    <th class="tg-yw4l"></th>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">1</td>
+    <td class="tg-yw4l">AlertTitle</td>
+    <td class="tg-yw4l">name</td>
+    <td class="tg-yw4l">A dll was unexpectedly loaded into a high integrity process without a UAC prompt</td>
+    <td class="tg-yw4l">Value available for every alert.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">2</td>
+    <td class="tg-yw4l">Severity</td>
+    <td class="tg-yw4l">deviceSeverity</td>
+    <td class="tg-yw4l">Medium</td>
+    <td class="tg-yw4l">Value available for every alert.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">3</td>
+    <td class="tg-yw4l">Category</td>
+    <td class="tg-yw4l">deviceEventCategory</td>
+    <td class="tg-yw4l">Privilege Escalation</td>
+    <td class="tg-yw4l">Value available for every alert.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">4</td>
+    <td class="tg-yw4l">Source</td>
+    <td class="tg-yw4l">sourceServiceName</td>
+    <td class="tg-yw4l">WindowsDefenderATP</td>
+    <td class="tg-yw4l">Windows Defender Antivirus or Windows Defender ATP. Value available for every alert.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">5</td>
+    <td class="tg-yw4l">MachineName</td>
+    <td class="tg-yw4l">sourceHostName</td>
+    <td class="tg-yw4l">liz-bean</td>
+    <td class="tg-yw4l">Value available for every alert.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">6</td>
+    <td class="tg-yw4l">FileName</td>
+    <td class="tg-yw4l">fileName</td>
+    <td class="tg-yw4l">Robocopy.exe</td>
+    <td class="tg-yw4l">Available for alerts associated with a file or process.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">7</td>
+    <td class="tg-yw4l">FilePath</td>
+    <td class="tg-yw4l">filePath</td>
+    <td class="tg-yw4l">C:\Windows\System32\Robocopy.exe</td>
+    <td class="tg-yw4l">Available for alerts associated with a file or process. \</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">8</td>
+    <td class="tg-yw4l">UserDomain</td>
+    <td class="tg-yw4l">sourceNtDomain</td>
+    <td class="tg-yw4l">contoso</td>
+    <td class="tg-yw4l">The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">9</td>
+    <td class="tg-yw4l">UserName</td>
+    <td class="tg-yw4l">sourceUserName</td>
+    <td class="tg-yw4l">liz-bean</td>
+    <td class="tg-yw4l">The user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">10</td>
+    <td class="tg-yw4l">Sha1</td>
+    <td class="tg-yw4l">fileHash</td>
+    <td class="tg-yw4l">5b4b3985339529be3151d331395f667e1d5b7f35</td>
+    <td class="tg-yw4l">Available for alerts associated with a file or process.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">11</td>
+    <td class="tg-yw4l">Md5</td>
+    <td class="tg-yw4l">deviceCustomString5</td>
+    <td class="tg-yw4l">55394b85cb5edddff551f6f3faa9d8eb</td>
+    <td class="tg-yw4l">Available for Windows Defender AV alerts.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">12</td>
+    <td class="tg-yw4l">Sha256</td>
+    <td class="tg-yw4l">deviceCustomString6</td>
+    <td class="tg-yw4l">9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5</td>
+    <td class="tg-yw4l">Available for Windows Defender AV alerts.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">13</td>
+    <td class="tg-yw4l">ThreatName</td>
+    <td class="tg-yw4l">eviceCustomString1</td>
+    <td class="tg-yw4l">Trojan:Win32/Skeeyah.A!bit</td>
+    <td class="tg-yw4l">Available for Windows Defender AV alerts.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">14</td>
+    <td class="tg-yw4l">IpAddress</td>
+    <td class="tg-yw4l">sourceAddress</td>
+    <td class="tg-yw4l">218.90.204.141</td>
+    <td class="tg-yw4l">Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">15</td>
+    <td class="tg-yw4l">Url</td>
+    <td class="tg-yw4l">requestUrl</td>
+    <td class="tg-yw4l">down.esales360.cn</td>
+    <td class="tg-yw4l">Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">16</td>
+    <td class="tg-yw4l">RemediationIsSuccess</td>
+    <td class="tg-yw4l">deviceCustomNumber2</td>
+    <td class="tg-yw4l">TRUE</td>
+    <td class="tg-yw4l">Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">17</td>
+    <td class="tg-yw4l">WasExecutingWhileDetected</td>
+    <td class="tg-yw4l">deviceCustomNumber1</td>
+    <td class="tg-yw4l">FALSE</td>
+    <td class="tg-yw4l">Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">18</td>
+    <td class="tg-yw4l">AlertId</td>
+    <td class="tg-yw4l">externalId</td>
+    <td class="tg-yw4l">636210704265059241_673569822</td>
+    <td class="tg-yw4l">Value available for every alert.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">19</td>
+    <td class="tg-yw4l">LinkToWDATP</td>
+    <td class="tg-yw4l">flexString1</td>
+    <td class="tg-yw4l">https://securitycenter.windows.com/alert/636210704265059241_673569822</td>
+    <td class="tg-yw4l">Value available for every alert.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">20</td>
+    <td class="tg-yw4l">AlertTime</td>
+    <td class="tg-yw4l">deviceReceiptTime</td>
+    <td class="tg-yw4l">2017-05-07T01:56:59.3191352Z</td>
+    <td class="tg-yw4l">The time the activity relevant to the alert occurred. Value available for every alert.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">21</td>
+    <td class="tg-yw4l">MachineDomain</td>
+    <td class="tg-yw4l">sourceDnsDomain</td>
+    <td class="tg-yw4l">contoso.com</td>
+    <td class="tg-yw4l">Domain name not relevant for AAD joined machines. Value available for every alert.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">22</td>
+    <td class="tg-yw4l">Actor</td>
+    <td class="tg-yw4l">deviceCustomString4</td>
+    <td class="tg-yw4l"></td>
+    <td class="tg-yw4l">Available for alerts related to a known actor group.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">21+5</td>
+    <td class="tg-yw4l">ComputerDnsName</td>
+    <td class="tg-yw4l">No mapping</td>
+    <td class="tg-yw4l">liz-bean.contoso.com</td>
+    <td class="tg-yw4l">The machine fully qualified domain name. Value available for every alert.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l"></td>
+    <td class="tg-yw4l">LogOnUsers</td>
+    <td class="tg-yw4l">sourceUserId</td>
+    <td class="tg-yw4l">contoso\liz-bean; contoso\jay-hardee</td>
+    <td class="tg-yw4l">The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l">Internal field</td>
+    <td class="tg-yw4l">LastProcessedTimeUtc</td>
+    <td class="tg-yw4l">No mapping</td>
+    <td class="tg-yw4l">2017-05-07T01:56:58.9936648Z</td>
+    <td class="tg-yw4l">Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l"></td>
+    <td class="tg-yw4l">Not part of the schema</td>
+    <td class="tg-yw4l">deviceVendor</td>
+    <td class="tg-yw4l"></td>
+    <td class="tg-yw4l">Static value in the ArcSight mapping - 'Microsoft'.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l"></td>
+    <td class="tg-yw4l">Not part of the schema</td>
+    <td class="tg-yw4l">deviceProduct</td>
+    <td class="tg-yw4l"></td>
+    <td class="tg-yw4l">Static value in the ArcSight mapping - 'Windows Defender ATP'.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+  <tr>
+    <td class="tg-yw4l"></td>
+    <td class="tg-yw4l">Not part of the schema</td>
+    <td class="tg-yw4l">deviceVersion</td>
+    <td class="tg-yw4l"></td>
+    <td class="tg-yw4l">Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.</td>
+    <td class="tg-yw4l"></td>
+  </tr>
+</table>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

 Portal label | SIEM field name  | ArcSight field| Example value | Description
 :---|:---|:---|:---|:---