Merge pull request #1878 from MicrosoftDocs/lomayor-ah-cert

Update advanced-hunting-devicefilecertificateinfobeta-table.md
Louie Mayor 2020-01-17 11:42:33 -08:00 committed by GitHub
commit 816d651935
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -34,23 +34,24 @@ For information on other tables in the advanced hunting schema, see [the advance
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded
| `DeviceId` | string | Unique identifier for the machine in the service
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to
| `IsSigned` | boolean | Indicates whether the file is signed
| `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file
| `Signer` | string | Information about the signer of the file
| `SignerHash` | string | Unique hash value identifying the signer
| `Issuer` | string | Information about the issuing certificate authority (CA)
| `IssuerHash` | string | Unique hash value identifying issuing certificate authority (CA)
| `CrlDistributionPointUrls` | string | URL of the network share that contains certificates and the certificate revocation list (CRL)
| `CertificateCreationTime` | datetime | Date and time the certificate was created
| `CertificateExpirationTime` | datetime | Date and time the certificate is set to expire
| `CertificateCountersignatureTime` | datetime | Date and time the certificate was countersigned
| `IsTrusted` | boolean | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes
| `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns.
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
| `IsSigned` | boolean | Indicates whether the file is signed |
| `SignatureType` | string | Indicates whether signature information was read as embedded | content in the file itself or read from an external catalog file |
| `Signer` | string | Information about the signer of the file |
| `SignerHash` | string | Unique hash value identifying the signer |
| `Issuer` | string | Information about the issuing certificate authority (CA) |
| `IssuerHash` | string | Unique hash value identifying issuing certificate authority (CA) |
| `CertificateSerialNumber` | string | Identifier for the certificate that is unique to the issuing certificate authority (CA) |
| `CrlDistributionPointUrls` | string | JSON array listing the URLs of network shares that contain certificates and certificate revocation lists (CRLs) |
| `CertificateCreationTime` | datetime | Date and time the certificate was created |
| `CertificateExpirationTime` | datetime | Date and time the certificate is set to expire |
| `CertificateCountersignatureTime` | datetime | Date and time the certificate was countersigned |
| `IsTrusted` | boolean | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes |
| `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
## Related topics
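Review bot: The new `SignatureType` row has a stray `|` between "embedded" and "content", which gives that row four cells instead of three, so the rendered table will cut the description off after "embedded". Drop the extra pipe so the description is one cell: "Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file". Separately, `CrlDistributionPointUrls` is now described as a JSON array while its data type column still says string; if the column really holds a JSON-encoded string, saying so in the description would tell query authors that the value has to be parsed before individual URLs can be compared.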