From 8776ce74a20a4c16a0dda37145243d515af1b839 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Tue, 22 Feb 2022 13:22:12 -0800
Subject: [PATCH] Updating query example 2 for 6283

---
 ...-control-events-centrally-using-advanced-hunting.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
index 7887ecbbbd..24c4d8dfd2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -82,15 +82,15 @@ DeviceEvents
 | where Timestamp > ago(7d)
 |project DeviceId, // the device ID where the audit block happened
 FileName, // The audit blocked app's filename
-FolderPath, // The audit blocked app's device path
+FolderPath, // The audit blocked app's system path without the FileName
 InitiatingProcessFileName, // The file name of the parent process loading the executable
 InitiatingProcessVersionInfoCompanyName, // The company name of the parent process loading the executable
 InitiatingProcessVersionInfoOriginalFileName, // The original file name of the parent process loading the executable
 InitiatingProcessVersionInfoProductName, // The product name of the parent process loading the executable
-InitiatingProcessSHA256, // The SHA256 of the parent process loading the executable
-Timestamp, // The timestamp
-ReportId, // The report ID
+InitiatingProcessSHA256, // The SHA256 flat hash of the parent process loading the executable
+Timestamp, // The event creation timestamp
+ReportId, // The report ID - randomly generated by MDE AH
 InitiatingProcessVersionInfoProductVersion, // The product version of the parent process loading the executable
 InitiatingProcessVersionInfoFileDescription, // The file description of the parent process loading the executable
-AdditionalFields
+AdditionalFields // Additional fields contains FQBN for signed binaries. These contain the CN of the leaf certificate, product name, original filename and version of the audited binary
 ```