mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 12:53:38 +00:00
alphabetical table
@ -157,67 +157,70 @@ Check out the [Advanced Hunting repository](https://github.com/Microsoft/Advance
## Advanced hunting table reference
## Advanced hunting table reference
| Column name | Column type | Description
| Column name | Column type | Description
:---|:--- |:---
:---|:--- |:---
| MachineId | string | Unique identifier for the machine in the service.
| AccountDomain | string | Domain of the account. |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine.
| AccountName | string | User name of the account. |
| EventTime | datetime | Date and time when the event was recorded.
| AccountSid | string | Security Identifier (SID) of the account. |
| ActionType | string | Type of activity that triggered the event.
| ActionType | string | Type of activity that triggered the event. |
| ProviderId | | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log.
| AdditionalFields | | Additional information about the event in JSON array format. |
| EventId | | Unique identifier used by Event Tracing for Windows (ETW) for the event type.
| AlertId | string | Unique identifier for the alert. |
| EventType | string | Table where the record is stored.
| ComputerName | string | Fully qualified domain name (FQDN) of the machine. |
| ReportIndex | | Event identifier that is unique among the same event type.
| EventId | | Unique identifier used by Event Tracing for Windows (ETW) for the event type. |
| FileName | string | Name of the file that the recorded action was applied to.
| EventTime | datetime | Date and time when the event was recorded. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to.
| EventType | string | Table where the record is stored. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to.
| FileName | string | Name of the file that the recorded action was applied to. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to.
| FileOriginIp | string | IP address where the file was downloaded from. |
| FolderPath | string | Folder containing the file that the recorded action was applied to.
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file. |
| FileOriginUrl | string | URL where the file was downloaded from.
| FileOriginUrl | string | URL where the file was downloaded from. |
| FileOriginIp | string | IP address where the file was downloaded from.
| FolderPath | string | Folder containing the file that the recorded action was applied to. |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file.
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event.
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started.
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
| InitiatingProcessFileName | string | Name of the process that initiated the event.
| InitiatingProcessCommandLine | string | Path and command line arguments used to run the process that initiated the event. |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event.
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event.
| InitiatingProcessFileName | string | Name of the process that initiated the event. |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event.
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. |
| InitiatingProcessCommandLine | string | Path and command line arguments used to run the process that initiated the event.
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event. |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event.
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event.
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event. |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event.
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was event was started. |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event.
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event. |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources.
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event.
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event. |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was event was started.
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. |
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event.
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event.
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory. |
| AdditionalFields | | Additional information about the event in JSON array format.
| LocalIP | string | IP address assigned to the local machine used during communication. |
| AccountName | string | User name of the account.
| LocalPort | int | TCP port on the local machine used during communication. |
| AccountDomain | string | Domain of the account.
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format. |
| AccountSid | string | Security Identifier (SID) of the account.
| LogonType | string | Type of logon session, specifically: <br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen.<br> <br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients. <br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed. <br><br> - **Batch** - Session initiated by scheduled tasks. <br><br> - **Service** - Session initiated by services as they start. <br>
| LogonType | string | Type of logon session, specifically: <br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen.<br> <br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients. <br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed. <br><br> - **Batch** - Session initiated by scheduled tasks. <br><br> - **Service** - Session initiated by services as they start. <br>
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to.
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| RemoteIP | string | IP address that was being connected to.
| MachineId | string | Unique identifier for the machine in the service. |
| RemotePort | int | TCP port on the remote device that was being connected to.
| MD5 | string | MD5 hash of the file that the recorded action was applied to. |
| LocalPort | int | TCP port on the local machine used during communication.
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format. |
| LocalIP | string | IP address assigned to the local machine used during communication.
| OSArchitecture | string | Architecture of the operating system running on the machine. |
| ProcessCreationTime | datetime | Date and time the process was created.
| OSBuild | string | Build version of the operating system running on the machine. |
| RegistryKey | string | Registry key that the recorded action was applied to.
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such Windows 10 and Windows 7. |
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to.
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified. |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to.
| PreviousRegistryValueData | string | Original data of the registry value before it was modified. |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to.
| PreviousRegistryValueName | string | Original name of the registry value before it was modified. |
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified.
| PreviousRegistryValueType | string | Original data type of the registry value before it was modified. |
| PreviousRegistryValueData | string | Original data of the registry value before it was modified.
| ProcessCommandline | string | Path and command line arguments used to create the new process. |
| PreviousRegistryValueName | string | Original name of the registry value before it was modified.
| ProcessCreationTime | datetime | Date and time the process was created. |
| PreviousRegistryValueType | string | Original data type of the registry value before it was modified.
| ProcessId | int | Process ID (PID) of the newly created process. |
| ProcessCommandline | string | Path and command line arguments used to create the new process.
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources.
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process.
| ProviderId | | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log. |
| ProcessId | int | Process ID (PID) of the newly created process.
| RegistryKey | string | Registry key that the recorded action was applied to. |
| AlertId | string | Unique identifier for the alert.
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
| OSArchitecture | string | Architecture of the operating system running on the machine.
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such Windows 10 and Windows 7.
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to. |
| OSBuild | string | Build version of the operating system running on the machine.
| RemoteIP | string | IP address that was being connected to. |
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format.
| RemotePort | int | TCP port on the remote device that was being connected to. |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory.
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format.
| ReportIndex | | Event identifier that is unique among the same event type. |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine.
| SHA1 | string | SHA-1 of the file that the recorded action was applied to. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to.
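Review bot: three wording defects in the descriptions are carried over unchanged into the reordered rows and should be fixed while every row is being touched: InitiatingProcessIntegrityLevel and ProcessIntegrityLevel both read "such as if they were launched from an internet downloaded" (should be "launched from an internet download"), InitiatingProcessParentCreationTime reads "was event was started" (drop the duplicated "event was"), and OSPlatform reads "such Windows 10 and Windows 7" (needs "such as"). The Column type cell is still empty for AdditionalFields, EventId, ProviderId and ReportIndex; either supply the type or state in the commit message why it is left blank. The data rows now end with a trailing `|` while the header row `| Column name | Column type | Description` and the alignment row `:---|:--- |:---` do not; make the three consistent so the table renders identically across Markdown engines. The alphabetical order itself checks out (case-insensitive, MD5 after MachineId, SHA1 and SHA256 after ReportIndex).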