mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 23:07:23 +00:00
add ref topic to adv hunting
This commit is contained in:
parent
dce607c19f
commit
95f3e815fc
@ -90,6 +90,7 @@
|
||||
|
||||
#### [Automated investigations](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
|
||||
#### [Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
|
||||
##### [Advanced hunting table reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
### [Enable conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
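Review bot: The new level-5 entry "Advanced hunting table reference" is nested directly under the level-4 "Advanced hunting" entry, and its target `windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md` matches the file added by this commit and the title used for its H1, so the TOC wiring is consistent; note that "Automated investigations", "Advanced hunting" and "Enable conditional access" all link with the same backslash path style, so the new line follows the existing convention of this TOC rather than introducing a mixed separator.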
@ -0,0 +1,101 @@
|
||||
---
|
||||
title: Advanced hunting table reference in Windows Defender ATP
|
||||
description: Learn about advanced hunting table reference such as column name, data type, and description
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: high
|
||||
ms.date: 04/16/2018
|
||||
---
|
||||
|
||||
# Advanced hunting table reference in Windows Defender ATP
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Enterprise
|
||||
- Windows 10 Education
|
||||
- Windows 10 Pro
|
||||
- Windows 10 Pro Education
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
When you run a query using Advanced hunting, a table with columns is returned as a result.
|
||||
|
||||
Use the following table to understand what the columns represent, its data type, and their description.
|
||||
|
||||
## Advanced hunting table reference
|
||||
|
||||
| Column name | Data type | Description
|
||||
:---|:--- |:---
|
||||
| AccountDomain | string | Domain of the account. |
|
||||
| AccountName | string | User name of the account. |
|
||||
| AccountSid | string | Security Identifier (SID) of the account. |
|
||||
| ActionType | string | Type of activity that triggered the event. |
|
||||
| AdditionalFields | string | Additional information about the event in JSON array format. |
|
||||
| AlertId | string | Unique identifier for the alert. |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine. |
|
||||
| EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. |
|
||||
| EventTime | datetime | Date and time when the event was recorded. |
|
||||
| EventType | string | Table where the record is stored. |
|
||||
| FileName | string | Name of the file that the recorded action was applied to. |
|
||||
| FileOriginIp | string | IP address where the file was downloaded from. |
|
||||
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file. |
|
||||
| FileOriginUrl | string | URL where the file was downloaded from. |
|
||||
| FolderPath | string | Folder containing the file that the recorded action was applied to. |
|
||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
|
||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
|
||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
|
||||
| InitiatingProcessCommandLine | string | Path and command line arguments used to run the process that initiated the event. |
|
||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
|
||||
| InitiatingProcessFileName | string | Name of the process that initiated the event. |
|
||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. |
|
||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event. |
|
||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
|
||||
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event. |
|
||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was event was started. |
|
||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event. |
|
||||
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event. |
|
||||
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event. |
|
||||
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. |
|
||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. |
|
||||
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory. |
|
||||
| LocalIP | string | IP address assigned to the local machine used during communication. |
|
||||
| LocalPort | int | TCP port on the local machine used during communication. |
|
||||
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format. |
|
||||
| LogonType | string | Type of logon session, specifically: <br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen.<br> <br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients. <br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed. <br><br> - **Batch** - Session initiated by scheduled tasks. <br><br> - **Service** - Session initiated by services as they start. <br>
|
||||
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
|
||||
| MachineId | string | Unique identifier for the machine in the service. |
|
||||
| MD5 | string | MD5 hash of the file that the recorded action was applied to. |
|
||||
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format. |
|
||||
| OSArchitecture | string | Architecture of the operating system running on the machine. |
|
||||
| OSBuild | string | Build version of the operating system running on the machine. |
|
||||
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such Windows 10 and Windows 7. |
|
||||
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified. |
|
||||
| PreviousRegistryValueData | string | Original data of the registry value before it was modified. |
|
||||
| PreviousRegistryValueName | string | Original name of the registry value before it was modified. |
|
||||
| PreviousRegistryValueType | string | Original data type of the registry value before it was modified. |
|
||||
| ProcessCommandline | string | Path and command line arguments used to create the new process. |
|
||||
| ProcessCreationTime | datetime | Date and time the process was created. |
|
||||
| ProcessId | int | Process ID (PID) of the newly created process. |
|
||||
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
|
||||
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. |
|
||||
| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log. |
|
||||
| RegistryKey | string | Registry key that the recorded action was applied to. |
|
||||
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
|
||||
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
|
||||
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to. |
|
||||
| RemoteIP | string | IP address that was being connected to. |
|
||||
| RemotePort | int | TCP port on the remote device that was being connected to. |
|
||||
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
|
||||
| ReportIndex | long | Event identifier that is unique among the same event type. |
|
||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to. |
|
||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to.
|
||||
|
||||
|
||||
|
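Review bot: The data type of `IsAzureADJoined` is listed as `boolean`, but Kusto has no `boolean` scalar type; the type name is `bool`, so the row should read `| IsAzureADJoined | bool | Boolean indicator of whether machine is joined to Azure Active Directory. |` (also dropping the stray "the" before "Azure Active Directory"). The `InitiatingProcessTokenElevation` and `ProcessTokenElevation` rows expand UAC as "User Access Control"; the feature is User Account Control. Three wording slips in the table should be fixed before merge: `InitiatingProcessParentCreationTime` has a duplicated phrase ("was event was started"), `ProcessIntegrityLevel` says "launched from an internet downloaded" where the matching `InitiatingProcessIntegrityLevel` row correctly says "internet download", and `OSPlatform` reads "such Windows 10 and Windows 7" (missing "as"). The intro sentence "what the columns represent, its data type, and their description" mixes singular and plural; "what each column represents, its data type, and a description of it" is cleaner. Finally, the header row `| Column name | Data type | Description` has no closing `|`, the separator row `:---|:--- |:---` has no leading `|`, and the last row (`SHA256`) has no closing `|`; these render, but they are inconsistent with every other row in the table.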
@ -147,80 +147,15 @@ The filter selections will resolve as an additional query term and the results w
|
||||
- Use time filters first. Kusto is highly optimized to utilize time filters.
|
||||
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
|
||||
- Prefer 'has' keyword over 'contains' when looking for full tokens.
|
||||
- Prefer looking in specific column rather than using full text search accross all columns.
|
||||
- Prefer looking in specific column rather than using full text search across all columns.
|
||||
- When joining between two tables - choose the table with less rows to be the first one (left-most).
|
||||
- When joining between two tables - project only needed columns from both sides of the join.
|
||||
|
||||
## Public Advanced Hunting query GitHub repository
|
||||
Check out the [Advanced Hunting repository](https://github.com/Microsoft/Advanced-Hunting-Queries). Contribute and use example queries shared by our customers.
|
||||
|
||||
## Advanced hunting table reference
|
||||
|
||||
| Column name | Data type | Description
|
||||
:---|:--- |:---
|
||||
| AccountDomain | string | Domain of the account. |
|
||||
| AccountName | string | User name of the account. |
|
||||
| AccountSid | string | Security Identifier (SID) of the account. |
|
||||
| ActionType | string | Type of activity that triggered the event. |
|
||||
| AdditionalFields | string | Additional information about the event in JSON array format. |
|
||||
| AlertId | string | Unique identifier for the alert. |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine. |
|
||||
| EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. |
|
||||
| EventTime | datetime | Date and time when the event was recorded. |
|
||||
| EventType | string | Table where the record is stored. |
|
||||
| FileName | string | Name of the file that the recorded action was applied to. |
|
||||
| FileOriginIp | string | IP address where the file was downloaded from. |
|
||||
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file. |
|
||||
| FileOriginUrl | string | URL where the file was downloaded from. |
|
||||
| FolderPath | string | Folder containing the file that the recorded action was applied to. |
|
||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
|
||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
|
||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
|
||||
| InitiatingProcessCommandLine | string | Path and command line arguments used to run the process that initiated the event. |
|
||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
|
||||
| InitiatingProcessFileName | string | Name of the process that initiated the event. |
|
||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. |
|
||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event. |
|
||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
|
||||
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event. |
|
||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was event was started. |
|
||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event. |
|
||||
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event. |
|
||||
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event. |
|
||||
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. |
|
||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. |
|
||||
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory. |
|
||||
| LocalIP | string | IP address assigned to the local machine used during communication. |
|
||||
| LocalPort | int | TCP port on the local machine used during communication. |
|
||||
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format. |
|
||||
| LogonType | string | Type of logon session, specifically: <br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen.<br> <br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients. <br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed. <br><br> - **Batch** - Session initiated by scheduled tasks. <br><br> - **Service** - Session initiated by services as they start. <br>
|
||||
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
|
||||
| MachineId | string | Unique identifier for the machine in the service. |
|
||||
| MD5 | string | MD5 hash of the file that the recorded action was applied to. |
|
||||
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format. |
|
||||
| OSArchitecture | string | Architecture of the operating system running on the machine. |
|
||||
| OSBuild | string | Build version of the operating system running on the machine. |
|
||||
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such Windows 10 and Windows 7. |
|
||||
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified. |
|
||||
| PreviousRegistryValueData | string | Original data of the registry value before it was modified. |
|
||||
| PreviousRegistryValueName | string | Original name of the registry value before it was modified. |
|
||||
| PreviousRegistryValueType | string | Original data type of the registry value before it was modified. |
|
||||
| ProcessCommandline | string | Path and command line arguments used to create the new process. |
|
||||
| ProcessCreationTime | datetime | Date and time the process was created. |
|
||||
| ProcessId | int | Process ID (PID) of the newly created process. |
|
||||
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
|
||||
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. |
|
||||
| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log. |
|
||||
| RegistryKey | string | Registry key that the recorded action was applied to. |
|
||||
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
|
||||
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
|
||||
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to. |
|
||||
| RemoteIP | string | IP address that was being connected to. |
|
||||
| RemotePort | int | TCP port on the remote device that was being connected to. |
|
||||
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
|
||||
| ReportIndex | long | Event identifier that is unique among the same event type. |
|
||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to. |
|
||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to.
|
||||
## Related topic
|
||||
- [Advanced hunting table reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
|
||||
|
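Review bot: The table rows removed from this topic are identical to the rows added in the new reference file, so the typos in the table ("was event was started" in `InitiatingProcessParentCreationTime`, "internet downloaded" in `ProcessIntegrityLevel`, "such Windows 10" in `OSPlatform`, and "User Access Control" for UAC) travel with the move instead of being fixed; correct them in the new file rather than leaving them for a later pass. Both the `accross` and `across` spellings of the "Prefer looking in specific column" bullet appear in this hunk, so that typo fix is included here. In the remaining query tips, "choose the table with less rows to be the first one (left-most)" should read "fewer rows", and "in the beginning of the query" reads better as "at the beginning of the query". The new `## Related topic` section replaces the 80 removed lines with a single bullet, which matches the singular heading, and its relative link `advanced-hunting-reference-windows-defender-advanced-threat-protection.md` resolves to the file added in this commit and to the new TOC entry.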