Merged PR 3233: 9/15 PM Publish

This commit is contained in:
Alma Jenks 2017-09-15 22:30:06 +00:00
commit 986e67cf97
2 changed files with 53 additions and 234 deletions

View File

@ -929,6 +929,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</thead>
<tbody>
<tr class="even">
<td style="vertical-align:top">The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)</td>
<td style="vertical-align:top"><p>The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:</p>
<ul>
<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page. </li>
<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.</li>
<li>DomainName - fully qualified domain name if the device is domain-joined.</li>
</ul>
<p>For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.</p>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1709.</p>
</td></tr>
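Review bot: "the the" in the new RequestSecurityToken paragraph (`<p>For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.</p>`) should read "of the MS-MDE2 protocol documentation", and the trailing space before `</li>` in the UXInitiated item should go. The new `<tr class="even">` also sits directly above the existing `<tr class="even">` for the Firewall CSP row, so the even/odd row striping breaks here; one of the two should become `class="odd"`. Since UXInitiated, ExternalMgmtAgentHint and DomainName are all values the enrolling client places in its RequestSecurityToken message, it is worth saying so explicitly in the description rather than leaving readers to infer it from "a string the agent uses to give hints".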
@ -1361,6 +1371,16 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)</td>
<td style="vertical-align:top"><p>The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:</p>
<ul>
<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page. </li>
<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.</li>
<li>DomainName - fully qualified domain name if the device is domain-joined.</li>
</ul>
<p>For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.</p>
</td></tr>
</tbody>
</table>
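Review bot: this row is a verbatim copy of the one added at line 929 earlier in the same file, including the "the the" typo in `<p>For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.</p>` and the trailing space before `</li>` in the UXInitiated item; fix both copies together. If the two tables are intended to stay in sync, consider whether the second one should carry the same wording about these being client-supplied elements of the request so the two descriptions do not drift apart later.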

View File

@ -36,240 +36,39 @@ The ArcSight field column contains the default mapping between the Windows Defen
Field numbers match the numbers in the images below.
<table style="table-layout:fixed;width:100%" >
<tr>
<th class>Portal label</th>
<th class>SIEM field name</th>
<th class>ArcSight field</th>
<th class>Example value</th>
<th class>Description</th>
<th class></th>
</tr>
<tr>
<td class>1</td>
<td class>AlertTitle</td>
<td class>name</td>
<td class>A dll was unexpectedly loaded into a high integrity process without a UAC prompt</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>2</td>
<td class>Severity</td>
<td class>deviceSeverity</td>
<td class>Medium</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>3</td>
<td class>Category</td>
<td class>deviceEventCategory</td>
<td class>Privilege Escalation</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>4</td>
<td class>Source</td>
<td class>sourceServiceName</td>
<td class>WindowsDefenderATP</td>
<td class>Windows Defender Antivirus or Windows Defender ATP. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>5</td>
<td class>MachineName</td>
<td class>sourceHostName</td>
<td class>liz-bean</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>6</td>
<td class>FileName</td>
<td class>fileName</td>
<td class>Robocopy.exe</td>
<td class>Available for alerts associated with a file or process.</td>
<td class></td>
</tr>
<tr>
<td class>7</td>
<td class>FilePath</td>
<td class>filePath</td>
<td class>C:\Windows\System32\Robocopy.exe</td>
<td class>Available for alerts associated with a file or process. \</td>
<td class></td>
</tr>
<tr>
<td class>8</td>
<td class>UserDomain</td>
<td class>sourceNtDomain</td>
<td class>contoso</td>
<td class>The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
<td class></td>
</tr>
<tr>
<td class>9</td>
<td class>UserName</td>
<td class>sourceUserName</td>
<td class>liz-bean</td>
<td class>The user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
<td class></td>
</tr>
<tr>
<td class>10</td>
<td class>Sha1</td>
<td class>fileHash</td>
<td class>5b4b3985339529be3151d331395f667e1d5b7f35</td>
<td class>Available for alerts associated with a file or process.</td>
<td class></td>
</tr>
<tr>
<td class>11</td>
<td class>Md5</td>
<td class>deviceCustomString5</td>
<td class>55394b85cb5edddff551f6f3faa9d8eb</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>12</td>
<td class>Sha256</td>
<td class>deviceCustomString6</td>
<td class>9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>13</td>
<td class>ThreatName</td>
<td class>eviceCustomString1</td>
<td class>Trojan:Win32/Skeeyah.A!bit</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>14</td>
<td class>IpAddress</td>
<td class>sourceAddress</td>
<td class>218.90.204.141</td>
<td class>Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
<td class></td>
</tr>
<tr>
<td class>15</td>
<td class>Url</td>
<td class>requestUrl</td>
<td class>down.esales360.cn</td>
<td class>Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
<td class></td>
</tr>
<tr>
<td class>16</td>
<td class>RemediationIsSuccess</td>
<td class>deviceCustomNumber2</td>
<td class>TRUE</td>
<td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
<td class></td>
</tr>
<tr>
<td class>17</td>
<td class>WasExecutingWhileDetected</td>
<td class>deviceCustomNumber1</td>
<td class>FALSE</td>
<td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
<td class></td>
</tr>
<tr>
<td class>18</td>
<td class>AlertId</td>
<td class>externalId</td>
<td class>636210704265059241_673569822</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>19</td>
<td class>LinkToWDATP</td>
<td class>flexString1</td>
<td class>`https://securitycenter.windows.com/alert/636210704265059241_673569822`</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>20</td>
<td class>AlertTime</td>
<td class>deviceReceiptTime</td>
<td class>2017-05-07T01:56:59.3191352Z</td>
<td class>The time the activity relevant to the alert occurred. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>21</td>
<td class>MachineDomain</td>
<td class>sourceDnsDomain</td>
<td class>contoso.com</td>
<td class>Domain name not relevant for AAD joined machines. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>22</td>
<td class>Actor</td>
<td class>deviceCustomString4</td>
<td class></td>
<td class>Available for alerts related to a known actor group.</td>
<td class></td>
</tr>
<tr>
<td class>21+5</td>
<td class>ComputerDnsName</td>
<td class>No mapping</td>
<td class>liz-bean.contoso.com</td>
<td class>The machine fully qualified domain name. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>LogOnUsers</td>
<td class>sourceUserId</td>
<td class>contoso\liz-bean; contoso\jay-hardee</td>
<td class>The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.</td>
<td class></td>
</tr>
<tr>
<td class>Internal field</td>
<td class>LastProcessedTimeUtc</td>
<td class>No mapping</td>
<td class>2017-05-07T01:56:58.9936648Z</td>
<td class>Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceVendor</td>
<td class></td>
<td class>Static value in the ArcSight mapping - 'Microsoft'.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceProduct</td>
<td class></td>
<td class>Static value in the ArcSight mapping - 'Windows Defender ATP'.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceVersion</td>
<td class></td>
<td class>Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.</td>
<td class></td>
</tr>
</table>
> [!div class="mx-tableFixed"]
| Portal label | SIEM field name | ArcSight field | Example value | Description |
|------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. |
| 2 | Severity | deviceSeverity | Medium | Value available for every alert. |
| 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. |
| 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Windows Defender ATP. Value available for every alert. |
| 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. |
| 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. |
| 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. |
| 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts. |
| 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Windows Defender ATP behavioral based alerts. |
| 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. |
| 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. |
| 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. |
| 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. |
| 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
| 15 | Url | requestUrl | down.esales360.cn | Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
| 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
| 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
| 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. |
| 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. |
| 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. |
| 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. |
| 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. |
| 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. |
| | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
| | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | |
| | InternalIPv4List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | |
| Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. |
| | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
| | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Windows Defender ATP'. |
| | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions. |
![Image of alert with numbers](images/atp-alert-page.png)
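Review bot: the markdown table carries two typos over from the HTML it replaces and introduces a likely copy-paste error. `| 13 | ThreatName | eviceCustomString1 |` should be `deviceCustomString1` (compare deviceCustomString4/5/6 in the same column; a SIEM mapping keyed on the misspelled name will silently drop the threat name), and `Availabe for alerts associated to network events` on the Url row should be `Available`. The two new rows both labelled `InternalIPv4List` look wrong: the second one holds IPv6 addresses (`fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C`) and presumably should be `InternalIPv6List`, and both rows leave the Description cell empty unlike every other row. The `21+5` Portal label on the ComputerDnsName row is also carried over unchanged and does not correspond to any number in the referenced alert image.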