mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 21:37:22 +00:00
Merge branch 'master' into mdatp-seccon-mgmt-lomayor
This commit is contained in:
lomayor
commit
ba3f68df93
@ -104,7 +104,20 @@
|
||||
### [Advanced hunting]()
|
||||
#### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
|
||||
#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
|
||||
##### [Advanced hunting reference](microsoft-defender-atp/advanced-hunting-reference.md)
|
||||
|
||||
##### [Advanced hunting schema reference]()
|
||||
###### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
|
||||
###### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
|
||||
###### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
|
||||
###### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
|
||||
###### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
|
||||
###### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
|
||||
###### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
|
||||
###### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
|
||||
###### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
|
||||
###### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
|
||||
###### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
|
||||
|
||||
##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
|
||||
|
||||
#### [Custom detections]()
|
||||
|
||||
@ -0,0 +1,54 @@
|
||||
---
|
||||
title: AlertEvents table in the advanced hunting schema
|
||||
description: Learn about the AlertEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, alertevent
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: v-maave
|
||||
author: martyav
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 07/24/2019
|
||||
---
|
||||
|
||||
# AlertEvents
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| AlertId | string | Unique identifier for the alert |
|
||||
| EventTime | datetime | Date and time when the event was recorded |
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
|
||||
| Category | string | Type of threat indicator or breach activity identified by the alert |
|
||||
| Title | string | Title of the alert |
|
||||
| FileName | string | Name of the file that the recorded action was applied to |
|
||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
||||
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
||||
| RemoteIP | string | IP address that was being connected to |
|
||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
|
||||
| Table | string | Table that contains the details of the event |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -0,0 +1,73 @@
|
||||
---
|
||||
title: FileCreationEvents table in the Advanced hunting schema
|
||||
description: Learn about the FileCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, filecreationevents
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: v-maave
|
||||
author: martyav
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 07/24/2019
|
||||
---
|
||||
|
||||
# FileCreationEvents
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| EventTime | datetime | Date and time when the event was recorded |
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| ActionType | string | Type of activity that triggered the event |
|
||||
| FileName | string | Name of the file that the recorded action was applied to |
|
||||
| FolderPath | string | Folder containing the file that the recorded action was applied to |
|
||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
|
||||
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
|
||||
| FileOriginUrl | string | URL where the file was downloaded from |
|
||||
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
|
||||
| FileOriginIP | string | IP address where the file was downloaded from |
|
||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
|
||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
|
||||
| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
|
||||
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -0,0 +1,66 @@
|
||||
---
|
||||
title: ImageLoadEvents table in the Advanced hunting schema
|
||||
description: Learn about the ImageLoadEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, imageloadevents
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: v-maave
|
||||
author: martyav
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 07/24/2019
|
||||
---
|
||||
|
||||
# ImageLoadEvents
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| EventTime | datetime | Date and time when the event was recorded |
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| ActionType | string | Type of activity that triggered the event |
|
||||
| FileName | string | Name of the file that the recorded action was applied to |
|
||||
| FolderPath | string | Folder containing the file that the recorded action was applied to |
|
||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
||||
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
|
||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
|
||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -0,0 +1,74 @@
|
||||
---
|
||||
title: LogonEvents table in the Advanced hunting schema
|
||||
description: Learn about the LogonEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, logonevents
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: v-maave
|
||||
author: martyav
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 07/24/2019
|
||||
---
|
||||
|
||||
# LogonEvents
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| EventTime | datetime | Date and time when the event was recorded |
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| ActionType | string |Type of activity that triggered the event |
|
||||
| AccountDomain | string | Domain of the account |
|
||||
| AccountName | string | User name of the account |
|
||||
| AccountSid | string | Security Identifier (SID) of the account |
|
||||
| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
|
||||
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
|
||||
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
|
||||
| RemoteIP | string | IP address that was being connected to |
|
||||
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
|
||||
| RemotePort | int | TCP port on the remote device that was being connected to |
|
||||
| AdditionalFields | string | Additional information about the event in JSON array format |
|
||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
||||
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
|
||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
|
||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||
| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -0,0 +1,55 @@
|
||||
---
|
||||
title: MachineInfo table in the Advanced hunting schema
|
||||
description: Learn about the MachineInfo table in the Advanced hunting schema, such as column names, data types, and descriptions
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machineinfo
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: v-maave
|
||||
author: martyav
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 07/24/2019
|
||||
---
|
||||
|
||||
# MachineInfo
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| EventTime | datetime | Date and time when the event was recorded |
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
|
||||
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
|
||||
| OSArchitecture | string | Architecture of the operating system running on the machine |
|
||||
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
|
||||
| OSBuild | string | Build version of the operating system running on the machine |
|
||||
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
|
||||
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
|
||||
| RegistryMachineTag | string | Machine tag added through the registry |
|
||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
|
||||
| OSVersion | string | Version of the operating system running on the machine |
|
||||
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -0,0 +1,56 @@
|
||||
---
|
||||
title: MachineNetworkInfo table in the Advanced hunting schema
|
||||
description: Learn about the MachineNetworkInfo table in the Advanced hunting schema, such as column names, data types, and descriptions
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machinenetworkinfo
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: v-maave
|
||||
author: martyav
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 07/24/2019
|
||||
---
|
||||
|
||||
# MachineNetworkInfo
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| EventTime | datetime | Date and time when the event was recorded |
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
|
||||
| NetworkAdapterName | string | Name of the network adapter |
|
||||
| MacAddress | string | MAC address of the network adapter |
|
||||
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
|
||||
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
|
||||
| TunnelType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
|
||||
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
|
||||
| DnsAddresses | string | DNS server addresses in JSON array format |
|
||||
| IPv4Dhcp | string | IPv4 address of DHCP server |
|
||||
| IPv6Dhcp | string | IPv6 address of DHCP server |
|
||||
| DefaultGateways | string | Default gateway addresses in JSON array format |
|
||||
| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -0,0 +1,87 @@
|
||||
---
|
||||
title: MiscEvents table in the advanced hunting schema
|
||||
description: Learn about the MiscEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, miscEvents
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: v-maave
|
||||
author: martyav
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 07/24/2019
|
||||
---
|
||||
|
||||
# MiscEvents
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| EventTime | datetime | Date and time when the event was recorded |
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| ActionType | string | Type of activity that triggered the event |
|
||||
| FileName | string | Name of the file that the recorded action was applied to |
|
||||
| FolderPath | string | Folder containing the file that the recorded action was applied to |
|
||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
|
||||
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
|
||||
| AccountDomain | string | Domain of the account |
|
||||
| AccountName |string | User name of the account |
|
||||
| AccountSid | string | Security Identifier (SID) of the account |
|
||||
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
||||
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
|
||||
| ProcessId | int | Process ID (PID) of the newly created process |
|
||||
| ProcessCommandLine | string | Command line used to create the new process |
|
||||
| ProcessCreationTime | datetime | Date and time the process was created |
|
||||
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
|
||||
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
|
||||
| RegistryKey | string | Registry key that the recorded action was applied to |
|
||||
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
|
||||
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
|
||||
| RemoteIP | string | IP address that was being connected to |
|
||||
| RemotePort | int | TCP port on the remote device that was being connected to |
|
||||
| LocalIP | string | IP address assigned to the local machine used during communication |
|
||||
| LocalPort | int | TCP port on the local machine used during communication |
|
||||
| FileOriginUrl | string | URL where the file was downloaded from |
|
||||
| FileOriginIP | string | IP address where the file was downloaded from |
|
||||
| AdditionalFields | string | Additional information about the event in JSON array format |
|
||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
||||
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
|
||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
|
||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
|
||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -0,0 +1,70 @@
|
||||
---
|
||||
title: NetworkCommunicationEvents table in the Advanced hunting schema
|
||||
description: Learn about the NetworkCommunicationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, networkcommunicationevents
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: v-maave
|
||||
author: martyav
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 07/24/2019
|
||||
---
|
||||
|
||||
# NetworkCommunicationEvents
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| EventTime | datetime | Date and time when the event was recorded |
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| ActionType | string | Type of activity that triggered the event |
|
||||
| RemoteIP | string | IP address that was being connected to |
|
||||
| RemotePort | int | TCP port on the remote device that was being connected to |
|
||||
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
||||
| LocalIP | string | IP address assigned to the local machine used during communication |
|
||||
| LocalPort | int | TCP port on the local machine used during communication |
|
||||
| Protocol | string | IP protocol used, whether TCP or UDP |
|
||||
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
|
||||
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
|
||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
|
||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -0,0 +1,78 @@
|
||||
---
|
||||
title: ProcessCreationEvents table in the Advanced hunting schema
|
||||
description: Learn about the ProcessCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, processcreationevents
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: v-maave
|
||||
author: martyav
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 07/24/2019
|
||||
---
|
||||
|
||||
# ProcessCreationEvents
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| EventTime | datetime | Date and time when the event was recorded |
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| ActionType | string | Type of activity that triggered the event |
|
||||
| FileName | string | Name of the file that the recorded action was applied to |
|
||||
| FolderPath | string | Folder containing the file that the recorded action was applied to |
|
||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
|
||||
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
|
||||
| ProcessId | int | Process ID (PID) of the newly created process |
|
||||
| ProcessCommandLine | string | Command line used to create the new process |
|
||||
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
|
||||
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
|
||||
| ProcessCreationTime | datetime | Date and time the process was created |
|
||||
| AccountDomain | string | Domain of the account |
|
||||
| AccountName | string | User name of the account |
|
||||
| AccountSid | string | Security Identifier (SID) of the account |
|
||||
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
|
||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
|
||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
||||
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
|
||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
|
||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Advanced hunting reference in Microsoft Defender ATP
|
||||
description: Learn about Advanced hunting table reference such as column name, data type, and description
|
||||
title: Advanced hunting schema reference
|
||||
description: Learn about the tables in the advanced hunting schema
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
@ -15,7 +15,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 06/01/2018
|
||||
ms.date: 07/24/2019
|
||||
---
|
||||
|
||||
# Advanced hunting reference in Microsoft Defender ATP
|
||||
@ -26,101 +26,28 @@ ms.date: 06/01/2018
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
## Advanced hunting column reference
|
||||
To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting schema. The following table lists all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen.
|
||||
## Advanced hunting table reference
|
||||
|
||||
| Column name | Data type | Description
|
||||
:---|:--- |:---
|
||||
| AccountDomain | string | Domain of the account |
|
||||
| AccountName | string | User name of the account |
|
||||
| AccountSid | string | Security Identifier (SID) of the account |
|
||||
| ActionType | string | Type of activity that triggered the event |
|
||||
| AdditionalFields | string | Additional information about the event in JSON array format |
|
||||
| AlertId | string | Unique identifier for the alert |
|
||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||
| Category | string | Type of threat indicator or breach activity identified by the alert |
|
||||
| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. |
|
||||
| DefaultGateways | string | Default gateway addresses in JSON array format |
|
||||
| DnsAddresses | string | DNS server addresses in JSON array format |
|
||||
| EventTime | datetime | Date and time when the event was recorded |
|
||||
| FileName | string | Name of the file that the recorded action was applied to |
|
||||
| FileOriginIp | string | IP address where the file was downloaded from |
|
||||
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
|
||||
| FileOriginUrl | string | URL where the file was downloaded from |
|
||||
| FolderPath | string | Folder containing the file that the recorded action was applied to |
|
||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
|
||||
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
|
||||
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event |
|
||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event |
|
||||
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. |
|
||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||
| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
|
||||
| Ipv4Dhcp | string | IPv4 address of DHCP server |
|
||||
| Ipv6Dhcp | string | IPv6 address of DHCP server |
|
||||
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
|
||||
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
|
||||
| LocalIP | string | IP address assigned to the local machine used during communication |
|
||||
| LocalPort | int | TCP port on the local machine used during communication |
|
||||
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
|
||||
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
|
||||
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
|
||||
| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br>
|
||||
| MacAddress | string | MAC address of the network adapter |
|
||||
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
|
||||
| NetworkAdapterName | string | Name of the network adapter |
|
||||
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). |
|
||||
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). |
|
||||
| OSArchitecture | string | Architecture of the operating system running on the machine |
|
||||
| OSBuild | string | Build version of the operating system running on the machine |
|
||||
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
|
||||
| OsVersion | string | Version of the operating system running on the machine |
|
||||
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified |
|
||||
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
|
||||
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
|
||||
| PreviousRegistryValueType | string | Original data type of the registry value before it was modified |
|
||||
| ProcessCommandline | string | Command line used to create the new process |
|
||||
| ProcessCreationTime | datetime | Date and time the process was created |
|
||||
| ProcessId | int | Process ID (PID) of the newly created process |
|
||||
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
|
||||
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
|
||||
| Protocol | string | IP protocol used, whether TCP or UDP |
|
||||
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. |
|
||||
| RegistryKey | string | Registry key that the recorded action was applied to |
|
||||
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
|
||||
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
|
||||
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
|
||||
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
|
||||
| RemoteIP | string | IP address that was being connected to |
|
||||
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
|
||||
| RemotePort | int | TCP port on the remote device that was being connected to |
|
||||
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
|
||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
|
||||
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
|
||||
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
|
||||
| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
|
||||
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
|
||||
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
|
||||
| RegistryMachineTag | string | Machine tag added through the registry |
|
||||
| Table | string | Table that contains the details of the event |
|
||||
| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
|
||||
The Advanced hunting schema is made up of multiple tables that provide either event information or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
|
||||
The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
|
||||
|
||||
Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen.
|
||||
|
||||
| Table name | Description |
|
||||
|------------|-------------|
|
||||
| **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center |
|
||||
| **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information |
|
||||
| **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
|
||||
| **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events |
|
||||
| **[NetworkCommunicationEvents](advanced-hunting-networkcommunicationevents-table.md)** | Network connection and related events |
|
||||
| **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events |
|
||||
| **[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries |
|
||||
| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
|
||||
| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
|
||||
| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
- [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
|
||||
- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md)
|
||||
|
||||
@ -0,0 +1,68 @@
|
||||
---
|
||||
title: RegistryEvents table in the Advanced hunting schema
|
||||
description: Learn about the RegistryEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
|
||||
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, registryevents
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: v-maave
|
||||
author: martyav
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 07/24/2019
|
||||
---
|
||||
|
||||
# RegistryEvents
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
|
||||
|
||||
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| EventTime | datetime | Date and time when the event was recorded |
|
||||
| MachineId | string | Unique identifier for the machine in the service |
|
||||
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
|
||||
| ActionType | string | Type of activity that triggered the event |
|
||||
| RegistryKey | string | Registry key that the recorded action was applied to |
|
||||
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
|
||||
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
|
||||
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
|
||||
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
|
||||
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
|
||||
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
|
||||
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
|
||||
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
|
||||
| InitiatingProcessFileName | string | Name of the process that initiated the event |
|
||||
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
|
||||
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
|
||||
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
|
||||
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
|
||||
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
|
||||
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
|
||||
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
|
||||
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
|
||||
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
|
||||
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](overview-hunting.md)
|
||||
- [All Advanced hunting tables](advanced-hunting-reference.md)
|
||||
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
|
||||
- [Query data using Advanced hunting](advanced-hunting.md)
|
||||
Loading…
x
Reference in New Issue
Block a user