From f070934bfab9b72ccc771e31cfb7023b4af92fb2 Mon Sep 17 00:00:00 2001 From: maayankislev Date: Mon, 21 May 2018 10:32:40 +0300 Subject: [PATCH] added new columns to doc --- ...ing-reference-windows-defender-advanced-threat-protection.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index 77ffee9999..4510f2dbe7 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md @@ -42,6 +42,7 @@ Use the following table to understand what the columns represent, its data type, | AdditionalFields | string | Additional information about the event in JSON array format. | | AlertId | string | Unique identifier for the alert. | | ComputerName | string | Fully qualified domain name (FQDN) of the machine. | +| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | | EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. | | EventTime | datetime | Date and time when the event was recorded. | | EventType | string | Table where the record is stored. | 
@@ -53,6 +54,7 @@ Use the following table to understand what the columns represent, its data type, | InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. | | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. | | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. | +| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | | InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. | | InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. | | InitiatingProcessFileName | string | Name of the process that initiated the event. |
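Review bot: In the first hunk, the new RemoteComputerName row says the value "could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information", but it does not say what that means for anyone correlating it with ComputerName, which the row above documents as an FQDN. Consider adding a sentence stating that the two columns are not directly comparable and that queries matching on this column should normalize the name first (for example by case and by stripping the domain suffix). Two smaller points: "fully-qualified" is hyphenated here while the ComputerName row writes "Fully qualified", so pick one spelling. The row is also inserted between ComputerName and EventId, which breaks the alphabetical order of the surrounding rows. If the placement is deliberate grouping with ComputerName, that is fine, but it makes the column harder to find in a reference table.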
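Review bot: In the second hunk, the sentence "This identifier is unique on the same machine only between restarts" in the InitiatingProcessLogonId row can be read two ways, and a reader who treats the value as a global key will merge unrelated logon sessions. Suggest rewording to something like "This identifier is unique only on the same machine and only until that machine restarts", and noting that it should be combined with ComputerName and an EventTime range when it is used to group events. The row is also placed between InitiatingProcessAccountSid and InitiatingProcessCommandLine, which breaks the alphabetical order of the visible InitiatingProcess* rows. Keep it there only if grouping it with the account columns is intended.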