Merged PR 8390: Hunting: added new column descriptions to documentation

Hunting: added new column descriptions to documentation - RemoteComputerName and InitiatingProcessLogonId.
Based on PR: https://microsoft.visualstudio.com/DefaultCollection/WDATP/WDATP%20Team/_git/InE/pullrequest/1752154
Maayan Kislev 2018-05-21 12:41:10 +00:00 committed by Patti Short
commit c48940e3ba


@ -42,6 +42,7 @@ Use the following table to understand what the columns represent, its data type,
| AdditionalFields | string | Additional information about the event in JSON array format. | | AdditionalFields | string | Additional information about the event in JSON array format. |
| AlertId | string | Unique identifier for the alert. | | AlertId | string | Unique identifier for the alert. |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine. | | ComputerName | string | Fully qualified domain name (FQDN) of the machine. |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
| EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. | | EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. |
| EventTime | datetime | Date and time when the event was recorded. | | EventTime | datetime | Date and time when the event was recorded. |
| EventType | string | Table where the record is stored. | | EventType | string | Table where the record is stored. |
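Review bot: the new RemoteComputerName row is placed between ComputerName and EventId, which breaks the alphabetical ordering the surrounding rows follow (AdditionalFields, AlertId, ComputerName, EventId, EventTime, EventType); it should sort after the Initiating* rows. The description should also say what the column holds when the event did not involve a remote machine (empty, or absent), since as written a reader may assume ComputerName and RemoteComputerName are always both populated; and because the value may be an FQDN, a NetBIOS name or a bare host name, a sentence noting that it cannot be compared directly against ComputerName (which is documented as an FQDN) without normalisation would help anyone joining on it.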
@ -53,6 +54,7 @@ Use the following table to understand what the columns represent, its data type,
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. | | InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. | | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. | | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. | | InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. | | InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
| InitiatingProcessFileName | string | Name of the process that initiated the event. | | InitiatingProcessFileName | string | Name of the process that initiated the event. |
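Review bot: "This identifier is unique on the same machine only between restarts" is ambiguous about what the uniqueness is scoped to; suggest "The identifier is unique only on the machine that generated it, and only until that machine restarts; the same value can recur on other machines or after a reboot, so pair it with ComputerName (and a time bound) when correlating events." The row is also out of order: InitiatingProcessLogonId is inserted before InitiatingProcessCommandLine, whereas the neighbouring rows are alphabetical (AccountDomain, AccountName, AccountSid, CommandLine, CreationTime, FileName), so it belongs after InitiatingProcessFileName.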