diff --git a/windows/keep-secure/images/atp-alert-source.png b/windows/keep-secure/images/atp-alert-source.png new file mode 100644 index 0000000000..a52a00d9b9 Binary files /dev/null and b/windows/keep-secure/images/atp-alert-source.png differ diff --git a/windows/keep-secure/images/atp-alert-timeline-numbered.png b/windows/keep-secure/images/atp-alert-timeline-numbered.png new file mode 100644 index 0000000000..e654a285ba Binary files /dev/null and b/windows/keep-secure/images/atp-alert-timeline-numbered.png differ diff --git a/windows/keep-secure/images/atp-file-details.png b/windows/keep-secure/images/atp-file-details.png new file mode 100644 index 0000000000..c6d9f0d76d Binary files /dev/null and b/windows/keep-secure/images/atp-file-details.png differ diff --git a/windows/keep-secure/images/atp-machine-details-view.png.pdf b/windows/keep-secure/images/atp-machine-details-view.png.pdf deleted file mode 100644 index 6f018827bb..0000000000 Binary files a/windows/keep-secure/images/atp-machine-details-view.png.pdf and /dev/null differ diff --git a/windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md index 56b90de444..7f31afcf8e 100644 --- a/windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Security information and events management (SIEM) schema and portal mapping -description: Get alerts from the Windows Defender ATP portal REST API. +description: Understand how the SIEM schema maps to the values in the Windows Defender ATP portal. keywords: alerts, get alerts, rest api, request, response, search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Get Windows Defender ATP alerts using REST API +# SIEM schema and portal mapping **Applies to:** @@ -20,3 +20,53 @@ localizationpriority: high - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Understand how the SIEM schema maps to the values in the Windows Defender ATP portal. + +Field numbers match the numbers in the images. + +(BORON image) + +![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png) + +![Image of new alerts with numbers](images/atp-alert-source.png) + +(INSERT MACHINE TIMELINE WITH REMEDIATION ACTION) + +![Image of file details](images/atp-file-details.png) + + +# SIEM field name Description Matching field in the portal + +Image label | SIEM field name | Description | Matching field in portal +:---|:---|:---|:--- +1 | Actor | Actor name when available or null | Actor in alert page +2 | Alert ID | Alert id in WDATP | Alert id is visible in the link: `https://securitycenter.windows.com/alert/` +3 | LinkToWDATP | Link back to the alert page in WDATP portal || +4 |Severity | High / Medium / Low / Informational | Severity in alert page +5 | AlertTitle | Title | Alert title in alert page +6 | Category | How the alert was categorized | Category on alert page +7 | ComputerDnsName| Computer DNS name (or GUID if machine has no reported DNS name)| Machine name in alert page +8 | IoaDefinitionId | ID for which IOA (Indication of attack) this alert belongs to. **Note**: This is an internal ID of the rule which triggers the alert, provided as it can be used for aggregations in the SIEM. | Internal field (usually correlates with the title) +9 | AlertTime | Last time the alert was observed | Last Observed in alert page +10 | UserName | The user context relevant to the activity on the machine which trigger the alert | Not yet populated +11 | FileName | File name |Related file name +12 | FileHash | Sha1 of file observed | File Sha1 in alert timeline +13 | FilePath | File path | File path in alert timeline +14 | IpAddress | IP IOC | IP in alert timeline (when relevant) +15 | Url | Url IOC | URL in alert timeline (when relevant) +16 | FullId | Unique ID for each combination of IOC + Alert ID. Enables to apply dedup logic in the SIEM. | Internal field +17 | AlertPart | Alerts which contains multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter enables to reconstruct the alerts in the SIEM. | Internal field +18 | LastProccesedTimeUtc | Time the alert was last processed in Seville| Internal field +19 | Source| Windows Defender AV/Windows Defender ATP +20 | ThreatCategory| Windows Defender AV threat category | Windows Defender AV field +21 | ThreatFamily | Windows Defender AV family | Windows Defender AV field +22 | ThreatName | Windows Defender AV threat name | Windows Defender AV field +23 | RemediationAction | Windows Defender AV threat category | Windows Defender AV field +24 | RemediationIsSuccess | True/False | Windows Defender AV field +25 | WasExecutingWhileDetected | True/False | Windows Defender AV field +26 | Sha1 | Sha1 of file observed File Sha1 in alert timeline and in file side pane (when available) +27 | Sha256 | Sha256 of file observed | File Sha256 in file side pane (when available) +28 | Md5 | Md5 of file observed | File Md5 in file side pane (when available) + +>[!NOTE] A single AlertID represents an IOA detection and may contain multiple IOCs. In such a cases, they will be exported to the SIEM tool as multiple instances. For every instance with the same AlertID, fields #1-8 will be identical while fields #9-18 will be different according to the new IOC information. Fields #20-28 are related to Windows Defender AV alerts.