Merged PR 8716: update refs

update refs
Joey Caparas 2018-06-01 22:22:33 +00:00
commit d715a6a114


@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara ms.author: macapara
author: mjcaparas author: mjcaparas
ms.localizationpriority: high ms.localizationpriority: high
ms.date: 04/24/2018 ms.date: 06/01/2018
--- ---
# Advanced hunting reference in Windows Defender ATP # Advanced hunting reference in Windows Defender ATP
@ -35,75 +35,73 @@ Use the following table to understand what the columns represent, its data type,
| Column name | Data type | Description | Column name | Data type | Description
:---|:--- |:--- :---|:--- |:---
| AccountDomain | string | Domain of the account. | | AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account. | | AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account. | | AccountSid | string | Security Identifier (SID) of the account |
| ActionType | string | Type of activity that triggered the event. | | ActionType | string | Type of activity that triggered the event |
| AdditionalFields | string | Additional information about the event in JSON array format. | | AdditionalFields | string | Additional information about the event in JSON array format |
| AlertId | string | Unique identifier for the alert. | | AlertId | string | Unique identifier for the alert |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine. | | ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | | EventTime | datetime | Date and time when the event was recorded |
| EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. | | EventType | string | Table where the record is stored |
| EventTime | datetime | Date and time when the event was recorded. | | FileName | string | Name of the file that the recorded action was applied to |
| EventType | string | Table where the record is stored. | | FileOriginIp | string | IP address where the file was downloaded from |
| FileName | string | Name of the file that the recorded action was applied to. | | FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
| FileOriginIp | string | IP address where the file was downloaded from. | | FileOriginUrl | string | URL where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file. | | FolderPath | string | Folder containing the file that the recorded action was applied to |
| FileOriginUrl | string | URL where the file was downloaded from. | | InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| FolderPath | string | Folder containing the file that the recorded action was applied to. | | InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. | | InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. | | InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. | | InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | | InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. | | InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. | | InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event. | | InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. | | InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event. | | InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. | | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event. | | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started. | | InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event. | | InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event. | | InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event. | | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. | | IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. | | LocalIP | string | IP address assigned to the local machine used during communication |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory. | | LocalPort | int | TCP port on the local machine used during communication |
| LocalIP | string | IP address assigned to the local machine used during communication. | | LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| LocalPort | int | TCP port on the local machine used during communication. | | LogonType | string | Type of logon session, specifically: <br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen.<br> <br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients. <br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed. <br><br> - **Batch** - Session initiated by scheduled tasks. <br><br> - **Service** - Session initiated by services as they start. <br>
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format. | | MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| LogonType | string | Type of logon session, specifically: <br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen.<br> <br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients. <br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed. <br><br> - **Batch** - Session initiated by scheduled tasks. <br><br> - **Service** - Session initiated by services as they start. <br> | MachineId | string | Unique identifier for the machine in the service |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. | | MD5 | string | MD5 hash of the file that the recorded action was applied to |
| MachineId | string | Unique identifier for the machine in the service. | | NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format |
| MD5 | string | MD5 hash of the file that the recorded action was applied to. | | OSArchitecture | string | Architecture of the operating system running on the machine |
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format. | | OSBuild | string | Build version of the operating system running on the machine |
| OSArchitecture | string | Architecture of the operating system running on the machine. | | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| OSBuild | string | Build version of the operating system running on the machine. | | PreviousRegistryKey | string | Original registry key of the registry value before it was modified |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | | PreviousRegistryValueData | string | Original data of the registry value before it was modified |
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified. | | PreviousRegistryValueName | string | Original name of the registry value before it was modified |
| PreviousRegistryValueData | string | Original data of the registry value before it was modified. | | PreviousRegistryValueType | string | Original data type of the registry value before it was modified |
| PreviousRegistryValueName | string | Original name of the registry value before it was modified. | | ProcessCommandline | string | Command line used to create the new process |
| PreviousRegistryValueType | string | Original data type of the registry value before it was modified. | | ProcessCreationTime | datetime | Date and time the process was created |
| ProcessCommandline | string | Command line used to create the new process. | | ProcessId | int | Process ID (PID) of the newly created process |
| ProcessCreationTime | datetime | Date and time the process was created. | | ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
| ProcessId | int | Process ID (PID) of the newly created process. | | ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | | ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. | | RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | |
| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log. | | RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryKey | string | Registry key that the recorded action was applied to. | | RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. | | RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. | | RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to. | | RemoteIP | string | IP address that was being connected to |
| RemoteIP | string | IP address that was being connected to. | | RemotePort | int | TCP port on the remote device that was being connected to |
| RemotePort | int | TCP port on the remote device that was being connected to. | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. | | SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| ReportIndex | long | Event identifier that is unique among the same event type. | | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to. | | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
## Related topic ## Related topic
- [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) - [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) - [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
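Review bot: Two rows in the rewritten table are out of the alphabetical order the rest of the table follows, and one of them is malformed. RemoteComputerName now sits between ProviderId and RegistryKey and its row ends with a stray empty cell ("... a host name without domain information. | |"), which renders as an extra column; it belongs after RegistryValueType and before RemoteIP, with the trailing "| |" dropped. ReportId (the renamed ReportIndex) is placed between SHA1 and SHA256 but should come after RemoteUrl and before SHA1. The ProcessIntegrityLevel description also carries over the old typo "launched from an internet downloaded" (the InitiatingProcessIntegrityLevel row has the correct "internet download"). Finally, the EventId row (int, ETW event type identifier) is removed in this hunk but the commit message only says "update refs"; please confirm the removal is intentional and mention it in the message.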