diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md index 29f873260a..5745d3864d 100644 --- a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -25,30 +25,31 @@ Understand how the SIEM schema maps to the values in the Windows Defender ATP po Field numbers match the numbers in the images. -(BORON image) +![Image of actor profile with numbers](images/atp-actor.png) ![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png) ![Image of new alerts with numbers](images/atp-alert-source.png) -(INSERT MACHINE TIMELINE WITH REMEDIATION ACTION) +![Image of machine timeline with numbers](images/atp-remediated-alert.png) ![Image of file details](images/atp-file-details.png) # SIEM fields and portal mapping -Portal label | SIEM field name | Description +Portal label | SIEM field name | Description :---|:---|:--- -1 | Actor | Actor name +1 | LinkToWDATP | Link back to the alert page in Windows Defender ATP 2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/` -3 | LinkToWDATP | Link back to the alert page in Windows Defender ATP portal | -4 |Severity | Alert severity -5 | AlertTitle | Alert title -6 | Category | Alert category -7 | ComputerDnsName| Computer DNS name and machine name -8 | IoaDefinitionId | (Internal only)

ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title.

**Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM. -9 | AlertTime | Last time the alert was observed +3 | AlertTitle | Alert title +4 | Actor | Actor name +5 | AlertTime | Last time the alert was observed +6 | Severity | Alert severity +7 | Category | Alert category +8 | Status in queue | Alert status in queue +9 | ComputerDnsName| Computer DNS name and machine name +10 | IoaDefinitionId | (Internal only)

ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title.

**Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM. 10 | UserName | The user context relevant to the activity on the machine which triggered the alert. 11 | FileName | File name 12 | FileHash | Sha1 of file observed 
@@ -61,13 +62,13 @@ Portal label | SIEM field name | Description 19 | Source| Alert detection source (Windows Defender AV or Windows Defender ATP) 20 | ThreatCategory| Windows Defender AV threat category 21 | ThreatFamily | Windows Defender AV family name -22 | ThreatName | Windows Defender AV threat name -23 | RemediationAction | Windows Defender AV threat category | -24 | RemediationIsSuccess | Indicates if an alert was successfully remediated. (Windows Defender AV field) -25 | WasExecutingWhileDetected | Indicates if a file was running while being detected. (Windows Defender AV field) -26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available) +22 | RemediationAction | Windows Defender AV threat category | +23 | WasExecutingWhileDetected | Indicates if a file was running while being detected. (Windows Defender AV field) +24| RemediationIsSuccess | Indicates if an alert was successfully remediated. (Windows Defender AV field) +25 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available) +26 | Md5 | Md5 of file observed (when available) 27 | Sha256 | Sha256 of file observed (when available) -28 | Md5 | Md5 of file observed (when available) +28 | ThreatName | Windows Defender AV threat name >[!NOTE] ->A single AlertID represents an IOA detection and may contain multiple IOCs. In such a cases, they will be exported to the SIEM tool as multiple instances. For every instance with the same AlertID, fields #1-8 will be identical while fields #9-18 will be different according to the new IOC information. Fields #20-28 are related to Windows Defender AV alerts. +>A single AlertID represents an IOA detection and may contain multiple IOCs. In such a cases, they will be exported to the SIEM tool as multiple instances. For every instance with the same AlertID, fields #1-8 will be identical while fields #9-18 will be different according to the new IOC information. 
Fields #20-28 are related to Windows Defender Antivirus alerts. diff --git a/windows/keep-secure/images/atp-actor.png b/windows/keep-secure/images/atp-actor.png new file mode 100644 index 0000000000..dc9c9dd6fc Binary files /dev/null and b/windows/keep-secure/images/atp-actor.png differ diff --git a/windows/keep-secure/images/atp-file-details.png b/windows/keep-secure/images/atp-file-details.png index c6d9f0d76d..0a7601f1c5 100644 Binary files a/windows/keep-secure/images/atp-file-details.png and b/windows/keep-secure/images/atp-file-details.png differ diff --git a/windows/keep-secure/images/atp-remediated-alert.png b/windows/keep-secure/images/atp-remediated-alert.png new file mode 100644 index 0000000000..70f5d527d0 Binary files /dev/null and b/windows/keep-secure/images/atp-remediated-alert.png differ
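Review bot: in the first hunk (@@ -25,30), the renumbered table ends up with two rows numbered 10: the new line `+10 | IoaDefinitionId | (Internal only)` is immediately followed by the unchanged line `10 | UserName | The user context ...`, and the unchanged rows after it (`11 | FileName`, `12 | FileHash`, ...) keep their old numbers, so everything from UserName onward is off by one against the new numbering and against the numbered screenshots the page says the field numbers match. Renumber the remaining rows in this same change (UserName to 11, FileName to 12, and so on through the end of the table) so the "Field numbers match the numbers in the images" statement stays true. Minor: the `-Portal label | SIEM field name | Description` / `+Portal label | SIEM field name | Description` pair differs only in trailing whitespace and can be dropped from the diff.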
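Review bot: in the second hunk (@@ -61,13), `+22 | RemediationAction | Windows Defender AV threat category |` carries over the defective description from the old `-23` row: it is word for word the ThreatCategory description and says nothing about the remediation action, and it has a stray trailing `|`. Give the row a description of the action the AV took and drop the extra pipe. Style: `+24| RemediationIsSuccess` is missing the space after the number. The rewritten note still reads "In such a cases" and still says fields #1-8 are identical while #9-18 vary per IOC, but those ranges were written against the old numbering (AlertTime moved from #9 to #5, IoaDefinitionId from #8 to #10, and a new `Status in queue` row was inserted at #8), so they need to be re-checked against the renumbered table. Finally, the sentence "Fields #20-28 are related to Windows Defender Antivirus alerts." now sits on its own line without the `>` prefix, so it will render outside the `[!NOTE]` callout; prefix it with `>` or keep it on the quoted line.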