add images and fix table sequence

This commit is contained in:
Joey Caparas
2017-03-20 19:25:52 -07:00
parent 490665af0a
commit da713f7285
4 changed files with 19 additions and 18 deletions


@ -25,30 +25,31 @@ Understand how the SIEM schema maps to the values in the Windows Defender ATP po
Field numbers match the numbers in the images. Field numbers match the numbers in the images.
(BORON image) ![Image of actor profile with numbers](images/atp-actor.png)
![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png) ![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png)
![Image of new alerts with numbers](images/atp-alert-source.png) ![Image of new alerts with numbers](images/atp-alert-source.png)
(INSERT MACHINE TIMELINE WITH REMEDIATION ACTION) ![Image of machine timeline with numbers](images/atp-remediated-alert.png)
![Image of file details](images/atp-file-details.png) ![Image of file details](images/atp-file-details.png)
# SIEM fields and portal mapping # SIEM fields and portal mapping
Portal label | SIEM field name | Description Portal label | SIEM field name | Description
:---|:---|:--- :---|:---|:---
1 | Actor | Actor name 1 | LinkToWDATP | Link back to the alert page in Windows Defender ATP
2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/<alert id>` 2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/<alert id>`
3 | LinkToWDATP | Link back to the alert page in Windows Defender ATP portal | 3 | AlertTitle | Alert title
4 |Severity | Alert severity 4 | Actor | Actor name
5 | AlertTitle | Alert title 5 | AlertTime | Last time the alert was observed
6 | Category | Alert category 6 | Severity | Alert severity
7 | ComputerDnsName| Computer DNS name and machine name 7 | Category | Alert category
8 | IoaDefinitionId | (Internal only) <br><br> ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title. <br><br> **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM. 8 | Status in queue | Alert status in queue
9 | AlertTime | Last time the alert was observed 9 | ComputerDnsName| Computer DNS name and machine name
10 | IoaDefinitionId | (Internal only) <br><br> ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title. <br><br> **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
10 | UserName | The user context relevant to the activity on the machine which triggered the alert. 10 | UserName | The user context relevant to the activity on the machine which triggered the alert.
11 | FileName | File name 11 | FileName | File name
12 | FileHash | Sha1 of file observed 12 | FileHash | Sha1 of file observed
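Review bot: the renumbered table now assigns field number 10 twice, to `IoaDefinitionId` (new line `10 | IoaDefinitionId | (Internal only) ...`) and to `UserName` (`10 | UserName | The user context ...`), so every row from `UserName` onward is off by one relative to the numbered images and the ranges quoted in the note below the table; renumber `UserName` to 11, `FileName` to 12, `FileHash` to 13 and so on through the end of the table, and re-export the numbered screenshots to match. Two smaller points in the same hunk: the new `Status in queue` row puts a label with spaces in the "SIEM field name" column, whereas every other entry is the literal field name (`AlertTitle`, `ComputerDnsName`), so confirm the actual exported field name and use it there; and the `LinkToWDATP` description drops the word "portal" from the old text ("Link back to the alert page in Windows Defender ATP portal"), which reads as a truncation rather than an intended change.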
@ -61,13 +62,13 @@ Portal label | SIEM field name | Description
19 | Source| Alert detection source (Windows Defender AV or Windows Defender ATP) 19 | Source| Alert detection source (Windows Defender AV or Windows Defender ATP)
20 | ThreatCategory| Windows Defender AV threat category 20 | ThreatCategory| Windows Defender AV threat category
21 | ThreatFamily | Windows Defender AV family name 21 | ThreatFamily | Windows Defender AV family name
22 | ThreatName | Windows Defender AV threat name 22 | RemediationAction | Windows Defender AV threat category |
23 | RemediationAction | Windows Defender AV threat category | 23 | WasExecutingWhileDetected | Indicates if a file was running while being detected. (Windows Defender AV field)
24 | RemediationIsSuccess | Indicates if an alert was successfully remediated. (Windows Defender AV field) 24| RemediationIsSuccess | Indicates if an alert was successfully remediated. (Windows Defender AV field)
25 | WasExecutingWhileDetected | Indicates if a file was running while being detected. (Windows Defender AV field) 25 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available)
26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available) 26 | Md5 | Md5 of file observed (when available)
27 | Sha256 | Sha256 of file observed (when available) 27 | Sha256 | Sha256 of file observed (when available)
28 | Md5 | Md5 of file observed (when available) 28 | ThreatName | Windows Defender AV threat name
>[!NOTE] >[!NOTE]
>A single AlertID represents an IOA detection and may contain multiple IOCs. In such a cases, they will be exported to the SIEM tool as multiple instances. For every instance with the same AlertID, fields #1-8 will be identical while fields #9-18 will be different according to the new IOC information. Fields #20-28 are related to Windows Defender AV alerts. >A single AlertID represents an IOA detection and may contain multiple IOCs. In such a cases, they will be exported to the SIEM tool as multiple instances. For every instance with the same AlertID, fields #1-8 will be identical while fields #9-18 will be different according to the new IOC information. Fields #20-28 are related to Windows Defender Antivirus alerts.

Binary file not shown. After: 98 KiB

Binary file not shown. Before: 57 KiB. After: 58 KiB

Binary file not shown. After: 128 KiB