deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 07:17:24 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs3' into jd3csp

Browse Source
This commit is contained in:
jdeckerMS 2017-09-18 08:28:16 -07:00
commit f0d6ac748b
8 changed files with 224 additions and 237 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
education/windows/change-history-edu.md
View File

@ -15,6 +15,12 @@ ms.date: 08/01/2017
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
## September 2017
| New or changed topic | Description |
| --- | ---- |
| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated the prerequisites to provide more clarification. |
## August 2017
| New or changed topic | Description |

7
education/windows/use-set-up-school-pcs-app.md
View File

@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 08/01/2017
ms.date: 09/18/2017
---
# Use the Set up School PCs app
@ -103,7 +103,10 @@ You can watch the descriptive audio version here: [Microsoft Education: Use the
- [Download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40).
- Install the app on your work PC and make sure you're connected to your school's network.
- You must be an administrator on Office 365 and Azure Active Directory, and have Microsoft Store for Education configured. It's best if you sign up for and configure Intune for Education before using the Set up School PCs app.
- You must have Office 365 and Azure Active Directory.
- You must have the Microsoft Store for Education configured.
- You must be a global admin, store admin, or purchaser in the Microsoft Store for Education.
- It's best if you sign up for and [configure Intune for Education](../get-started/use-intune-for-education.md) before using the Set up School PCs app.
- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office.
## Set up School PCs step-by-step

1
windows/application-management/TOC.md
View File

@ -101,5 +101,6 @@
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
## [Service Host process refactoring](svchost-service-refactoring.md)
## [Per-user services in Windows](per-user-services-in-windows.md)
## [Understand apps in Windows 10](apps-in-windows-10.md)
## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
## [Change history for Application management](change-history-for-application-management.md)

153
windows/application-management/apps-in-windows-10.md Normal file
View File

@ -0,0 +1,153 @@
---
title: Windows 10 - Apps
description: What are Windows, UWP, and Win32 apps
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
ms.author: elizapo
author: lizap
ms.localizationpriority: low
ms.date: 09/15/2017
---
# Understand the different apps included in Windows 10
The following types of apps run on Windows 10:
- Windows apps - introduced in Windows 8, primarily installed from the Store app.
- Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps.
- "Win32" apps - traditional Windows applications, built for 32-bit systems.
Digging into the Windows apps, there are two categories:
- System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS.
- Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps:
- Provisioned: Installed the first time you sign into Windows. You'll see a tile or Start menu item for these apps, but they aren't installed until the first sign-in.
- Installed: Installed as part of the OS.
The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1511, 1607, and 1703, and indicate whether an app can be uninstalled through the UI.
Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running.
> [!TIP]
> Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet:
> ```powershell
> Get-AppxPackage |Select Name,PackageFamilyName
> Get-AppsProvisionedPackage -Online | select DisplayName,PackageName
> ```
## System apps
System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1511, 1607, and 1703.
| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? |
|------------------|-------------------------------------------|------|------|------|--------------------------------------------------------|
| Cortana UI | CortanaListenUIApp | | | x | No |
| | Desktop Learning | | | x | No |
| | DesktopView | | | x | No |
| | EnvironmentsApp | | | x | No |
| Mixed Reality + | HoloCamera | | | x | No |
| Mixed Reality + | HoloItemPlayerApp | | | x | No |
| Mixed Reality + | HoloShell | | | x | No |
| | Microsoft.AAD.Broker.Plugin | x | x | x | No |
| | Microsoft.AccountsControl | x | x | x | No |
| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No |
| | Microsoft.CredDialogHost | | | x | No |
| | Microsoft.LockApp | x | x | x | No |
| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x | No |
| | Microsoft.PPIProjection | | x | x | No |
| | Microsoft.Windows. Apprep.ChxApp | | x | x | No |
| | Microsoft.Windows. AssignedAccessLockApp | x | x | x | No |
| | Microsoft.Windows. CloudExperienceHost | x | x | x | No |
| | Microsoft.Windows. ContentDeliveryManager | x | x | x | No |
| Cortana | Microsoft.Windows.Cortana | x | x | x | No |
| | Microsoft.Windows. Holographic.FirstRun | | | x | No |
| | Microsoft.Windows. ModalSharePickerHost | | | x | No |
| | Microsoft.Windows. OOBENetworkCaptivePort | | | x | No |
| | Microsoft.Windows. OOBENetworkConnection | | | x | No |
| | Microsoft.Windows. ParentalControls | x | x | x | No |
| | Microsoft.Windows. SecHealthUI | | | x | No |
| | Microsoft.Windows. SecondaryTileExperience | x | x | x | No |
| | Microsoft.Windows. SecureAssessmentBrowser | | x | x | No |
| Start | Microsoft.Windows. ShellExperienceHost | x | x | x | No |
| Windows Feedback | Microsoft.WindowsFeedback | x | * | * | No |
| | Microsoft.XboxGameCallableUI | x | x | x | No |
| Xbox logon UI | Microsoft.XboxIdentityProvider | x | | | No |
| Contact Support | Windows.ContactSupport | x | x* | x* | In 1511, no.* |
| | Windows.Devicesflow | x | | | No |
| Settings | Windows.ImmersiveControlPanel | x | x | x | No |
| Connect | Windows.MiracastView | x | x | x | No |
| Print UI | Windows.PrintDialog | x | x | x | No |
| Purchase UI | Windows.PurchaseDialog | x | | | No |
> [!NOTE]
> - The Windows Feedback app changed to the Windows Feedback Hub in version 1607. It's listed in the installed apps table below.
> - As of Windows 10 version 1607, you can use the Optional Features app to uninstall the Contact Support app.
## Installed Windows apps
Here are the typical installed Windows apps in Windows 10 versions 1511, 1607, and 1703.
| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? |
|--------------------|-----------------------------------------|------|------|------|---------------------------|
| Remote Desktop | Microsoft.RemoteDesktop | | x | x | Yes |
| PowerBI | Microsoft.Microsoft PowerBIforWindows | | x | x | Yes |
| Candy Crush | king.com.CandyCrushSodaSaga | x | | | Yes |
| Code Writer | ActiproSoftwareLLC.562882FEEB491 | | x | x | Yes |
| Eclipse Manager | 46928bounde.EclipseManager | | x | x | Yes |
| Pandora | PandoraMediaInc.29680B314EFC2 | | x | x | Yes |
| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | | x | x | Yes |
| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | | | x | Yes |
| Network Speed Test | Microsoft.NetworkSpeedTest | | x | x | Yes |
| Paid Wi-FI | | x | | | Yes |
| Skype Video | | x | | | Yes |
| Twitter | | x | | | Yes |
| PicArts | | x | | | Yes |
| Minecraft | | x | | | Yes |
| Flipboard | | x | | | Yes |
## Provisioned Windows apps
Here are the typical provisioned Windows apps in Windows 10 versions 1511, 1607, and 1703.
| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? |
|---------------------------------|----------------------------------------|------|------|------|---------------------------|
| 3D Builder | Microsoft.3DBuilder | x | | x | Yes |
| App Connector | Microsoft.Appconnector | x | | | Yes, through Settings app |
| Money | Microsoft.BingFinance | x | | | Yes |
| News | Microsoft.BingNews | x | * | * | Yes |
| Sports | Microsoft.BingSports | x | | | Yes |
| Weather | Microsoft.BingWeather | x | x | x | No |
| Phone Companion | Microsoft.CommsPhone | x | | | Yes |
| | Microsoft.ConnectivityStore | x | | | No |
| | Microsoft.DesktopAppInstaller | | x | x | Yes, through Settings app |
| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes |
| Messaging | Microsoft.Messaging | x | x | x | No |
| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | | | x | No |
| Get Office | Microsoft.MicrosoftOfficeHub | x | x | x | Yes |
| Solitaire | Microsoft.Microsoft SolitaireCollection | x | x | x | Yes |
| Sticky Notes | Microsoft.MicrosoftStickyNotes | | x | x | No |
| OneNote | Microsoft.Office.OneNote | x | x | x | No |
| Sway | Microsoft.Office.Sway | x | * | * | Yes |
| | Microsoft.OneConnect | | x | x | No |
| Paint 3D | Microsoft.MSPaint | | | x | No |
| People | Microsoft.People | x | x | x | No |
| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes |
| | Microsoft.StorePurchaseApp | | x | x | No |
| | Microsoft.Wallet | | | x | No |
| Photos | Microsoft.Windows.Photos | x | x | x | No |
| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No |
| Calculator | Microsoft.WindowsCalculator | x | x | x | No |
| Camera | Microsoft.WindowsCamera | x | x | x | No |
| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No |
| Feedback Hub | Microsoft.WindowsFeedbackHub | * | x | x | Yes |
| Maps | Microsoft.WindowsMaps | x | x | x | No |
| Phone | Microsoft.WindowsPhone | x | | | No |
| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No |
| Store | Microsoft.WindowsStore | x | x | x | No |
| Xbox | Microsoft.XboxApp | x | x | x | No |
| | Microsoft.XboxGameOverlay | | | x | No |
| | Microsoft.XboxIdentityProvider | * | x | x | No |
| Groove | Microsoft.ZuneMusic | x | x | x | No |
| Movies & TV | Microsoft.ZuneVideo | x | x | x | No |
| | Microsoft.XboxSpeech ToTextOverlay | | | x | No |
> [!NOTE]
> - As of Windows 10, version 1607, News and Sway are installed apps.
> - Both Feedback Hub and Microsoft.XboxIdentityProvider were installed apps in version 1511 and provisioned apps in versions 1607 and later.

4
windows/application-management/change-history-for-application-management.md
View File

@ -8,6 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
ms.date: 09/15/2017
---
# Change history for Configure Windows 10
@ -17,7 +18,8 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
## September 2017
| New or changed topic | Description |
| --- | --- |
| [Per-user services in Windows](per-user-services-in-windows.md) | New |
| [Per-user services in Windows 10](per-user-services-in-windows.md) | New |
| [Understand the different apps included in Windows 10](apps-in-windows-10.md) | New |
## July 2017
| New or changed topic | Description |

3
windows/application-management/index.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
ms.date: 09/15/2017
---
# Windows 10 application management
@ -20,5 +21,7 @@ Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
|---|---|
|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications|
|[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients|
|[Per User services in Windows 10](sideload-apps-in-windows-10.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016|
|[Understand apps in Windows 10](apps-in-windows-10.md)| Overview of the different apps included by default in Windows 10 Enterprise|
| [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 |
| [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile |

20
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -929,6 +929,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</thead>
<tbody>
<tr class="even">
<td style="vertical-align:top">The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)</td>
<td style="vertical-align:top"><p>The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:</p>
<ul>
<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page. </li>
<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.</li>
<li>DomainName - fully qualified domain name if the device is domain-joined.</li>
</ul>
<p>For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.</p>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1709.</p>
</td></tr>
@ -1361,6 +1371,16 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)</td>
<td style="vertical-align:top"><p>The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:</p>
<ul>
<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page. </li>
<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.</li>
<li>DomainName - fully qualified domain name if the device is domain-joined.</li>
</ul>
<p>For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.</p>
</td></tr>
</tbody>
</table>

267
windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
View File

@ -36,240 +36,39 @@ The ArcSight field column contains the default mapping between the Windows Defen
Field numbers match the numbers in the images below.
<table style="table-layout:fixed;width:100%" >
<tr>
<th class>Portal label</th>
<th class>SIEM field name</th>
<th class>ArcSight field</th>
<th class>Example value</th>
<th class>Description</th>
<th class></th>
</tr>
<tr>
<td class>1</td>
<td class>AlertTitle</td>
<td class>name</td>
<td class>A dll was unexpectedly loaded into a high integrity process without a UAC prompt</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>2</td>
<td class>Severity</td>
<td class>deviceSeverity</td>
<td class>Medium</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>3</td>
<td class>Category</td>
<td class>deviceEventCategory</td>
<td class>Privilege Escalation</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>4</td>
<td class>Source</td>
<td class>sourceServiceName</td>
<td class>WindowsDefenderATP</td>
<td class>Windows Defender Antivirus or Windows Defender ATP. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>5</td>
<td class>MachineName</td>
<td class>sourceHostName</td>
<td class>liz-bean</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>6</td>
<td class>FileName</td>
<td class>fileName</td>
<td class>Robocopy.exe</td>
<td class>Available for alerts associated with a file or process.</td>
<td class></td>
</tr>
<tr>
<td class>7</td>
<td class>FilePath</td>
<td class>filePath</td>
<td class>C:\Windows\System32\Robocopy.exe</td>
<td class>Available for alerts associated with a file or process. \</td>
<td class></td>
</tr>
<tr>
<td class>8</td>
<td class>UserDomain</td>
<td class>sourceNtDomain</td>
<td class>contoso</td>
<td class>The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
<td class></td>
</tr>
<tr>
<td class>9</td>
<td class>UserName</td>
<td class>sourceUserName</td>
<td class>liz-bean</td>
<td class>The user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
<td class></td>
</tr>
<tr>
<td class>10</td>
<td class>Sha1</td>
<td class>fileHash</td>
<td class>5b4b3985339529be3151d331395f667e1d5b7f35</td>
<td class>Available for alerts associated with a file or process.</td>
<td class></td>
</tr>
<tr>
<td class>11</td>
<td class>Md5</td>
<td class>deviceCustomString5</td>
<td class>55394b85cb5edddff551f6f3faa9d8eb</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>12</td>
<td class>Sha256</td>
<td class>deviceCustomString6</td>
<td class>9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>13</td>
<td class>ThreatName</td>
<td class>eviceCustomString1</td>
<td class>Trojan:Win32/Skeeyah.A!bit</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>14</td>
<td class>IpAddress</td>
<td class>sourceAddress</td>
<td class>218.90.204.141</td>
<td class>Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
<td class></td>
</tr>
<tr>
<td class>15</td>
<td class>Url</td>
<td class>requestUrl</td>
<td class>down.esales360.cn</td>
<td class>Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
<td class></td>
</tr>
<tr>
<td class>16</td>
<td class>RemediationIsSuccess</td>
<td class>deviceCustomNumber2</td>
<td class>TRUE</td>
<td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
<td class></td>
</tr>
<tr>
<td class>17</td>
<td class>WasExecutingWhileDetected</td>
<td class>deviceCustomNumber1</td>
<td class>FALSE</td>
<td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
<td class></td>
</tr>
<tr>
<td class>18</td>
<td class>AlertId</td>
<td class>externalId</td>
<td class>636210704265059241_673569822</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>19</td>
<td class>LinkToWDATP</td>
<td class>flexString1</td>
<td class>`https://securitycenter.windows.com/alert/636210704265059241_673569822`</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>20</td>
<td class>AlertTime</td>
<td class>deviceReceiptTime</td>
<td class>2017-05-07T01:56:59.3191352Z</td>
<td class>The time the activity relevant to the alert occurred. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>21</td>
<td class>MachineDomain</td>
<td class>sourceDnsDomain</td>
<td class>contoso.com</td>
<td class>Domain name not relevant for AAD joined machines. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>22</td>
<td class>Actor</td>
<td class>deviceCustomString4</td>
<td class></td>
<td class>Available for alerts related to a known actor group.</td>
<td class></td>
</tr>
<tr>
<td class>21+5</td>
<td class>ComputerDnsName</td>
<td class>No mapping</td>
<td class>liz-bean.contoso.com</td>
<td class>The machine fully qualified domain name. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>LogOnUsers</td>
<td class>sourceUserId</td>
<td class>contoso\liz-bean; contoso\jay-hardee</td>
<td class>The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.</td>
<td class></td>
</tr>
<tr>
<td class>Internal field</td>
<td class>LastProcessedTimeUtc</td>
<td class>No mapping</td>
<td class>2017-05-07T01:56:58.9936648Z</td>
<td class>Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceVendor</td>
<td class></td>
<td class>Static value in the ArcSight mapping - 'Microsoft'.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceProduct</td>
<td class></td>
<td class>Static value in the ArcSight mapping - 'Windows Defender ATP'.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceVersion</td>
<td class></td>
<td class>Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.</td>
<td class></td>
</tr>
</table>
> [!div class="mx-tableFixed"]
| Portal label | SIEM field name | ArcSight field | Example value | Description |
|------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. |
| 2 | Severity | deviceSeverity | Medium | Value available for every alert. |
| 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. |
| 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Windows Defender ATP. Value available for every alert. |
| 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. |
| 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. |
| 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. |
| 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts. |
| 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Windows Defender ATP behavioral based alerts. |
| 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. |
| 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. |
| 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. |
| 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. |
| 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
| 15 | Url | requestUrl | down.esales360.cn | Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
| 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
| 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
| 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. |
| 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. |
| 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. |
| 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. |
| 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. |
| 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. |
| | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
| | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | |
| | InternalIPv4List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | |
| Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. |
| | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
| | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Windows Defender ATP'. |
| | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions. |1234567891011121314151617181920212223242526272829303132
![Image of alert with numbers](images/atp-alert-page.png)