diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index f0976431f1..78add1c8f2 100644 --- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -25,52 +25,262 @@ Understand what data fields are exposed as part of the alerts API and how they m ## Alert API fields and portal mapping +The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. + + +The ArcSight field column contains the default mapping between the Windows Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). + Field numbers match the numbers in the images below. -Portal label | SIEM field name | Description -:---|:---|:--- -1 | LinkToWDATP | Link back to the alert page in Windows Defender ATP -2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/` -3 | AlertTitle | Alert title -4 | Actor | Actor name -5 | AlertTime | Last time the alert was observed -6 | Severity | Alert severity -7 | Category | Alert category -8 | Status in queue | Alert status in queue -9 | ComputerDnsName| Computer DNS name and machine name -10| IoaDefinitionId | (Internal only)

ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title.

**Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM. -11 | UserName | The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated. -12 | FileName | File name -13 | FileHash | Sha1 of file observed -14 | FilePath | File path -15 | IpAddress | IP of the IOC (when relevant) -16 | URL | URL of the IOC (when relevant) -17 | FullId | (Internal only)

Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM. -18 | AlertPart | (Internal only)

Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM. -19 | LastProccesedTimeUtc | (Internal only)

Time the alert was last processed in Windows Defender ATP. -20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard) -21 | ThreatCategory| Windows Defender AV threat category -22 | ThreatFamily | Windows Defender AV family name -23 | RemediationAction | Windows Defender AV threat category | -24 | WasExecutingWhileDetected | Indicates if a file was running while being detected. -25| RemediationIsSuccess | Indicates if an alert was successfully remediated. -26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available) -27 | Md5 | Md5 of file observed (when available) -28 | Sha256 | Sha256 of file observed (when available) -29 | ThreatName | Windows Defender AV threat name + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Portal labelSIEM field nameArcSight fieldExample valueDescription
1AlertTitlenameA dll was unexpectedly loaded into a high integrity process without a UAC promptValue available for every alert.
2SeveritydeviceSeverityMediumValue available for every alert.
3CategorydeviceEventCategoryPrivilege EscalationValue available for every alert.
4SourcesourceServiceNameWindowsDefenderATPWindows Defender Antivirus or Windows Defender ATP. Value available for every alert.
5MachineNamesourceHostNameliz-beanValue available for every alert.
6FileNamefileNameRobocopy.exeAvailable for alerts associated with a file or process.
7FilePathfilePathC:\Windows\System32\Robocopy.exeAvailable for alerts associated with a file or process. \
8UserDomainsourceNtDomaincontosoThe domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.
9UserNamesourceUserNameliz-beanThe user context running the activity, available for Windows Defender ATP behavioral based alerts.
10Sha1fileHash5b4b3985339529be3151d331395f667e1d5b7f35Available for alerts associated with a file or process.
11Md5deviceCustomString555394b85cb5edddff551f6f3faa9d8ebAvailable for Windows Defender AV alerts.
12Sha256deviceCustomString69987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5Available for Windows Defender AV alerts.
13ThreatNameeviceCustomString1Trojan:Win32/Skeeyah.A!bitAvailable for Windows Defender AV alerts.
14IpAddresssourceAddress218.90.204.141Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.
15UrlrequestUrldown.esales360.cnAvailabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.
16RemediationIsSuccessdeviceCustomNumber2TRUEAvailable for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
17WasExecutingWhileDetecteddeviceCustomNumber1FALSEAvailable for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
18AlertIdexternalId636210704265059241_673569822Value available for every alert.
19LinkToWDATPflexString1`https://securitycenter.windows.com/alert/636210704265059241_673569822`Value available for every alert.
20AlertTimedeviceReceiptTime2017-05-07T01:56:59.3191352ZThe time the activity relevant to the alert occurred. Value available for every alert.
21MachineDomainsourceDnsDomaincontoso.comDomain name not relevant for AAD joined machines. Value available for every alert.
22ActordeviceCustomString4Available for alerts related to a known actor group.
21+5ComputerDnsNameNo mappingliz-bean.contoso.comThe machine fully qualified domain name. Value available for every alert.
LogOnUserssourceUserIdcontoso\liz-bean; contoso\jay-hardeeThe domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.
Internal fieldLastProcessedTimeUtcNo mapping2017-05-07T01:56:58.9936648ZTime when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.
Not part of the schemadeviceVendorStatic value in the ArcSight mapping - 'Microsoft'.
Not part of the schemadeviceProductStatic value in the ArcSight mapping - 'Windows Defender ATP'.
Not part of the schemadeviceVersionStatic value in the ArcSight mapping - '2.0', used to identify the mapping versions.
->[!NOTE] -> Fields #21-29 are related to Windows Defender Antivirus alerts. -![Image of actor profile with numbers](images/atp-actor.png) +![Image of alert with numbers](images/atp-alert-page.png) -![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png) +![Image of alert details pane with numbers](images/atp-siem-mapping13.png) -![Image of new alerts with numbers](images/atp-alert-source.png) +![Image of alert timeline with numbers](images/atp-siem-mapping3.png) -![Image of machine timeline with numbers](images/atp-remediated-alert.png) +![Image of alert timeline with numbers](images/atp-siem-mapping4.png) -![Image of file details](images/atp-file-details.png) +![Image machine view](images/atp-mapping6.png) + +![Image browser URL](images/atp-mapping5.png) + +![Image actor alert](images/atp-mapping7.png) ## Related topics diff --git a/windows/threat-protection/windows-defender-atp/images/1.png b/windows/threat-protection/windows-defender-atp/images/1.png new file mode 100644 index 0000000000..70ce314c00 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/1.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png new file mode 100644 index 0000000000..2f834e986c Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping 3.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping 3.png new file mode 100644 index 0000000000..e2a484f610 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping 3.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping1.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping1.png new file mode 100644 index 0000000000..b34e915132 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping1.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping2.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping2.png new file mode 100644 index 0000000000..7a735cb861 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping2.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping3.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping3.png new file mode 100644 index 0000000000..7033649791 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping3.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping4.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping4.png new file mode 100644 index 0000000000..baeae0dd38 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping4.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png new file mode 100644 index 0000000000..405fbaf384 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png new file mode 100644 index 0000000000..2681a11815 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png new file mode 100644 index 0000000000..e46a8edac4 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png new file mode 100644 index 0000000000..c59c3c04c0 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png new file mode 100644 index 0000000000..7aa79c89b8 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png new file mode 100644 index 0000000000..b1521c7567 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png new file mode 100644 index 0000000000..8dcfa06ea0 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png new file mode 100644 index 0000000000..ebc702179f Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png differ
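Review bot: in the new HTML table of the markdown hunk, the ArcSight field for ThreatName (row 13) reads `eviceCustomString1`, dropping the leading `d` of `deviceCustomString1`; since this table is the reference readers copy into their ArcSight mapping, it should match the other `deviceCustomStringN` entries exactly. A few more cells in the same table need attention: the ComputerDnsName row carries the portal label `21+5`, which is not a single callout number as the sentence "Field numbers match the numbers in the images below" implies (if the value appears at both callouts 21 and 5, say so in words); the FilePath description ends with a stray ` \`; and the Url description misspells "Available" as "Availabe". The two consecutive images `atp-siem-mapping3.png` and `atp-siem-mapping4.png` both use the alt text "Image of alert timeline with numbers", so one of them should describe what it actually shows. Lastly, the removed note "Fields #21-29 are related to Windows Defender Antivirus alerts" is only partly replaced by the per-row "Available for Windows Defender AV alerts" text; consider keeping a one-line note that Md5, Sha256, ThreatName, RemediationIsSuccess and WasExecutingWhileDetected are populated only for AV-sourced alerts, since SIEM rules built on those fields must tolerate empty values.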
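Review bot: the binary hunk adds `images/atp-mapping 3.png` with a space in the file name while its siblings are `atp-mapping1.png` through `atp-mapping7.png`; the page never references the spaced name, and a space in an image path is a common source of broken links in docs builds, so rename or drop it before merge. Several other added images are also unreferenced by the markdown (`1.png`, `atp-mapping1.png` through `atp-mapping4.png`, `atp-siem-mapping1.png`, `atp-siem-mapping2.png`); only `atp-alert-page.png`, `atp-siem-mapping13.png`, `atp-siem-mapping3.png`, `atp-siem-mapping4.png`, `atp-mapping5.png`, `atp-mapping6.png` and `atp-mapping7.png` appear in the page, so either wire the rest in or leave them out of this commit to avoid orphaned assets.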