Merge pull request #820 from Microsoft/atp-siem

update SIEM portal mapping

windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md

@@ -25,52 +25,262 @@ Understand what data fields are exposed as part of the alerts API and how they m
 
 
 ##	Alert API fields and portal mapping
+The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
+
+
+The ArcSight field column contains the default mapping between the Windows Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the  needs of your organization. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
+
 Field numbers match the numbers in the images below.
 
-Portal label  | SIEM field name | Description
+<table style="table-layout:fixed;width:100%" >
-:---|:---|:---
+  <tr>
-1	| LinkToWDATP |	Link back to the alert page in Windows Defender ATP
+    <th class>Portal label</th>
-2	|	Alert ID	| Alert ID visible in the link: `https://securitycenter.windows.com/alert/<alert id>`
+    <th class>SIEM field name</th>
-3	| AlertTitle | Alert	title
+    <th class>ArcSight field</th>
-4	| Actor |	Actor name
+    <th class>Example value</th>
-5	| AlertTime |	Last time the alert was observed
+    <th class>Description</th>
-6 | Severity |	Alert severity
+    <th class></th>
-7	| Category |	Alert category
+  </tr>
-8 | Status in queue | Alert status in queue
+  <tr>
-9	| ComputerDnsName|	Computer DNS name and machine name
+    <td class>1</td>
-10| IoaDefinitionId	| (Internal only)  <br><br>  ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title. <br><br> **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
+    <td class>AlertTitle</td>
-11 | UserName	| The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated.
+    <td class>name</td>
-12 | FileName	| File name
+    <td class>A dll was unexpectedly loaded into a high integrity process without a UAC prompt</td>
-13 | FileHash	| Sha1 of file observed
+    <td class>Value available for every alert.</td>
-14 | FilePath	| File path
+    <td class></td>
-15 | IpAddress |	IP of the IOC (when relevant)
+  </tr>
-16 | URL	| URL of the IOC (when relevant)  
+  <tr>
-17 | FullId	| (Internal only)  <br><br> Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
+    <td class>2</td>
-18 | AlertPart	| (Internal only)  <br><br> Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
+    <td class>Severity</td>
-19 | LastProccesedTimeUtc | (Internal only)  <br><br>	Time the alert was last processed in Windows Defender ATP.
+    <td class>deviceSeverity</td>
-20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard)
+    <td class>Medium</td>
-21 | ThreatCategory| Windows Defender AV threat category
+    <td class>Value available for every alert.</td>
-22 | ThreatFamily |	Windows Defender AV family name
+    <td class></td>
-23 | RemediationAction |	Windows Defender AV threat category	 |
+  </tr>
-24 | WasExecutingWhileDetected	| Indicates if a file was running while being detected.
+  <tr>
-25|	RemediationIsSuccess	| Indicates if an alert was successfully remediated.
+    <td class>3</td>
-26 | Sha1	| Sha1 of file observed	in alert timeline and in file side pane (when available)
+    <td class>Category</td>
-27 | Md5 | Md5 of file observed	(when available)
+    <td class>deviceEventCategory</td>
-28 | Sha256 |	Sha256 of file observed	(when available)
+    <td class>Privilege Escalation</td>
-29	|	ThreatName	| Windows Defender AV threat name
+    <td class>Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>4</td>
+    <td class>Source</td>
+    <td class>sourceServiceName</td>
+    <td class>WindowsDefenderATP</td>
+    <td class>Windows Defender Antivirus or Windows Defender ATP. Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>5</td>
+    <td class>MachineName</td>
+    <td class>sourceHostName</td>
+    <td class>liz-bean</td>
+    <td class>Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>6</td>
+    <td class>FileName</td>
+    <td class>fileName</td>
+    <td class>Robocopy.exe</td>
+    <td class>Available for alerts associated with a file or process.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>7</td>
+    <td class>FilePath</td>
+    <td class>filePath</td>
+    <td class>C:\Windows\System32\Robocopy.exe</td>
+    <td class>Available for alerts associated with a file or process. \</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>8</td>
+    <td class>UserDomain</td>
+    <td class>sourceNtDomain</td>
+    <td class>contoso</td>
+    <td class>The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>9</td>
+    <td class>UserName</td>
+    <td class>sourceUserName</td>
+    <td class>liz-bean</td>
+    <td class>The user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>10</td>
+    <td class>Sha1</td>
+    <td class>fileHash</td>
+    <td class>5b4b3985339529be3151d331395f667e1d5b7f35</td>
+    <td class>Available for alerts associated with a file or process.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>11</td>
+    <td class>Md5</td>
+    <td class>deviceCustomString5</td>
+    <td class>55394b85cb5edddff551f6f3faa9d8eb</td>
+    <td class>Available for Windows Defender AV alerts.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>12</td>
+    <td class>Sha256</td>
+    <td class>deviceCustomString6</td>
+    <td class>9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5</td>
+    <td class>Available for Windows Defender AV alerts.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>13</td>
+    <td class>ThreatName</td>
+    <td class>eviceCustomString1</td>
+    <td class>Trojan:Win32/Skeeyah.A!bit</td>
+    <td class>Available for Windows Defender AV alerts.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>14</td>
+    <td class>IpAddress</td>
+    <td class>sourceAddress</td>
+    <td class>218.90.204.141</td>
+    <td class>Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>15</td>
+    <td class>Url</td>
+    <td class>requestUrl</td>
+    <td class>down.esales360.cn</td>
+    <td class>Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>16</td>
+    <td class>RemediationIsSuccess</td>
+    <td class>deviceCustomNumber2</td>
+    <td class>TRUE</td>
+    <td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>17</td>
+    <td class>WasExecutingWhileDetected</td>
+    <td class>deviceCustomNumber1</td>
+    <td class>FALSE</td>
+    <td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>18</td>
+    <td class>AlertId</td>
+    <td class>externalId</td>
+    <td class>636210704265059241_673569822</td>
+    <td class>Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>19</td>
+    <td class>LinkToWDATP</td>
+    <td class>flexString1</td>
+    <td class>`https://securitycenter.windows.com/alert/636210704265059241_673569822`</td>
+    <td class>Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>20</td>
+    <td class>AlertTime</td>
+    <td class>deviceReceiptTime</td>
+    <td class>2017-05-07T01:56:59.3191352Z</td>
+    <td class>The time the activity relevant to the alert occurred. Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>21</td>
+    <td class>MachineDomain</td>
+    <td class>sourceDnsDomain</td>
+    <td class>contoso.com</td>
+    <td class>Domain name not relevant for AAD joined machines. Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>22</td>
+    <td class>Actor</td>
+    <td class>deviceCustomString4</td>
+    <td class></td>
+    <td class>Available for alerts related to a known actor group.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>21+5</td>
+    <td class>ComputerDnsName</td>
+    <td class>No mapping</td>
+    <td class>liz-bean.contoso.com</td>
+    <td class>The machine fully qualified domain name. Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class></td>
+    <td class>LogOnUsers</td>
+    <td class>sourceUserId</td>
+    <td class>contoso\liz-bean; contoso\jay-hardee</td>
+    <td class>The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>Internal field</td>
+    <td class>LastProcessedTimeUtc</td>
+    <td class>No mapping</td>
+    <td class>2017-05-07T01:56:58.9936648Z</td>
+    <td class>Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class></td>
+    <td class>Not part of the schema</td>
+    <td class>deviceVendor</td>
+    <td class></td>
+    <td class>Static value in the ArcSight mapping - 'Microsoft'.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class></td>
+    <td class>Not part of the schema</td>
+    <td class>deviceProduct</td>
+    <td class></td>
+    <td class>Static value in the ArcSight mapping - 'Windows Defender ATP'.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class></td>
+    <td class>Not part of the schema</td>
+    <td class>deviceVersion</td>
+    <td class></td>
+    <td class>Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.</td>
+    <td class></td>
+  </tr>
+</table>
 
->[!NOTE]
-> Fields #21-29 are related to Windows Defender Antivirus alerts.
 
-![Image of actor profile with numbers](images/atp-actor.png)
+![Image of alert with numbers](images/atp-alert-page.png)
 
-![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png)
+![Image of alert details pane with numbers](images/atp-siem-mapping13.png)
 
-![Image of new alerts with numbers](images/atp-alert-source.png)
+![Image of alert timeline with numbers](images/atp-siem-mapping3.png)
 
-![Image of machine timeline with numbers](images/atp-remediated-alert.png)
+![Image of alert timeline with numbers](images/atp-siem-mapping4.png)
 
-![Image of file details](images/atp-file-details.png)
+![Image machine view](images/atp-mapping6.png)
+
+![Image browser URL](images/atp-mapping5.png)
+
+![Image actor alert](images/atp-mapping7.png)
 
 
 ## Related topics