Merge pull request #1290 from MicrosoftDocs/maccruz-deviceevents

garycentric · web-flow · commit 63b679923298 · 2024-09-06T13:16:42.000-07:00
New columns
diff --git a/defender-xdr/advanced-hunting-deviceevents-table.md b/defender-xdr/advanced-hunting-deviceevents-table.md
@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceEvents
@@ -92,6 +92,16 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+| `CreatedProcessSessionId` | `long` | Windows session ID of the created process |
+|`IsProcessRemoteSession` | `bool` | Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `ProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the created process’s RDP session was initiated |
+| `ProcessRemoteSessionIP` | `string` | IP address of the remote device from which the created process’s RDP session was initiated |
+
+
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
diff --git a/defender-xdr/advanced-hunting-devicefileevents-table.md b/defender-xdr/advanced-hunting-devicefileevents-table.md
@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceFileEvents
@@ -89,6 +89,11 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `AdditionalFields` | `string` | Additional information about the entity or event |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+
 
 > [!NOTE]
 > File hash information will always be shown when it is available. However, there are several possible reasons why a SHA1, SHA256, or MD5 cannot be calculated. For instance, the file might be located in remote storage, locked by another process, compressed, or marked as virtual. In these scenarios, the file hash information appears empty.
diff --git a/defender-xdr/advanced-hunting-deviceimageloadevents-table.md b/defender-xdr/advanced-hunting-deviceimageloadevents-table.md
@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceImageLoadEvents
@@ -73,6 +73,11 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `InitiatingProcessParentCreationTime` | `datetime` | Date and time when the parent of the process responsible for the event was started |
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
diff --git a/defender-xdr/advanced-hunting-devicelogonevents-table.md b/defender-xdr/advanced-hunting-devicelogonevents-table.md
@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 01/16/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceLogonEvents
@@ -82,6 +82,11 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+
 
 > [!NOTE]
 > The collection of DeviceLogonEvents is not supported on Windows 7 or Windows Server 2008R2 devices onboarded to Defender for Endpoint. We recommend upgrading to a more recent operating system for optimal visibility into user logon activity.
diff --git a/defender-xdr/advanced-hunting-devicenetworkevents-table.md b/defender-xdr/advanced-hunting-devicenetworkevents-table.md
@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceNetworkEvents
@@ -78,6 +78,11 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
diff --git a/defender-xdr/advanced-hunting-deviceprocessevents-table.md b/defender-xdr/advanced-hunting-deviceprocessevents-table.md
@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceProcessEvents
@@ -96,6 +96,14 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+| `CreatedProcessSessionId` | `long` | Windows session ID of the created process |
+|`IsProcessRemoteSession` | `bool` | Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `ProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the created process’s RDP session was initiated |
+| `ProcessRemoteSessionIP` | `string` | IP address of the remote device from which the created process’s RDP session was initiated |
 
 
 ## Related topics
diff --git a/defender-xdr/advanced-hunting-deviceregistryevents-table.md b/defender-xdr/advanced-hunting-deviceregistryevents-table.md
@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceRegistryEvents
@@ -74,6 +74,11 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `InitiatingProcessTokenElevation` | `string` | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
