0
(0)

 Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

The DeviceFileCertificateInfo table in the advanced hunting schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

TABLE 1
Column name Data type Description
Timestamp datetime Date and time when the event was recorded
DeviceId string Unique identifier for the machine in the service
DeviceName string Fully qualified domain name (FQDN) of the machine
SHA1 string SHA-1 of the file that the recorded action was applied to
IsSigned boolean Indicates whether the file is signed
SignatureType string Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file
Signer string Information about the signer of the file
SignerHash string Unique hash value identifying the signer
Issuer string Information about the issuing certificate authority (CA)
IssuerHash string Unique hash value identifying issuing certificate authority (CA)
CertificateSerialNumber string Identifier for the certificate that is unique to the issuing certificate authority (CA)
CrlDistributionPointUrls string JSON array listing the URLs of network shares that contain certificates and certificate revocation lists (CRLs)
CertificateCreationTime datetime Date and time the certificate was created
CertificateExpirationTime datetime Date and time the certificate is set to expire
CertificateCountersignatureTime datetime Date and time the certificate was countersigned
IsTrusted boolean Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes
IsRootSignerMicrosoft boolean Indicates whether the signer of the root certificate is Microsoft
ReportId long Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.