DeviceFileCertificateInfoDeviceFileCertificateInfo

重要

改良的 Microsoft 365 安全性中心現在可用。The improved Microsoft 365 security center is now available. 這個新的體驗會將適用於端點的 Defender、適用於 Office 365 的 Defender、Microsoft 365 Defender 和更多功能帶到 Microsoft 365 安全性中心。This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. 了解新功能Learn what's new.

適用於:Applies to:

  • Microsoft 365 DefenderMicrosoft 365 Defender
  • 適用於端點的 Microsoft DefenderMicrosoft Defender for Endpoint

[!附注] DeviceFileCertificateInfo 高級搜尋 架構中的表格包含檔簽署憑證的相關資訊。The DeviceFileCertificateInfo table in the advanced hunting schema contains information about file signing certificates. 此表格使用從憑證驗證活動取得的資料,定期對端點上的檔案執行。This table uses data obtained from certificate verification activities regularly performed on files on endpoints.

如需進階搜捕結構描述中其他表格的資訊,請參閱進階搜捕參考 (部分內容為機器翻譯)。For information on other tables in the advanced hunting schema, see the advanced hunting reference.

欄名稱Column name 資料類型Data type 描述Description
Timestamp datetimedatetime 事件記錄的日期和時間Date and time when the event was recorded
DeviceId stringstring 服務中電腦的唯一識別碼Unique identifier for the machine in the service
DeviceName stringstring 電腦的完整網域名稱 (FQDN)Fully qualified domain name (FQDN) of the machine
SHA1 字串string 記錄動作已套用的檔案 SHA-1SHA-1 of the file that the recorded action was applied to
IsSigned 布林值boolean 指出檔是否已簽署Indicates whether the file is signed
SignatureType stringstring 會指出簽章資訊是做為內嵌內容,還是從外部目錄檔讀取Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file
Signer stringstring 檔案的簽署者相關資訊Information about the signer of the file
SignerHash stringstring 識別簽署者的唯一雜湊值Unique hash value identifying the signer
Issuer stringstring 發證憑證授權 (CA 的相關資訊) Information about the issuing certificate authority (CA)
IssuerHash stringstring 唯一的雜湊值,用以識別發證憑證授權 (CA) Unique hash value identifying issuing certificate authority (CA)
CertificateSerialNumber stringstring 發證憑證授權 (CA 所獨有之憑證的識別碼) Identifier for the certificate that is unique to the issuing certificate authority (CA)
CrlDistributionPointUrls stringstring JSON 陣列,列出包含憑證和憑證吊銷清單 (Crl 的網路共用 URLs) JSON array listing the URLs of network shares that contain certificates and certificate revocation lists (CRLs)
CertificateCreationTime datetimedatetime 建立憑證的日期和時間Date and time the certificate was created
CertificateExpirationTime datetimedatetime 將憑證設為到期的日期和時間Date and time the certificate is set to expire
CertificateCountersignatureTime datetimedatetime 反署憑證的日期和時間Date and time the certificate was countersigned
IsTrusted 布林值boolean 會指出是否要根據 WinVerifyTrust 函式的結果來信任檔案,該函數會檢查未知的根憑證資訊、不正確簽章、吊銷的憑證,以及其他可疑屬性Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes
IsRootSignerMicrosoft 布林值boolean 會指出根憑證的簽署者是否為 MicrosoftIndicates whether the signer of the root certificate is Microsoft
ReportId longlong 以重複計數器為基礎的事件識別碼。Event identifier based on a repeating counter. 若要識別唯一的事件,此資料行必須與 DeviceName 及 Timestamp 資料行一起使用。To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns.