Turn on Microsoft 365 Defender to hunt for threats using more data sources. This will give way for other data sources. Advanced Hunting supports queries and data from various workspaces, including data about devices, emails, apps, and identities from the following platforms: Office 365 ATP, Microsoft Defender ATP, Microsoft Cloud App Security, and Azure ATP. We value your feedback. The outputs of this operation are dynamic. The first time the file was observed globally. Running the query on advanced hunting. Create a custom detection rule from the query. If you ran the query successfully, create a new detection rule. Simple queries, such as those that don't use the project or summarize operator to customize or aggregate results, typically return these common columns. Many of them are bookmarked or, in some cases, printed and hanging somewhere in the Security Operations Center (SOC). Each of these action types includes relevant contextual information, such as: Please keep in mind these events are available only for RS6 machines. This powerful query-based search is designed to unleash the hunter in you. KQL to the rescue! Security administrator: Users with this Azure Active Directory role can manage security settings in the Microsoft 365 Defender portal and other portals and services. Further, you can use these queries to build custom detection rules if you determine that behaviors, events, or data from the advanced hunting query help you surface potential threats. Summary: Office 365 Advanced Threat Protection (ATP) is a user subscription license that is purchased per user, not per mailbox. Consider your organization's capacity to respond to the alerts. The custom detection rule immediately runs.
Custom detection rules are rules you can design and tweak using advanced hunting queries. I'd like to share some of the work we've recently completed for advanced hunting on Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). WEC/WEF -> e.g. Additionally, users can exclude individual users, but the licensing count is limited. If a query returns no results, try expanding the time range.
Advanced hunting is an integral part of our investigation experience, so your hunting results, such as machines and files, can leverage the rich set of features we already provide in Windows Security Center. Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses by providing zero-day protection and safeguarding against phishing and other unsafe links, in real time. This field is usually not populated; use the SHA1 column when available. Windows assigns integrity levels to processes based on certain characteristics, such as whether they were launched from an internet download. The attestation report should not be considered valid before this time. Collect investigation package from a machine, Get a URI that allows downloading of an investigation package, Retrieve from Microsoft Defender ATP the most recent investigations, Retrieve from Windows Defender ATP the most recent machine actions, Get result download URI for a completed live response command, Retrieve from Microsoft Defender ATP a specific investigation, Retrieve from Windows Defender ATP a specific machine action, Enable execution of any application on the machine, Restrict execution of all applications on the machine except a predefined set, Initiate Windows Defender Antivirus scan on a machine, Run live response API commands for a single machine, Start automated investigation on a machine, Run a custom query in Windows Defender ATP, Retrieve from Windows Defender ATP the most recent alerts, Retrieve from Windows Defender ATP a specific alert, Retrieve from Windows Defender ATP statistics related to a given domain name, Retrieve from Windows Defender ATP statistics for a given file, identified by SHA1 or SHA256. Hunting queries for Microsoft 365 Defender will provide value to both Microsoft 365 Defender and Microsoft Sentinel products, hence a multiple impact for a single contribution.
MD5 hash of the file that the recorded action was applied to, URL of the web page that links to the downloaded file, IP address where the file was downloaded from, Original folder containing the file before the recorded action was applied, Original name of the file that was renamed as a result of the action, Domain of the account that ran the process responsible for the event, User name of the account that ran the process responsible for the event, Security Identifier (SID) of the account that ran the process responsible for the event, User principal name (UPN) of the account that ran the process responsible for the event, Azure AD object ID of the user account that ran the process responsible for the event, MD5 hash of the process (image file) that initiated the event, SHA-1 of the process (image file) that initiated the event. These contributions can be based on your own idea of the value your contribution provides to the enterprise, or can come from the GitHub open issues list, or even be enhancements. Everyone can freely add a file for a new query or improve on existing queries. In the area of Digital Forensics Incident Response (DFIR), there are some great existing cheat sheets. They are especially helpful when working with tools that require special knowledge, like advanced hunting, because: When selected, the Mark user as compromised action is taken on users in the AccountObjectId, InitiatingProcessAccountObjectId, or RecipientObjectId column of the query results. The advantage of Advanced Hunting: Indicates whether boot debugging is on or off. Learn more about how you can evaluate and pilot Microsoft 365 Defender. List of command execution errors. It runs again based on the configured frequency to check for matches, generate alerts, and take response actions. These actions are applied to devices in the DeviceId column of the query results: When selected, the Allow/Block action can be applied to the file.
This seems like a good candidate for Advanced Hunting. Ensure that any deviation from expected posture is readily identified and can be investigated. It's doing some magic on its own and you can only query its existing DeviceSchema.
Across Windows Defender Advanced Threat Protection (Windows Defender ATP) engineering and research teams, innovation drives our mission to protect devices in the modern workplace. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. March 29, 2022.
03:18 AM. That's why Microsoft is currently also so powerful with Defender, because the telemetry they have allows them to build an unbelievably good amount of detection sets and sequences ;-). This should be off on secure devices. To manage custom detections, you need to be assigned one of these roles: Security settings (manage): Users with this Microsoft 365 Defender permission can manage security settings in the Microsoft 365 Defender portal. You can then view general information about the rule, including its run status and scope. Windows Defender ATP Advanced Hunting (IOC: Indicator of Compromise). This role is sufficient for managing custom detections only if role-based access control (RBAC) is turned off in Microsoft Defender for Endpoint. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. You can now specify these actions when you create custom detection rules, or you can add them to your existing rules: Let's try them out. Let's use the new USB events to create a custom detection rule that also leverages the new set of machine-level response actions. The first time the file was observed in the organization. You can also forward these events to a SIEM using syslog (e.g. Only data from devices in scope will be queried. Unfortunately, reality is often different.
Value should be one of 'Add' (to add a tag) or 'Remove' (to remove a tag), The identifier of the remediation activity to retrieve, The number of remediation activities by this query, Subscribe for Windows Defender ATP alerts, Triggers when a new remediation activity is created, The time of the last event related to the alert, The time of the first event related to the alert, The identifier of the machine related to the alert, The time of the first event received by the machine, The time of the last event received by the machine, The last external IP address of the machine, A flag indicating whether the machine is joined to AAD, The ID of the RBAC group to which the machine belongs, The name of the RBAC group to which the machine belongs, A score indicating how much the machine is at risk, The time when the remediation activity was created, The time when the status was last modified, The remediation activity creator email address, The description of the remediation activity, The remediation activity related component, The number of the remediation activity target machines, The RBAC group names associated with the remediation activity, The number of the remediation activity fixed machines, The due time for the remediation activity, The remediation activity completion method, The remediation activity completer object id, The remediation activity completer email address, The remediation activity security configuration id, The type of the action (e.g. analyze in SIEM) on these clients or by installing Log Analytics agents - the Microsoft Monitoring Agent (MMA) additionally (e.g. analyze in SIEM). The page also provides the list of triggered alerts and actions. AFAIK this is not possible.
ATP Query to find an event ID in the security log. This project has adopted the Microsoft Open Source Code of Conduct. Want to experience Microsoft 365 Defender? analyze in SIEM). Selects which properties to include in the response, defaults to all. It is available in specific plans listed on the Office 365 website, and can be added to specific plans. Get started. This data enabled the team to perform more in-depth analysis on both user and machine level logs for the systems the adversary-controlled account touched. You can access the full list of tables and columns in the portal or reference the following resources: This project welcomes contributions and suggestions. Microsoft Defender ATP - Connectors | Microsoft Learn. How insights from system attestation and advanced hunting can improve enterprise security. Improve the security posture of the organization vis-à-vis firmware-level threats.
SHA-1 of the file that the recorded action was applied to, SHA-256 of the file that the recorded action was applied to, MD5 hash of the file that the recorded action was applied to, Number of instances of the entity observed by Microsoft globally, Date and time when the entity was first observed by Microsoft globally, Date and time when the entity was last observed by Microsoft globally, Information about the issuing certificate authority (CA), Whether the certificate used to sign the file is valid, Indicates whether the signer of the root certificate is Microsoft and the file is built-in to Windows OS, State of the file signature: SignedValid - the file is signed with a valid signature, SignedInvalid - the file is signed but the certificate is invalid, Unsigned - the file is not signed, Unknown - information about the file cannot be retrieved, Whether the file is a Portable Executable (PE) file, Detection name for any malware or other threats found, Name of the organization that published the file, Indicates the availability status of the profile data for the file: Available - profile was successfully queried and file data returned, Missing - profile was successfully queried but no file info was found, Error - error in querying the file info or maximum allotted time was exceeded before query could be completed, or an empty value - if file ID is invalid or the maximum number of files was reached. Retrieve from Windows Defender ATP statistics related to a given IP address, given in IPv4 or IPv6 format. Microsoft Threat Protection's advanced hunting community is continuously growing, and we are excited to see that more and more security analysts and threat hunters are actively sharing their queries in the public repository on GitHub. If you have RBAC configured, you also need the manage security settings permission for Defender for Endpoint.
Find threat activity involving USB devices. We've added support for the following new action types in the MiscEvent table, so you can find events related to mounting and unmounting of USB drives as well as setting of drive letters: Checking USB drive events can help you locate attempts to introduce malware or steal sensitive information through removable drives. We are continually building up documentation about advanced hunting and its data schema.
It's a completely different product/strategy (also listening on network interfaces for Kerberos 88, DNS 53, LDAP 389 etc., like a Wireshark + raw ETW access), mostly only used for Domain Controllers (DCs). These integrity levels influence permissions to resources, Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event, Process ID (PID) of the parent process that spawned the process responsible for the event, Name of the parent process that spawned the process responsible for the event, Date and time when the parent of the process responsible for the event was started, Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS, IPv4 or IPv6 address of the remote device that initiated the activity, Source port on the remote device that initiated the activity, User name of account used to remotely initiate the activity, Domain of the account used to remotely initiate the activity, Security Identifier (SID) of the account used to remotely initiate the activity, Name of shared folder containing the file, Size of the file that ran the process responsible for the event, Label applied to an email, file, or other content to classify it for information protection, Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently, Indicates whether the file is encrypted by Azure Information Protection. We've added some exciting new events as well as new options for automated response actions based on your custom detections.
The columns NetworkMessageId and RecipientEmailAddress must be present in the query output to apply actions to email messages. All examples above are available in our GitHub repository. But isn't it a string? After reviewing the rule, select Create to save it. Let me show two examples using two data sources from URLhaus. To help other users locate new queries quickly, we suggest that you: In addition, construct queries that adhere to the published advanced hunting performance best practices. Local IT support works on fixing an issue, adds the user to the local administrators group, but forgets to remove the account after the issue is resolved. Provide a name for the query that represents the components or activities that it searches for, e.g. For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The number of available machines by this query, The identifier of the machine to retrieve, The ID of the machine to which the tag should be added or removed, The action to perform. The advanced hunting schema is made up of multiple tables that provide either event information or information about devices, alerts, identities, and other entity types. T1136.001 - Create Account: Local Account. Both the Disable user and Force password reset options require the user SID, which is in the columns AccountSid, InitiatingProcessAccountSid, RequestAccountSid, and OnPremSid. Defender for Identity allows what you are trying to achieve, as it allows raw access to ETWs. Multi-tab support. Tip: So I think at some point you don't need to regularly go that deep, only when doing live forensics maybe.
Availability of information is varied and depends on a lot of factors. You can explore and get all the queries in the cheat sheet from the GitHub repository. More automated responses to custom detections. Have you ever wanted to automatically isolate a machine or run an antivirus scan in response to a custom detection? February 11, 2021.
There are various ways to ensure more complex queries return these columns. We can use some inspiration and guidance, especially when just starting to learn a new programming or query language. Your custom detection rules are used to generate alerts which appear in your centralised Microsoft Defender Security Centre dashboard. If I try to wrap abuse_domain in tostring, it's "Scalar value expected". This action sets the user's risk level to "high" in Azure Active Directory, triggering corresponding identity protection policies. New device prefix in table names. We will broadly add a new prefix to the names of all tables that are populated using device-specific data. To get started, simply paste a sample query into the query builder and run the query. For instance, the file might be located in remote storage, locked by another process, compressed, or marked as virtual. Advanced hunting queries provide a great starting point for locating and investigating suspicious behavior, and they can be customized to fit your organization's unique environment. Allowed values are 'Quick' or 'Full', The ID of the machine to run live response session on, A comment to associate to the unisolation, ID of the machine on which the event was identified, Time of the event as string, e.g. microsoft/Microsoft-365-Defender-Hunting-Queries, Advanced hunting queries for Microsoft 365 Defender, advanced hunting performance best practices, Create a new MarkDown file in the relevant folder according to the MITRE ATT&CK category with contents based on the. Until today, the built-in Defender for Endpoint sensor does not allow raw ETW access using Advanced Hunting nor forwards them. Let us know if you run into any problems or share your suggestions by sending email to wdatpqueriesfeedback@microsoft.com.
You can control which device group the blocking is applied to, but not specific devices. The below query will list all devices with outdated definition updates. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity. The goal of this custom detection is to identify potentially malicious attempts to copy Word and PowerPoint files to a newly attached USB storage device. The flexible access to data enables unconstrained hunting for both known and potential threats. Examples of the most frequently used cases and queries can help us quickly understand both the problem space and the solution. Once a file is blocked, other instances of the same file in all devices are also blocked. You can proactively inspect events in your network to locate threat indicators and entities. Use advanced hunting to identify Defender clients with outdated definitions. Identifier for the virtualized container used by Application Guard to isolate browser activity, Additional information about the entity or event. Microsoft 365 Defender repository for Advanced Hunting. Again, you could use your own forwarding solution on top for these machines, rather than doing that.
The first time the IP address was observed in the organization. Select Force password reset to prompt the user to change their password on the next sign-in session. Advanced hunting queries for Microsoft 365 Defender: This repo contains sample queries for advanced hunting in Microsoft 365 Defender.