You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/ueba-reference.md
+12-10Lines changed: 12 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -217,15 +217,17 @@ While the initial synchronization may take a few days, once the data is fully sy
217
217
218
218
- Default retention time in the **IdentityInfo** table is 30 days.
219
219
220
+
#### Limitations
220
221
221
-
> [!NOTE]
222
-
> - Currently, only built-in roles are supported.
223
-
>
224
-
> - Data about deleted groups, where a user was removed from a group, is not currently supported.
225
-
>
226
-
> - There are actually two versions of the *IdentityInfo* table: one serving Microsoft Sentinel, in the *Log Analytics* schema, the other serving the Microsoft Defender portal via Microsoft Defender for Identity, in what's known as the *Advanced hunting* schema. Both versions of this table are fed by Microsoft Entra ID, but the Log Analytics version added a few fields.
227
-
>
228
-
> [The unified security operations platform in the Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690) uses the *Advanced hunting* version of this table, so, to minimize the differences between the versions of the table, most of the unique fields in the Log Analytics version are gradually being added to the *Advanced hunting* version as well. Regardless of in which portal you're using Microsoft Sentinel, you'll have access to nearly all the same information, though there may be a small time lag in synchronization between the versions.
222
+
- Currently, only built-in roles are supported.
223
+
224
+
- Data about deleted groups, where a user was removed from a group, is not currently supported.
225
+
226
+
#### Versions of the IdentityInfo table
227
+
228
+
There are actually two versions of the *IdentityInfo* table: one serving Microsoft Sentinel, in the *Log Analytics* schema, the other serving the Microsoft Defender portal via Microsoft Defender for Identity, in what's known as the *Advanced hunting* schema. Both versions of this table are fed by Microsoft Entra ID, but the Log Analytics version added a few fields.
229
+
230
+
[The unified security operations platform in the Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690) uses the *Advanced hunting* version of this table, so, to minimize the differences between the versions of the table, most of the unique fields in the Log Analytics version are gradually being added to the *Advanced hunting* version as well. Regardless of in which portal you're using Microsoft Sentinel, you'll have access to nearly all the same information, though there may be a small time lag in synchronization between the versions. For more information, see the [documentation of the *Advanced hunting* version of this table](/defender-xdr/advanced-hunting-identityinfo-table).
229
231
230
232
The following table describes the user identity data included in the **IdentityInfo** table in Log Analytics in the Azure portal. The fourth column shows the corresponding fields in the *Advanced hunting* version of the table, that Microsoft Sentinel uses in the Defender portal. Field names in boldface are named differently in the *Advanced hunting* schema than they are in the Microsoft Sentinel Log Analytics version.
231
233
@@ -242,7 +244,7 @@ The following table describes the user identity data included in the **IdentityI
242
244
|**AccountUPN**| string | The user principal name of the user account. | AccountUPN |
243
245
|**AdditionalMailAddresses**| dynamic | The additional email addresses of the user. | -- |
244
246
|**AssignedRoles**| dynamic | The Microsoft Entra roles the user account is assigned to. | AssignedRoles |
245
-
|**BlastRadius**| string | A calculation based on the position of the user in the org tree and the user's Microsoft Entra roles and permissions. <br>Possible values: *Low, Medium, High*| -- |
247
+
|**BlastRadius**| string | A calculation based on the position of the user in the org tree and the user's Microsoft Entra roles and permissions. <br>Possible values: *Low, Medium, High*| -- |
246
248
|**ChangeSource**| string | The source of the latest change to the entity. <br>Possible values: <li>*AzureActiveDirectory*<li>*ActiveDirectory*<li>*UEBA*<li>*Watchlist*<li>*FullSync*| ChangeSource |
247
249
|**CompanyName**|| The company name to which the user belongs. | -- |
248
250
|**City**| string | The city of the user account. | City |
@@ -255,7 +257,7 @@ The following table describes the user identity data included in the **IdentityI
255
257
|**JobTitle**| string | The job title of the user account. | JobTitle |
256
258
|**MailAddress**| string | The primary email address of the user account. |**EmailAddress**|
257
259
|**Manager**| string | The manager alias of the user account. | Manager |
258
-
|**OnPremisesDistinguishedName**| string | The Microsoft Entra ID distinguished name (DN). A distinguished name is a sequence of relative distinguished names (RDN), connected by commas. |**DistinguishedName**|
260
+
|**OnPremisesDistinguishedName**| string | The Microsoft Entra ID distinguished name (DN). A distinguished name is a sequence of relative distinguished names (RDN), connected by commas. |**DistinguishedName**|
259
261
|**Phone**| string | The phone number of the user account. | Phone |
260
262
|**SourceSystem**| string | The system where the user is managed. <br>Possible values: <li>*AzureActiveDirectory*<li>*ActiveDirectory*<li>*Hybrid*|**SourceProvider**|
261
263
|**State**| string | The geographical state of the user account. | State |
0 commit comments