Commit 7120bf4

Merge pull request #229257 from limwainstein/whats-new-update
Adding announcement for schema changes
2 parents 4c70692 + 224dd42 commit 7120bf4

File tree

1 file changed

+14
-0
lines changed


articles/sentinel/whats-new.md

Lines changed: 14 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -156,12 +156,26 @@ A [new version of the Microsoft Sentinel Logstash plugin](connect-logstash-data-
156156

157157
## Announcements
158158

159+
- [WindowsEvent table enhancements](#windowsevent-table-enhancements)
159160
- [Out-of-the-box content centralization changes](#out-of-the-box-content-centralization-changes)
160161
- [New behavior for alert grouping in analytics rules](#new-behavior-for-alert-grouping-in-analytics-rules)
161162
- [Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)](#microsoft-365-defender-now-integrates-azure-active-directory-identity-protection-aadip)
162163
- [Account enrichment fields removed from Azure AD Identity Protection connector](#account-enrichment-fields-removed-from-azure-ad-identity-protection-connector)
163164
- [Name fields removed from UEBA UserPeerAnalytics table](#name-fields-removed-from-ueba-userpeeranalytics-table)
164165

166+
### WindowsEvent table enhancements
167+
168+
The WindowsEvent schema has been expanded to include new fields, such as `Keywords`, `Version`, `Opcode`, `Correlation`, `SystemProcessId`, `SystemThreadId` and `EventRecordId`.
169+
170+
These additions allow for more comprehensive analysis and for more information to be extracted and parsed from the event.
171+
172+
If you aren't interested in ingesting the new fields, use ingest-time transformation in the AMA DCR to filter and drop the fields, while still ingesting the events. To ingest the events, add the following to your DCRs: 
173+
174+
```kusto
175+
"transformKql": "source | project-away TimeCreated, SystemThreadId, EventRecordId, SystemProcessId, Correlation, Keywords, Opcode, SystemUserId, Version"
176+
```
177+
Learn more about [ingest-time transformations](../azure-monitor/essentials/data-collection-transformations.md).
178+
165179
### Out-of-the-box content centralization changes
166180
A new banner is appearing in Microsoft Sentinel gallery pages! This informational banner is rolling out to all tenants to explain upcoming changes regarding out-of-the-box (OOTB) content. In short, the **Content hub** will be the central source whether you're looking for standalone content or packaged solutions. Expect banners to appear in the templates section of **Workbooks**, **Hunting**, **Automation**, **Analytics** and **Data connectors** galleries. Here's an example of the banner in the **Workbooks** gallery.
167181
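Review bot: the drop list in the `transformKql` snippet does not match the fields the text announces. The prose at line 168 names `Keywords`, `Version`, `Opcode`, `Correlation`, `SystemProcessId`, `SystemThreadId` and `EventRecordId`, but the `project-away` at line 175 also removes `TimeCreated` and `SystemUserId`, which the text never mentions; either add those two to the list of new fields or drop them from the KQL, otherwise readers copying the snippet will strip columns they did not intend to. The lead-in at line 172 ("To ingest the events, add the following to your DCRs") also reads backwards, since the snippet is the filter that drops the new fields; suggest "To drop the new fields while still ingesting the events, add the following to the DCR's `transformKql`:". Lastly, the fence at line 174 is tagged `kusto` but the body is a JSON property (`"transformKql": "source | project-away ..."`) from the DCR, so either tag it `json` or show only the KQL `source | project-away ...` under `kusto` and state where it goes.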
