articles/sentinel/ueba-reference.md
Lines changed: 8 additions & 6 deletions
@@ -224,19 +224,21 @@ While the initial synchronization may take a few days, once the data is fully sy
224
224
225
225
- Besides these regular full synchronizations, whenever changes are made to your user profiles, groups, and built-in roles in Microsoft Entra ID, the affected user records are re-ingested and updated in the *IdentityInfo* table within 15-30 minutes. This ingestion is billed at regular rates. For example:
226
226
227
-
-Group A has 100 users in it. 5 users are added to the group or removed from the group. In this case, those 5 user records are re-ingested.
227
+
-A user attribute, such as display name, job title, or email address, was changed. A new record for this user is ingested into the *IdentityInfo* table, with the relevant fields updated.
228
228
229
-
- Group A has 100 users in it. Ten users are added to Group A. Also, groups A1 and A2, each with 10 users, are added to Group A. In this case, 30 user records are re-ingested. This happens because group membership is transitive, so changes to groups affect all their subgroups.
229
+
- Group A has 100 users in it. 5 users are added to the group or removed from the group. In this case, those 5 user records are re-ingested, and their *GroupMembership* fields updated.
230
230
231
-
- Group B (with 50 users) is renamed to Group BeGood. In this case, 50 user records are re-ingested. If there are subgroups in that group, all their members' records are also re-ingested.
231
+
- Group A has 100 users in it. Ten users are added to Group A. Also, groups A1 and A2, each with 10 users, are added to Group A. In this case, 30 user records are re-ingested and their *GroupMembership* fields updated. This happens because group membership is transitive, so changes to groups affect all their subgroups.
232
+
233
+
- Group B (with 50 users) is renamed to Group BeGood. In this case, 50 user records are re-ingested and their *GroupMembership* fields updated. If there are subgroups in that group, the same happens for all their members' records.
232
234
233
235
- Default retention time in the *IdentityInfo* table is 30 days.
234
236
235
237
#### Limitations
236
238
237
-
-Currently, only built-in roles are supported.
239
+
-The *AssignedRoles* field supports only built-in roles.
238
240
239
-
-Support for groups (as listed in the *GroupMembership* field) is limited to 500 groups, including subgroups. If an organization has more than 500 groups, only the first 500 are synchronized with the *IdentityInfo* table. The groups are not evaluated in any particular order, though, so at each new synchronization (every 14 days), it's possible that a different set of groups will be updated.
241
+
-The *GroupMembership* field supports listing up to 500 groups per user, including subgroups. If a user is a member of more than 500 groups, only the first 500 are synchronized with the *IdentityInfo* table. The groups are not evaluated in any particular order, though, so at each new synchronization (every 14 days), it's possible that a different set of groups will be updated to the user record.
240
242
241
243
- When a group is deleted, or if a group with more than 100 members has its name changed, that group's member user records are not updated. If a different change causes one of those users' records to be updated, the updated group information will be included at that point.
242
244
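Review bot: In the rewritten *GroupMembership* limitation, "only the first 500 are synchronized" conflicts with the following sentence, which says the groups are not evaluated in any particular order; say "an arbitrary 500" or similar, and replace "will be updated to the user record" with "will be written to the user record". The scope also moves from "an organization has more than 500 groups" to "a user is a member of more than 500 groups", which changes the meaning of the limit rather than just its wording, so confirm that is intended. Because the listed set can differ at each 14-day synchronization, it would help to state that a group missing from *GroupMembership* does not show non-membership for such users. The Group B rename example (50 users, plus subgroups) should also point to the limitation further down that a renamed group with more than 100 members does not update its members' records. Finally, the new attribute-change bullet says "A new record for this user is ingested" while the lead-in says records are "re-ingested and updated"; use one description throughout.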
@@ -264,7 +266,7 @@ The following table describes the user identity data included in the **IdentityI
264
266
|**AccountTenantId**| string | The Microsoft Entra tenant ID of the user account. | -- |
265
267
|**AccountUPN**| string | The user principal name of the user account. | AccountUPN |
266
268
|**AdditionalMailAddresses**| dynamic | The additional email addresses of the user. | -- |
267
-
|**AssignedRoles**| dynamic | The Microsoft Entra roles the user account is assigned to. | AssignedRoles |
269
+
|**AssignedRoles**| dynamic | The Microsoft Entra roles the user account is assigned to. Only built-in roles are supported. | AssignedRoles |
268
270
|**BlastRadius**| string | A calculation based on the position of the user in the org tree and the user's Microsoft Entra roles and permissions. <br>Possible values: *Low, Medium, High*| -- |
269
271
|**ChangeSource**| string | The source of the latest change to the entity. <br>Possible values: <li>*AzureActiveDirectory*<li>*ActiveDirectory*<li>*UEBA*<li>*Watchlist*<li>*FullSync*| ChangeSource |
270
272
|**CompanyName**|| The company name to which the user belongs. | -- |
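Review bot: The sentence added to the **AssignedRoles** row, "Only built-in roles are supported.", does not say what a reader will see for a user who holds a custom role; state the outcome (for example "Custom roles are not listed.", if that is the behavior) so that anyone filtering on this field to find privileged accounts knows the result can be incomplete. It also repeats the Limitations bullet changed earlier in this commit, so consider linking to that section instead of restating it. The **CompanyName** row in the trailing context has an empty type cell and could be filled in the same pass.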