articles/sentinel/ueba-reference.md
Lines changed: 6 additions & 7 deletions
@@ -209,13 +209,12 @@ The following tables describe the enrichments featured in the **ActivityInsights
### IdentityInfo table
-
After you [enable UEBA](enable-entity-behavior-analytics.md) for your Microsoft Sentinel workspace, data from your Microsoft Entra ID is synchronized to the *IdentityInfo* table in Log Analytics for use in Microsoft Sentinel.
+
After you [enable and configure UEBA](enable-entity-behavior-analytics.md) for your Microsoft Sentinel workspace, data from your Microsoft identity providers is synchronized to the *IdentityInfo* table in Log Analytics for use in Microsoft Sentinel.
-
If you have on-premises Active Directory, its data is synchronized to the *IdentityInfo* table as well, if the following two conditions are met:
+
Those identity providers are either or both of the following, depending on which you selected when you configured UEBA:
-
- You have a subscription to Microsoft Defender for Identity or Microsoft Defender XDR.
-
- You configured UEBA to ingest records from on-premises Active Directory.
-
(For more information, see [How to enable User and Entity Behavior Analytics](enable-entity-behavior-analytics.md#how-to-enable-user-and-entity-behavior-analytics).)
+
- Microsoft Entra ID (cloud-based)
+
- Microsoft Active Directory (on-premises, requires Microsoft Defender for Identity))
You can query the *IdentityInfo* table in analytics rules, hunting queries, and workbooks, enhancing your analytics to fit your use cases and reducing false positives.
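Review bot: the new on-premises bullet, "Microsoft Active Directory (on-premises, requires Microsoft Defender for Identity))", has a doubled closing parenthesis; drop one. Separately, the removed text listed a subscription to Microsoft Defender for Identity *or* Microsoft Defender XDR plus the step of configuring UEBA to ingest on-premises Active Directory records, while the replacement names only Defender for Identity; if the Defender XDR path is still valid, keep it in the bullet, and consider keeping the link to the "How to enable User and Entity Behavior Analytics" section so readers can find where the on-premises option is selected.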
@@ -237,9 +236,9 @@ While the initial synchronization may take a few days, once the data is fully sy
- Currently, only built-in roles are supported.
-
- Support for groups (as listed in the *GroupMembership* field) is limited to 500 groups, including subgroups.
+
- Support for groups (as listed in the *GroupMembership* field) is limited to 500 groups, including subgroups. If an organization has more than 500 groups, only the first 500 are synchronized with the *IdentityInfo* table. The groups are not evaluated in any particular order, though, so at each new synchronization (every 14 days), it's possible that a different set of groups will be updated.
-
- When a group is deleted, its member user records are not updated immediately. They will be updated at the next full sync.
+
- When a group is deleted, or if a group with more than 100 members has its name changed, that group's member user records are not updated. If a different change causes one of those users' records to be updated, the updated group information will be included at that point.