articles/sentinel/ueba-reference.md
8 additions & 2 deletions
@@ -240,6 +240,12 @@ While the initial synchronization may take a few days, once the data is fully sy
- The *GroupMembership* field supports listing up to 500 groups per user, including subgroups. If a user is a member of more than 500 groups, only the first 500 are synchronized with the *IdentityInfo* table. The groups are not evaluated in any particular order, though, so at each new synchronization (every 14 days), it's possible that a different set of groups will be updated to the user record.
+
- When a user is deleted, that user's record is not immediately deleted from the *IdentityInfo* table. The reason for this is that one of this table's purposes is to audit changes to user records. Therefore, we want this table to have a record of a user being deleted, which can only happen if the user record in the *IdentityInfo* table still exists, even though the actual user (say, in Entra ID) is deleted.
+
+
Deleted users can be identified by the presence of a value in the `deletedDateTime` field. So if you need a query to show you a list of users, you can filter out deleted users by adding `| where IsNotEmpty(deletedDateTime)` to the query.
+
+
At a certain interval of time after a user was deleted, the user's record is eventually removed from the *IdentityInfo* table as well.
+
- When a group is deleted, or if a group with more than 100 members has its name changed, that group's member user records are not updated. If a different change causes one of those users' records to be updated, the updated group information will be included at that point.
#### Other versions of the IdentityInfo table
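Review bot: the query filter in the new "Deleted users" paragraph is inverted. `| where IsNotEmpty(deletedDateTime)` keeps only the rows that carry a deletion timestamp, which is exactly the set of deleted users the sentence says it filters out; excluding them needs `isempty(...)`. KQL function names are also lowercase and case-sensitive, so `IsNotEmpty` would not run as written. Check the column name as well: every schema entry on this page is PascalCase (`UserStateChangedOn`, `UserType`), so `deletedDateTime` reads like the Graph property rather than the *IdentityInfo* column. Two smaller points: "At a certain interval of time after a user was deleted" should state the actual interval, or say plainly that it is not fixed, rather than leave it open; and the two continuation paragraphs under the new bullet ("Deleted users can be identified..." and "At a certain interval...") need to be indented under the bullet, otherwise they end the list and the following "When a group is deleted" item starts a new one.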
@@ -258,7 +264,7 @@ There are actually multiple versions of the *IdentityInfo* table:
Defender portal customers without UEBA enabled, or without Microsoft Sentinel at all, continue to use the [prior release of the *Advanced hunting* version](/defender-xdr/advanced-hunting-identityinfo-table), without the UEBA-generated fields.
-
For more information on the unified version, see [Unified IdentityInfo table reference](/unified-secops-platform/unified-identityinfo-table-reference).
+
For more information on the unified version, see [IdentityInfo in the *Advanced hunting* documentation](/defender-xdr/advanced-hunting-identityinfo-table).
#### Schema
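Review bot: after this change the "unified version" sentence and the "prior release of the *Advanced hunting* version" sentence two lines above it both link to `/defender-xdr/advanced-hunting-identityinfo-table`, so the paragraph sends readers to one page for two things it describes as different (one with the UEBA-generated fields, one without). If the reference at `/unified-secops-platform/unified-identityinfo-table-reference` has been retired and folded into the Advanced hunting page, say so here and name the section that covers the UEBA-generated fields; if it hasn't, the old link should stay.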
@@ -312,7 +318,7 @@ If you're onboarding Microsoft Sentinel to the Defender portal, select the "Comp
|**UserStateChangedOn**| datetime | The date of the last time the account state was changed (UTC). |
|**UserType**| string | The user type. |
-
# [Unified table](#tab/unified-table)
+
# [Compare to unified schema](#tab/unified-table)
The following fields have been renamed in the unified version. Therefore, if you're onboarding Microsoft Sentinel to the Defender portal, check your queries for any references to these fields, and update them if necessary.
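Review bot: relabelling the tab to "Compare to unified schema" while keeping the `#tab/unified-table` anchor is the right call, since existing deep links keep working, and it lines up with the earlier instruction to select the "Comp..." tab that shows in the hunk header context. Make sure that earlier sentence quotes the new label exactly, including capitalization, and check the other tab in this tab group (not shown in the hunk) so the two labels still read as a pair. The lead sentence under the tab, "The following fields have been renamed in the unified version", still reads correctly with the new label.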
-[Additions to SOC optimization support (Preview)](#additions-to-soc-optimization-support-preview)
+
+
### Unified *IdentityInfo* table
+
+
Customers of Microsoft Sentinel in the Defender portal who have enabled UEBA can now take advantage of a new version of the IdentityInfo table, located in the Defender portal's *Advanced hunting* section, that includes the largest possible set of fields common to both the Defender and Azure portals. This unified table helps enrich your security investigations across the entire unified SecOps experience.
+
+
For more information, see [IdentityInfo table](ueba-reference.md#identityinfo-table).
+
+
### Additions to SOC optimization support (Preview)
+
SOC optimization support for:
-**AI MITRE ATT&CK tagging recommendations (Preview)**: Uses artificial intelligence to suggest tagging security detections with MITRE ATT&CK tactics and techniques.
-**Risk-based recommendations (Preview)**: Recommends implementing controls to address coverage gaps linked to use cases that may result in business risks or financial losses, including operational, financial, reputational, compliance, and legal risks.
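Review bot: this hunk is for a different file from the one above (it links to `ueba-reference.md` relatively), and its new "Unified *IdentityInfo* table" entry is too vague for a what's-new item: "the largest possible set of fields common to both the Defender and Azure portals" tells readers nothing they can act on. State that the unified table carries the UEBA-generated fields and that several fields are renamed relative to the Microsoft Sentinel table, because the rename is what forces query changes, and point at the "Compare to unified schema" tab that the other file in this commit adds for that purpose. Also confirm that `ueba-reference.md#identityinfo-table` resolves to a real heading anchor in that file. Replacing the removed `[Additions to SOC optimization support (Preview)](#additions-to-soc-optimization-support-preview)` line, which linked to its own anchor, with the plain `### Additions to SOC optimization support (Preview)` heading is fine.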