Merge pull request #2789 from MicrosoftDocs/main

Publish main to live, 02/14/25, 3:30 PM PT

Author: Ruchika-mittal01

defender-xdr/TOC.yml

@@ -227,7 +227,11 @@
           - name: CloudAuditEvents
             href: advanced-hunting-cloudauditevents-table.md
           - name: CloudProcessEvents
-            href: advanced-hunting-cloudprocessevents-table.md                     
+            href: advanced-hunting-cloudprocessevents-table.md
+          - name: DataSecurityBehaviors
+            href: advanced-hunting-datasecuritybehaviors-table.md  
+          - name: DataSecurityEvents
+            href: advanced-hunting-datasecurityevents-table.md                                               
           - name: DeviceBaselineComplianceAssessment
             href: advanced-hunting-devicebaselinecomplianceassessment-table.md
           - name: DeviceBaselineComplianceAssessmentKB

defender-xdr/advanced-hunting-datasecuritybehaviors-table.md

@@ -0,0 +1,84 @@
+---
+title: DataSecurityBehaviors table in the advanced hunting schema
+description: Learn about the DataSecurityBehaviors table of the advanced hunting schema, which contains insights about potentially suspicious user behaviors that violate the user-defined or default policies configured in the Microsoft Purview suite of solutions.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 02/11/2025
+---
+
+# DataSecurityBehaviors (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- Microsoft Defender XDR
+- Microsoft Purview
+
+
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `DataSecurityBehaviors` table in the [advanced hunting](advanced-hunting-overview.md) schema contains insights about potentially suspicious user behaviors that violate the user-defined or default policies configured in the Microsoft Purview suite of solutions. 
+
+Insights cover a range of data security related behaviors like behaviors involving exfiltration, obfuscation, risky interactions with AI applications, and others. Insights are generated by aggregating user behaviors over a calendar day and comparing them with previous activity, peer group activity, or other activities done by the user. Insights also capture summaries of various risk pivots like sensitive data, risky destinations, and the like.
+
+Use this reference to construct queries that return information from this table.
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+|`Timestamp` | `datetime`	| Date and time when the record was generated or updated |
+|`BehaviorId` | `string` | Unique identifier for the behavior |
+|`ActionType`|	`string`|Type of behavior. Refer to the catalog of behaviors detected by Microsoft Purview Insider Risk Management |
+|`StartTime`|	`datetime`	|Date and time of the first activity related to the behavior|
+|`EndTime`|	`datetime`|	Date and time of the last activity related to the behavior|
+|`AttackTechniques`|	`string`|	MITRE ATT&CK techniques associated with the activity that triggered the behavior. Refer to subtechniques in the insider risk management behavior catalog.|
+|`Categories`|	`string`|	Type of threat indicator or breach activity identified by the behavior|
+|`ActivityType`|	`enum`|	Activity category based on categories in Microsoft Purview Insider Risk Management|
+|`Description`|	`string`|	Description of the behavior|
+|`ServiceSource`|	`string`|	Product or service that identified the behavior|
+|`DetectionSource`|	`string`|	Detection technology or sensor that identified the notable component or activity|
+|`ActivityCount`|	`int`|	Total user activity events recorded under this behavior|
+|`IsAnomalous`|	`bool`|	Indicates if this user behavior is anomalous by itself or based on insider risk management global settings|
+|`IsContentHidden`|	`bool`|	Indicates if the behavior involves hidden content on a device|
+|`AccountUpn`|	`string`|	User principal name (UPN) of the account|
+|`AccountEmail`|	`string`|	Email address of the account|
+|`Application`|	`string`	|Application that performed the recorded action|
+|`DeviceInfo`|	`dynamic`|	List of device information for the device involved in this behavior, including device ID, device name, and the number of events in which the device is involved; in JSON array format|
+|`SensitivityLabelInfo`|	`dynamic`|	List of sensitivity labels assigned to content involved in this behavior, including the unique identifier for the Microsoft Information Protection sensitivity label assigned to the related content, the name of the sensitivity label, and the number of events in the behavior involving this label; in JSON array format|
+|`SensitiveInfoTypesInfo`|	`dynamic`	|List of sensitive info types detected in the content involved in this behavior, including the unique identifier for the sensitive info type, the name of the sensitive info type, and the number of events in the behavior involving this sensitive info type; in JSON array format|
+|`UrlDomainInfo`|	`dynamic`|	List of websites or service URLs involved in the behavior, including the name of the URL domain, the direction of data (sent or received from domain), type of URL domain (customer-configured or based on watchlists), and the number of events in the behavior involving the specific domain; in JSON array format|
+|`SharepointSiteInfo`|	`dynamic`|	List of SharePoint sites involved in this behavior, including the unique identifier for the SharePoint site, the name of the SharePoint site, and the number of events in the behavior involving the SharePoint site; in JSON array format|
+|`RecipientEmailInfo`|	`dynamic`|	List of information about the recipient involved in the behavior, including the email address of the recipient and the number of events in the behavior involving the recipient; in JSON array format|
+|`RemovableMediaInfo`|	`dynamic`|	List of any removable media involved in the behavior, including the serial number of the removable media device, the manufacturer of the removable media device, and the model of the removable device; in JSON array format|
+|`PrinterName`|	`dynamic`	|List of printers involved in the behavior; in array format|
+|`PriorityContentMatchInfo`	|`dynamic`|	List of priority content matches identified within this behavior and their associated details. Priority content definitions are done by the admins for each Insider risk management policy. Displayed in JSON array format.|
+
+## Related articles
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/advanced-hunting-datasecurityevents-table.md

@@ -0,0 +1,116 @@
+---
+title: DataSecurityEvents table in the advanced hunting schema
+description: Learn about the DataSecurityEvents table of the advanced hunting schema, which contains information about user activities that violate user-defined or default policies in the Microsoft Purview suite of solutions. 
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 02/11/2025
+---
+
+# DataSecurityEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- Microsoft Defender XDR
+- Microsoft Purview
+
+
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `DataSecurityEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user activities that violate user-defined or default policies in the Microsoft Purview suite of solutions. Each log represents a single user activity enriched with proprietary Microsoft detections (like sensitive info types) and user-defined enrichment labels like domain categories, sensitivity labels, and others.
+
+Use this reference to construct queries that return information from this table.
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+|`ApplicationNames`|	`string`|List of application names used or related to the event|
+|`DeviceId`|	`string`|	Unique identifier for the device in Microsoft Defender for Endpoint|
+|`DeviceName`|	`string`|	Fully qualified domain name(FQDN) of the device|
+|`AadDeviceId`|	`guid`|	Unique identifier for the device in Microsoft Entra ID|
+|`IsManagedDevice`|	`bool`| Indicates if the device is managed by the organization (True) or not (False)|
+|`DlpPolicyMatchInfo`|	`string`|	Information around the list of data loss prevention (DLP) policies matching this event|
+|`DlpPolicyEnforcementMode`|	`int`|	Indicates the Data Loss Prevention policy that was enforced; value can be: 0 (None), 1 (Audit), 2 (Warn), 3 (Warn and bypass), 4 (Block), 5 (Allow)|
+|`DlpPolicyRuleMatchInfo`|	`dynamic`|	Details of the data loss prevention (DLP)  rules that matched with this event; in JSON array format|
+|`FileRenameInfo`|`string`|	Details of the file (file name and extension) prior to this event|
+|`PhysicalAccessPointId`|	`string`|	Unique identifier for the physical access point|
+|`PhysicalAccessPointName`|	`string`|	Name of the physical access point|
+|`PhysicalAccessStatus`	|`string`|	Status of physical access, whether it succeeded or failed|
+|`PhysicalAssetTag`|`string`	|Tag assigned to the asset as configured in Microsoft Insider Risk Management global settings|
+|`RemovableMediaManufacturer`|`string`|	Manufacturer name of the removable device|
+|`RemovableMediaModel`|	`string`|	Model name of the removable device|
+|`RemovableMediaSerialNumber`|	`string`|Serial number of the removable device|
+|`TeamsChannelName`|`string`|	Name of the Teams channel|
+|`TeamsChannelType`|	`string`|	Type of the Teams channel|
+|`TeamsTeamName`|	`string`	|Name of the Teams team |
+|`UserAlternateEmails`|	`string`|	Alternate emails or aliases of the user|
+|`AccountUpn`|	`string`|	User principal name (UPN) of the account|
+|`AccountObjectId`|	`string`|	Unique identifier for the account in Microsoft Entra ID|
+|`Department`|`string`|	Name of the department that the account user belongs to|
+|`SourceCodeInfo`|	`string`|	Details of the source code repository involved in the event|
+|`CcPolicyMatchInfo`|	`dynamic` | Details of the Communications Compliance policy matches for this event; in JSON array format |
+|`IPAddress`|	`string`|	IP addresses of the clients on which the activity was performed; can contain multiple Ips if related to Microsoft Defender for Cloud Apps alerts|
+|`Timestamp`|	`datetime`|	Date and time when the event was recorded|
+|`DeviceSourceLocationType`|	`int`|	Indicates the type of location where the endpoint signals originated from; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
+|`DeviceDestinationLocationType`|	`int`|	Indicates the type of location where the endpoint signals connected to; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
+|`IrmPolicyMatchInfo`|	`dynamic`| Details of Insider Risk Management policy matches for the content involved in the event; in JSON array format |	
+|`UnallowedUrlDomains`|	`string`|	Websites or service URLs involved in this event that is configured as Unallowed in Insider Risk Management global settings|
+|`ExternalUrlDomains`|	`string`|	Websites or service URLs involved in this event that is classified as External in Insider Risk Management global settings|
+|`UrlDomainInfo`|	`string`|	Details about the websites or service URLs involved in the event|
+|`SourceUrlDomain`|	`string`|	Domain where the device and email signals originated|
+|`TargetUrlDomain`|	`string`|	Domain where the content was shared with or the user has browsed to|
+|`EmailAttachmentCount`|`int`| Number of email attachments	|
+|`EmailAttachmentInfo`|	`dynamic`|	Details of email attachments; in JSON array format|
+|`InternetMessageId`|`string`	|Public-facing identifier for the email or Teams message that is set by the sending email system |
+|`NetworkMessageId`|	`guid`|	Unique identifier for the email, generated by Microsoft 365 |
+|`EmailSubject`|	`string`|	Subject of the email|
+|`ObjectId`|	`string`	|Unique identifier of the object that the recorded action was applied to, in case of files it includes the extension|
+|`ObjectName`|	`string`|	Name of the object that the recorded action was applied to, in case of files it includes the extension|
+|`ObjectType`|	`string`|	Type of object, such as a file or a folder, that the recorded action was applied to|
+|`ObjectSize`|	`int`|	Size of the object in bytes|
+|`IsHidden`|	`bool`|	Indicates whether the user has marked the content as hidden (True) or not (False) |
+|`ActivityId`	|`guid`|	Unique identifier of the activity log|
+|`ActionType`|`string`|	Type of activity that triggered the event|
+|`SensitiveInfoTypeInfo`|	`dynamic`|	Details of Data Loss Prevention sensitive info types detected in the impacted asset|
+|`SensitivityLabelId`|`string`|The current Microsoft Information Protection sensitivity label ID associated with the item|
+|`SharepointSiteSensitivityLabelIds`|`string`|	The current Microsoft Information Protection sensitivity label ID assigned to the parent site of the item related to SharePoint activities |
+|`PreviousSensitivityLabelId`|	`string`|The previous Microsoft Information Protection sensitivity label ID associated with the item in case of activities where the sensitivity label was changed|
+|`Operation`|	`string`|	Name of the admin activity|
+|`RecipientEmailAddress`|	`string`|	Email address of the recipient, or email address of the recipient after distribution list expansion|
+|`SiteUrl`|	`string` | The URL of the site where the file or folder accessed by the user is located |	
+|`SourceRelativeUrl`|	`string`| The URL of the folder that contains the file accessed by the user |	
+|`TargetFilePath`|	`string`|	Target file path of endpoint activities|
+|`PrinterName`|	`string`|	List of printers involved in the behavior|
+|`Workload`|`string`|	The Microsoft 365 service where the event occurred|
+|`IrmActionCategory`|	`enum`|	A unique enumeration value indicating the activity category in Microsoft Purview Insider Risk Management|
+|`SequenceCorrelationId`|`string`	|Details of the sequence activity|
+
+
+## Related articles
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/advanced-hunting-schema-tables.md

@@ -62,6 +62,8 @@ The following reference lists all the tables in the schema. Each table name link
 | **[BehaviorInfo](advanced-hunting-behaviorinfo-table.md)** (Preview) | Alerts from Microsoft Defender for Cloud Apps (not available for GCC) |
 | **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)** | Events involving accounts and objects in Office 365 and other cloud apps and services |
 | **[CloudAuditEvents](advanced-hunting-cloudauditevents-table.md)** (Preview)| Cloud audit events for various cloud platforms protected by the organization's Microsoft Defender for Cloud |
+| **[DataSecurityBehaviors](advanced-hunting-datasecuritybehaviors-table.md)** (Preview)| Insights about potentially suspicious user behaviors that violate user-defined or default policies configured in the Microsoft Purview suite of solutions|
+| **[DataSecurityEvents](advanced-hunting-datasecurityevents-table.md)** (Preview)| Information about user activities that violate user-defined or default policies in the Microsoft Purview suite of solutions |
 | **[CloudProcessEvents](advanced-hunting-cloudprocessevents-table.md)** (Preview)| Cloud process events for various cloud platforms protected by the organization's Microsoft Defender for Containers |
 | **[DeviceBaselineComplianceAssessment](advanced-hunting-devicebaselinecomplianceassessment-table.md)** (Preview) | Baseline compliance assessment snapshot, which indicates the status of various security configurations related to baseline profiles on devices |
 | **[DeviceBaselineComplianceAssessmentKB](advanced-hunting-devicebaselinecomplianceassessmentkb-table.md)** (Preview) | Information about various security configurations used by baseline compliance to assess devices |

defender-xdr/irm-investigate-alerts-defender.md

@@ -119,8 +119,8 @@ Use advanced hunting to further investigate insider risk events and behaviors. R
 |:---|:---|
 |[AlertInfo](advanced-hunting-alertinfo-table.md)|Insider risk management alerts are available as part the AlertInfo table, which contains information about alerts from various Microsoft security solutions.|
 |[AlertEvidence](advanced-hunting-alertevidence-table.md)|Insider risk management alerts are available as part of the AlertEvidence table, which contains information about entities associated with alerts from various Microsoft security solutions.|
-|DataSecurityBehaviors|This table contains insights into potentially suspicious user behavior that violates the default or customer-defined policies in Microsoft Purview.|
-|DataSecurityEvents|This table contains enriched events about user activities that violate the default or customer-defined policies in Microsoft Purview.|
+|[DataSecurityBehaviors](advanced-hunting-datasecuritybehaviors-table.md)|This table contains insights into potentially suspicious user behavior that violates the default or customer-defined policies in Microsoft Purview.|
+|[DataSecurityEvents](advanced-hunting-datasecurityevents-table.md)|This table contains enriched events about user activities that violate the default or customer-defined policies in Microsoft Purview.|
 
 In the example below, we use the **DataSecurityEvents** table to investigate potentially suspicious user behavior. In this case, the user uploaded a file to Google Drive, which can be viewed as suspicious behavior if a company doesn't support file uploads to Google Drive.
 

defender-xdr/whats-new.md

@@ -35,6 +35,7 @@ You can also get product updates and important notifications through the [messag
 ## February 2025
 - (Preview) The `PrivilegedEntraPimRoles` column is available for preview in the advanced hunting [IdentityInfo](advanced-hunting-identityinfo-table.md) table. 
 
+
 ## January 2025
 
 - (Preview) Device activity events from Microsoft Sentinel's device [entity pages](/azure/sentinel/entity-pages) are now visible in the *Timeline* tab on the [Device entity page](./entity-page-device.md#timeline-tab) in the Defender portal, in addition to remaining visible on the [*Sentinel events* tab](./entity-page-device.md#sentinel-events-tab).