Merge branch 'main' into WI473943-account-view-manual-account-correlation

Author: padmagit77

defender-for-cloud-apps/policy-template-reference.md

@@ -1,9 +1,10 @@
 ---
 title: Microsoft Defender for Cloud Apps policy templates
 description: This article provides information on policy templates included in Microsoft Defender for Cloud Apps.
-ms.date: 01/29/2023
+ms.date: 11/16/2025
 ms.topic: how-to
-ms.reviewer: Ronen-Refaeli
+ms.reviewer: MayaAbelson
+
 ---
 
 # Defender for Cloud Apps policy templates
@@ -13,7 +14,6 @@ We recommend that you simplify policy creation by starting with existing templat
 For the full list of templates, check the Microsoft Defender Portal.
 
 
-
 ## Policy template highlights
 
 |Risk category|Template name|Description|
@@ -33,10 +33,6 @@ For the full list of templates, check the Microsoft Defender Portal.
 |Cloud discovery|New risky app|Alert when new apps are discovered with risk score lower than 6 and that are used by more than 50 users with a total daily use of more than 50 MB.|
 |Cloud discovery|New sales app|Alert when new sales apps are discovered that are used by more than 50 users with a total daily use of more than 50 MB.|
 |Cloud discovery|New vendor management system apps|Alert when new vendor management system apps are discovered that are used by more than 50 users with a total daily use of more than 50 MB.|
-|DLP|Externally shared source code|Alert when a file containing source code is shared outside your organization.|
-|DLP|File containing PCI detected in the cloud (built-in DLP engine)|Alert when a file with payment card information (PCI) is detected by the Microsoft Defender for Cloud Apps built-in data loss prevention (DLP) engine in a sanctioned cloud app.|
-|DLP|File containing PHI detected in the cloud (built-in DLP engine)|Alert when a file with protected health information (PHI) is detected by the Microsoft Defender for Cloud Apps built-in data loss prevention (DLP) engine in a sanctioned cloud app.|
-|DLP|File containing private information detected in the cloud (built-in DLP engine)|Alert when a file with personal data is detected by the Microsoft Defender for Cloud Apps built-in data loss prevention (DLP) engine in a sanctioned cloud app.|
 |Threat detection|Administrative activity from a non-corporate IP address|Alert when an admin user performs an administrative activity from an IP address that isn't included in the corporate IP address range category. First configure your corporate IP addresses by going to the Settings page, and setting **IP address ranges**.|
 |Threat detection|Log on from a risky IP address|Alert when a user signs into your sanctioned apps from a risky IP address. By default, the Risky IP address category contains addresses that have IP address tags of Anonymous proxy, TOR, or Botnet. You can add more IP addresses to this category in the IP address ranges settings page.|
 |Threat detection|Mass download by a single user|Alert when a single user performs more than 50 downloads within 1 minute.|

defender-xdr/TOC.yml

@@ -315,6 +315,8 @@
             href: advanced-hunting-exposuregraphnodes-table.md
           - name: GraphApiAuditEvents
             href: advanced-hunting-graphapiauditevents-table.md            
+          - name: IdentityAccountInfo
+            href: advanced-hunting-identityaccountinfo-table.md
           - name: IdentityDirectoryEvents
             href: advanced-hunting-identitydirectoryevents-table.md
           - name: IdentityEvents

defender-xdr/advanced-hunting-identityaccountinfo-table.md

@@ -0,0 +1,94 @@
+---
+title: IdentityAccountInfo table in the advanced hunting schema
+description: Learn about the IdentityAccountInfo table in the advanced hunting schema, which provides account information from various sources, including Microsoft Entra ID.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 11/17/2025
+---
+
+# IdentityAccountInfo (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `IdentityAccountInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about account information from various sources, including Microsoft Entra ID. This table also includes information and link to the identity that owns the account. Use this reference to construct queries that return information from this table.
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | The date and time that the line was written to the database.<br><br>This is used when there are multiple lines for each identity, such as when a change is detected, or if 24 hours have passed since the last database line was added. |
+| `ReportId` | `string` | Unique identifier for the event |
+| `SourceProviderAccountId` | `string` | Identifier for the account in the source provider (for example, object ID for a Microsoft Entra ID account) |
+| `AccountId` | `string` | Internal identifier for the account |
+| `IdentityId` | `string` | Identifier for the identity that the account is linked to |
+| `IsPrimary ` | `bool` | Indicates if this account is considered as primary account for the linked identity |
+| `IdentityLinkType` | `string` | Type of linkage between the account and identity; possible values: Manual, Strong identifiers |
+| `IdentityLinkReason` | `string` | Reason for linking the account and identity. If the linkage type is manual, the value will be the justification comment added by the user. |
+| `IdentityLinkTime` | `datetime` | Date and time the account was linked to the identity |
+| `IdentityLinkBy` | `string` | The entity that linked the account to the identity. If the linkage type is based on strong identifiers, the value will be System |
+| `DisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |
+| `AccountUpn` | `string` | User principal name (UPN) of the account |
+| `EmailAddress` | `string` | SMTP address of the account |
+| `CriticalityLevel` | `int` | The criticality score of the account |
+| `DefenderRiskLevel` | `int` | The risk level of the account as calculated by Microsoft Defender |
+| `DefenderRiskUpdateTime` | `datetime` | Date and time Microsoft Defender last updated the risk level of the account |
+| `Type` | `string` | Type of identity; possible values: User, ServiceAccount |
+| `GivenName` | `string` | Given name or first name of the account user |
+| `Surname` | `string` | Surname, family name, or last name of the account user |
+| `EmployeeId` | `string` | Employee identifier assigned to the user by the organization |
+| `Department` | `string` | Name of the department that the account user belongs to |
+| `JobTitle` | `string` | Job title of the account user |
+| `Address` | `string` | Address of the account user |
+| `City` | `string` | City where the account user is located |
+| `Country` | `string` | Country/Region where the account user is located |
+| `Phone` | `string` | The listed phone number of the account user |
+| `Manager` | `string` | The listed manager of the account user |
+| `Sid` | `string` | Security identifier (SID) of the account |
+| `AccountStatus` | `string` | The status of the account; possible values: Disabled, Enabled, Deleted |
+| `SourceProvider` | `string` | Source application or service of the account (for example, Microsoft Entra ID) |
+| `SourceProviderInstanceId` | `string` | The identifier of the source application or service of the account. For example, in Microsoft Entra ID, this is the organization Globally Unique Identifier (GUID). |
+| `SourceProviderInstanceDisplayName` | `string` | The display name of the source application or service of the account |
+| `AuthenticationMethod` | `string` | Authentication method used to allow the account user to sign into the account; possible values: Credentials, Federated, Hybrid |
+| `AuthenticationSourceAcccountId` | `string` | The identifier of the federating account, if the authentication method is Federated |
+| `EnrolledMfas` | `dynamic` | Types of multifactor authentication methods configured for the account user and their status |
+| `LastPasswordChangeTime` | `datetime` | Date and time the account password was last changed |
+| `GroupMembership` | `dynamic` | Group identifiers assigned to the account |
+| `AssignedRoles` | `dynamic` | Role identifiers assigned to the account |
+| `EligibleRoles` | `dynamic` | Identifiers for roles the account are eligible to use (for example, Microsoft Entra Privileged Identity Management roles) |
+| `TenantMembershipType` | `string` | User type; possible values: Guest, Member |
+| `CreatedDateTime ` | `datetime` | Date and time when the user account was created |
+| `DeletedDateTime` | `datetime` | Date and time when the user account was deleted |
+| `Tags` | `dynamic` | Tags assigned to the account by Defender for Identity |
+| `SourceProvderRiskLevel` | `dynamic` | Risk level of the account as it appears in the source provider; possible values: Low, Medium, High |
+| `AdditionalFields` | `dynamic` | Additional information about the entity or event |
+| `TenantId` | `string` | Universally unique identifier (UUID) for the tenant |
+
+
+## Related articles
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/advanced-hunting-schema-tables.md

@@ -21,7 +21,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 11/04/2025
+ms.date: 11/17/2025
 ---
 
 # Understand the advanced hunting schema
@@ -102,6 +102,7 @@ The following reference lists all the tables in the schema. Each table name link
 | **[ExposureGraphEdges](advanced-hunting-exposuregraphedges-table.md)** | Microsoft Security Exposure Management exposure graph edge information provides visibility into relationships between entities and assets in the graph |
 | **[ExposureGraphNodes](advanced-hunting-exposuregraphnodes-table.md)** | Microsoft Security Exposure Management exposure graph node information, about organizational entities and their properties |
 | **[GraphApiAuditEvents](advanced-hunting-graphapiauditevents-table.md)**  (Preview) | Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant |
+| **[IdentityAccountInfo](advanced-hunting-identityaccountinfo-table.md)** (Preview) | Account information from various sources, including Microsoft Entra ID. This table also includes information and link to the identity that owns the account. |
 | **[IdentityDirectoryEvents](advanced-hunting-identitydirectoryevents-table.md)** | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. |
 | **[IdentityEvents](advanced-hunting-identityevents-table.md)** (Preview) | Information about identity events obtained from other cloud identity service providers |
 | **[IdentityInfo](advanced-hunting-identityinfo-table.md)** | Account information from various sources, including Microsoft Entra ID |

defender-xdr/whats-new.md

@@ -6,7 +6,7 @@ ms.service: defender-xdr
 ms.author: guywild
 author: guywi-ms
 ms.localizationpriority: medium
-ms.date: 11/03/2025
+ms.date: 11/17/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -33,6 +33,7 @@ For more information on what's new with other Microsoft Defender security produc
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
 ## November 2025
+- (Preview) The [`IdentityAccountInfo`](advanced-hunting-identityaccountinfo-table.md) table in advanced hunting is now available for preview. This table contains information about account information from various sources, including Microsoft Entra ID. It also includes information and link to the identity that owns the account. 
 - (Preview) Threat analytics now has an **Indicators** tab that provides a list of all indicators of compromise (IOCs) associated with a threat. Microsoft researchers update these IOCs in real time as they find new evidence related to the threat. This information helps your security operations center (SOC) and threat intelligence analysts with remediation and proactive hunting. [Learn more](threat-analytics-indicators.md)
 - (Preview) The overview section of [threat analytics](threat-analytics.md) now includes additional details about a threat, such as alias, origin, and related intelligence, providing you with more insights on what the threat is and how it might impact your organization.