
Commit 3caea54

Merge pull request #4288 from MicrosoftDocs/maccruz-ahschemareview
Added blurb for prereqs
2 parents e0cc6cc + d94609b commit 3caea54

5 files changed, +18 −5 lines changed

defender-xdr/advanced-hunting-exposuregraphedges-table.md

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -39,6 +39,9 @@ ms.date: 03/28/2025
3939
4040
The `ExposureGraphEdges` table in the [advanced hunting](advanced-hunting-overview.md) schema provides visibility into relationships between entities and assets in the enterprise exposure graph. This visibility can help uncover critical organizational assets and explore entity relationships and attack paths. Use this reference to construct queries that return information from this table.
4141

42+
This advanced hunting table is populated by records from various Microsoft Defender services, including Defender for Endpoint, Defender for Identity, Defender for Cloud, Entra ID, and others. The table also gets populated by third-party data through the various Security Exposure Management data connectors. The more security products you deploy, the richer the graph becomes with more meaningful data. If your organization hasn’t deployed any service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy services in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
43+
44+
4245
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
4346

4447
| Column name | Data type | Description |
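Review bot: the sentence added at line 42, "queries that use the table aren't going to work or return any results", describes two different outcomes (a failing query versus an empty result set); pick the one that is actually true and state it once, for example "queries that use this table return no results". In the same paragraph, "Entra ID" should be "Microsoft Entra ID" on first mention to match the wording used in the other files in this PR, and "the richer the graph becomes with more meaningful data" says the same thing twice. The two added blank lines (43+, 44+) also leave a double blank line before the "For information on other tables" paragraph; one is enough.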

defender-xdr/advanced-hunting-exposuregraphnodes-table.md

Lines changed: 4 additions & 0 deletions
@@ -37,6 +37,10 @@ ms.date: 03/28/2025
3737
3838
The `ExposureGraphNodes` table in the [advanced hunting](advanced-hunting-overview.md) schema contains organizational entities and their properties. These include entities like devices, identities, user groups, and cloud assets such as virtual machines (VMs), storage, and containers. Each node corresponds to an individual entity and encapsulates information about its characteristics, attributes, and security related insights within the organizational structure. Use this reference to construct queries that return information from this table.
3939

40+
41+
This advanced hunting table is populated by records from various Microsoft Defender services, including Defender for Endpoint, Defender for Identity, Defender for Cloud, Entra ID, and others. The table also gets populated by third-party data through the various Security Exposure Management data connectors. The more security products you deploy, the richer the graph becomes with more meaningful data. If your organization hasn’t deployed any service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy services in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
42+
43+
4044
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
4145

4246
| Column name | Data type | Description |
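Review bot: the paragraph added at line 41 is word-for-word the same as the one added to the ExposureGraphEdges page, so the same wording points apply ("aren't going to work or return any results", "Entra ID" without "Microsoft"); here the added blank lines 40+/41+ and 42+/43+ leave a double blank line on both sides of the paragraph. Since the blurb is meant to be identical on both graph pages, consider maintaining it in a single shared include rather than two copies that will drift.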

defender-xdr/advanced-hunting-identityinfo-table.md

Lines changed: 7 additions & 5 deletions
@@ -35,9 +35,11 @@ Microsoft Sentinel uses a slightly expanded version of this table in Log Analyti
3535

3636
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
3737

38-
The following schema is the unified `IdentityInfo` schema that streamlines a similar table in Microsoft Sentinel's log analytics and in Microsoft Defender XDR advanced hunting. The complete set of columns below is available for Defender portal users who have onboarded Sentinel and turned on the User and Entity Behavior Analytics (UEBA) service.
38+
The following schema is the unified `IdentityInfo` schema that streamlines a similar table in Microsoft Sentinel's log analytics and in Microsoft Defender XDR advanced hunting. The complete set of columns is available for Defender portal users who have onboarded Microsoft Sentinel and turned on the User and Entity Behavior Analytics (UEBA) service.
3939

40-
Defender portal users who have not onboarded a Sentinel workspace that has the UEBA service turned on cannot view UEBA-specific columns. Read [UEBA-specific columns](#ueba-specific-columns).
40+
Defender portal users who haven't onboarded a Microsoft Sentinel workspace that has the UEBA service turned on can't view UEBA-specific columns. Read [UEBA-specific columns](#ueba-specific-columns).
41+
42+
This advanced hunting table is populated by records from Microsoft Defender for Identity or Microsoft Sentinel and Microsoft Entra ID. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Identity in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
4143

4244
| Column name | Data type | Description |
4345
|-------------|-----------|-------------|
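Review bot: "populated by records from Microsoft Defender for Identity or Microsoft Sentinel and Microsoft Entra ID" (line 42) is ambiguous about which sources are alternatives and which are required together, and the following "hasn't deployed the service" has no clear antecedent while the last sentence names only Defender for Identity. Suggest listing the sources explicitly and stating the actual prerequisite, for example "If your organization hasn't deployed Microsoft Defender for Identity, ...". The paragraph is also placed after the UEBA column note rather than next to the table description, unlike the other pages in this PR, where the blurb directly follows the introduction.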
@@ -74,7 +76,7 @@ Defender portal users who have not onboarded a Sentinel workspace that has the U
7476
| `OtherMailAddresses` | `dynamic` | Additional email addresses of the user account |
7577
| `RiskLevel` | `string` | Microsoft Entra ID risk level of the user account; possible values: Low, Medium, High |
7678
| `RiskLevelDetails` | `string` | Details regarding the Microsoft Entra ID risk level |
77-
| `State` | `string` | State where the sign-in occured, if available |
79+
| `State` | `string` | State where the sign-in occurred, if available |
7880
| `Tags` [*](#mdi-only) | `dynamic` | Tags assigned to the account user by Defender for Identity |
7981
| `AssignedRoles` [*](#mdi-only) | `dynamic` | For identities from Microsoft Entra-only, the roles assigned to the account user|
8082
| `PrivilegedEntraPimRoles` (Preview) [**](#mdi) | `dynamic` | A snapshot of privileged role assignment schedules and eligibility schedules for the account as maintained by Microsoft Entra Privileged Identity Management (excluding activated assignments) |
@@ -93,7 +95,7 @@ Defender portal users who have not onboarded a Sentinel workspace that has the U
9395
<a name="mdi"></a>** Available only for tenants with Microsoft Defender for Identity.
9496

9597
## UEBA-specific columns
96-
If you are using the Microsoft Defender portal but have not onboarded a Microsoft Sentinel workspace with the UEBA service turned on, the following columns are not available in your `IdentityInfo` table:
98+
If you're using the Microsoft Defender portal but haven't onboarded a Microsoft Sentinel workspace with the UEBA service turned on, the following columns aren't available in your `IdentityInfo` table:
9799

98100
- `BlastRadius`
99101
- `CompanyName`
@@ -108,7 +110,7 @@ If you are using the Microsoft Defender portal but have not onboarded a Microsof
108110
For more information about UEBA, read [Advanced threat detection with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](/azure/sentinel/identify-threats-with-entity-behavior-analytics). For more information about the different data sources in UEBA, read [Microsoft Sentinel UEBA reference](/azure/sentinel/ueba-reference).
109111

110112

111-
## Related topics
113+
## Related articles
112114

113115
- [Advanced hunting overview](advanced-hunting-overview.md)
114116
- [Learn the query language](advanced-hunting-query-language.md)
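Review bot: renaming the heading from "Related topics" to "Related articles" changes its anchor, so any existing links to #related-topics in other articles will break; check for references before merging and apply the same rename across the sibling advanced hunting table pages so the heading is consistent.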

defender-xdr/advanced-hunting-identitylogonevents-table.md

Lines changed: 2 additions & 0 deletions
@@ -38,6 +38,8 @@ The `IdentityLogonEvents` table in the [advanced hunting](advanced-hunting-overv
3838
> [!NOTE]
3939
> This table covers Microsoft Entra logon activities tracked by Defender for Cloud Apps, specifically interactive sign-ins and authentication activities using ActiveSync and other legacy protocols. Non-interactive logons that are not available in this table can be viewed in the Microsoft Entra audit log. [Learn more about connecting Defender for Cloud Apps to Microsoft 365](/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security)
4040
41+
This advanced hunting table is populated by records from Microsoft Defender for Identity or Microsoft Sentinel and Microsoft Entra ID. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Identity in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
42+
4143
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
4244

4345
| Column name | Data type | Description |
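Review bot: the paragraph added at line 41 names Defender for Identity, Microsoft Sentinel and Microsoft Entra ID as the sources, but the note directly above it (lines 38-39) says this table covers Entra logon activities tracked by Defender for Cloud Apps. Either add Defender for Cloud Apps to the source list or reconcile the note, otherwise a reader following the prerequisites would not know that product is needed. The "hasn't deployed the service" / "deploy Defender for Identity" wording has the same ambiguity as the IdentityInfo change.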

defender-xdr/advanced-hunting-identityqueryevents-table.md

Lines changed: 2 additions & 0 deletions
@@ -35,6 +35,8 @@ The `IdentityQueryEvents` table in the [advanced hunting](advanced-hunting-overv
3535
> [!TIP]
3636
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.
3737
38+
39+
This advanced hunting table is populated by records from Microsoft Defender for Identity or Microsoft Sentinel and Mirosoft Entra ID. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Identity in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
3840
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
3941

4042
| Column name | Data type | Description |
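Review bot: typo on line 39, "Mirosoft Entra ID" should be "Microsoft Entra ID". The added paragraph also has no blank line between it and the existing "For information on other tables..." line (40), so Markdown will render the two as one paragraph; move one of the two blank lines added at 38+/39+ to after the new paragraph.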
