Merge pull request #4723 from MicrosoftDocs/main

[AutoPublish] main to live - 08/11 22:32 PDT | 08/12 11:02 IST

Author: aditisrivastava07

ATPDocs/whats-new.md

@@ -25,9 +25,12 @@ For updates about versions and features released six months ago or earlier, see
 
 ## August 2025
 
-### Sensor version 2.246
+### Microsoft Defender for Identity sensor version updates
 
-This version includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor.
+|Version number |Updates |
+|---------|---------|
+|2.247|Includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor.|
+|2.246|Includes bug fixes and stability improvements for the Microsoft Defender for Identity sensor.    |
 
 ### Detection update: Suspected Brute Force attack (Kerberos, NTLM)
 

defender-xdr/TOC.yml

@@ -313,6 +313,8 @@
             href: advanced-hunting-graphapiauditevents-table.md            
           - name: IdentityDirectoryEvents
             href: advanced-hunting-identitydirectoryevents-table.md
+          - name: IdentityEvents
+            href: advanced-hunting-identityevents-table.md
           - name: IdentityInfo
             href: advanced-hunting-identityinfo-table.md
           - name: IdentityLogonEvents

defender-xdr/advanced-hunting-identityevents-table.md

@@ -0,0 +1,75 @@
+---
+title: IdentityEvents table in the advanced hunting schema
+description: Learn about the IdentityEvents table in the advanced hunting schema, which contains information about identity events obtained from other cloud identity service providers. 
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords:
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.topic: reference
+ms.date: 08/07/2025
+---
+
+# IdentityEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+The `IdentityEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about identity events obtained from other cloud identity service providers. Use this reference to construct queries that return information from this table. 
+
+> [!IMPORTANT]
+> Some information relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This advanced hunting table is populated by records from Microsoft Defender for Identity. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Identity in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
+
+>[!NOTE]
+>This advanced hunting table is populated only when other identity services like Okta are connected to Defender for Identity. 
+
+
+For information on other tables in the advanced hunting schema, see the [advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp ` | `datetime` | Date and time when the record was generated  |
+| `ReportId ` | `string` | Unique identifier for the event  |
+| `AccountId ` | `string` | Unique identifier for the account in the source application |
+| `AccountType` | `string` | Type of user account, indicating its general role like User, SystemPrincipal |
+| `AccountDisplayName` | `string` | Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user.  |
+| `AccountUpn` | `string` | Alternate ID, email, or name for the account in the source application |
+| `ActionType` | `string` | Type of activity that triggered the event in the raw format received from the source application | 	
+| `ActionResult` | `string` | Result of the action | 	 
+| `ActionFailureReason` | `string` | Information explaining why the recorded action failed | 	 
+| `IPAddress` | `string` | IP address assigned to the device and used during related network communications |  	 
+| `UserAgent` | `string` | User agent information from the web browser or other client application | 	 
+| `TargetObjects` | `dynamic` | List of the target objects of this activity. Target object can be user, group, role, domain, application, and more. | 	 
+| `Application` | `string` | The source application where this event was received from | 	 
+| `ApplicationInstanceId` | `string` | Domain of the source application | 	 
+| `ApplicationEventId` | `string` | Raw event ID provided by the source application | 	 
+| `ApplicationSessionId` | `string` | Raw session ID provided by the source application | 	 
+| `RawEventData` | `dynamic` | Full raw event information from the source application in JSON format | 	 
+| `AdditionalFields` | `dynamic` | Additional information about the entity or event |
+
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/advanced-hunting-schema-tables.md

@@ -100,6 +100,7 @@ The following reference lists all the tables in the schema. Each table name link
 | **[ExposureGraphNodes](advanced-hunting-exposuregraphnodes-table.md)** | Microsoft Security Exposure Management exposure graph node information, about organizational entities and their properties |
 | **[GraphApiAuditEvents](advanced-hunting-graphapiauditevents-table.md)**  (Preview) | Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant |
 | **[IdentityDirectoryEvents](advanced-hunting-identitydirectoryevents-table.md)** | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. |
+| **[IdentityEvents](advanced-hunting-identityevents-table.md)** (Preview) | Information about identity events obtained from other cloud identity service providers |
 | **[IdentityInfo](advanced-hunting-identityinfo-table.md)** | Account information from various sources, including Microsoft Entra ID |
 | **[IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)** | Authentication events on Active Directory and Microsoft online services |
 | **[IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md)** | Queries for Active Directory objects, such as users, groups, devices, and domains |

defender-xdr/whats-new.md

@@ -33,16 +33,18 @@ For more information on what's new with other Microsoft Defender security produc
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
 ## August 2025
+- (Preview) The following advanced hunting schema tables are now available for preview:
+   - The [`CloudStorageAggregatedEvents`](advanced-hunting-cloudstorageaggregatedevents-table.md) table contains information about storage activity and related events
+   - The [`IdentityEvents`](advanced-hunting-identityevents-table.md) table contains information about identity events obtained from other cloud identity service providers
+- (Preview) Advanced hunting now lets you investigate Microsoft Defender for Cloud behaviors. For more information, see [Investigate behaviors with advanced hunting](/defender-cloud-apps/behaviors).
+- (Preview) In advanced hunting, the number of [query results](advanced-hunting-query-results.md) displayed in the Microsoft Defender portal has been increased to 100,000. 
 - (GA) [Microsoft Defender Experts for XDR](dex-xdr-overview.md) and [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md) customers can now expand their service coverage to include server and cloud workloads protected by Microsoft Defender for Cloud through the respective add-ons, **Microsoft Defender Experts for Servers** and **Microsoft Defender Experts for Hunting - Servers**. [Learn more](faq-cloud-coverage-defender-experts.md)
 - (GA) Defender Experts for XDR customers can now [incorporate third-party network signals](third-party-enrichment-defender-experts.md) for enrichment, which could allow our security analysts to not only gain a more comprehensive view of an attack's path that allows for faster and more thorough detection and response, but also provide customers with a more holistic view of the threat in their environments.
 - (GA) In advanced hunting, you can now [view all your user-defined rules](custom-detection-manage.md)—both custom detection rules and analytics rules—in the **Detection rules** page. This feature also brings the following improvements:
     - You can now filter for *every* column (in addition to **Frequency** and **Organizational scope**).
     - For multiworkspace organizations that have onboarded multiple workspaces to Microsoft Defender, you can now view the **Workspace ID** column and filter by workspace. 
     - You can now view the details pane even for analytics rules.
     - You can now perform the following actions on analytics rules: Turn on/off, Delete, Edit.
-- (Preview) In advanced hunting, the number of [query results](advanced-hunting-query-results.md) displayed in the Microsoft Defender portal has been increased to 100,000. 
-- (Preview) The [`CloudStorageAggregatedEvents`](advanced-hunting-cloudstorageaggregatedevents-table.md) table in advanced hunting is now available for preview. This table contains information about storage activity and related events.
-- (Preview) Advanced hunting now lets you investigate Microsoft Defender for Cloud behaviors. For more information, see [Investigate behaviors with advanced hunting](/defender-cloud-apps/behaviors).
 
 ## July 2025
 - (Preview) The [`GraphApiAuditEvents`](advanced-hunting-graphapiauditevents-table.md) table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.