Merge pull request #5797 from MicrosoftDocs/maccruz-campaigns

poliveria · web-flow · commit 5fafe47e00a7 · 2025-12-04T17:19:09.000+05:30
Maccruz campaigns
diff --git a/defender-xdr/TOC.yml b/defender-xdr/TOC.yml
@@ -240,6 +240,8 @@
             href: advanced-hunting-behaviorentities-table.md
           - name: BehaviorInfo
             href: advanced-hunting-behaviorinfo-table.md
+          - name: CampaignIno
+            href: advanced-hunting-campaigninfo-table.md            
           - name: CloudAppEvents
             href: advanced-hunting-cloudappevents-table.md
           - name: CloudAuditEvents
@@ -320,6 +322,8 @@
             href: advanced-hunting-exposuregraphedges-table.md
           - name: ExposureGraphNodes
             href: advanced-hunting-exposuregraphnodes-table.md
+          - name: FileMaliciousContentInfo
+            href: advanced-hunting-filemaliciouscontentinfo-table.md            
           - name: GraphApiAuditEvents
             href: advanced-hunting-graphapiauditevents-table.md            
           - name: IdentityAccountInfo
diff --git a/defender-xdr/advanced-hunting-campaigninfo-table.md b/defender-xdr/advanced-hunting-campaigninfo-table.md
@@ -0,0 +1,63 @@
+---
+title: CampaignInfo table in the advanced hunting schema
+description: Learn about the CampaignInfo table of the advanced hunting schema
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.topic: reference
+ms.date: 12/01/2025
+---
+
+# CampaignInfo (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which might be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+The `CampaignInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about email campaigns identified by Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.
+
+This advanced hunting table is populated by records from Defender for Office 365. If your organization didn't deploy the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Office 365 in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was recorded |
+| `CampaignName` | `string` | Name of the email campaign |
+| `CampaignId` | `string` | Unique identifier for the campaign, generated by Microsoft Defender for Office 365  |
+| `CampaignType` | `string` | Category of the campaign, like Phish, Malware, Spam, and others  |
+| `CampaignSubtype` | `string` | Contains more details about the campaign, like the brand being phished or related malware campaigns, if available   |
+| `NetworkMessageId` | `string` | Unique identifier for the email, generated by Microsoft  Defender for Office 365  |
+| `RecipientEmailAddress` | `string` | Email address of the recipient, or email address of the recipient after distribution list expansion   |
+| `ReportId` | `string` | Unique identifier for the event  |
+
+
+## Read more
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
diff --git a/defender-xdr/advanced-hunting-filemaliciouscontentinfo-table.md b/defender-xdr/advanced-hunting-filemaliciouscontentinfo-table.md
@@ -0,0 +1,73 @@
+---
+title: FileMaliciousContentInfo table in the advanced hunting schema
+description: Learn about the FileMaliciousContentInfo table of the advanced hunting schema
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.topic: reference
+ms.date: 12/01/2025
+---
+
+# FileMaliciousContentInfo (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which might be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `FileMaliciousContentInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about files that were identified as malicious by Microsoft Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams. Use this reference to construct queries that return information from this table.
+
+> [!TIP]
+> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.
+
+This advanced hunting table is populated by records from Defender for Office 365. If your organization didn't deploy the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Office 365 in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was generated |
+| `Workload`| `string` | Information about the workload from which the URL originated from |
+| `FileName`| `string` | Name of the file that the recorded action was applied to |
+| `FolderPath`| `string` | Path of the folder containing the file that the recorded action was applied to |
+| `FileSize`| `long` | Size of the file in bytes |
+| `SHA256`| `string` | SHA-256 of the file that the recorded action was applied to |
+| `FileOwnerDisplayName`| `string` | Account recorded as owner of the file |
+| `FileOwnerUpn`| `string` | Account recorded as owner of the file|
+| `DocumentId`| `string` | Unique identifier of the file |
+| `ThreatTypes`| `dynamic` | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
+| `ThreatNames`| `string` | Detection name for malware or other threats found|
+| `DetectionMethods`| `string` | Methods used to detect malware, phishing, or other threats found in the email |
+| `LastModifyingAccountUpn`| `string` | Account that last modified this file |
+| `LastModifiedTime`| `datetime` |Date and time the item or related metadata was last modified|
+| `FileCreationTime	`| `datetime` | Timestamp of the file creation|
+| `ReportId`| `string` | Unique identifier for the event |
+
+
+
+## Read more
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
diff --git a/defender-xdr/advanced-hunting-schema-tables.md b/defender-xdr/advanced-hunting-schema-tables.md
@@ -61,6 +61,7 @@ The following reference lists all the tables in the schema. Each table name link
 | **[AlertInfo](advanced-hunting-alertinfo-table.md)** | Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization  |
 | **[BehaviorEntities](advanced-hunting-behaviorentities-table.md)** (Preview) | Behavior data types in Microsoft Defender for Cloud Apps (not available for GCC) |
 | **[BehaviorInfo](advanced-hunting-behaviorinfo-table.md)** (Preview) | Alerts from Microsoft Defender for Cloud Apps (not available for GCC) |
+| **[CampaignInfo](advanced-hunting-campaigninfo-table.md)** (Preview) | Email campaigns identified by Microsoft Defender for Office 365 |
 | **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)** | Events involving accounts and objects in Office 365 and other cloud apps and services |
 | **[CloudAuditEvents](advanced-hunting-cloudauditevents-table.md)** (Preview)| Cloud audit events for various cloud platforms protected by the organization's Microsoft Defender for Cloud |
 | **[CloudProcessEvents](advanced-hunting-cloudprocessevents-table.md)** (Preview)| Cloud process events for various cloud platforms protected by the organization's Microsoft Defender for Containers |
@@ -101,6 +102,7 @@ The following reference lists all the tables in the schema. Each table name link
 | **[EntraIdSpnSignInEvents](advanced-hunting-entraidspnsigninevents-table.md)** (Preview)| Microsoft Entra service principal and managed identity sign-ins |
 | **[ExposureGraphEdges](advanced-hunting-exposuregraphedges-table.md)** | Microsoft Security Exposure Management exposure graph edge information provides visibility into relationships between entities and assets in the graph |
 | **[ExposureGraphNodes](advanced-hunting-exposuregraphnodes-table.md)** | Microsoft Security Exposure Management exposure graph node information, about organizational entities and their properties |
+| **[FileMaliciousContentInfo](advanced-hunting-emailurlinfo-table.md)** (Preview) | Files that were identified as malicious by Microsoft Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams |
 | **[GraphApiAuditEvents](advanced-hunting-graphapiauditevents-table.md)**  (Preview) | Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant |
 | **[IdentityAccountInfo](advanced-hunting-identityaccountinfo-table.md)** (Preview) | Account information from various sources, including Microsoft Entra ID. This table also includes information and link to the identity that owns the account. |
 | **[IdentityDirectoryEvents](advanced-hunting-identitydirectoryevents-table.md)** | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. |
diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md
@@ -6,7 +6,7 @@ ms.service: defender-xdr
 ms.author: guywild
 author: guywi-ms
 ms.localizationpriority: medium
-ms.date: 11/18/2025
+ms.date: 12/01/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -33,8 +33,11 @@ For more information on what's new with other Microsoft Defender security produc
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
 ## December 2025
+- (Preview) The following advanced hunting schema tables are now available for preview:
+    - The [`CampaignInfo`](advanced-hunting-campaigninfo-table.md) table contains contains information about email campaigns identified by Microsoft Defender for Office 365
+    - The [`FileMaliciousContentInfo`](advanced-hunting-filemaliciouscontentinfo-table.md) table contains information about files that were identified as malicious by Microsoft Defender for Office 365 in SharePoint Online, OneDrive, and Microsoft Teams
 - (GA) The [hunting graph](advanced-hunting-graph.md) in advanced hunting is now generally available. It also now has two new predefined threat scenarios that you can use to render your hunts as interactive graphs.
-- Advanced hunting now supports custom functions that use tabular parameters. With tabular parameters, you can pass entire tables as inputs. This approach lets you build more modular, reusable, and expressive logic across your hunting queries. [Learn more](advanced-hunting-custom-functions.md#create-custom-functions-with-tabular-parameters)
+- (GA) Advanced hunting now supports custom functions that use tabular parameters. With tabular parameters, you can pass entire tables as inputs. This approach lets you build more modular, reusable, and expressive logic across your hunting queries. [Learn more](advanced-hunting-custom-functions.md#create-custom-functions-with-tabular-parameters) 
 
 ## November 2025
 - Microsoft Sentinel customers using the Defender portal, or the Azure portal with the Microsoft Sentinel Defender XDR data connector, now also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation-state actors, major ransomware campaigns, and fraudulent operations. To view these alert types, you must have the **Security Administrator** or **Global Administrator** role. The **Service Source**, **Detection Source**, and **Product Name** values for these alerts are listed as *Microsoft Threat Intelligence*.   For more information, see [Incidents and alerts in the Microsoft Defender portal](incidents-overview.md).
