Merge pull request #4874 from MicrosoftDocs/main

[AutoPublish] main to live - 08/31 01:31 PDT | 08/31 14:01 IST

Author: m365-skilling-repo-management[bot]

defender-xdr/advanced-hunting-schema-changes.md

@@ -38,41 +38,16 @@ Naming changes are automatically applied to queries that are saved in Microsoft
 - Queries that are saved elsewhere outside Microsoft Defender XDR
 
 
-
 ## May 2025
 In the [`IdentityInfo`](advanced-hunting-identityinfo-table.md) table, the `SourceProvider` column was replaced by the `IdentityEnvironment` column. This change was made to streamline the unified `IdentityInfo` table with a similar table in Microsoft Sentinel log analytics. Note that a new column, `SourceProviders` (with an *s*) was added in the unified table. This column refers to the source providers of the accounts for the identity.
 
+## May 2021
 
-## December 2020
-
-| Table name | Original column name | New column name | Reason for change
-|--|--|--|--|
-| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailAction` | `EmailAction` | Customer feedback |
-| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailActionPolicy` | `EmailActionPolicy` | Customer feedback |
-| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailActionPolicyGuid` | `EmailActionPolicyGuid` | Customer feedback |
-
-## January 2021
+The `AppFileEvents` table has been deprecated. The `CloudAppEvents` table includes information that used to be in the `AppFileEvents` table, along with other activities in cloud services.
 
-| Column name | Original value name | New value name | Reason for change
-|--|--|--|--|
-| `DetectionSource` | Defender for Cloud Apps | Microsoft Defender for Cloud Apps | Rebranding |
-| `DetectionSource` | WindowsDefenderAtp| EDR| Rebranding |
-| `DetectionSource` | WindowsDefenderAv | Antivirus | Rebranding |
-| `DetectionSource` | WindowsDefenderSmartScreen |  SmartScreen | Rebranding |
-| `DetectionSource` | CustomerTI | Custom TI | Rebranding |
-| `DetectionSource` | OfficeATP | Microsoft Defender for Office 365 | Rebranding |
-| `DetectionSource` | MTP | Microsoft Defender XDR | Rebranding |
-| `DetectionSource` | AzureATP | Microsoft Defender for Identity | Rebranding |
-| `DetectionSource` | CustomDetection | Custom detection | Rebranding |
-| `DetectionSource` | AutomatedInvestigation |Automated investigation | Rebranding |
-| `DetectionSource` | ThreatExperts | Microsoft Threat Experts | Rebranding |
-| `DetectionSource` | 3rd party TI | 3rd Party sensors | Rebranding |
-| `ServiceSource` | Microsoft Defender ATP| Microsoft Defender for Endpoint | Rebranding |
-|`ServiceSource` |Microsoft Threat Protection | Microsoft Defender XDR | Rebranding |
-| `ServiceSource` | Office 365 ATP |Microsoft Defender for Office 365 | Rebranding |
-| `ServiceSource` |Azure ATP |Microsoft Defender for Identity | Rebranding |
+## March 2021
 
-`DetectionSource` is available in the [AlertInfo](advanced-hunting-alertinfo-table.md) table. `ServiceSource` is available in the [AlertEvidence](advanced-hunting-alertevidence-table.md) and [AlertInfo](advanced-hunting-alertinfo-table.md) tables. 
+The `DeviceTvmSoftwareInventoryVulnerabilities` table has been deprecated. Replacing it are the `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables.
 
 ## February 2021
 
@@ -98,13 +73,38 @@ In the [`IdentityInfo`](advanced-hunting-identityinfo-table.md) table, the `Sour
     | `DeviceEvents` | `UsbDriveUnmount` | `UsbDriveUnmounted` | Customer feedback |
     | `DeviceEvents` | `WriteProcessMemoryApiCall` | `WriteToLsassProcessMemory` | Customer feedback |
 
-## March 2021
+## January 2021
 
-The `DeviceTvmSoftwareInventoryVulnerabilities` table has been deprecated. Replacing it are the `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables.
+| Column name | Original value name | New value name | Reason for change
+|--|--|--|--|
+| `DetectionSource` | Defender for Cloud Apps | Microsoft Defender for Cloud Apps | Rebranding |
+| `DetectionSource` | WindowsDefenderAtp| EDR| Rebranding |
+| `DetectionSource` | WindowsDefenderAv | Antivirus | Rebranding |
+| `DetectionSource` | WindowsDefenderSmartScreen |  SmartScreen | Rebranding |
+| `DetectionSource` | CustomerTI | Custom TI | Rebranding |
+| `DetectionSource` | OfficeATP | Microsoft Defender for Office 365 | Rebranding |
+| `DetectionSource` | MTP | Microsoft Defender XDR | Rebranding |
+| `DetectionSource` | AzureATP | Microsoft Defender for Identity | Rebranding |
+| `DetectionSource` | CustomDetection | Custom detection | Rebranding |
+| `DetectionSource` | AutomatedInvestigation |Automated investigation | Rebranding |
+| `DetectionSource` | ThreatExperts | Microsoft Threat Experts | Rebranding |
+| `DetectionSource` | 3rd party TI | 3rd Party sensors | Rebranding |
+| `ServiceSource` | Microsoft Defender ATP| Microsoft Defender for Endpoint | Rebranding |
+|`ServiceSource` |Microsoft Threat Protection | Microsoft Defender XDR | Rebranding |
+| `ServiceSource` | Office 365 ATP |Microsoft Defender for Office 365 | Rebranding |
+| `ServiceSource` |Azure ATP |Microsoft Defender for Identity | Rebranding |
 
-## May 2021
+`DetectionSource` is available in the [AlertInfo](advanced-hunting-alertinfo-table.md) table. `ServiceSource` is available in the [AlertEvidence](advanced-hunting-alertevidence-table.md) and [AlertInfo](advanced-hunting-alertinfo-table.md) tables. 
+
+
+## December 2020
+
+| Table name | Original column name | New column name | Reason for change
+|--|--|--|--|
+| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailAction` | `EmailAction` | Customer feedback |
+| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailActionPolicy` | `EmailActionPolicy` | Customer feedback |
+| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailActionPolicyGuid` | `EmailActionPolicyGuid` | Customer feedback |
 
-The `AppFileEvents` table has been deprecated. The `CloudAppEvents` table includes information that used to be in the `AppFileEvents` table, along with other activities in cloud services.
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)

unified-secops-platform/microsoft-sentinel-onboard.md

@@ -69,6 +69,8 @@ To onboard and use Microsoft Sentinel in the Defender portal, you must have the
   |**Take investigative actions on incidents** |[Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) or a role with the following actions:</br>- Microsoft.OperationalInsights/workspaces/read</br>- Microsoft.OperationalInsights/workspaces/query/read</br>- Microsoft.SecurityInsights/incidents/read</br>- Microsoft.SecurityInsights/incidents/write</br>- Microsoft.SecurityInsights/incidents/comments/read</br>- Microsoft.SecurityInsights/incidents/comments/write</br>- Microsoft.SecurityInsights/incidents/relations/read</br>- Microsoft.SecurityInsights/incidents/relations/write</br>- Microsoft.SecurityInsights/incidents/tasks/read</br>- Microsoft.SecurityInsights/incidents/tasks/write    |Subscription, resource group, or workspace resource  |
   |**Create a support request** |[Owner](/azure/role-based-access-control/built-in-roles#owner) or </br> [Contributor](/azure/role-based-access-control/built-in-roles#contributor) or </br> [Support request contributor](/azure/role-based-access-control/built-in-roles#support-request-contributor) or  a custom role with Microsoft.Support/*|Subscription  |
 
+  If you're working with multiple tenants, note that [granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction) with [Azure Lighthouse](/azure/sentinel/multiple-tenants-service-providers) isn't supported for Microsoft Sentinel data in the Defender portal. Instead, use [Microsoft Entra B2B authentication](/entra/external-id/what-is-b2b). For more information, see [Set up Microsoft Defender multitenant management](mto-requirements.md#review-the-requirements).
+  
   After you connect Microsoft Sentinel to the Defender portal, your existing Azure role-based access control (RBAC) permissions allow you to work with the Microsoft Sentinel features that you have access to. Continue to manage roles and permissions for your Microsoft Sentinel users from the Azure portal, as any Azure RBAC changes are reflected in the Defender portal. 
 
   For more information, see [Roles and permissions in Microsoft Sentinel](/azure/sentinel/roles) and [Manage access to Microsoft Sentinel data by resource](/azure/sentinel/resource-context-rbac).