You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -21,7 +21,7 @@ appliesto:
21
21
- Microsoft Defender XDR
22
22
- Microsoft Sentinel in the Microsoft Defender portal
23
23
ms.topic: reference
24
-
ms.date: 03/28/2025
24
+
ms.date: 11/27/2025
25
25
---
26
26
27
27
# DeviceTvmSecureConfigurationAssessment
@@ -48,8 +48,8 @@ For information on other tables in the advanced hunting schema, see [the advance
48
48
|`ConfigurationCategory`|`string`| Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
49
49
|`ConfigurationSubcategory`|`string`| Subcategory or subgrouping to which the configuration belongs. In many cases, string describes specific capabilities or features. |
50
50
|`ConfigurationImpact`|`real`| Rated impact of the configuration to the overall configuration score (1-10) |
51
-
|`IsCompliant`|`boolean`| Indicates whether the configuration or policy is properly configured <br /> * A value of 1 is Compliant<br /> * A value of 0 is Not Compliant|
52
-
|`IsApplicable`|`boolean`| Indicates whether the configuration or policy applies to the device <br /> * A value of 1 is Applicable<br /> * A value of 0 is Not Applicable |
51
+
|`IsCompliant`|`boolean`| Indicates whether the configuration or policy is properly configured <br /> * A value of True is Compliant<br /> * A value of False is Not Compliant|
52
+
|`IsApplicable`|`boolean`| Indicates whether the configuration or policy applies to the device <br /> * A value of True is Applicable<br /> * A value of False is Not Applicable |
53
53
|`Context`|`dynamic`| Additional contextual information about the configuration or policy |
54
54
|`IsExpectedUserImpact`|`boolean`| Indicates whether there will be user impact if the configuration or policy is applied |
Copy file name to clipboardExpand all lines: defender-xdr/advanced-hunting-schema-changes.md
+9-7Lines changed: 9 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -21,7 +21,7 @@ appliesto:
21
21
- Microsoft Defender XDR
22
22
- Microsoft Sentinel in the Microsoft Defender portal
23
23
ms.topic: reference
24
-
ms.date: 11/04/2025
24
+
ms.date: 11/27/2025
25
25
---
26
26
27
27
# Advanced hunting schema - Naming changes
@@ -38,10 +38,12 @@ Naming changes are automatically applied to queries that are saved in Microsoft
38
38
- Queries that are saved elsewhere outside Microsoft Defender XDR
39
39
40
40
## November 2025
41
+
- The Boolean field values in advanced hunting results will change from numeric (`1` and `0`) to textual (`True` and `False`) on January 25, 2026. While your queries and custom detection rules won't be affected by this change, you might want to update your automated processes (for example, scripts, playbooks, or integrations) parsing these values.
41
42
42
-
The [`AADSignInEventsBeta`](advanced-hunting-aadsignineventsbeta-table.md) and [`AADSpnSignInEventsBeta`](advanced-hunting-aadspnsignineventsbeta-table.md) tables are being replaced by [`EntraIdSignInEvents`](advanced-hunting-entraidsigninevents-table.md) and [`EntraIdSpnSignInEvents`](advanced-hunting-entraidspnsigninevents-table.md), respectively. These changes are being made to remove the former tables' preview status and to align them with the existing product branding.
43
43
44
-
The `EntraIdSignInEvents` and `EntraIdSpnSignInEvents` tables are now available. The legacy `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` tables will remain in the schema for 30 days to allow time for updating your queries. Your custom detections will be updated automatically and won't require any changes. On December 9, 2025, `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` will be removed from the schema.
44
+
- The [`AADSignInEventsBeta`](advanced-hunting-aadsignineventsbeta-table.md) and [`AADSpnSignInEventsBeta`](advanced-hunting-aadspnsignineventsbeta-table.md) tables are being replaced by [`EntraIdSignInEvents`](advanced-hunting-entraidsigninevents-table.md) and [`EntraIdSpnSignInEvents`](advanced-hunting-entraidspnsigninevents-table.md), respectively. These changes are being made to remove the former tables' preview status and to align them with the existing product branding.
45
+
46
+
The `EntraIdSignInEvents` and `EntraIdSpnSignInEvents` tables are now available. The legacy `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` tables will remain in the schema for 30 days to allow time for updating your queries. Your custom detections will be updated automatically and won't require any changes. On December 9, 2025, `AADSignInEventsBeta`and `AADSpnSignInEventsBeta` will be removed from the schema.
45
47
46
48
## September 2025
47
49
@@ -60,7 +62,7 @@ The `DeviceTvmSoftwareInventoryVulnerabilities` table has been deprecated. Repla
60
62
61
63
## February 2021
62
64
63
-
1. In the [EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md) and [EmailEvents](advanced-hunting-emailevents-table.md) tables, the `MalwareFilterVerdict` and `PhishFilterVerdict` columns have been replaced by the `ThreatTypes` column. The `MalwareDetectionMethod` and `PhishDetectionMethod` columns were also replaced by the `DetectionMethods` column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.
65
+
- In the [EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md) and [EmailEvents](advanced-hunting-emailevents-table.md) tables, the `MalwareFilterVerdict` and `PhishFilterVerdict` columns have been replaced by the `ThreatTypes` column. The `MalwareDetectionMethod` and `PhishDetectionMethod` columns were also replaced by the `DetectionMethods` column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.
64
66
65
67
| Table name | Original column name | New column name | Reason for change
66
68
|--|--|--|--|
@@ -70,11 +72,11 @@ The `DeviceTvmSoftwareInventoryVulnerabilities` table has been deprecated. Repla
70
72
|`EmailEvents`|`MalwareFilterVerdict` <br>`PhishFilterVerdict`|`ThreatTypes`| Include more threat types |
71
73
72
74
73
-
2. In the `EmailAttachmentInfo` and `EmailEvents` tables, the `ThreatNames` column was added to give more information about the email threat. This column contains values like Spam or Phish.
75
+
- In the `EmailAttachmentInfo` and `EmailEvents` tables, the `ThreatNames` column was added to give more information about the email threat. This column contains values like Spam or Phish.
74
76
75
-
3. In the [DeviceInfo](advanced-hunting-deviceinfo-table.md) table, the `DeviceObjectId` column was replaced by the `AadDeviceId` column based on customer feedback.
77
+
- In the [DeviceInfo](advanced-hunting-deviceinfo-table.md) table, the `DeviceObjectId` column was replaced by the `AadDeviceId` column based on customer feedback.
76
78
77
-
4. In the [DeviceEvents](advanced-hunting-deviceevents-table.md) table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.
79
+
- In the [DeviceEvents](advanced-hunting-deviceevents-table.md) table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.
78
80
79
81
| Table name | Original ActionType name | New ActionType name | Reason for change
0 commit comments