Merge pull request #4829 from sbreingold-ms/wi-476568-reorder-naming-schema-newest-first

mberdugo · web-flow · commit 8df420784f12 · 2025-08-31T11:25:52.000+03:00
wi-476568 reordered schema name changes chronologically
diff --git a/defender-xdr/advanced-hunting-schema-changes.md b/defender-xdr/advanced-hunting-schema-changes.md
@@ -38,41 +38,16 @@ Naming changes are automatically applied to queries that are saved in Microsoft
 - Queries that are saved elsewhere outside Microsoft Defender XDR
 
 
-
 ## May 2025
 In the [`IdentityInfo`](advanced-hunting-identityinfo-table.md) table, the `SourceProvider` column was replaced by the `IdentityEnvironment` column. This change was made to streamline the unified `IdentityInfo` table with a similar table in Microsoft Sentinel log analytics. Note that a new column, `SourceProviders` (with an *s*) was added in the unified table. This column refers to the source providers of the accounts for the identity.
 
+## May 2021
 
-## December 2020
-
-| Table name | Original column name | New column name | Reason for change
-|--|--|--|--|
-| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailAction` | `EmailAction` | Customer feedback |
-| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailActionPolicy` | `EmailActionPolicy` | Customer feedback |
-| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailActionPolicyGuid` | `EmailActionPolicyGuid` | Customer feedback |
-
-## January 2021
+The `AppFileEvents` table has been deprecated. The `CloudAppEvents` table includes information that used to be in the `AppFileEvents` table, along with other activities in cloud services.
 
-| Column name | Original value name | New value name | Reason for change
-|--|--|--|--|
-| `DetectionSource` | Defender for Cloud Apps | Microsoft Defender for Cloud Apps | Rebranding |
-| `DetectionSource` | WindowsDefenderAtp| EDR| Rebranding |
-| `DetectionSource` | WindowsDefenderAv | Antivirus | Rebranding |
-| `DetectionSource` | WindowsDefenderSmartScreen |  SmartScreen | Rebranding |
-| `DetectionSource` | CustomerTI | Custom TI | Rebranding |
-| `DetectionSource` | OfficeATP | Microsoft Defender for Office 365 | Rebranding |
-| `DetectionSource` | MTP | Microsoft Defender XDR | Rebranding |
-| `DetectionSource` | AzureATP | Microsoft Defender for Identity | Rebranding |
-| `DetectionSource` | CustomDetection | Custom detection | Rebranding |
-| `DetectionSource` | AutomatedInvestigation |Automated investigation | Rebranding |
-| `DetectionSource` | ThreatExperts | Microsoft Threat Experts | Rebranding |
-| `DetectionSource` | 3rd party TI | 3rd Party sensors | Rebranding |
-| `ServiceSource` | Microsoft Defender ATP| Microsoft Defender for Endpoint | Rebranding |
-|`ServiceSource` |Microsoft Threat Protection | Microsoft Defender XDR | Rebranding |
-| `ServiceSource` | Office 365 ATP |Microsoft Defender for Office 365 | Rebranding |
-| `ServiceSource` |Azure ATP |Microsoft Defender for Identity | Rebranding |
+## March 2021
 
-`DetectionSource` is available in the [AlertInfo](advanced-hunting-alertinfo-table.md) table. `ServiceSource` is available in the [AlertEvidence](advanced-hunting-alertevidence-table.md) and [AlertInfo](advanced-hunting-alertinfo-table.md) tables. 
+The `DeviceTvmSoftwareInventoryVulnerabilities` table has been deprecated. Replacing it are the `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables.
 
 ## February 2021
 
@@ -98,13 +73,38 @@ In the [`IdentityInfo`](advanced-hunting-identityinfo-table.md) table, the `Sour
     | `DeviceEvents` | `UsbDriveUnmount` | `UsbDriveUnmounted` | Customer feedback |
     | `DeviceEvents` | `WriteProcessMemoryApiCall` | `WriteToLsassProcessMemory` | Customer feedback |
 
-## March 2021
+## January 2021
 
-The `DeviceTvmSoftwareInventoryVulnerabilities` table has been deprecated. Replacing it are the `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables.
+| Column name | Original value name | New value name | Reason for change
+|--|--|--|--|
+| `DetectionSource` | Defender for Cloud Apps | Microsoft Defender for Cloud Apps | Rebranding |
+| `DetectionSource` | WindowsDefenderAtp| EDR| Rebranding |
+| `DetectionSource` | WindowsDefenderAv | Antivirus | Rebranding |
+| `DetectionSource` | WindowsDefenderSmartScreen |  SmartScreen | Rebranding |
+| `DetectionSource` | CustomerTI | Custom TI | Rebranding |
+| `DetectionSource` | OfficeATP | Microsoft Defender for Office 365 | Rebranding |
+| `DetectionSource` | MTP | Microsoft Defender XDR | Rebranding |
+| `DetectionSource` | AzureATP | Microsoft Defender for Identity | Rebranding |
+| `DetectionSource` | CustomDetection | Custom detection | Rebranding |
+| `DetectionSource` | AutomatedInvestigation |Automated investigation | Rebranding |
+| `DetectionSource` | ThreatExperts | Microsoft Threat Experts | Rebranding |
+| `DetectionSource` | 3rd party TI | 3rd Party sensors | Rebranding |
+| `ServiceSource` | Microsoft Defender ATP| Microsoft Defender for Endpoint | Rebranding |
+|`ServiceSource` |Microsoft Threat Protection | Microsoft Defender XDR | Rebranding |
+| `ServiceSource` | Office 365 ATP |Microsoft Defender for Office 365 | Rebranding |
+| `ServiceSource` |Azure ATP |Microsoft Defender for Identity | Rebranding |
 
-## May 2021
+`DetectionSource` is available in the [AlertInfo](advanced-hunting-alertinfo-table.md) table. `ServiceSource` is available in the [AlertEvidence](advanced-hunting-alertevidence-table.md) and [AlertInfo](advanced-hunting-alertinfo-table.md) tables. 
+
+
+## December 2020
+
+| Table name | Original column name | New column name | Reason for change
+|--|--|--|--|
+| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailAction` | `EmailAction` | Customer feedback |
+| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailActionPolicy` | `EmailActionPolicy` | Customer feedback |
+| [EmailEvents](advanced-hunting-emailevents-table.md) | `FinalEmailActionPolicyGuid` | `EmailActionPolicyGuid` | Customer feedback |
 
-The `AppFileEvents` table has been deprecated. The `CloudAppEvents` table includes information that used to be in the `AppFileEvents` table, along with other activities in cloud services.
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
