Merge pull request #4449 from MicrosoftDocs/main

m365-skilling-repo-management[bot] · web-flow · commit 9458536e0637 · 2025-07-09T08:41:29.000Z
[AutoPublish] main to live - 07/09 01:35 PDT | 07/09 14:05 IST
diff --git a/defender-xdr/TOC.yml b/defender-xdr/TOC.yml
@@ -307,6 +307,8 @@
             href: advanced-hunting-exposuregraphedges-table.md
           - name: ExposureGraphNodes
             href: advanced-hunting-exposuregraphnodes-table.md
+          - name: GraphApiAuditEvents
+            href: advanced-hunting-graphapiauditevents-table.md            
           - name: IdentityDirectoryEvents
             href: advanced-hunting-identitydirectoryevents-table.md
           - name: IdentityInfo
diff --git a/defender-xdr/advanced-hunting-graphapiauditevents-table.md b/defender-xdr/advanced-hunting-graphapiauditevents-table.md
@@ -0,0 +1,66 @@
+---
+title: GraphApiAuditEvents table in the advanced hunting schema
+description: Learn about the GraphApiAuditEvents table in the advanced hunting schema, which provides information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 07/09/2025
+---
+
+# GraphApiAuditEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `GraphApiAuditEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant. Use this reference to construct queries that return information from this table.
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `IdentityProvider` | `string` | Identity provider that authenticated the subject of the token |
+| `ApiVersion` | `string` | The API version of the event |
+| `ApplicationId` | `string` | Unique identifier for the application |
+| `IPAddress` | `string` | The IP address of the client from where the request was made |
+| `ClientRequestId` | `string` | Identifier for the client request sent; if none is available, the operation identifier is used instead |
+| `EntityType ` | `string` | Type of object, such as a file, a process, a device, or a user, that made the request |
+| `RequestUri` | `string` | Uniform resource identifier (URI) of the request |
+| `AccountObjectId` | `string` | Unique identifier for the account making the request |
+| `OperationId` | `string` | Identifier for a batch of requests; the same identifier is used for all requests in a batch but if requests are non-batched, the identifier is unique per request |
+| `Location` | `string` | Name of the region that served the request |
+| `RequestDuration` | `string` | Duration of the request in milliseconds |
+| `RequestId` | `string` | Unique identifier of the request |
+| `RequestMethod` | `string` | HTTP method of the request |
+| `Timestamp` | `string` | Date and time when the request was recorded |
+| `ResponseStatusCode` | `string` | HTTP response status code for the request |
+| `Scopes` | `string` | Scopes in token claims |
+| `UniqueTokenIdentifier` | `string` | Unique identifier embedded in every access token and ID token that were issued |
+
+
+## Related articles
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
diff --git a/defender-xdr/advanced-hunting-schema-tables.md b/defender-xdr/advanced-hunting-schema-tables.md
@@ -21,7 +21,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 03/28/2025
+ms.date: 07/09/2025
 ---
 
 # Understand the advanced hunting schema
@@ -97,6 +97,7 @@ The following reference lists all the tables in the schema. Each table name link
 | **[EmailUrlInfo](advanced-hunting-emailurlinfo-table.md)** | Information about URLs on emails |
 | **[ExposureGraphEdges](advanced-hunting-exposuregraphedges-table.md)** | Microsoft Security Exposure Management exposure graph edge information provides visibility into relationships between entities and assets in the graph |
 | **[ExposureGraphNodes](advanced-hunting-exposuregraphnodes-table.md)** | Microsoft Security Exposure Management exposure graph node information, about organizational entities and their properties |
+| **[GraphApiAuditEvents](advanced-hunting-graphapiauditevents-table.md)**  (Preview) | Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant |
 | **[IdentityDirectoryEvents](advanced-hunting-identitydirectoryevents-table.md)** | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. |
 | **[IdentityInfo](advanced-hunting-identityinfo-table.md)** | Account information from various sources, including Microsoft Entra ID |
 | **[IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)** | Authentication events on Active Directory and Microsoft online services |
diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md
@@ -6,7 +6,7 @@ ms.service: defender-xdr
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-ms.date: 04/09/2025
+ms.date: 07/09/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -33,6 +33,8 @@ For more information on what's new with other Microsoft Defender security produc
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
 ## July 2025
+- (Preview) The [GraphApiAuditEvents](advanced-hunting-graphapiauditevents-table.md) table in advanced hunting is now available for preview. This table contains information about Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant.
+
 - (Preview) The [`DisruptionAndResponseEvents`](advanced-hunting-disruptionandresponseevents-table.md) table, now available in advanced hunting, contains information about [automatic attack disruption](automatic-attack-disruption.md) events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. Increase your visibility and awareness of active, complex attacks disrupted by attack disruption to understand the attacks' scope, context, impact, and actions taken.
 
 ## June 2025
diff --git a/unified-secops-platform/cases-overview.md b/unified-secops-platform/cases-overview.md
@@ -77,7 +77,6 @@ To start using case management, select **Cases** in the Defender portal to acces
 
 :::image type="content" source="media/cases-overview/cases-queue-view.png" alt-text="Screenshot of the cases queue in the Defender portal.":::
 
-The maximum allowed per tenant is 100,000 cases.
 
 ## Case details
 
@@ -127,8 +126,6 @@ Alternatively, if the IR team needs to escalate one or more incidents to the hun
 
 :::image type="content" source="media/cases-overview/link-incident-from-incident-graph.png" alt-text="Screenshot showing the link incident option from ellipses menu in the incident view.":::
 
-Each case has a threshold of 100 linked incidents.
-
 ### Activity log
 
 Need to write down notes, or that key detection logic to pass along? Create rich text comments and review the audit events in the activity log. Comments are a great place to quickly add information&mdash;including such things as queries, tables, links, and structured content&mdash;to a case.
@@ -145,6 +142,10 @@ Share reports, emails, screenshots, log files, and more, all centralized in the
 
 To add attachments to your case, go to the **Case details** page, select the **Attachments** tab, select **Upload**, select your file, and wait for the upload to complete. Once uploaded, the file is scanned in the background for malware. When the scan is complete, anyone with access to the case can download the file. If the file you want to upload is actually a malware sample, you can wrap it in a password-protected ZIP file.
 
+## Limitations
+
+See [Case management limits](/azure/sentinel/sentinel-service-limits#case-management-limits).
+
 ## Related content
 
 - [Microsoft Sentinel blog - Improve SecOps collaboration with case management](https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/improve-secops-collaboration-with-case-management/4369044)
