MicrosoftDocs
diff --git a/‎defender-xdr/advanced-hunting-devicenetworkinfo-table.md‎
Lines changed: 3 additions & 1 deletion b/‎defender-xdr/advanced-hunting-devicenetworkinfo-table.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎defender-xdr/alerts-incidents-correlation.md‎
Lines changed: 6 additions & 2 deletions b/‎defender-xdr/alerts-incidents-correlation.md‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎defender-xdr/whats-new.md‎
Lines changed: 3 additions & 0 deletions b/‎defender-xdr/whats-new.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎unified-secops-platform/media/mto-advanced-hunting/mto-cross-tenants-query-tenant-id.png‎
314 KB b/‎unified-secops-platform/media/mto-advanced-hunting/mto-cross-tenants-query-tenant-id.png‎
314 KB
diff --git a/‎unified-secops-platform/media/mto-advanced-hunting/mto-cross-tenants-query.png‎
145 KB b/‎unified-secops-platform/media/mto-advanced-hunting/mto-cross-tenants-query.png‎
145 KB
diff --git a/‎unified-secops-platform/media/mto-advanced-hunting/mto-cross-tenants-sidepane.png‎
183 KB b/‎unified-secops-platform/media/mto-advanced-hunting/mto-cross-tenants-sidepane.png‎
183 KB
diff --git a/‎unified-secops-platform/media/mto-incidents-alerts/mto-alerts-details.png‎
30.3 KB b/‎unified-secops-platform/media/mto-incidents-alerts/mto-alerts-details.png‎
30.3 KB
diff --git a/‎unified-secops-platform/media/mto-incidents-alerts/mto-incident-details.png‎
395 KB b/‎unified-secops-platform/media/mto-incidents-alerts/mto-incident-details.png‎
395 KB
diff --git a/‎unified-secops-platform/media/mto-incidents-alerts/mto-incidents.png‎
-44.6 KB b/‎unified-secops-platform/media/mto-incidents-alerts/mto-incidents.png‎
-44.6 KB
diff --git a/‎unified-secops-platform/media/mto-incidents-alerts/mto-manage-incidents.png‎
346 KB b/‎unified-secops-platform/media/mto-incidents-alerts/mto-manage-incidents.png‎
346 KB
@@ -18,7 +18,7 @@ ms.custom:
 - cx-ti
 - cx-ah
 ms.topic: reference
-ms.date: 01/16/2024
+ms.date: 04/03/2025
 ---
 
 # DeviceNetworkInfo
@@ -57,6 +57,8 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `IPAddresses` | `string` | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `NetworkAdapterVendor` | `string` | Name of the manufacturer or vendor of the network adapter |
+| `OnboardingStatus` | `string` | Indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or if the device is not supported |
+| `NetworkAdapterDnsSuffix` | `string` | Domain suffix assigned to the device’s network adapter, indicating the network environment the network adapter is connected to |
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)
 
@@ -1,6 +1,6 @@
 ---
 title: Alert correlation and incident merging in the Microsoft Defender portal
-description: Learn how alerts are correlated, and how and why incidents may be merged, in the Microsoft Defender portal.
+description: Learn how alerts are correlated, and how and why incidents might be merged, in the Microsoft Defender portal.
 ms.service: defender-xdr
 f1.keywords: 
   - NOCSH
@@ -18,7 +18,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 02/02/2025
+ms.date: 03/17/2025
 appliesto: 
 - Microsoft Defender XDR 
 - Microsoft Sentinel in the Microsoft Defender portal
@@ -37,6 +37,10 @@ When alerts are generated by the various detection mechanisms in the Microsoft D
 
 The criteria used by the Defender portal to correlate alerts together in a single incident are part of its proprietary, internal correlation logic. This logic is also responsible for giving an appropriate name to the new incident.
 
+### Alert correlation by workspace
+
+The Defender portal allows you to connect to one primary workspace and multiple secondary workspaces for Microsoft Sentinel. A primary workspace's alerts are correlated with Microsoft Defender XDR data. So, incidents include alerts from Microsoft Sentinel's primary workspace and Defender XDR in a unified queue. All other onboarded workspaces are considered secondary workspaces. For secondary workspaces, incidents are created based on the workspace’s data and won't include Defender XDR data. The Defender portal keeps incident creation and alert correlation separate between the Microsoft Sentinel workspaces. For more information, see [Multiple Microsoft Sentinel workspaces in the Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2310579).
+
 ### Manual correlation of alerts
 
 While Microsoft Defender already uses advanced correlation mechanisms, you might want to decide differently whether a given alert belongs with a particular incident or not. In such a case, you can unlink an alert from one incident and link it to another. Every alert must belong to an incident, so you can either link the alert to another existing incident, or to a new incident that you create on the spot.
 
@@ -35,6 +35,9 @@ You can also get product updates and important notifications through the [messag
 
 ## April 2025
 - (Preview) The [OAuthAppInfo](advanced-hunting-oauthappinfo-table.md) table is now available for preview in advanced hunting. The table contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability.
+- The `OnboardingStatus` and `NetworkAdapterDnsSuffix` columns are now available in the [`DeviceNetworkInfo`](advanced-hunting-devicenetworkinfo-table.md) table in advanced hunting.
+ 
+
 ## March 2025
 
 - (Preview) The incident description has moved within the incident page. The incident description is now displayed after the incident details. For more information, see [Incident details](investigate-incidents.md#incident-details).