Merge pull request #3751 from MicrosoftDocs/maccruz-identityinfo

IdentityInfo table

Author: padmagit77

defender-xdr/advanced-hunting-identityinfo-table.md

@@ -19,7 +19,7 @@ ms.custom:
 - cx-ti
 - cx-ah
 ms.topic: reference
-ms.date: 04/22/2024
+ms.date: 05/13/2025
 appliesto: 
 - Microsoft Defender XDR 
 - Microsoft Sentinel in the Microsoft Defender portal
@@ -35,6 +35,10 @@ Microsoft Sentinel uses a slightly expanded version of this table in Log Analyti
 
 For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
 
+The following schema is the unified `IdentityInfo` schema that streamlines a similar table in Microsoft Sentinel's log analytics and in Microsoft Defender XDR advanced hunting. The complete set of columns below is available for Defender portal users who have onboarded Sentinel and turned on the User and Entity Behavior Analytics (UEBA) service. 
+
+Defender portal users who have not onboarded a Sentinel workspace that has the UEBA service turned on cannot view UEBA-specific columns. Read [UEBA-specific columns](#ueba-specific-columns).
+
 | Column name | Data type | Description |
 |-------------|-----------|-------------|
 | `Timestamp` [*](#mdi-only) | `datetime` | The date and time that the line was written to the database. <br><br>This is used when there are multiple lines for each identity, such as when a change is detected, or if 24 hours have passed since the last database line was added. |
@@ -45,7 +49,8 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |
 | `AccountName` | `string` | User name of the account |
 | `AccountDomain` [*](#mdi-only) | `string` | Domain of the account |
-| `Type` [*](#mdi-only) | `string` | Type of record |
+| `CriticalityLevel` | `int` | The criticality score of the account |
+| `Type` [*](#mdi-only) | `string` | Type of identity; possible values: User, ServiceAccount |
 | `DistinguishedName` [*](#mdi-only) | string | The user's [distinguished name](/previous-versions/windows/desktop/ldap/distinguished-names) |
 | `CloudSid` | `string` | Cloud security identifier of the account |
 | `GivenName` | `string` | Given name or first name of the account user |
@@ -61,17 +66,47 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `Manager` [*](#mdi-only)  | `string` | The listed manager of the account user |
 | `Phone` [*](#mdi-only)  | `string` | The listed phone number of the account user|
 | `CreatedDateTime` [*](#mdi-only)  | `datetime` | Date and time when the account user was created |
-| `SourceProvider` [*](#mdi-only)  | `string` |The identity's source, such as Microsoft Entra ID, Active Directory, or a [hybrid identity](/azure/active-directory/hybrid/what-is-provisioning) synchronized from Active Directory to Azure Active Directory |
 | `ChangeSource` [*](#mdi-only)  | `string` |Identifies which identity provider or process triggered the addition of the new row. For example, the `System-UserPersistence` value is used for any rows added by an automated process.|
+| `BlastRadius` | `string` | A calculation based on the position of the user in the org tree and the user's Microsoft Entra roles and permissions; possible values: Low, Medium, High|
+| `CompanyName` | `string` | Name of the company for which the user works |
+| `DeletedDateTime` | `datetime` | Date and time when the user account was deleted |
+| `EmployeeId` | `string` | Employee identifier assigned to the user by the organization |
+| `OtherMailAddresses` | `dynamic` | Additional email addresses of the user account |
+| `RiskLevel` | `string` | Microsoft Entra ID risk level of the user account; possible values: Low, Medium, High |
+| `RiskLevelDetails` | `string` | Details regarding the Microsoft Entra ID risk level |
+| `State` | `string` | State where the sign-in occured, if available |
 | `Tags` [*](#mdi-only)  | `dynamic` | Tags assigned to the account user by Defender for Identity |
 | `AssignedRoles` [*](#mdi-only) | `dynamic` | For identities from Microsoft Entra-only, the roles assigned to the account user|
 | `PrivilegedEntraPimRoles` (Preview)  [**](#mdi) | `dynamic` | A snapshot of privileged role assignment schedules and eligibility schedules for the account as maintained by Microsoft Entra Privileged Identity Management (excluding activated assignments) |
 | `TenantId` | `string` | Unique identifier representing your organization's instance of Microsoft Entra ID |
 | `SourceSystem` [*](#mdi-only) | `string` | The source system for the record|
+| `OnPremObjectId` | `string` | Active Directory object ID of the user |
+| `TenantMembershipType` | `string` | User type in Microsoft Entra ID; possible values: Guest, Member|
+| `RiskStatus` | `string` | Status of the user's risk; possible values: None, ConfirmedSafe, Remediated, Dismissed, AtRisk, ConfirmedCompromised, UnknownFutureValue|
+| `UserAccountControl` | `string` | Security attributes of the user account in the Active Directory domain |
+| `IdentityEnvironment` | `string` | Environment where the identity is used; possible values: CloudOnly, Hybrid, On-premises |
+| `SourceProviders` | `dynamic` | Source providers of the accounts for the identity; possible values: ActiveDirectory, EntraID, Okta |
+| `GroupMembership`	| `dynamic` |	Microsoft Entra ID groups where the user account is a member |
+
 
 <a name="mdi-only"></a>* Available only for tenants with Microsoft Defender for Identity, Microsoft Defender for Cloud Apps or Microsoft Defender for Endpoint P2 licensing.<br>
 <a name="mdi"></a>** Available only for tenants with Microsoft Defender for Identity.
 
+## UEBA-specific columns
+If you are using the Microsoft Defender portal but have not onboarded a Microsoft Sentinel workspace with the UEBA service turned on, the following columns are not available in your `IdentityInfo` table:
+
+- `BlastRadius`
+- `CompanyName`
+- `DeletedDateTime`
+- `EmployeeId`
+- `OtherMailAddresses`
+- `RiskLevel`
+- `RiskLevelDetails`
+- `State`
+- `Tags`
+
+For more information about UEBA, read [Advanced threat detection with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](/azure/sentinel/identify-threats-with-entity-behavior-analytics). For more information about the different data sources in UEBA, read [Microsoft Sentinel UEBA reference](/azure/sentinel/ueba-reference).
+
 
 ## Related topics
 

defender-xdr/whats-new.md

@@ -35,6 +35,7 @@ You can also get product updates and important notifications through the [messag
 ## May 2025
 
 - (Preview) You can now highlight your security operations achievements and the impact of Microsoft Defender using the **unified security summary**. The unified security summary is available in the Microsoft Defender portal and streamlines the process for SOC teams to generate security reports, saving time usually spent on collecting data from various sources and creating reports. For more information, see [Visualize security impact with the unified security summary](security-summary-report.md).
+- Defender portal users who have onboarded Microsoft Sentinel and have enabled the [User and Entity Behavior Analytics (UEBA)](/azure/sentinel/ueba-reference) can now take advantage of the new unified [`IdentityInfo` table](advanced-hunting-identityinfo-table.md) in advanced hunting. This latest version now includes the largest possible set of fields common to both Defender and Azure portals. 
 
 ## April 2025