Commit c78f030

committed
More updates
1 parent 8d4358a commit c78f030

6 files changed

+22
-10
lines changed

defender-xdr/advanced-hunting-datasecuritybehaviors-table.md

Lines changed: 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -38,9 +38,9 @@ The `DataSecurityBehaviors` table in the [advanced hunting](advanced-hunting-ove
3838

3939
Insights cover a range of data security related behaviors like behaviors involving exfiltration, obfuscation, risky interactions with AI applications, and others. Insights are generated by aggregating user behaviors over a calendar day and comparing them with previous activity, peer group activity, or other activities done by the user. Insights also capture summaries of various risk pivots like sensitive data, risky destinations, and the like.
4040

41-
Use this reference to construct queries that return information from this table.
41+
This advanced hunting table is populated by records from Microsoft Purview Insider Risk Management. If your organization hasn’t opted in to share insider risk alerts with Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information, read [Investigate insider risk threats](irm-investigate-alerts-defender.md).
4242

43-
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
43+
Use this reference to construct queries that return information from this table. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
4444

4545
| Column name | Data type | Description |
4646
|-------------|-----------|-------------|
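
Review bot: The phrase "aren’t going to work or return any results" in the added line 41 is ambiguous, because it can be read as "won't work, or will return results". Suggest something like "queries that use the table fail or return no results". Since this is a prerequisite for using the table at all, consider also setting it off as a note callout rather than a plain paragraph so it is not skimmed past.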

defender-xdr/advanced-hunting-datasecurityevents-table.md

Lines changed: 2 additions & 2 deletions
@@ -35,9 +35,9 @@ ms.date: 03/28/2025
3535
3636
The `DataSecurityEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user activities that violate user-defined or default policies in the Microsoft Purview suite of solutions. Each log represents a single user activity enriched with proprietary Microsoft detections (like sensitive info types) and user-defined enrichment labels like domain categories, sensitivity labels, and others.
3737

38-
Use this reference to construct queries that return information from this table.
38+
This advanced hunting table is populated by records from Microsoft Purview Insider Risk Management. If your organization hasn’t opted in to share insider risk alerts with Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information, read [Investigate insider risk threats](irm-investigate-alerts-defender.md).
3939

40-
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
40+
Use this reference to construct queries that return information from this table. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
4141

4242
| Column name | Data type | Description |
4343
|-------------|-----------|-------------|
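
Review bot: The added line 38 says the table is populated by Microsoft Purview Insider Risk Management, while the unchanged description on line 36 ties the records to policies "in the Microsoft Purview suite of solutions". A reader cannot tell whether opting in to share insider risk alerts is the only prerequisite or whether other Purview solutions also feed the table. Suggest aligning the two sentences so the data source is stated once and consistently.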

defender-xdr/advanced-hunting-identitydirectoryevents-table.md

Lines changed: 2 additions & 0 deletions
@@ -32,6 +32,8 @@ ms.date: 03/28/2025
3232

3333
The `IdentityDirectoryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains events involving an on-premises domain controller running Active Directory (AD). This table captures various identity-related events, like password changes, password expiration, and user principal name (UPN) changes. It also captures system events on the domain controller, like scheduling of tasks and PowerShell activity. Use this reference to construct queries that return information from this table.
3434

35+
This advanced hunting table is populated by records from Microsoft Defender for Identity. If your organization hasn’t deployed the service in Microsoft Defender XDR,queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Identity in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
36+
3537
> [!TIP]
3638
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.
3739
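
Review bot: Missing space after the comma in the added line 35: "Microsoft Defender XDR,queries" should read "Microsoft Defender XDR, queries". Placement is also inconsistent with the two data security tables in this commit: there the prerequisite paragraph comes before "Use this reference to construct queries...", here it follows that sentence, which stays at the end of the intro paragraph. Pick one order for all table pages.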

defender-xdr/advanced-hunting-messageevents-table.md

Lines changed: 5 additions & 2 deletions
@@ -17,8 +17,9 @@ ms.collection:
1717
ms.custom:
1818
- cx-ti
1919
- cx-ah
20-
appliesto:
21-
- Microsoft Defender XDR
20+
appliesto:
21+
- Microsoft Defender XDR
22+
- Microsoft Sentinel in the Microsoft Defender portal
2223
ms.topic: reference
2324
ms.date: 03/18/2025
2425
---
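
Review bot: Lines 20 and 21 (`appliesto:` and `- Microsoft Defender XDR`) are removed and re-added with no visible text difference, which points to a whitespace-only change. Confirm it is intended (for example, stripping trailing spaces) and that the new `- Microsoft Sentinel in the Microsoft Defender portal` item uses the same indentation as the item above it, since this is YAML front matter.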
@@ -32,6 +33,8 @@ ms.date: 03/18/2025
3233
3334
The `MessageEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains details about messages sent and received within your organization at the time of delivery. Use this reference to construct queries that return information from this table.
3435

36+
This advanced hunting table is populated by records from Microsoft Defender for Office 365. If your organization hasn’t deployed the service in Microsoft Defender XDR,queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Office 365 in Defender XDR, read [Deploy supported services](https://learn.microsoft.com/en-us/defender-xdr/deploy-supported-services).
37+
3538

3639
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
3740
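
Review bot: The link in the added line 36 uses an absolute, locale-pinned URL (`https://learn.microsoft.com/en-us/defender-xdr/deploy-supported-services`), whereas the same target is linked as the relative `deploy-supported-services.md` in the IdentityDirectoryEvents change in this commit and every other link in this file is relative. Use the relative form here so the link follows the reader's locale and is checked with the rest of the repository's links.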

defender-xdr/advanced-hunting-messagepostdeliveryevents-table.md

Lines changed: 6 additions & 2 deletions
@@ -17,8 +17,9 @@ ms.collection:
1717
ms.custom:
1818
- cx-ti
1919
- cx-ah
20-
appliesto:
21-
- Microsoft Defender XDR
20+
appliesto:
21+
- Microsoft Defender XDR
22+
- Microsoft Sentinel in the Microsoft Defender portal
2223
ms.topic: reference
2324
ms.date: 03/18/2025
2425
---
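
Review bot: `ms.date: 03/18/2025` in the unchanged context below the `appliesto` block is left as is, although this commit changes both the applicability list and the body of the file. If the repository's convention is to refresh `ms.date` on content changes, update it here and in the other two message table files touched by this commit.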
@@ -32,6 +33,9 @@ ms.date: 03/18/2025
3233
3334
The `MessagePostDeliveryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization.
3435

36+
This advanced hunting table is populated by records from Microsoft Defender for Office 365. If your organization hasn’t deployed the service in Microsoft Defender XDR,queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Office 365 in Defender XDR, read [Deploy supported services](https://learn.microsoft.com/en-us/defender-xdr/deploy-supported-services).
37+
38+
3539
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
3640

3741
| Column name | Data type | Description |
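
Review bot: This hunk adds two empty lines (37 and 38) after the new paragraph, leaving consecutive blank lines before "For information on other tables...". The sibling message table files add only one. Drop one of the two blank lines to keep the files consistent and avoid a multiple-blank-lines lint warning.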

defender-xdr/advanced-hunting-messageurlinfo-table.md

Lines changed: 5 additions & 2 deletions
@@ -17,8 +17,9 @@ ms.collection:
1717
ms.custom:
1818
- cx-ti
1919
- cx-ah
20-
appliesto:
21-
- Microsoft Defender XDR
20+
appliesto:
21+
- Microsoft Defender XDR
22+
- Microsoft Sentinel in the Microsoft Defender portal
2223
ms.topic: reference
2324
ms.date: 03/18/2025
2425
---
@@ -32,6 +33,8 @@ ms.date: 03/18/2025
3233
3334
The `MessageUrlInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about URLs sent through Microsoft Teams messages in your organization.
3435

36+
This advanced hunting table is populated by records from Microsoft Defender for Office 365. If your organization hasn’t deployed the service in Microsoft Defender XDR,queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Office 365 in Defender XDR, read [Deploy supported services](https://learn.microsoft.com/en-us/defender-xdr/deploy-supported-services).
37+
3538
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
3639

3740
| Column name | Data type | Description |
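
Review bot: The added line 36 is a verbatim copy of the paragraph added to the other two message table files, including the "Microsoft Defender XDR,queries" typo (missing space after the comma). Because the same prerequisite text now lives in several files, consider moving it to a shared include so a wording fix like this one only has to be made once.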
