Merge pull request #305060 from snicklezzz/wi448845-xdr-alert-schema-differences

created xdr alert schema differences page

Author: v-ccolin

articles/sentinel/TOC.yml

@@ -1009,6 +1009,8 @@
           href: sentinel-tables-connectors-reference.md
         - name: Security alert schema reference
           href: security-alert-schema.md
+        - name: Standalone vs XDR alert schema reference
+          href: security-alert-schema-differences.md
         - name: CEF log field mapping
           href: cef-name-mapping.md
         - name: Windows security event sets

articles/sentinel/connect-microsoft-365-defender.md

@@ -72,6 +72,9 @@ To ingest and synchronize Microsoft Defender XDR incidents with all their alerts
 
 When you enable the Microsoft Defender XDR connector, any Microsoft Defender components’ connectors that were previously connected are automatically disconnected in the background. Although they continue to *appear* connected, no data flows through them.
 
+> [!NOTE]
+> Replacing standalone connectors with the XDR connector changes the schema of your alerts and might impact your existing queries. For a detailed comparison, see [Alert schema differences: Standalone vs. XDR connector](security-alert-schema-differences.md).
+
 ### Connect entities
 
 Use Microsoft Defender for Identity to sync user entities from your on-premises Active Directory to Microsoft Sentinel.

articles/sentinel/move-to-defender.md

@@ -107,6 +107,9 @@ From a Log Analytics perspective, Microsoft Sentinel’s integration into Micros
 
 Alerts related to Defender products are streamed directly from the [Microsoft Defender XDR connector](/azure/sentinel/connect-microsoft-365-defender) to ensure consistency. Make sure that you have incidents and alerts from this connector turned on in your workspace. Once you have this data connector configured in your workspace, [offboarding the workspace from Microsoft Defender](/unified-secops/microsoft-sentinel-onboard#offboard-microsoft-sentinel) also disconnects the Microsoft Defender XDR connector.
 
+> [!NOTE]
+> This change in connectors results in schema differences for some alerts. For a detailed comparison, see [Alert schema differences: Standalone vs. XDR connector](security-alert-schema-differences.md).
+
 For more information, see [Connect data from Microsoft Defender XDR to Microsoft Sentinel](connect-microsoft-365-defender.md).
 
 #### Integrate with Microsoft Defender for Cloud
@@ -302,3 +305,4 @@ The Microsoft Sentinel [similar incidents](investigate-cases.md#similar-incident
 - [The Best of Microsoft Sentinel - now in Microsoft Defender](https://techcommunity.microsoft.com/blog/MicrosoftThreatProtectionBlog/the-best-of-microsoft-sentinel-%E2%80%94-now-in-microsoft-defender/4415822) (blog)
 - Watch the webinar: [Transition to the Unified SOC Platform: Deep Dive and Interactive Q&A for SOC Professionals](https://www.youtube.com/watch?v=WIM6fbJDkK4).
 - See frequently asked questions in the [TechCommunity blog](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/unified-security-operations-platform---technical-faq/4189136) or the [Microsoft Community Hub](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/frequently-asked-questions-about-the-unified-security-operations-platform/4212048).
+- Review [alert schema differences between Standalone and XDR connectors](security-alert-schema-differences.md)

articles/sentinel/security-alert-schema-differences.md

@@ -0,0 +1,84 @@
+---
+title: Microsoft Sentinel alert schema differences between standalone and XDR connectors
+description: Learn how alert schema, field mappings, and ingestion behavior differ between standalone connectors and the XDR connector in Microsoft Sentinel.
+author: guywi-ms
+ms.author: guywild
+ms.topic: reference
+ms.date: 01/27/2026
+
+# customer intent: As a security analyst, I want to understand how alerts differ when ingested through the XDR connector so that I can update my queries, analytic rules, and workbooks accordingly.
+---
+
+# Alert schema differences: Standalone vs. XDR connector
+
+This article explains the differences between alerts ingested through standalone connectors and alerts ingested through the Extended Detection and Response (XDR) connector in Microsoft Sentinel.
+
+Standalone connectors ingest alerts directly from the original security products, whereas the XDR connector ingests alerts through the Microsoft Defender XDR pipeline. This includes connectors such as Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Information Rights Management (IRM), Data Loss Prevention (DLP), Microsoft Defender for Cloud (MDC), and Microsoft Defender for Cloud Apps (MDA).
+
+These differences can affect field mappings, derived field behavior, schema structure, and alert ingestion, which might impact your existing queries, analytic rules, and workbooks. Review these differences before migrating to the XDR connector.
+
+For the full alert schema, see the [Security alert schema reference](security-alert-schema.md).
+
+## CompromisedEntity behavior
+
+The CompromisedEntity field is handled differently across products when alerts are ingested through the XDR connector.
+
+| Product | CompromisedEntity equivalent value in XDR alerts |
+|---------|----------------------------------------|
+| Microsoft Defender for Endpoint (MDE) | The device where `"LeadingHost": true` in the alert entities JSON |
+| Microsoft Entra ID (Identity Protection) | Always set to the user’s UPN |
+| Microsoft Defender for Identity (MDI) | Fixed string `"CompromisedEntity"` |
+
+> [!NOTE]
+> In MDE alerts, CompromisedEntity is derived from the device where `"LeadingHost": true`. In some alerts, this field might not be populated.
+
+In MDI alerts, CompromisedEntity doesn't represent a host or user and is always the literal string `"CompromisedEntity"`.
+
+## Field mapping changes
+
+Some fields are renamed or use different value sets in alerts from the XDR connector.
+
+| Product | Legacy field/property | XDR behavior |
+|---------|-----------------------|--------------|
+| MDE | ExtendedProperties.MicrosoftDefenderAtp.Category | Mapped to `ExtendedProperties.Category` |
+| Microsoft Defender for Office (MDO) | ExtendedProperties.Status | Uses a different value set from legacy |
+| Microsoft Defender for Office (MDO) | ExtendedProperties.InvestigationName | Not available |
+
+## Structural schema transformations (MDI)
+
+The standalone Microsoft Defender for Identity (MDI) connector sometimes used placeholder entities to store additional information. In the XDR connector, this information is folded into properties under the `resourceAccessEvents` collection.
+
+| Legacy entity/property | XDR representation |
+|------------------------|-------------------|
+| ResourceAccessInfo.Time | `resourceAccessEvents[].AccessDateTime` |
+| ResourceAccessInfo.IpAddress | `resourceAccessEvents[].IpAddress` |
+| ResourceAccessInfo.ResourceIdentifier.AccountId | `resourceAccessEvents[].AccountId` |
+| ResourceAccessInfo.ResourceIdentifier.ResourceName | `resourceAccessEvents[].ResourceIdentifier` |
+| DomainResourceIdentifier | `resourceAccessEvents[].ResourceIdentifier` |
+
+ResourceAccessInfo.ComputerId is no longer required because it's 'identical to the Host entity that ResourceAccessInfo is defined in.
+
+## Alert ingestion filtering
+
+Some alerts available through standalone connectors aren't ingested through the XDR connector.
+
+| Product | Filtering behavior |
+|---------|--------------------|
+| Microsoft Defender for Cloud (MDC) | Informational severity alerts aren't ingested |
+| Microsoft Entra ID | By default, alerts below High severity aren't ingested; customers can configure ingestion to include all severities |
+
+## Scoping behavior (Microsoft Defender for Cloud)
+
+Microsoft Defender for Cloud alerts use different scoping when ingested through the XDR connector.
+
+| Standalone connector scope | XDR connector scope |
+|------------------------|---------------------|
+| Subscription level | Tenant level |
+
+> [!NOTE]
+> All MDC alerts are available in the primary workspace for the tenant. Alerts are scoped according to MDC subscription scopes within Defender XDR.
+
+## Next steps
+
+- [Create and manage analytic rules](create-analytics-rules.md)
+- [Use workbooks in Microsoft Sentinel](monitor-your-data.md)