Skip to content

advanced-hunting-schema-changes.md

Latest commit

 

History

History
123 lines (90 loc) · 8.12 KB

advanced-hunting-schema-changes.md

File metadata and controls

123 lines (90 loc) · 8.12 KB
title Naming changes in the Microsoft Defender XDR advanced hunting schema
description Track and review naming changes tables and columns in the advanced hunting schema
search.appverid met150
ms.service defender-xdr
ms.subservice adv-hunting
f1.keywords
NOCSH
ms.author pauloliveria
author poliveria
ms.localizationpriority medium
manager dansimp
audience ITPro
ms.collection
m365-security
tier3
ms.custom
cx-ti
cx-ah
appliesto
Microsoft Defender XDR
Microsoft Sentinel in the Microsoft Defender portal
ms.topic reference
ms.date 12/10/2025

Advanced hunting schema - Naming changes

[!INCLUDE Microsoft Defender XDR rebranding]

[!INCLUDE Prerelease information]

The advanced hunting schema is updated regularly to add new tables and columns. In some cases, existing columns names are renamed or replaced to improve the user experience. Refer to this article to review naming changes that could impact your queries.

Naming changes are automatically applied to queries that are saved in Microsoft Defender XDR, including queries used by custom detection rules. You don't need to update these queries manually. However, you will need to update the following queries:

  • Queries that are run using the API
  • Queries that are saved elsewhere outside Microsoft Defender XDR

November 2025

  • The Boolean field values in advanced hunting results will change from numeric (1 and 0) to textual (True and False) on February 25, 2026. While your queries and custom detection rules won't be affected by this change, you might want to update your automated processes (for example, scripts, playbooks, or integrations) parsing these values.

  • The AADSignInEventsBeta and AADSpnSignInEventsBeta tables are being replaced by EntraIdSignInEvents and EntraIdSpnSignInEvents, respectively. These changes are being made to remove the former tables' preview status and to align them with the existing product branding.

    The EntraIdSignInEvents and EntraIdSpnSignInEvents tables are now available. The legacy AADSignInEventsBetaand AADSpnSignInEventsBeta tables will remain in the schema for 30 days to allow time for updating your queries. Your custom detections will be updated automatically and won't require any changes. On December 9, 2025, AADSignInEventsBetaand AADSpnSignInEventsBeta will be removed from the schema.

September 2025

In the AADSignInEventsBeta table, the AadDeviceId column is being replaced with a new column, called EntraIdDeviceId, to align with current product branding. The legacy AadDeviceId column will remain in the schema for 30 days to allow time for updating in your queries. After this period of 30 days, AadDeviceId will be removed from the schema.

May 2025

In the IdentityInfo table, the SourceProvider column was replaced by the IdentityEnvironment column. This change was made to streamline the unified IdentityInfo table with a similar table in Microsoft Sentinel log analytics. Note that a new column, SourceProviders (with an s) was added in the unified table. This column refers to the source providers of the accounts for the identity.

May 2021

The AppFileEvents table has been deprecated. The CloudAppEvents table includes information that used to be in the AppFileEvents table, along with other activities in cloud services.

March 2021

The DeviceTvmSoftwareInventoryVulnerabilities table has been deprecated. Replacing it are the DeviceTvmSoftwareInventory and DeviceTvmSoftwareVulnerabilities tables.

February 2021

  • In the EmailAttachmentInfo and EmailEvents tables, the MalwareFilterVerdict and PhishFilterVerdict columns have been replaced by the ThreatTypes column. The MalwareDetectionMethod and PhishDetectionMethod columns were also replaced by the DetectionMethods column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.

    Table name Original column name New column name Reason for change
    EmailAttachmentInfo MalwareDetectionMethod
    PhishDetectionMethod    		 DetectionMethods Include more detection methods
    EmailAttachmentInfo MalwareFilterVerdict
    PhishFilterVerdict    		 ThreatTypes Include more threat types
    EmailEvents MalwareDetectionMethod
    PhishDetectionMethod    		 DetectionMethods Include more detection methods
    EmailEvents MalwareFilterVerdict
    PhishFilterVerdict    		 ThreatTypes Include more threat types

  • In the EmailAttachmentInfo and EmailEvents tables, the ThreatNames column was added to give more information about the email threat. This column contains values like Spam or Phish.

  • In the DeviceInfo table, the DeviceObjectId column was replaced by the AadDeviceId column based on customer feedback.

  • In the DeviceEvents table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.

    Table name Original ActionType name New ActionType name Reason for change
    DeviceEvents UsbDriveMount UsbDriveMounted Customer feedback
    DeviceEvents UsbDriveUnmount UsbDriveUnmounted Customer feedback
    DeviceEvents WriteProcessMemoryApiCall WriteToLsassProcessMemory Customer feedback

January 2021

Column name Original value name New value name Reason for change
DetectionSource Defender for Cloud Apps Microsoft Defender for Cloud Apps Rebranding
DetectionSource WindowsDefenderAtp EDR Rebranding
DetectionSource WindowsDefenderAv Antivirus Rebranding
DetectionSource WindowsDefenderSmartScreen SmartScreen Rebranding
DetectionSource CustomerTI Custom TI Rebranding
DetectionSource OfficeATP Microsoft Defender for Office 365 Rebranding
DetectionSource MTP Microsoft Defender XDR Rebranding
DetectionSource AzureATP Microsoft Defender for Identity Rebranding
DetectionSource CustomDetection Custom detection Rebranding
DetectionSource AutomatedInvestigation Automated investigation Rebranding
DetectionSource ThreatExperts Microsoft Threat Experts Rebranding
DetectionSource 3rd party TI 3rd Party sensors Rebranding
ServiceSource Microsoft Defender ATP Microsoft Defender for Endpoint Rebranding
ServiceSource Microsoft Threat Protection Microsoft Defender XDR Rebranding
ServiceSource Office 365 ATP Microsoft Defender for Office 365 Rebranding
ServiceSource Azure ATP Microsoft Defender for Identity Rebranding

DetectionSource is available in the AlertInfo table. ServiceSource is available in the AlertEvidence and AlertInfo tables.

December 2020

Table name Original column name New column name Reason for change
EmailEvents FinalEmailAction EmailAction Customer feedback
EmailEvents FinalEmailActionPolicy EmailActionPolicy Customer feedback
EmailEvents FinalEmailActionPolicyGuid EmailActionPolicyGuid Customer feedback

Related topics