From bb39b733fc31af70117948b05a415fae7da8372b Mon Sep 17 00:00:00 2001 From: Prem Kumar <85905240+PremMS-MDE@users.noreply.github.com> Date: Tue, 21 Apr 2026 17:41:29 +0530 Subject: [PATCH] Document strong identifier requirements for XDR mapping Added requirements for strong identifiers to ensure correct mapping of custom activity data in Microsoft Defender XDR. --- defender-xdr/entity-page-device.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/defender-xdr/entity-page-device.md b/defender-xdr/entity-page-device.md index 542bfed904..6d1101df4d 100644 --- a/defender-xdr/entity-page-device.md +++ b/defender-xdr/entity-page-device.md @@ -146,6 +146,17 @@ You can elect not to show events from Microsoft Sentinel in the main timeline, a For more information about these activity events, see [Entity pages in Microsoft Sentinel](/azure/sentinel/entity-pages?tabs=defender-portal#entity-pages). +### Strong Identifier Requirements for Unified Timeline (Sentinel → XDR Mapping) + +To ensure that custom activity data (e.g., Sophos alerts) is correctly mapped and visible in **Microsoft Defender XDR** (`security.microsoft.com`) under the **Device Timeline**, the ingested data must include multiple strong identifiers for the host/device. + +#### ✅ Required Strong Identifiers + +At minimum, one of the following valid combinations must be present: + +- **Hostname + NTDomain** +- **Hostname + DNS Domain** + > [!NOTE] > > For firewall events to be displayed, you'll need to enable the audit policy. For instructions, see [Audit Filtering Platform connection](/windows/security/threat-protection/auditing/audit-filtering-platform-connection).
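Review bot: The added section is placed between the Sentinel entity-pages paragraph and the existing `> [!NOTE]` about firewall events, so after this change that note sits under "Strong Identifier Requirements" even though it concerns enabling the audit policy for firewall events. Move the new block below the note, or keep the note above the new heading, so it stays attached to the text it qualifies. In the added lines, "must include multiple strong identifiers" and "At minimum, one of the following valid combinations must be present" should be reconciled into one statement of the rule. If a hostname on its own is not enough for mapping, say so explicitly, and name where in the ingested record Hostname, NTDomain and DNS Domain are expected, since the text does not say which fields carry them or what the reader sees when they are missing. The heading would be easier to link and scan without the arrow, and the "✅" in the subheading adds nothing. "e.g., Sophos alerts" ties the guidance to one vendor and could read as third-party product alerts in general.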