We are excited to share that the updated IdentityInfo schema is planned to be available by May 12th! This upcoming enhancement will unify identity insights from SIEM (Microsoft Sentinel, UEBA) and XDR (Microsoft Defender for Identity) into a single, streamlined table - enhancing security operations, threat detection, and investigation workflows.
Why This Matters
Security teams often struggle with fragmented identity data across SIEM and XDR solutions, making investigations slower and less efficient. By unifying the IdentityInfo schema, we provide a single, enriched view of identity-related data, empowering defenders with:
- Comprehensive Identity Context – See identity activity from both Sentinel UEBA and MDI in one place, making it easier to detect anomalies and correlate identity threats.
- Faster, More Efficient Investigations – Eliminate time-consuming cross-referencing between different tables, reducing investigation time and response delays.
- Improved Threat Detection – Enriched identity attributes enhance analytics, helping security teams spot insider threats, compromised accounts, and anomalous behaviour faster.
- Better Correlation with Incidents – The unified table makes it easier to link identity activities to security incidents across the SIEM and XDR ecosystem.
What’s Changing?
New Fields from Sentinel UEBA
To provide richer identity context, we are adding the following new columns to the IdentityInfo table:
| Column Name | Type | Description | Comment |
|---|---|---|---|
| OnPremObjectId | String | Active Directory object ID of the user | New column |
| TenantMembershipType | String | User type in Microsoft Entra ID; possible values: Guest, Member | New column |
| RiskStatus | String | Status of the user's risk; possible values: None, ConfirmedSafe, Remediated, Dismissed, AtRisk, ConfirmedCompromised, UnknownFutureValue | New column |
| UserAccountControlSettings | Dynamic | Security attributes of the user account in Active Directory | New column |
| GroupMembership | Dynamic | Microsoft Entra groups where the user account is a member | New column |
To help you adjust existing queries, here’s how Sentinel UEBA fields map to the new unified IdentityInfo table’s schema:
| Sentinel UEBA Column | Unified IdentityInfo Column | Comments |
|---|---|---|
| AccountCloudSID | CloudSid | |
| AccountSID | OnPremSid | |
| AccountCreationTime | CreatedDateTime | |
| AccountDisplayName | AccountDisplayName | |
| AccountDomain | AccountDomain | Values might be different |
| AccountName | AccountName | Values might be different |
| AccountTenantId | TenantId | |
| AccountUPN | AccountUpn | |
| AdditionalMailAddresses | OtherMailAddresses | |
| MailAddress | EmailAddress | |
| OnPremisesDistinguishedName | DistinguishedName | |
| SAMAccountName | AccountName | |
| StreetAddress | Address | |
| UserType | TenantMembershipType | |
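As an added example (not part of the original post), here is a typical Sentinel UEBA-era IdentityInfo query rewritten against the unified column names from the mapping above, followed by a query that uses the new enrichment columns. It assumes the table is queried in the Sentinel workspace, where records carry TimeGenerated, and that GroupMembership holds group display names (the post does not state the element format); "Global Administrators" is a placeholder group name. Each blank-line-separated query runs on its own.

```kusto
// BEFORE: Sentinel UEBA column names (will need updating once the unified schema rolls out).
IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountUPN          // latest snapshot per identity
| where UserType == "Guest"
| project AccountUPN, AccountDisplayName, AccountSID, AccountCloudSID,
          MailAddress, AdditionalMailAddresses, OnPremisesDistinguishedName

// AFTER: the same query against the unified IdentityInfo schema.
// Renames per the mapping table: AccountUPN -> AccountUpn, UserType -> TenantMembershipType,
// AccountSID -> OnPremSid, AccountCloudSID -> CloudSid, MailAddress -> EmailAddress,
// AdditionalMailAddresses -> OtherMailAddresses, OnPremisesDistinguishedName -> DistinguishedName.
IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountUpn
| where TenantMembershipType == "Guest"
| project AccountUpn, AccountDisplayName, OnPremSid, CloudSid,
          EmailAddress, OtherMailAddresses, DistinguishedName

// NEW ENRICHMENT: identities currently flagged as risky that also sit in a privileged
// Entra group. GroupMembership is dynamic; set_has_element() tests array membership.
// "Global Administrators" is a placeholder (assumed format: array of group display names).
IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountUpn
| where RiskStatus in ("AtRisk", "ConfirmedCompromised")
| where set_has_element(GroupMembership, "Global Administrators")
| project AccountUpn, AccountDisplayName, RiskStatus, TenantMembershipType, GroupMembership
```

Because the mapping table notes that AccountName and AccountDomain values might differ between the UEBA and unified schemas, anything that joins or exact-matches on those columns (watchlists, lookups, allow-lists) should be re-validated against live data rather than just renamed; the rewrite above keys on AccountUpn, which has a direct one-to-one mapping.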
Breaking Changes to Support 3rd Party Identity Providers
To support a broader range of identity environments, we are modifying existing fields:
Replacing the SourceProvider column is a breaking change: any Advanced Hunting query that references SourceProvider will no longer resolve once the new schema is live. Please review and update such queries accordingly.
| Column Name | Type | Change |
|---|---|---|
| IdentityEnvironment | String | Replaces the SourceProvider column and now specifies the environment where the identity is used. Possible values: CloudOnly, Hybrid, On-premises |
| SourceProviders | Dynamic | New column listing the identity sources the record was built from. Possible values: ActiveDirectory, EntraID, Okta |
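An added example (not part of the original post) of what the SourceProvider break looks like in practice and how to rewrite the affected query, written for Defender XDR Advanced Hunting, where records carry Timestamp. It opens with a schema check so you can confirm whether the change has reached your tenant before editing queries, and ends with a per-provider inventory built by expanding the dynamic SourceProviders array. The legacy SourceProvider values are not listed in this post, so the "before" query only projects the column.

```kusto
// CHECK: which of the announced columns does IdentityInfo currently expose here?
// If SourceProvider is still present and IdentityEnvironment is not, the change has not rolled out yet.
IdentityInfo
| getschema
| where ColumnName in ("SourceProvider", "IdentityEnvironment", "SourceProviders",
                       "OnPremObjectId", "TenantMembershipType", "RiskStatus",
                       "UserAccountControlSettings", "GroupMembership")
| project ColumnName, ColumnType

// BEFORE (breaks after the change): references the removed SourceProvider column,
// so the query fails to resolve once IdentityEnvironment replaces it.
IdentityInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by AccountUpn
| project AccountUpn, SourceProvider

// AFTER: IdentityEnvironment (string) says where the identity is used;
// SourceProviders (dynamic array) lists every source the record was built from.
IdentityInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by AccountUpn
| where IdentityEnvironment == "CloudOnly"                    // CloudOnly | Hybrid | On-premises
| where set_has_element(SourceProviders, "Okta")              // array membership, not substring match
| project AccountUpn, IdentityEnvironment, SourceProviders

// INVENTORY: how many identities each provider contributes, per environment. mv-expand turns
// one row per identity into one row per (identity, provider) so providers can be counted.
IdentityInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by AccountUpn
| mv-expand Provider = SourceProviders to typeof(string)
| summarize Identities = dcount(AccountUpn) by Provider, IdentityEnvironment
| order by Identities desc
```

A single-valued filter such as `SourceProvider == "..."` has no one-to-one replacement: an identity can now list several providers, so the rewrite has to decide whether it cares about the environment (IdentityEnvironment) or about a specific source being present (set_has_element on SourceProviders), and detections that assumed one provider per identity should be re-examined for that reason.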
How to Prepare
To ensure a smooth transition, we recommend:
✔ Review the new and updated fields in the IdentityInfo schema.
✔ Prepare to update and adjust any queries, custom alert rules, playbooks, workbooks, watchlists or automations that reference the IdentityInfo table and would be impacted by the changes.
✔ Stay informed via Message Center, the Defender XDR Community Hub and the official documentation.
Next Steps
These changes are part of our ongoing efforts to unify identity insights across Microsoft SIEM and XDR. We encourage all security professionals to explore these updates and adapt their queries to take full advantage of the new capabilities.
We are here to help! If you have any questions or need support, join the discussion in the Microsoft Security Community or reach out via your support channels.
Start preparing for the new IdentityInfo schema today and take your security operations to the next level!
Updated May 05, 2025, Version 1.0
ShaharAviv, Microsoft
Microsoft Sentinel Blog