Document strong identifier requirements for XDR mapping #486
Added requirements for strong identifiers to ensure correct mapping of custom activity data in Microsoft Defender XDR.
@PremMS-MDE : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

Learn Build status updates of commit bb39b73: ✅ Validation status: passed
For more details, please refer to the build report.

Learn Build status updates of commit 2f2d0b2: ✅ Validation status: passed
For more details, please refer to the build report.

Can someone help review this PR, please?

Could you review the proposed changes? IMPORTANT: When the changes are ready for publication, add #label:"aq-pr-triaged".
Pull request overview
Adds documentation to the Device entity page article clarifying which host/device identifiers must be present for Microsoft Sentinel unified timeline events to map correctly into Microsoft Defender XDR.
Changes:
- Added a new section describing “strong identifier” requirements for Sentinel → XDR mapping in the unified timeline experience.
- Listed minimum supported identifier combinations for host/device correlation.
| ### Strong Identifier Requirements for Unified Timeline (Sentinel → XDR Mapping) | ||
|
|
||
| To ensure that custom activity data (e.g., Sophos alerts) is correctly mapped and visible in **Microsoft Defender XDR** (`security.microsoft.com`) under the **Device Timeline**, the ingested data must include multiple strong identifiers for the host/device. | ||
|
|
||
| #### ✅ Required Strong Identifiers |
| At minimum, one of the following valid combinations must be present: | ||
|
|
||
| - **Hostname + NTDomain** | ||
| - **Hostname + DNS Domain** |
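Review bot: the lead sentence of the new section says the ingested data "must include multiple strong identifiers for the host/device", but the "Required Strong Identifiers" list that follows says only that "one of the following valid combinations must be present"; the two statements contradict each other, so the lead sentence should read "must include at least one of the supported combinations of strong identifiers" to match the list. The list itself ends after two bullets (Hostname + NTDomain, Hostname + DNS Domain); if other combinations are supported they need to be listed here, and each bullet should name the entity mapping field that carries the value so a reader knows which column to populate. Minor style points for a Learn reference page: drop the ✅ from the "#### Required Strong Identifiers" heading, and either make the "(e.g., Sophos alerts)" example generic (third-party alerts ingested through a custom connector) or state that the requirement applies to all custom activity data, not only that vendor.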