Document strong identifier requirements for XDR mapping #486

Open
PremMS-MDE wants to merge 2 commits into MicrosoftDocs:public from PremMS-MDE:patch-6

@PremMS-MDE

Contributor

Added requirements for strong identifiers to ensure correct mapping of custom activity data in Microsoft Defender XDR.

@prmerger-automator

Contributor

@PremMS-MDE : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

@learn-build-service-prod

Contributor

Learn Build status updates of commit bb39b73:

✅ Validation status: passed

File Status Preview URL Details
defender-xdr/entity-page-device.md ✅ Succeeded

For more details, please refer to the build report.

@learn-build-service-prod

Contributor

Learn Build status updates of commit 2f2d0b2:

✅ Validation status: passed

File Status Preview URL Details
defender-xdr/entity-page-device.md ✅ Succeeded

For more details, please refer to the build report.

@PremMS-MDE

Contributor Author

Can someone help review this PR, please?

@ShannonLeavitt

Contributor

@guywi-ms

Could you review the proposed changes?

IMPORTANT: When the changes are ready for publication, adding a #sign-off comment is the best way to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

prmerger-automator (bot) added the aq-pr-triaged label (Tracking label for the vendor PR Review team) on Jul 2, 2026
@prmerger-automator

Contributor

@PremMS-MDE : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

Copilot AI left a comment

Contributor

Pull request overview

Adds documentation to the Device entity page article clarifying which host/device identifiers must be present for Microsoft Sentinel unified timeline events to map correctly into Microsoft Defender XDR.

Changes:

  • Added a new section describing “strong identifier” requirements for Sentinel → XDR mapping in the unified timeline experience.
  • Listed minimum supported identifier combinations for host/device correlation.

Comment on lines +148 to +152
### Strong Identifier Requirements for Unified Timeline (Sentinel → XDR Mapping)

To ensure that custom activity data (e.g., Sophos alerts) is correctly mapped and visible in **Microsoft Defender XDR** (`security.microsoft.com`) under the **Device Timeline**, the ingested data must include multiple strong identifiers for the host/device.

#### ✅ Required Strong Identifiers
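
Review bot: The paragraph under the "Strong Identifier Requirements" heading asks for "multiple strong identifiers" without saying what makes an identifier strong, and the heading names Sentinel while the body never states that the ingested data arrives through Microsoft Sentinel. Suggest defining the term in one sentence and naming the ingestion path, so a reader knows which data the requirement applies to. Two style points in the same region: "e.g., Sophos alerts" ties the guidance to a single vendor where a neutral phrase such as "third-party alerts" would serve, and the "Required Strong Identifiers" heading would read better without the ✅ emoji and in sentence case, as would the heading above it.
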
Comment on lines +154 to +157
At minimum, one of the following valid combinations must be present:

- **Hostname + NTDomain**
- **Hostname + DNS Domain**
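
Review bot: "At minimum, one of the following valid combinations must be present" does not say where these values must appear. The list gives Hostname, NTDomain and DNS Domain as labels rather than as the field or column names of the ingested record, so the author of a custom connector cannot check a record against this text. Suggest naming the exact field for each identifier and adding a sentence on what happens to an event that carries only a hostname, for example whether it is left off the Device Timeline. The opening would also read more clearly as "At least one of the following combinations must be present".
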