Update: We've pushed out the date for this change from Dec 15, 2019 to Dec 29, 2019. Note that saved queries will be automatically updated. Also, existing names will continue to work for at least 1 month after the transition.
Hello there, Hunters!
As announced in a previous blog post, we will be making changes to how Advanced hunting will expose information through its schema.
With the broad initiative to unify Microsoft security capabilities under Microsoft Threat Protection, Advanced hunting will eventually support new types of data sets from various products: email events from Office 365 ATP, app activity from Microsoft Cloud App Security, and richer identity information from Azure ATP. To prepare for these changes and keep the schema intuitive, we want to ensure that data providers are easily identified by customers as they transition to an expanded schema.
On December 22, we will start supporting this initiative by adding “Device” as a prefix to tables populated with device-related information. Moving forward, as the schema expands, corresponding prefixes will be used for tables populated by data from other providers as shown in the table below.
Here are the actual changes to existing table names that we will apply on December 22.
Old table name
New table name
We are also renaming the following columns to ensure that their names remain meaningful when they are used across more tables.
Old column name
New column name
Automatic updates to saved queries and custom detections
On December 29, we will automatically update all your saved queries and custom detections with the new table and column names, so nothing is required from your end. Keep in mind, however, that the query you have in the Advanced hunting query editor will not be updated automatically.
Changes to the schema displayed in the portal and the auto-complete functionality will also take full effect on December 22. From that point on, only the new names will be visible in the UI.
Deprecation of old names
To give you more time to transition, old names will continue to work as aliases for a short period. We do recommend that you stop using the old names and manually modify queries you've saved outside the portal.
We will deprecate the old names after at least a month, so they will eventually stop working.