Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

IdentityInfo is one of a handful of tables that the XDR event streaming API doesn't export to an event hub. The DeviceTvm* tables are other examples.

I'm definitely seeing these events come through and getting an error.message: The event category AdvancedHunting-IdentityInfo is not supported.

It's interesting that doc lists some things as "Not Available" but doesn't list IdentityInfo at all - wondering if it might be a little out of date?

Alternatively this might be to do with how we ingest. I didn't set this up and the person that did is away for a few weeks. Our elastic instance is in azure and I know there's a native log forwarder for some types of azure logs that bypasses a lot of the APIs, but I didn't think it applied to the defender logs.

I'm definitely seeing these events come through and getting an error.message: The event category AdvancedHunting-IdentityInfo is not supported.

Checking our setup, this is case. The table wasn't available about a year ago but now I have 21/22 tables set to stream. IdentityInfo is the one not checked. Their documentation is definitely out of date.

Looking at the schema for the table, nearly all the parsing would be already in place . It just needs an additional condition for AdvancedHunting-IdentityInfo and couple fields to unique to the table.

@rkerr Do you have any sample events or redacted event.original? I have the changes staged for a PR, so having some additional test input will help.

I've got a few but changes that'd be reflected here are currently infrequent as it's the period between semesters, and most people on PTO. I'm not certain if what i have will cover everything.