title | description | search.appverid | ms.service | ms.subservice | f1.keywords | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.custom | ms.topic | ms.date | appliesto | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
IdentityInfo table in the advanced hunting schema |
Learn about user account information in the IdentityInfo table of the advanced hunting schema |
met150 |
defender-xdr |
adv-hunting |
|
maccruz |
schmurky |
medium |
dansimp |
ITPro |
|
|
reference |
04/22/2024 |
|
The IdentityInfo
table in the advanced hunting schema contains information about user accounts obtained from various services, including Microsoft Entra ID. Use this reference to construct queries that return information from this table.
This table was renamed from AccountInfo
. During renames, all queries saved in the portal are automatically updated. Check queries you have saved elsewhere.
Microsoft Sentinel uses a slightly expanded version of this table in Log Analytics. For more information, see Microsoft Sentinel UEBA reference | IdentityInfo table
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Column name | Data type | Description |
---|---|---|
Timestamp * |
datetime |
The date and time that the line was written to the database. This is used when there are multiple lines for each identity, such as when a change is detected, or if 24 hours have passed since the last database line was added. |
ReportId * |
string |
Unique identifier for the event |
AccountObjectId |
string |
Unique identifier for the account in Microsoft Entra ID |
AccountUpn |
string |
User principal name (UPN) of the account |
OnPremSid |
string |
On-premises security identifier (SID) of the account |
AccountDisplayName |
string |
Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |
AccountName |
string |
User name of the account |
AccountDomain * |
string |
Domain of the account |
Type * |
string |
Type of record |
DistinguishedName * |
string | The user's distinguished name |
CloudSid |
string |
Cloud security identifier of the account |
GivenName |
string |
Given name or first name of the account user |
Surname |
string |
Surname, family name, or last name of the account user |
Department |
string |
Name of the department that the account user belongs to |
JobTitle |
string |
Job title of the account user |
EmailAddress |
string |
SMTP address of the account |
SipProxyAddress |
string |
Voice over IP (VOIP) session initiation protocol (SIP) address of the account |
Address |
string |
Address of the account user |
City |
string |
City where the account user is located |
Country |
string |
Country/Region where the account user is located |
IsAccountEnabled |
boolean |
Indicates whether the account is enabled or not |
Manager * |
string |
The listed manager of the account user |
Phone * |
string |
The listed phone number of the account user |
CreatedDateTime * |
datetime |
Date and time when the account user was created |
SourceProvider * |
string |
The identity's source, such as Microsoft Entra ID, Active Directory, or a hybrid identity synchronized from Active Directory to Azure Active Directory |
ChangeSource * |
string |
Identifies which identity provider or process triggered the addition of the new row. For example, the System-UserPersistence value is used for any rows added by an automated process. |
Tags * |
dynamic |
Tags assigned to the account user by Defender for Identity |
AssignedRoles * |
dynamic |
For identities from Microsoft Entra-only, the roles assigned to the account user |
TenantId |
string |
Unique identifier representing your organization's instance of Microsoft Entra ID |
SourceSystem * |
string |
The source system for the record |
* Available only for tenants with Microsoft Defender for Identity, Microsoft Defender for Cloud Apps or Microsoft Defender for Endpoint P2 licensing.