Skip to content

Latest commit

 

History

History
81 lines (72 loc) · 5.13 KB

advanced-hunting-identityinfo-table.md

File metadata and controls

81 lines (72 loc) · 5.13 KB
title description search.appverid ms.service ms.subservice f1.keywords ms.author author ms.localizationpriority manager audience ms.collection ms.custom ms.topic ms.date appliesto
IdentityInfo table in the advanced hunting schema
Learn about user account information in the IdentityInfo table of the advanced hunting schema
met150
defender-xdr
adv-hunting
NOCSH
maccruz
schmurky
medium
dansimp
ITPro
m365-security
usx-security
tier3
cx-ti
cx-ah
reference
04/22/2024
Microsoft Defender XDR
Microsoft Sentinel in the Microsoft Defender portal

IdentityInfo

The IdentityInfo table in the advanced hunting schema contains information about user accounts obtained from various services, including Microsoft Entra ID. Use this reference to construct queries that return information from this table.

This table was renamed from AccountInfo. During renames, all queries saved in the portal are automatically updated. Check queries you have saved elsewhere.

Microsoft Sentinel uses a slightly expanded version of this table in Log Analytics. For more information, see Microsoft Sentinel UEBA reference | IdentityInfo table

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name Data type Description
Timestamp * datetime The date and time that the line was written to the database.

This is used when there are multiple lines for each identity, such as when a change is detected, or if 24 hours have passed since the last database line was added.
ReportId * string Unique identifier for the event
AccountObjectId string Unique identifier for the account in Microsoft Entra ID
AccountUpn string User principal name (UPN) of the account
OnPremSid string On-premises security identifier (SID) of the account
AccountDisplayName string Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname.
AccountName string User name of the account
AccountDomain * string Domain of the account
Type * string Type of record
DistinguishedName * string The user's distinguished name
CloudSid string Cloud security identifier of the account
GivenName string Given name or first name of the account user
Surname string Surname, family name, or last name of the account user
Department string Name of the department that the account user belongs to
JobTitle string Job title of the account user
EmailAddress string SMTP address of the account
SipProxyAddress string Voice over IP (VOIP) session initiation protocol (SIP) address of the account
Address string Address of the account user
City string City where the account user is located
Country string Country/Region where the account user is located
IsAccountEnabled boolean Indicates whether the account is enabled or not
Manager * string The listed manager of the account user
Phone * string The listed phone number of the account user
CreatedDateTime * datetime Date and time when the account user was created
SourceProvider * string The identity's source, such as Microsoft Entra ID, Active Directory, or a hybrid identity synchronized from Active Directory to Azure Active Directory
ChangeSource * string Identifies which identity provider or process triggered the addition of the new row. For example, the System-UserPersistence value is used for any rows added by an automated process.
Tags * dynamic Tags assigned to the account user by Defender for Identity
AssignedRoles * dynamic For identities from Microsoft Entra-only, the roles assigned to the account user
TenantId string Unique identifier representing your organization's instance of Microsoft Entra ID
SourceSystem * string The source system for the record

* Available only for tenants with Microsoft Defender for Identity, Microsoft Defender for Cloud Apps or Microsoft Defender for Endpoint P2 licensing.

Related topics