Forum Discussion
query defender for identity logs
hi - how can i query using either sentinel or kql the data witin defender for identity. i want to do some analysis on our service accounts and the data will help with this. thanks
Sanjit Hayer You can use Advanced Hunting feature from Microsoft 365 Security Portal - https://security.microsoft.com/advanced-hunting
You'll find tables for IdentityInfo, IdentitylogonEvents, IdentityQueryEvents and IdentityDirectoryEvents.
These tables can be used to create relevant KQL queries.
4 Replies
New writeup on IdentityInfo from Itay Argoety
https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-identityinfo-table-is-now-in-public-preview/ba-p/2571037Sanjit Hayer You can use Advanced Hunting feature from Microsoft 365 Security Portal - https://security.microsoft.com/advanced-hunting
You'll find tables for IdentityInfo, IdentitylogonEvents, IdentityQueryEvents and IdentityDirectoryEvents.
These tables can be used to create relevant KQL queries.
- Is this table also available via the API?
- igaralf
Yes this is available via api as well -
https://docs.microsoft.com/en-US/microsoft-365/security/mtp/api-advanced-hunting?view=o365-worldwide
