Forum Discussion
Sanjit Hayer
Feb 01, 2021 - Copper Contributor
Query Defender for Identity logs
Hi - how can I query, using either Sentinel or KQL, the data within Defender for Identity? I want to do some analysis on our service accounts and the data will help with this. Thanks
- Feb 01, 2021
Sanjit Hayer, you can use the Advanced Hunting feature from the Microsoft 365 Security Portal - https://security.microsoft.com/advanced-hunting
You'll find tables for IdentityInfo, IdentityLogonEvents, IdentityQueryEvents and IdentityDirectoryEvents.
These tables can be used to create relevant KQL queries.
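
A starting point for the service-account analysis asked about above, as an added example that is not part of the original reply. It assumes service accounts share a naming prefix (the hypothetical `svc` here) and uses a 30-day lookback; adjust both to your environment.

```kql
// Added example: per-account logon profile for service accounts in Advanced Hunting.
// Assumption: service accounts are identifiable by a name prefix ("svc" is hypothetical).
let lookback = 30d;
let svcPrefix = "svc";
IdentityLogonEvents
| where Timestamp > ago(lookback)
| where AccountName startswith svcPrefix
| summarize
    Logons        = count(),
    Failures      = countif(ActionType == "LogonFailed"),
    Protocols     = make_set(Protocol, 10),
    LogonTypes    = make_set(LogonType, 10),
    SourceDevices = dcount(DeviceName),
    Targets       = make_set(DestinationDeviceName, 25),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp)
    by AccountName, AccountDomain
// Failure ratio helps separate misconfigured accounts from normally working ones.
| extend FailureRate = round(todouble(Failures) / Logons, 3)
// Accounts used from many source devices, or with many failures, sort to the top for review.
| order by SourceDevices desc, Failures desc
```

A service account normally runs from a small, stable set of hosts, so a high `SourceDevices` count or an unexpected entry in `LogonTypes` or `Protocols` is worth a closer look.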
SocInABox
Aug 01, 2021 - Iron Contributor
New writeup on IdentityInfo from Itay Argoety
https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-identityinfo-table-is-now-in-public-preview/ba-p/2571037