We're happy to share that Microsoft 365 Defender Streaming API support for the following event types (tables) is General Availability:
- Identity events
- IdentityLogonEvents
- IdentityQueryEvents
- IdentityDirectoryEvents
- CloudAppEvents
These new event types enable automating queries and enrichment about user accounts, on-premises and online services authentication activities, and queries about Active Directory objects and cloud app and identity-related events, significantly extending custom enrichment and analytics possibilities from endpoint and email to identity and cloud apps.
Identity use cases and queries that are now possible include account brute force attempts, credential access/dump attempts, reconnaissance and discovery activities, sensitive Active Directory group modification, sensitive LDAP queries, and much more.
Cloud app use cases and queries include cloud service-based exfiltration attempts such as adding mail permissions to applications, changing ADFS trust settings and other techniques - many of which have been used by actors.
Here are some links to related blogs about these tables being added to Microsoft 365 Defender Advanced Hunting that go deeper into queries and use cases these event types enable:
- Microsoft Defender for Identity Hunting:
- Microsoft Defender for Cloud Apps Hunting:
These event types are also now available in Microsoft Sentinel - for more information see:
- Connect data from Microsoft 365 Defender to Microsoft Sentinel
- What’s new: Closer integration between Microsoft Sentinel and Microsoft 365 Defender
Here are the Event Types/Tables' schemas for easy access (event type titles link directly to the respective online documentation):
The IdentityLogonEvents table in the advanced hunting schema contains information about authentication activities made through your on-premises Active Directory captured by Microsoft Defender for Identity and authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
|
Column name |
Data type |
Description |
|
Timestamp |
datetime |
Date and time when the event was recorded |
|
ActionType |
string |
Type of activity that triggered the event. See the in-portal schema reference for details |
|
Application |
string |
Application that performed the recorded action |
|
LogonType |
string |
Type of logon session, specifically:
|
|
Protocol |
string |
Network protocol used |
|
FailureReason |
string |
Information explaining why the recorded action failed |
|
AccountName |
string |
User name of the account |
|
AccountDomain |
string |
Domain of the account |
|
AccountUpn |
string |
User principal name (UPN) of the account |
|
AccountSid |
string |
Security Identifier (SID) of the account |
|
AccountObjectId |
string |
Unique identifier for the account in Azure AD |
|
AccountDisplayName |
string |
Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. |
|
DeviceName |
string |
Fully qualified domain name (FQDN) of the device |
|
DeviceType |
string |
Type of device |
|
OSPlatform |
string |
Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, etc. |
|
IPAddress |
string |
IP address assigned to the endpoint and used during related network communications |
|
Port |
string |
TCP port used during communication |
|
DestinationDeviceName |
string |
Name of the device running the server application that processed the recorded action |
|
DestinationIPAddress |
string |
IP address of the device running the server application that processed the recorded action |
|
DestinationPort |
string |
Destination port of related network communications |
|
TargetDeviceName |
string |
Fully qualified domain name (FQDN) of the device that the recorded action was applied to |
|
TargetAccountDisplayName |
string |
Display name of the account that the recorded action was applied to |
|
Location |
string |
City, country, or other geographic location associated with the event |
|
Isp |
string |
Internet service provider (ISP) associated with the endpoint IP address |
|
ReportId |
long |
Unique identifier for the event |
|
AdditionalFields |
string |
Additional information about the entity or event |
The IdentityQueryEvents table in the advanced hunting schema contains information about queries performed against Active Directory objects, such as users, groups, devices, and domains.
|
Column name |
Data type |
Description |
|
Timestamp |
datetime |
Date and time when the event was recorded |
|
ActionType |
string |
Type of activity that triggered the event. See the in-portal schema reference for details |
|
Application |
string |
Application that performed the recorded action |
|
QueryType |
string |
Type of query, such as QueryGroup, QueryUser, or EnumerateUsers |
|
QueryTarget |
string |
Name of user, group, device, domain, or any other entity type being queried |
|
Query |
string |
String used to run the query |
|
Protocol |
string |
Protocol used during the communication |
|
AccountName |
string |
User name of the account |
|
AccountDomain |
string |
Domain of the account |
|
AccountUpn |
string |
User principal name (UPN) of the account |
|
AccountSid |
string |
Security Identifier (SID) of the account |
|
AccountObjectId |
string |
Unique identifier for the account in Azure AD |
|
AccountDisplayName |
string |
Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. |
|
DeviceName |
string |
Fully qualified domain name (FQDN) of the endpoint |
|
IPAddress |
string |
IP address assigned to the endpoint and used during related network communications |
|
Port |
string |
TCP port used during communication |
|
DestinationDeviceName |
string |
Name of the device running the server application that processed the recorded action |
|
DestinationIPAddress |
string |
IP address of the device running the server application that processed the recorded action |
|
DestinationPort |
string |
Destination port of related network communications |
|
TargetDeviceName |
string |
Fully qualified domain name (FQDN) of the device that the recorded action was applied to |
|
TargetAccountUpn |
string |
User principal name (UPN) of the account that the recorded action was applied to |
|
TargetAccountDisplayName |
string |
Display name of the account that the recorded action was applied to |
|
Location |
string |
City, country, or other geographic location associated with the event |
|
ReportId |
long |
Unique identifier for the event |
|
AdditionalFields |
string |
Additional information about the entity or event |
The IdentityDirectoryEvents table in the advanced hunting schema contains events involving an on-premises domain controller running Active Directory (AD). This table captures various identity-related events, like password changes, password expiration, and user principal name (UPN) changes. It also captures system events on the domain controller, like scheduling of tasks and PowerShell activity.
|
Column name |
Data type |
Description |
|
Timestamp |
datetime |
Date and time when the event was recorded |
|
ActionType |
string |
Type of activity that triggered the event. See the in-portal schema reference for details |
|
Application |
string |
Application that performed the recorded action |
|
TargetAccountUpn |
string |
User principal name (UPN) of the account that the recorded action was applied to |
|
TargetAccountDisplayName |
string |
Display name of the account that the recorded action was applied to |
|
TargetDeviceName |
string |
Fully qualified domain name (FQDN) of the device that the recorded action was applied to |
|
DestinationDeviceName |
string |
Name of the device running the server application that processed the recorded action |
|
DestinationIPAddress |
string |
IP address of the device running the server application that processed the recorded action |
|
DestinationPort |
string |
Destination port of the activity |
|
Protocol |
string |
Protocol used during the communication |
|
AccountName |
string |
User name of the account |
|
AccountDomain |
string |
Domain of the account |
|
AccountUpn |
string |
User principal name (UPN) of the account |
|
AccountSid |
string |
Security Identifier (SID) of the account |
|
AccountObjectId |
string |
Unique identifier for the account in Azure Active Directory |
|
AccountDisplayName |
string |
Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. |
|
DeviceName |
string |
Fully qualified domain name (FQDN) of the device |
|
IPAddress |
string |
IP address assigned to the device during communication |
|
Port |
string |
TCP port used during communication |
|
Location |
string |
City, country, or other geographic location associated with the event |
|
ISP |
string |
Internet service provider associated with the IP address |
|
ReportId |
long |
Unique identifier for the event |
|
AdditionalFields |
string |
Additional information about the entity or event |
The CloudAppEvents table in the advanced hunting schema contains information about activities in various cloud apps and services covered by Microsoft Defender for Cloud Apps.
|
Column name |
Data type |
Description |
|
Timestamp |
datetime |
Date and time when the event was recorded |
|
ActionType |
string |
Type of activity that triggered the event |
|
Application |
string |
Application that performed the recorded action |
|
ApplicationId |
string |
Unique identifier for the application |
|
AccountObjectId |
string |
Unique identifier for the account in Azure Active Directory |
|
AccountId |
string |
An identifier for the account as found by Microsoft Defender for Cloud Apps. Can be Azure Active Directory ID, user principal name, or other identifiers. |
|
AccountDisplayName |
string |
Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. |
|
IsAdminOperation |
string |
Indicates whether the activity was performed by an administrator |
|
DeviceType |
string |
Type of device based on purpose and functionality, such as "Network device", "Workstation", "Server", "Mobile", "Gaming console", or "Printer" |
|
OSPlatform |
string |
Platform of the operating system running on the device. This column indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, etc. |
|
IPAddress |
string |
IP address assigned to the endpoint and used during related network communications |
|
IsAnonymousProxy |
string |
Indicates whether the IP address belongs to a known anonymous proxy |
|
CountryCode |
string |
Two-letter code indicating the country where the client IP address is geolocated |
|
City |
string |
City where the client IP address is geolocated |
|
Isp |
string |
Internet service provider (ISP) associated with the IP address |
|
UserAgent |
string |
User agent information from the web browser or other client application |
|
ActivityType |
string |
Type of activity that triggered the event |
|
ActivityObjects |
dynamic |
List of objects, such as files or folders, that were involved in the recorded activity |
|
ObjectName |
string |
Name of the object that the recorded action was applied to |
|
ObjectType |
string |
Type of object, such as a file or a folder, that the recorded action was applied to |
|
ObjectId |
string |
Unique identifier of the object that the recorded action was applied to |
|
ReportId |
string |
Unique identifier for the event |
|
RawEventData |
string |
Raw event information from the source application or service in JSON format |
|
AdditionalFields |
dynamic |
Additional information about the entity or event |
|
AccountType |
string |
Type of user account, indicating its general role and access levels, such as Regular, System, Admin, DcAdmin, System, Application |
|
IsExternalUser |
boolean |
Indicates whether a user inside the network doesn't belong to the organization's domain |
|
IsImpersonated |
boolean |
Indicates whether the activity was performed by one user for another (impersonated) user |
|
IPTags |
dynamic |
Customer-defined information applied to specific IP addresses and IP address ranges |
|
IPCategory |
string |
Additional information about the IP address |
|
UserAgentTags |
dynamic |
More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Possible values: Native client, Outdated browser, Outdated operating system, Robot |
We would love to hear your feedback about these additions to Microsoft 365 Defender Streaming API: how you're making use of them, what scenarios they enable, and anything else you would like to share by emailing m365dapis@microsoft.com.
Microsoft 365 Defender API team
Microsoft
