SOLVED

query defender for identity logs


Hi - how can I query, using either Sentinel or KQL, the data within Defender for Identity? I want to do some analysis on our service accounts and the data will help with this. Thanks.

4 Replies
best response confirmed by Sanjit Hayer (Occasional Contributor)
Solution

@Sanjit Hayer You can use the Advanced Hunting feature from the Microsoft 365 Security Portal - https://security.microsoft.com/advanced-hunting

You'll find tables for IdentityInfo, IdentityLogonEvents, IdentityQueryEvents and IdentityDirectoryEvents.

These tables can be used to create relevant KQL queries.
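
As an added example (not part of the original thread), this Advanced Hunting query profiles service account logon activity from IdentityLogonEvents: volume, failures, source and destination spread, and the protocols and logon types seen per account. It assumes service accounts share an `svc` name prefix, which is a hypothetical convention; change the filter to match how your accounts are named.

```kql
// Added example: per-account logon profile for service accounts.
// Assumption: service accounts are named with an "svc" prefix (hypothetical).
let lookback = 30d;
let svcPrefix = "svc";
IdentityLogonEvents
| where Timestamp > ago(lookback)
| where AccountName startswith svcPrefix
| summarize
    Logons        = count(),
    Failures      = countif(ActionType == "LogonFailed"),
    SourceDevices = dcount(DeviceName),
    Destinations  = dcount(DestinationDeviceName),
    Protocols     = make_set(Protocol, 10),
    LogonTypes    = make_set(LogonType, 10),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp)
    by AccountName, AccountDomain
// Failure rate as a percentage, to surface accounts with stale or guessed credentials
| extend FailurePct = round(100.0 * Failures / Logons, 1)
// Accounts used from many sources first: a service account normally runs from few hosts
| order by SourceDevices desc, FailurePct desc
```

Accounts with an unexpectedly wide set of source devices, a logon type that does not fit a service workload, or a high failure percentage are the ones worth reviewing first.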

Is this table also available via the API?