New Blog Post | Using Microsoft Defender for Identity Data to Make Powerful Advanced Hunting Queries

Using Microsoft Defender for Identity Data to Make Powerful Advanced Hunting Queries - Microsoft Tec...

Every effective threat-hunting-style investigation starts with understanding which users we are protecting, and this is what we are presented with using the IdentityInfo table. Although this data set is not exclusive to Defender for Identity, it does provide comprehensive details for the accounts being utilized in the environment. Using information made available from this data set, you can easily correlate different account attributes such as cloud / on-premises SID, UPN, and object ID.

0 Replies
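
The correlation described above, as an added advanced hunting query that is not taken from the post or the linked blog: it resolves the on-premises SIDs seen in failed logons to UPN, object ID and cloud SID through IdentityInfo. It assumes the tenant also populates the IdentityLogonEvents table; the 14-day and 1-day windows are arbitrary choices.

```kusto
// Added example. IdentityInfo holds repeated snapshots per account,
// so keep only the most recent record for each on-premises SID.
let Accounts = IdentityInfo
    | where Timestamp > ago(14d)              // assumed lookback window
    | where isnotempty(OnPremSid)
    | summarize arg_max(Timestamp, *) by OnPremSid
    | project OnPremSid, CloudSid, AccountObjectId, AccountUpn,
              AccountDisplayName, Department;
// Failed logons, grouped by the SID recorded on the event.
IdentityLogonEvents
| where Timestamp > ago(1d)                   // assumed hunting window
| where ActionType == "LogonFailed"
| where isnotempty(AccountSid)
| summarize FailedLogons = count(),
            Devices      = dcount(DeviceName),
            LastSeen     = max(Timestamp)
          by AccountSid
// leftouter keeps SIDs that have no IdentityInfo record; those rows
// come back with empty UPN and object ID and deserve a closer look.
| join kind=leftouter Accounts on $left.AccountSid == $right.OnPremSid
| project LastSeen, AccountSid, AccountUpn, AccountObjectId, CloudSid,
          AccountDisplayName, Department, FailedLogons, Devices
| order by FailedLogons desc
```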