Defender XDR Only: This table is available in Microsoft Defender XDR advanced hunting but is not available in the Azure Monitor Log Analytics table reference.
Account information from various sources, including Microsoft Entra ID
| Attribute | Value |
|---|---|
| Category | Internal |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| AccountDisplayName | string | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |
| AccountDomain* | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountObjectId | string | Unique identifier for the account in Microsoft Entra ID |
| AccountUpn | string | User principal name (UPN) of the account |
| Address | string | Address of the account user |
| AssignedRoles* | dynamic | For Microsoft Entra-only identities, the roles assigned to the account user |
| BlastRadius** | string | A calculation based on the position of the user in the org tree and the user's Microsoft Entra roles and permissions; possible values: Low, Medium, High |
| ChangeSource* | string | Identifies which identity provider or process triggered the addition of the new row. For example, the System-UserPersistence value is used for any rows added by an automated process. |
| City | string | City where the account user is located |
| CloudSid | string | Cloud security identifier of the account |
| CompanyName** | string | Name of the company for which the user works |
| Country | string | Country/Region where the account user is located |
| CreatedDateTime* | datetime | Date and time when the account user was created |
| CriticalityLevel | int | The criticality score of the account |
| DeletedDateTime** | datetime | Date and time when the user account was deleted |
| Department | string | Name of the department that the account user belongs to |
| DistinguishedName* | string | The user's distinguished name |
| EmailAddress | string | SMTP address of the account |
| EmployeeId** | string | Employee identifier assigned to the user by the organization |
| GivenName | string | Given name or first name of the account user |
| GroupMembership** | dynamic | Microsoft Entra ID groups where the user account is a member |
| IdentityEnvironment | string | Environment where the identity is used; possible values: CloudOnly, Hybrid, On-premises |
| IsAccountEnabled | boolean | Indicates whether the account is enabled or not |
| JobTitle | string | Job title of the account user |
| Manager* | string | The listed manager of the account user |
| OnPremObjectId | string | Active Directory object ID of the user |
| OnPremSid | string | On-premises security identifier (SID) of the account |
| OtherMailAddresses** | dynamic | Additional email addresses of the user account |
| Phone* | string | The listed phone number of the account user |
| PrivilegedEntraPimRoles(Preview)*** | dynamic | A snapshot of privileged role assignment schedules and eligibility schedules for the account as maintained by Microsoft Entra Privileged Identity Management (excluding activated assignments) |
| ReportId* | string | Unique identifier for the event |
| RiskLevel | string | Microsoft Entra ID risk level of the user account; possible values: Low, Medium, High |
| RiskLevelDetails | string | Details regarding the Microsoft Entra ID risk level |
| RiskStatus | string | Status of the user's risk; possible values: None, ConfirmedSafe, Remediated, Dismissed, AtRisk, ConfirmedCompromised, UnknownFutureValue |
| SipProxyAddress | string | Voice over IP (VOIP) session initiation protocol (SIP) address of the account |
| SourceProviders | dynamic | Source providers of the accounts for the identity; possible values: ActiveDirectory, EntraID, Okta |
| SourceSystem* | string | The source system for the record |
| State** | string | State where the sign-in occurred, if available |
| Surname | string | Surname, family name, or last name of the account user |
| Tags* | dynamic | Tags assigned to the account user by Defender for Identity |
| TenantId | string | Unique identifier representing your organization's instance of Microsoft Entra ID |
| TenantMembershipType | string | User type in Microsoft Entra ID; possible values: Guest, Member |
| Timestamp* | datetime | The date and time that the line was written to the database. This is used when there are multiple lines for each identity, such as when a change is detected, or if 24 hours have passed since the last database line was added. |
| Type* | string | Type of identity; possible values: User, ServiceAccount |
| UserAccountControl | string | Security attributes of the user account in the Active Directory domain |
This table is used by the following solutions:
In solution Azure Activity:
| Analytic Rule | Selection Criteria |
|---|---|
| Suspicious granting of permissions to an account | |
In solution Business Email Compromise - Financial Fraud:
| Analytic Rule | Selection Criteria |
|---|---|
| Authentication Method Changed for Privileged Account | |
| Privileged Account Permissions Changed | |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| Local Admin Group Changes | |
In solution Microsoft Entra ID:
In solution Microsoft Entra ID Protection:
| Analytic Rule | Selection Criteria |
|---|---|
| Correlate Unfamiliar sign-in properties & atypical travel alerts | |
In solution Multi Cloud Attack Coverage Essentials - Resource Abuse:
| Analytic Rule | Selection Criteria |
|---|---|
| Successful AWS Console Login from IP Address Observed Conducting Password Spray | |
| Suspicious AWS console logins by credential access alerts | |
Standalone Content:
GitHub Only:
| Analytic Rule | Selection Criteria |
|---|---|
| Suspicious VM Instance Creation Activity Detected | |
In solution Business Email Compromise - Financial Fraud:
In solution Cloud Identity Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Detect Disabled Account Sign-in Attempts by Account Name | |
| Sign-ins From VPS Providers | |
| Sign-ins from Nord VPN Providers | |
| Suspicious Sign-ins to Privileged Account | |
In solution Microsoft Business Applications:
| Hunting Query | Selection Criteria |
|---|---|
| Dataverse - Identity management activity outside of privileged directory role membership | |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Local Admin Group Changes | |
In solution UEBA Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Anomalous connection from highly privileged user | |
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| Login attempt by Blocked MFA user | |
GitHub Only:
In solution AzureSecurityBenchmark:
| Workbook | Selection Criteria |
|---|---|
| AzureSecurityBenchmark | |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution CybersecurityMaturityModelCertification(CMMC)2.0:
| Workbook | Selection Criteria |
|---|---|
| CybersecurityMaturityModelCertification_CMMCV2 | |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution MicrosoftPurviewInsiderRiskManagement:
| Workbook | Selection Criteria |
|---|---|
| InsiderRiskManagement | |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| InvestigationInsights | |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| DoDZeroTrustWorkbook | |
| InvestigationInsights | |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| User_Analytics_Workbook | |
| WorkspaceUsage | |
| ZeroTrustStrategyWorkbook | |