IdentityInfo



Defender XDR Only: This table is available in Microsoft Defender XDR advanced hunting but is not available in the Azure Monitor Log Analytics table reference.

Account information from various sources, including Microsoft Entra ID

Attribute Value
Category Internal
Supports Transformations ✓ Yes (source)
Ingestion API Supported ✗ No
Defender XDR Advanced Hunting Schema View Documentation

Solutions (17)

This table is used by the following solutions:


Content Items Using This Table (34)

Analytic Rules (12)

In solution Azure Activity:

Analytic Rule Selection Criteria
Suspicious granting of permissions to an account

In solution Business Email Compromise - Financial Fraud:

Analytic Rule Selection Criteria
Authentication Method Changed for Privileged Account
Privileged Account Permissions Changed

In solution Microsoft Defender XDR:

Analytic Rule Selection Criteria
Local Admin Group Changes

In solution Microsoft Entra ID:

Analytic Rule Selection Criteria
Authentication Methods Changed for Privileged Account
MFA Rejected by User
Privileged Accounts - Sign in Failure Spikes
Successful logon from IP and failure from a different IP
User Accounts - Sign in Failure due to CA Spikes

In solution Microsoft Entra ID Protection:

Analytic Rule Selection Criteria
Correlate Unfamiliar sign-in properties & atypical travel alerts

In solution Multi Cloud Attack Coverage Essentials - Resource Abuse:

Analytic Rule Selection Criteria
Successful AWS Console Login from IP Address Observed Conducting Password Spray
Suspicious AWS console logins by credential access alerts

Hunting Queries (14)

In solution Business Email Compromise - Financial Fraud:

Hunting Query Selection Criteria
Login attempts using Legacy Auth
Microsoft Entra ID signins from new locations
Risky Sign-in with new MFA method
Successful Signin From Non-Compliant Device
User Accounts - Unusual authentications occurring when countries do not conduct normal business operations.
User Login IP Address Teleportation

In solution Cloud Identity Threat Protection Essentials:

Hunting Query Selection Criteria
Detect Disabled Account Sign-in Attempts by Account Name
Sign-ins From VPS Providers
Sign-ins from Nord VPN Providers
Suspicious Sign-ins to Privileged Account

In solution Microsoft Business Applications:

Hunting Query Selection Criteria
Dataverse - Identity management activity outside of privileged directory role membership

In solution Microsoft Defender XDR:

Hunting Query Selection Criteria
Local Admin Group Changes

In solution UEBA Essentials:

Hunting Query Selection Criteria
Anomalous connection from highly privileged user

GitHub Only:

Hunting Query Selection Criteria
User not covered under display name impersonation

Workbooks (8)

In solution AzureSecurityBenchmark:

Workbook Selection Criteria
AzureSecurityBenchmark

In solution ContinuousDiagnostics&Mitigation:

Workbook Selection Criteria
ContinuousDiagnostics&Mitigation

In solution CybersecurityMaturityModelCertification(CMMC)2.0:

Workbook Selection Criteria
CybersecurityMaturityModelCertification_CMMCV2

In solution MaturityModelForEventLogManagementM2131:

Workbook Selection Criteria
MaturityModelForEventLogManagement_M2131

In solution MicrosoftPurviewInsiderRiskManagement:

Workbook Selection Criteria
InsiderRiskManagement

In solution NISTSP80053:

Workbook Selection Criteria
NISTSP80053

In solution SOC Handbook:

Workbook Selection Criteria
InvestigationInsights

In solution ZeroTrust(TIC3.0):

Workbook Selection Criteria
ZeroTrustTIC3
