Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
13,264 questions
How to get User SID and UPN from Defender Alert's Device Evidence
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 12%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEZ%3C/text%3E%3C/svg%3E)
Ernar Zhanadil
20
Reputation points
I need to get User SID and UserPrincipalName from Alert's Device Evidence. Device Evidence contains loggedOnUsers that consists of accountName and domainName based on info here: https://learn.microsoft.com/en-us/graph/api/resources/security-loggedonuser?view=graph-rest-1.0.
How can I enrich loggedOnUsers information with User SID and UserPrincipalName using Graph Security hunting query?
Sign in to answer