IdentityQueryEvents
Note
Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.
Applies to:
- Microsoft Defender XDR
The IdentityQueryEvents table in the advanced hunting schema contains information about queries performed against Active Directory objects, such as users, groups, devices, and domains. Use this reference to construct queries that return information from this table.
Tip
For detailed information about the events types (ActionType values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Date and time when the event was recorded |
ActionType |
string |
Type of activity that triggered the event. See the in-portal schema reference for details |
Application |
string |
Application that performed the recorded action |
QueryType |
string |
Type of query, such as QueryGroup, QueryUser, or EnumerateUsers |
QueryTarget |
string |
Name of user, group, device, domain, or any other entity type being queried |
Query |
string |
String used to run the query |
Protocol |
string |
Protocol used during the communication |
AccountName |
string |
User name of the account |
AccountDomain |
string |
Domain of the account |
AccountUpn |
string |
User principal name (UPN) of the account |
AccountSid |
string |
Security Identifier (SID) of the account |
AccountObjectId |
string |
Unique identifier for the account in Microsoft Entra ID |
AccountDisplayName |
string |
Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. |
DeviceName |
string |
Fully qualified domain name (FQDN) of the endpoint |
IPAddress |
string |
IP address assigned to the endpoint and used during related network communications |
Port |
string |
TCP port used during communication |
DestinationDeviceName |
string |
Name of the device running the server application that processed the recorded action |
DestinationIPAddress |
string |
IP address of the device running the server application that processed the recorded action |
DestinationPort |
string |
Destination port of related network communications |
TargetDeviceName |
string |
Fully qualified domain name (FQDN) of the device that the recorded action was applied to |
TargetAccountUpn |
string |
User principal name (UPN) of the account that the recorded action was applied to |
TargetAccountDisplayName |
string |
Display name of the account that the recorded action was applied to |
Location |
string |
City, country/region, or other geographic location associated with the event |
ReportId |
long |
Unique identifier for the event |
AdditionalFields |
string |
Additional information about the entity or event |
Related topics
- Advanced hunting overview
- Learn the query language
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Feedback
Submit and view feedback for