Redaguoti

Bendrinti naudojant


IdentityInfo

The IdentityInfo table in the advanced hunting schema contains information about user accounts obtained from various services, including Microsoft Entra ID. Use this reference to construct queries that return information from this table.

This table was renamed from AccountInfo. During renames, all queries saved in the portal are automatically updated. Check queries you have saved elsewhere.

Microsoft Sentinel uses a slightly expanded version of this table in Log Analytics. For more information, see Microsoft Sentinel UEBA reference | IdentityInfo table

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name Data type Description
Timestamp * datetime The date and time that the line was written to the database.

This is used when there are multiple lines for each identity, such as when a change is detected, or if 24 hours have passed since the last database line was added.
ReportId * string Unique identifier for the event
AccountObjectId string Unique identifier for the account in Microsoft Entra ID
AccountUpn string User principal name (UPN) of the account
OnPremSid string On-premises security identifier (SID) of the account
AccountDisplayName string Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname.
AccountName string User name of the account
AccountDomain * string Domain of the account
Type * string Type of record
DistinguishedName * string The user's distinguished name
CloudSid string Cloud security identifier of the account
GivenName string Given name or first name of the account user
Surname string Surname, family name, or last name of the account user
Department string Name of the department that the account user belongs to
JobTitle string Job title of the account user
EmailAddress string SMTP address of the account
SipProxyAddress string Voice over IP (VOIP) session initiation protocol (SIP) address of the account
Address string Address of the account user
City string City where the account user is located
Country string Country/Region where the account user is located
IsAccountEnabled boolean Indicates whether the account is enabled or not
Manager * string The listed manager of the account user
Phone * string The listed phone number of the account user
CreatedDateTime * datetime Date and time when the account user was created
SourceProvider * string The identity's source, such as Microsoft Entra ID, Active Directory, or a hybrid identity synchronized from Active Directory to Azure Active Directory
ChangeSource * string Identifies which identity provider or process triggered the addition of the new row. For example, the System-UserPersistence value is used for any rows added by an automated process.
Tags * dynamic Tags assigned to the account user by Defender for Identity
AssignedRoles * dynamic For identities from Microsoft Entra-only, the roles assigned to the account user
TenantId string Unique identifier representing your organization's instance of Microsoft Entra ID
SourceSystem * string The source system for the record

* Available only for tenants with Microsoft Defender for Identity, Microsoft Defender for Cloud Apps or Microsoft Defender for Endpoint P2 licensing.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.