MDI Dormant Accounts

# Defender for Identity - Dormant Account Details

## Query Information

### Description

Use the queries below to retrieve detailed information about ***Dormant Accounts*** identified by their SIDs, and to track when those accounts are disabled or removed from groups.

#### References

### Author

- **Alex Verboon**

## Defender XDR

```kql
// Latest known directory attributes for each account in the SID list
let sid_list = dynamic(['S-1-5-21-2026063863-2462317154-4127401698-00001', 'S-1-5-21-3621612571-1889916199-1199630630-00002', 'S-1-5-21-4055507806-322200393-1713978839-0002']);
IdentityInfo
| where TimeGenerated > ago(21d)
| where OnPremSid in~ (sid_list)
| summarize arg_max(TimeGenerated, *) by OnPremSid
| project AccountDisplayName, AccountName, AccountDomain, OnPremSid, OnPremObjectId, CompanyName, Department, Country, AccountUpn, DistinguishedName, IsAccountEnabled, Manager
```

Track account disablement activities

```kql
let sid_list = dynamic(['S-1-5-21-2026063863-2462317154-4127401698-00001', 'S-1-5-21-3621612571-1889916199-1199630630-00002', 'S-1-5-21-4055507806-322200393-1713978839-0002']);
IdentityDirectoryEvents
| where ActionType == "Account disabled"
| extend TargetAccountSid = tostring(AdditionalFields.TargetAccountSid)
| extend Initiator = AccountName
| project TimeGenerated, TargetAccountUpn, TargetAccountSid, Initiator
| where TargetAccountSid in(sid_list)
```

See group membership changes (removals) for the listed accounts

```kql
// sid_list must be declared in this query too; each KQL query runs on its own
let sid_list = dynamic(['S-1-5-21-2026063863-2462317154-4127401698-00001', 'S-1-5-21-3621612571-1889916199-1199630630-00002', 'S-1-5-21-4055507806-322200393-1713978839-0002']);
IdentityDirectoryEvents
| where ActionType == "Group Membership changed"
| extend MembershipChangeAction = tostring(AdditionalFields.MembershipChange)
| where MembershipChangeAction == "removed"
| extend TargetAccountSid = tostring(AdditionalFields.TargetAccountSid)
| extend Initiator = AccountName
| extend GroupName = tostring(AdditionalFields.["FROM.GROUP"])
| project TimeGenerated, TargetAccountUpn, TargetAccountSid, Initiator, GroupName
| where TargetAccountSid in(sid_list)
```

Explanation

These KQL queries gather information about dormant accounts and track certain activities related to them within Microsoft Defender for Identity. Here is a breakdown of what each query does:

1. Retrieve dormant account details:
   - The query starts by defining a list of specific Security Identifiers (SIDs) for the accounts of interest.
   - It then searches the IdentityInfo table for records matching these SIDs that were generated in the last 21 days.
   - It keeps only the latest record per SID (`arg_max`) and selects account details such as display name, account name, domain, and other attributes.
2. Track account disablement activities:
   - This query looks in the IdentityDirectoryEvents table for events where accounts have been disabled.
   - It extracts the SID of the target account from `AdditionalFields` and records the account that initiated the action.
   - It filters the results to only include events for the specified SIDs.
3. Monitor group membership changes:
   - The final query checks for group membership changes, specifically instances where an account has been removed from a group.
   - It extracts the membership change type, the target account SID, the initiator of the change, and the group name.
   - Again, it filters the results to focus on the specified SIDs.

Overall, these queries help in monitoring dormant accounts by providing details about them, tracking when they are disabled, and observing any changes in their group memberships.
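The three lookups above answer separate questions and each has to be run by hand. The following added example (not part of the original page or the author's query set) correlates them into a single per-account status row: the latest IdentityInfo record, the most recent "Account disabled" event if there is one, and the groups the account was removed from in the lookback window. It uses only the tables and columns already shown on this page; the assumption is that `IdentityInfo.OnPremSid` and the `TargetAccountSid` extracted from `AdditionalFields` hold the same SID string and can therefore be joined.

```kql
// Added example: one query correlating account details, disablement and group removals.
// Assumes OnPremSid (IdentityInfo) and AdditionalFields.TargetAccountSid (IdentityDirectoryEvents)
// carry the same SID format so they can be used as join keys.
let lookback = 21d;
let sid_list = dynamic(['S-1-5-21-2026063863-2462317154-4127401698-00001', 'S-1-5-21-3621612571-1889916199-1199630630-00002', 'S-1-5-21-4055507806-322200393-1713978839-0002']);
// Latest directory attributes per SID
let Accounts = IdentityInfo
    | where TimeGenerated > ago(lookback)
    | where OnPremSid in~ (sid_list)
    | summarize arg_max(TimeGenerated, *) by OnPremSid
    | project OnPremSid, AccountUpn, AccountDisplayName, IsAccountEnabled, Department, Manager;
// Most recent disablement per SID, with the initiating account
let Disabled = IdentityDirectoryEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType == "Account disabled"
    | extend TargetAccountSid = tostring(AdditionalFields.TargetAccountSid)
    | where TargetAccountSid in (sid_list)
    | summarize arg_max(TimeGenerated, AccountName) by TargetAccountSid
    | project TargetAccountSid, DisabledAt = TimeGenerated, DisabledBy = AccountName;
// Count and list of group removals per SID
let Removals = IdentityDirectoryEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType == "Group Membership changed"
    | where tostring(AdditionalFields.MembershipChange) == "removed"
    | extend TargetAccountSid = tostring(AdditionalFields.TargetAccountSid)
    | where TargetAccountSid in (sid_list)
    | extend GroupName = tostring(AdditionalFields.["FROM.GROUP"])
    | summarize GroupRemovals = count(), GroupsRemovedFrom = make_set(GroupName) by TargetAccountSid;
Accounts
| join kind=leftouter Disabled on $left.OnPremSid == $right.TargetAccountSid
| join kind=leftouter Removals on $left.OnPremSid == $right.TargetAccountSid
// Status is derived from the joined data: a disablement event in the window wins,
// otherwise fall back to the IsAccountEnabled flag from the latest IdentityInfo record
| extend Status = case(isnotempty(DisabledAt), "disabled in window",
                       tobool(IsAccountEnabled) == false, "disabled before window",
                       "still enabled")
| project OnPremSid, AccountUpn, AccountDisplayName, Status, IsAccountEnabled, DisabledAt, DisabledBy,
          GroupRemovals = coalesce(GroupRemovals, 0), GroupsRemovedFrom
| order by Status asc, AccountUpn asc
```

Accounts that are still enabled and have no removal events surface at the top of the result, which is the set a reviewer of dormant accounts most needs to act on; rows with a `DisabledAt` value document who performed the cleanup and when.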

Details


Alex Verboon

Released: August 22, 2025

Tables

- IdentityInfo
- IdentityDirectoryEvents

Keywords

- Dormant Accounts
- Identity Information
- Account Disablement Activities
- Group Membership Changes

Operators

- let, dynamic, where, in~, ago, summarize, arg_max, by, project, extend, tostring, ==, in
