Query Details
# MDI - Identify Service Account OU

## Query Information

### Description

This KQL query is designed to identify accounts in Microsoft Defender for Identity whose Organizational Unit (OU) in Active Directory contains the word "service". It extracts the OU from the DistinguishedName field and filters for accounts where the OU name includes "service", helping to pinpoint service accounts within the directory.

#### References

- [Discover and protect Service Accounts with Microsoft Defender for Identity](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/discover-and-protect-service-accounts-with-microsoft-defender-for-identity/4395347)
- [Investigate and protect Service Accounts](https://learn.microsoft.com/en-us/defender-for-identity/service-account-discovery)

### Author

- **Alex Verboon**

## Defender XDR

```kql
// Optional leading "CN=<name>," RDN in group 1; everything after it (the container path) in group 2
let OUPattern = @"^(CN=[^,]+,)?(.+)$";
IdentityInfo
| project AccountName, AccountDisplayName, DistinguishedName
// extract() returns capture group 2, i.e. the OU/DC path without the account's own CN
| extend OU = extract(OUPattern, 2, DistinguishedName)
// project-rename requires NewName = OldName; the raw DN is no longer needed, so drop it
| project-away DistinguishedName
// contains is case-insensitive, so "Service Accounts" and "service" both match
| where OU contains "service"
| distinct OU
```
This KQL query is designed to find service accounts in Microsoft Defender for Identity by looking at their Organizational Unit (OU) in Active Directory. Here's a simple breakdown of what the query does:

- **Pattern Definition:** It defines a pattern to extract the OU from the DistinguishedName field of each account.
- **Data Selection:** It selects the AccountName, AccountDisplayName, and DistinguishedName from the IdentityInfo table.
- **OU Extraction:** It uses the defined pattern to extract the OU part from the DistinguishedName.
- **Filtering:** It filters the results to only include those OUs that contain the word "service".
- **Distinct OUs:** Finally, it lists distinct OUs that match the criteria, effectively identifying potential service accounts.

This query helps in identifying and managing service accounts by focusing on their organizational placement within Active Directory.
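The OU extraction above hinges on the regex treating the first comma as the end of the CN RDN. LDAP distinguished names may escape commas inside a value (e.g. `CN=Backup\, Service,...`), and in that case the pattern cuts the DN in the wrong place. The following Python is an added example, not part of the original query page: it reproduces the query's `extract` logic offline, adds an RDN splitter that honours backslash escapes, and runs both over a few constructed rows standing in for `IdentityInfo`.

```python
import re

# Same pattern as the KQL query: optional leading CN RDN (group 1), remaining container path (group 2)
OU_PATTERN = re.compile(r"^(CN=[^,]+,)?(.+)$")

def ou_by_regex(dn: str) -> str:
    """Mimic extract(OUPattern, 2, DistinguishedName) from the KQL query."""
    m = OU_PATTERN.match(dn)
    return m.group(2) if m else ""

def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas only; a backslash escapes the next character (RFC 4514)."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def ou_by_parser(dn: str) -> str:
    """Drop the leading CN RDN (if any) and return the remaining OU/DC path."""
    rdns = split_rdns(dn)
    if rdns and rdns[0].upper().startswith("CN="):
        rdns = rdns[1:]
    return ",".join(rdns)

def service_account_ous(rows, extractor=ou_by_parser):
    """Distinct OUs containing 'service' (case-insensitive), like `where OU contains ... | distinct OU`."""
    return sorted({extractor(r["DistinguishedName"]) for r in rows
                   if "service" in extractor(r["DistinguishedName"]).lower()})

# Constructed sample rows standing in for the IdentityInfo table (not real directory data)
SAMPLE_ROWS = [
    {"AccountName": "svc-sql", "DistinguishedName": "CN=svc-sql,OU=Service Accounts,DC=contoso,DC=com"},
    {"AccountName": "svc-bak", "DistinguishedName": "CN=Backup\\, Service,OU=Service Accounts,DC=contoso,DC=com"},
    {"AccountName": "jdoe",    "DistinguishedName": "CN=jdoe,OU=Users,DC=contoso,DC=com"},
]

if __name__ == "__main__":
    print("regex :", service_account_ous(SAMPLE_ROWS, ou_by_regex))   # two "OUs", one of them bogus
    print("parser:", service_account_ous(SAMPLE_ROWS, ou_by_parser))  # one real OU
```

With the escaped-comma DN the regex path yields a spurious extra OU value (` Service,OU=Service Accounts,...`), which is worth keeping in mind when reviewing the `distinct OU` output in the portal.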

Alex Verboon
Released: August 22, 2025