Query Details

MDI Sensitive Identity Logins

Query

# Defender for Identity - Sensitive Identity Logins

## Query Information

### Description

The query below detects Defender for Identity logons that involve a sensitive user account (an identity tagged "Sensitive" in IdentityInfo).

#### References

- [Leveraging the convergence of Microsoft Defender for Identity in Microsoft 365 Defender Portal](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/leveraging-the-convergence-of-microsoft-defender-for-identity-in/ba-p/3856321)

### Microsoft 365 Defender

```kql
//Detect all sensitive logins
IdentityLogonEvents
| where Application == "Active Directory" //Logins detected by Defender for Identity
| where LogonType == "Interactive" //Interactive login type
| join kind=inner (
    IdentityInfo
    | where Tags contains "Sensitive" //Only Sensitive identities
) on $left.AccountSid == $right.OnPremSid
//count() takes no argument in KQL; AccountDisplayName1 is the IdentityInfo display name after the join
| summarize SensitiveLogins = count() by AccountDisplayName1, DeviceName
```

Explanation

This query detects logons in Microsoft Defender for Identity that involve a sensitive user account. It selects interactive logons reported for the "Active Directory" application and joins them, on the account SID (AccountSid to OnPremSid), with IdentityInfo rows tagged "Sensitive". The results are then summarized as a logon count per account display name and device name.
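As an added example that is not part of the original page or the author's query, the same SID join can be extended to surface only sensitive accounts logging on interactively to a device they were not seen on during a baseline period. Column names follow the Microsoft 365 Defender advanced hunting schema used above; the 30-day baseline and 1-day detection window are assumptions, and the `arg_max` step handles the case where IdentityInfo holds more than one row per account.

```kql
// Added example: sensitive accounts appearing on a device not seen in the baseline.
// Assumed parameters (not from the original page): 30-day baseline, 1-day detection window.
let lookback = 30d;
let window = 1d;
// IdentityInfo can carry several rows per account; keep only the latest per SID
// so the join does not multiply logon rows.
let SensitiveSids =
    IdentityInfo
    | where Tags has "Sensitive"
    | where isnotempty(OnPremSid)
    | summarize arg_max(Timestamp, AccountDisplayName) by OnPremSid
    | project OnPremSid, SensitiveAccount = AccountDisplayName;
// Same selection as the page's query (Defender for Identity, interactive logons),
// restricted to the baseline plus detection window and joined on the account SID.
let SensitiveLogons =
    IdentityLogonEvents
    | where Timestamp > ago(lookback + window)
    | where Application == "Active Directory"
    | where LogonType == "Interactive"
    | where isnotempty(DeviceName)
    | join kind=inner SensitiveSids on $left.AccountSid == $right.OnPremSid;
// Devices each sensitive account was seen on during the baseline period.
let Baseline =
    SensitiveLogons
    | where Timestamp <= ago(window)
    | distinct OnPremSid, DeviceName;
// Logons in the detection window whose account/device pair is absent from the baseline.
SensitiveLogons
| where Timestamp > ago(window)
| join kind=leftanti Baseline on OnPremSid, DeviceName
| summarize FirstSeen = min(Timestamp), LogonCount = count() by SensitiveAccount, OnPremSid, DeviceName
| order by FirstSeen desc
```

A pair that has never appeared in the baseline is not necessarily malicious (new hardware, a newly onboarded administrator), so this is a triage list rather than an alert on its own.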

Details

Alex Verboon

Released: October 5, 2023

Tables

IdentityLogonEvents, IdentityInfo

Keywords

IdentityLogonEvents,Application,ActiveDirectory,LogonType,Interactive,IdentityInfo,Tags,Sensitive,AccountSid,OnPremSid,AccountDisplayName1,DeviceName

Operators

where, ==, |, join kind=inner, on, $left., $right., contains, summarize, count, by
