Microsoft is unifying the Microsoft Defender for Identity (MDI) and Microsoft Sentinel IdentityInfo tables into a single table in Advanced Hunting. This update introduces new identity attributes from Sentinel UEBA and supports third-party Identity Providers (IDPs), requiring potential query adjustments.
Rollout Timeline
- Early May 2025: Rollout begins.
- Late May 2025: Expected global completion.
Key Changes
1. New Columns
- `OnPremObjectId`: Active Directory object ID (string).
- `TenantMembershipType`: User type in Microsoft Entra ID (Guest, Member).
- `RiskStatus`: User risk status (None, AtRisk, ConfirmedCompromised).
- `UserAccountControlSettings`: Security attributes of Active Directory accounts.
2. Breaking Changes for Third-Party IDPs
– `IdentityEnvironment` replaces `SourceProvider` (values: CloudOnly, Hybrid, On-premises).
– `SourceProviders` now lists identity sources dynamically (ActiveDirectory, EntraID, Okta).
Preparation Recommendations
- Update security workflows, queries, custom rules, and playbooks referencing `IdentityInfo`.
- Review Sentinel UEBA field mappings for compatibility.
Impact
- Enhanced identity threat detection with unified data.
- No admin action required—changes apply automatically.
You Should Know:
KQL Query Adjustments
Check existing Advanced Hunting queries for `IdentityInfo` dependencies:
```kql
// Old query (before update): SourceProvider was a single string column
IdentityInfo
| where SourceProvider == "ActiveDirectory"

// New query (after update): the environment and the list of providers are separate columns
IdentityInfo
| where IdentityEnvironment == "On-premises"
// SourceProviders is a dynamic array, so test membership rather than string equality
| extend SourceProviders = todynamic(SourceProviders)
| where set_has_element(SourceProviders, "ActiveDirectory")
```
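The following is an added example, not code from the original post or from Microsoft, showing a hunt written against the unified schema (the new `RiskStatus`, `IdentityEnvironment`, `SourceProviders`, `OnPremObjectId` and `TenantMembershipType` columns) and submitted through the Microsoft Graph `security/runHuntingQuery` endpoint from PowerShell. It assumes `$AccessToken` already holds a Graph bearer token with the `ThreatHunting.Read.All` permission, and that the column values follow the post (`IdentityEnvironment` is one of CloudOnly, Hybrid, On-premises).

```powershell
# Added example (not from the original post). Assumption: $AccessToken is a Graph
# bearer token with ThreatHunting.Read.All, obtained beforehand by whatever means
# your tenant uses (Connect-MgGraph, a managed identity, etc.).

# Hunt: hybrid identities that are currently flagged at risk and are synced from
# on-premises Active Directory. Written for the unified IdentityInfo schema.
$Query = @'
IdentityInfo
| where RiskStatus in ("AtRisk", "ConfirmedCompromised")
| where IdentityEnvironment == "Hybrid"
// SourceProviders is a dynamic array after the update, so use set membership
| where set_has_element(SourceProviders, "ActiveDirectory")
// keep only the latest snapshot per account
| summarize arg_max(Timestamp, *) by AccountObjectId
| project Timestamp, AccountUpn, OnPremObjectId, TenantMembershipType, RiskStatus, SourceProviders
'@

$Body = @{ Query = $Query } | ConvertTo-Json

$Response = Invoke-RestMethod -Method Post `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Headers @{ Authorization = "Bearer $AccessToken" } `
    -ContentType 'application/json' `
    -Body $Body

# runHuntingQuery returns a schema array and a results array; the results are the rows.
$Response.results | Format-Table Timestamp, AccountUpn, OnPremObjectId, TenantMembershipType, RiskStatus -AutoSize
```

The `summarize arg_max(Timestamp, *) by AccountObjectId` step matters because `IdentityInfo` is a snapshot table that can hold several rows per account; without it, an account whose status changed from AtRisk back to None would still show up on its older row.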
PowerShell for AD User Risk Status
Export Active Directory users with their `UserAccountControl` security attributes (the raw bitmask behind the new `UserAccountControlSettings` column):
```powershell
Get-ADUser -Filter * -Properties UserAccountControl |
    Select-Object Name, UserPrincipalName, UserAccountControl |
    Export-Csv -Path "AD_User_Risk_Status.csv" -NoTypeInformation
```
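The export above leaves `UserAccountControl` as an opaque integer. The following is an added example, not code from the original post, that decodes the bitmask into its documented flag names and highlights the combinations a reviewer of that CSV would want to see first (no password required, Kerberos pre-authentication disabled, DES-only keys, unconstrained delegation, non-expiring passwords on enabled accounts). It runs offline against constructed sample objects with hypothetical names; in production, pipe `Get-ADUser -Filter * -Properties UserAccountControl` into `ConvertFrom-UserAccountControl` instead.

```powershell
# Added example (not from the original post). The flag values are the documented
# userAccountControl attribute bits (a subset); the sample users below are constructed.

$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020
    NORMAL_ACCOUNT                 = 0x0200
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UserAccountControl {
    [CmdletBinding()]
    param(
        # Any object with Name, UserPrincipalName and UserAccountControl (Get-ADUser output works)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $uac = [int]$User.UserAccountControl

        # Collect the names of every flag bit that is set
        $set = foreach ($name in $UacFlags.Keys) {
            if (($uac -band $UacFlags[$name]) -ne 0) { $name }
        }

        # Combinations worth a second look during the review
        $findings = @()
        if ($set -contains 'PASSWD_NOTREQD')         { $findings += 'Password not required' }
        if ($set -contains 'DONT_REQ_PREAUTH')       { $findings += 'Kerberos pre-auth disabled' }
        if ($set -contains 'USE_DES_KEY_ONLY')       { $findings += 'DES-only Kerberos keys' }
        if ($set -contains 'TRUSTED_FOR_DELEGATION') { $findings += 'Unconstrained delegation' }
        if ($set -contains 'DONT_EXPIRE_PASSWORD' -and $set -notcontains 'ACCOUNTDISABLE') {
            $findings += 'Non-expiring password on enabled account'
        }

        [pscustomobject]@{
            Name               = $User.Name
            UserPrincipalName  = $User.UserPrincipalName
            UserAccountControl = $uac
            Enabled            = ($set -notcontains 'ACCOUNTDISABLE')
            Flags              = ($set -join ',')
            Findings           = ($findings -join '; ')
        }
    }
}

# Constructed sample input (hypothetical accounts, not from any real directory)
$SampleUsers = @(
    [pscustomobject]@{ Name = 'alice';      UserPrincipalName = 'alice@contoso.example';      UserAccountControl = 512 }      # NORMAL_ACCOUNT
    [pscustomobject]@{ Name = 'bob';        UserPrincipalName = 'bob@contoso.example';        UserAccountControl = 514 }      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    [pscustomobject]@{ Name = 'svc-legacy'; UserPrincipalName = 'svc-legacy@contoso.example'; UserAccountControl = 66080 }    # NORMAL | PASSWD_NOTREQD | DONT_EXPIRE_PASSWORD
    [pscustomobject]@{ Name = 'svc-asrep';  UserPrincipalName = 'svc-asrep@contoso.example';  UserAccountControl = 4194816 }  # NORMAL | DONT_REQ_PREAUTH
)

$SampleUsers | ConvertFrom-UserAccountControl | Format-Table Name, Enabled, Flags, Findings -AutoSize

# To produce the reviewed report instead of console output:
# Get-ADUser -Filter * -Properties UserAccountControl | ConvertFrom-UserAccountControl |
#     Export-Csv -Path "AD_User_Risk_Status.csv" -NoTypeInformation
```

Once the unified table is live, the `Findings` column from this report is the natural thing to cross-check against `UserAccountControlSettings` and `RiskStatus` in Advanced Hunting: an account that is both flagged here and `AtRisk` there should be at the top of the triage list.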
Azure Sentinel UEBA Integration
Verify UEBA data flow:
```kql
SecurityAlert
| where ProviderName == "UEBA"
| project TimeGenerated, AlertName, RiskScore
```
Linux Log Analysis for Hybrid Environments
Check authentication logs for hybrid identity issues:
```bash
journalctl -u sssd --no-pager | grep "authentication failure"
```
Windows Event Log for Identity Threats
Monitor security events related to compromised accounts:
```powershell
# Event ID 4625: an account failed to log on. The XPath must start with "*" to match the event root.
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4625]]"
```
What Undercode Say
This update streamlines identity threat detection but requires query updates for seamless operation. Key takeaways:
– KQL admins must revise queries for `IdentityEnvironment` and `SourceProviders`.
– SOC teams should validate UEBA risk status mappings.
– Hybrid environments need log correlation between AD, Entra ID, and third-party IDPs.
Expected Output:
- Updated Advanced Hunting queries.
- Validated risk status reports from Sentinel UEBA.
- Reviewed playbooks for identity-based alerts.
Reference:
Microsoft Message Center – MC105216
Reported By: 0x534c Cybersecurity – Hackers Feeds