Listen to this Post

The new IdentityInfo table in Microsoft Sentinel provides a unified schema that offers a single, enriched view of identity-related data, integrating insights from Sentinel UEBA and Microsoft Defender for Identity (MDI). This enhancement enables:
- Comprehensive Identity Context – Aggregates identity data from multiple sources.
- Faster Investigations – Eliminates cross-referencing between different tables.
- Improved Threat Detection – Enriched identity attributes enhance anomaly detection.
- Better Incident Correlation – Easier linking of identity activities to security incidents.
🔗 More Info: The Power of a Unified SIEM+XDR IdentityInfo Schema
You Should Know:
1. Querying IdentityInfo with KQL
Extract identity insights using Kusto Query Language (KQL):
IdentityInfo | where TimeGenerated > ago(7d) | summarize Count = count() by AccountName, AccountDomain | sort by Count desc
2. Enriching Alerts with Identity Context
Join SecurityAlert and IdentityInfo for deeper analysis:
SecurityAlert | where TimeGenerated > ago(1d) | join kind=inner (IdentityInfo) on $left.AccountName == $right.AccountName | project AlertName, AccountName, JobTitle, Department
3. Detecting Suspicious Logins
Check for unusual sign-ins from high-risk locations:
IdentityInfo | where TimeGenerated > ago(1d) | where RiskLevel == "High" | join (SigninLogs) on $left.AccountObjectId == $right.UserId | project AccountName, IPAddress, Location, RiskDetail
4. Hunting for Compromised Accounts
Find accounts with multiple failed logins:
IdentityInfo | join (SecurityEvent | where EventID == 4625 | summarize FailedLogins=count() by TargetAccount) on $left.AccountName == $right.TargetAccount | where FailedLogins > 5 | project AccountName, Department, FailedLogins
5. Windows Command for Identity Verification
Check local user accounts on a Windows system:
Get-LocalUser | Select Name, Enabled, LastLogon
6. Linux Command for User Session Auditing
List active user sessions on Linux:
who -a
What Undercode Say:
Unified identity schemas like IdentityInfo significantly enhance SOC efficiency by reducing data fragmentation. Security teams can now correlate threats faster, automate investigations with KQL, and reduce mean time to detection (MTTD).
For blue teams, mastering KQL and integrating UEBA + MDI is critical. Automation scripts (PowerShell/Bash) should be deployed to validate identity logs across Windows & Linux environments.
Expected Output:
- KQL queries for identity threat hunting.
- Windows/Linux commands for real-time identity verification.
- Automated correlation between alerts and identity data.
Prediction:
As identity-based attacks rise, expect more AI-driven identity analytics in SIEM/XDR platforms, with deeper Active Directory & cloud identity integrations.
References:
Reported By: Mmihalos The – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


