Streamlining IdentityInfo in Unified Security Operations

Listen to this Post

Featured Image
The new IdentityInfo table in Microsoft Sentinel provides a unified schema that offers a single, enriched view of identity-related data, integrating insights from Sentinel UEBA and Microsoft Defender for Identity (MDI). This enhancement enables:

  • Comprehensive Identity Context – Aggregates identity data from multiple sources.
  • Faster Investigations – Eliminates cross-referencing between different tables.
  • Improved Threat Detection – Enriched identity attributes enhance anomaly detection.
  • Better Incident Correlation – Easier linking of identity activities to security incidents.

🔗 More Info: The Power of a Unified SIEM+XDR IdentityInfo Schema

You Should Know:

1. Querying IdentityInfo with KQL

Extract identity insights using Kusto Query Language (KQL):

IdentityInfo 
| where TimeGenerated > ago(7d) 
| summarize Count = count() by AccountName, AccountDomain 
| sort by Count desc 

2. Enriching Alerts with Identity Context

Join SecurityAlert and IdentityInfo for deeper analysis:

SecurityAlert 
| where TimeGenerated > ago(1d) 
| join kind=inner (IdentityInfo) on $left.AccountName == $right.AccountName 
| project AlertName, AccountName, JobTitle, Department 

3. Detecting Suspicious Logins

Check for unusual sign-ins from high-risk locations:

IdentityInfo 
| where TimeGenerated > ago(1d) 
| where RiskLevel == "High" 
| join (SigninLogs) on $left.AccountObjectId == $right.UserId 
| project AccountName, IPAddress, Location, RiskDetail 

4. Hunting for Compromised Accounts

Find accounts with multiple failed logins:

IdentityInfo 
| join (SecurityEvent 
| where EventID == 4625 
| summarize FailedLogins=count() by TargetAccount) 
on $left.AccountName == $right.TargetAccount 
| where FailedLogins > 5 
| project AccountName, Department, FailedLogins 

5. Windows Command for Identity Verification

Check local user accounts on a Windows system:

Get-LocalUser | Select Name, Enabled, LastLogon 

6. Linux Command for User Session Auditing

List active user sessions on Linux:

who -a 

What Undercode Say:

Unified identity schemas like IdentityInfo significantly enhance SOC efficiency by reducing data fragmentation. Security teams can now correlate threats faster, automate investigations with KQL, and reduce mean time to detection (MTTD).

For blue teams, mastering KQL and integrating UEBA + MDI is critical. Automation scripts (PowerShell/Bash) should be deployed to validate identity logs across Windows & Linux environments.

Expected Output:

  • KQL queries for identity threat hunting.
  • Windows/Linux commands for real-time identity verification.
  • Automated correlation between alerts and identity data.

Prediction:

As identity-based attacks rise, expect more AI-driven identity analytics in SIEM/XDR platforms, with deeper Active Directory & cloud identity integrations.

References:

Reported By: Mmihalos The – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram