The Unified IdentityInfo Table in Microsoft Sentinel

The unified IdentityInfo table is the most comprehensive way to identify users and their attributes in Microsoft Sentinel’s unified SOC experience (Microsoft Sentinel operated from the Microsoft Defender portal). It brings the identity attributes of the Azure portal IdentityInfo schema and the Defender portal schema together in one advanced hunting table, so a single query can enrich alerts and sign-ins with who an account belongs to. To use it, you must onboard your Sentinel workspace to the Defender portal and enable User and Entity Behavior Analytics (UEBA) on that workspace; UEBA is what populates IdentityInfo.

🔗 Reference: What’s new in Microsoft Sentinel

You Should Know:

1. Enabling UEBA in Microsoft Sentinel

To use the IdentityInfo table, follow these steps:

1. Onboard the Microsoft Sentinel workspace:

# Connect to Azure and select the subscription that holds the Log Analytics workspace
Connect-AzAccount
Set-AzContext -SubscriptionId "<subscription-id>"

# Enable Microsoft Sentinel on the workspace (Az.SecurityInsights module; the onboarding resource is always named "default")
New-AzSentinelOnboardingState -ResourceGroupName "YourResourceGroup" -WorkspaceName "YourWorkspace" -Name "default"

  • Then connect the workspace to the Defender portal: Settings → Microsoft Sentinel → Workspaces → Connect a workspace.

2. Enable UEBA:

  • In the Azure portal, navigate to Microsoft Sentinel → Configuration → Entity behavior → Set UEBA. Turn it on, select the directory to sync identities from (Microsoft Entra ID and/or on-premises Active Directory) and the data sources that feed behavior analytics (for example SigninLogs, AuditLogs, SecurityEvent), then Apply.
  • IdentityInfo is built from the directory you select here; until UEBA is enabled the table stays empty, and the first sync takes some time.

3. Verify data ingestion:

// Confirm IdentityInfo is populated and see how fresh the newest snapshot is
IdentityInfo
| summarize Rows = count(), NewestSnapshot = max(TimeGenerated)

// Spot-check a few rows
IdentityInfo
| take 10
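As an added end-to-end example (not code from the original post or from Microsoft), the PowerShell script below performs the three steps above from a shell: it enables Microsoft Sentinel on an existing Log Analytics workspace, turns on UEBA by writing the EntityAnalytics and Ueba settings through the Microsoft Sentinel settings REST API with Invoke-AzRestMethod, and runs the verification query. It assumes the Az.Accounts, Az.OperationalInsights and Az.SecurityInsights modules are installed, that the workspace already exists, and that the 2023-02-01 API version is accepted by the settings endpoint; the subscription, resource group and workspace names are placeholders.

```powershell
# Added example (not from the original post): enable Microsoft Sentinel on a Log Analytics
# workspace, switch on UEBA through the Sentinel settings REST API, and confirm that
# IdentityInfo is being populated. Requires Az.Accounts, Az.OperationalInsights and
# Az.SecurityInsights. Resource names are placeholders.
param(
    [string]$SubscriptionId = "<subscription-id>",
    [string]$ResourceGroup  = "YourResourceGroup",
    [string]$WorkspaceName  = "YourWorkspace",
    # Assumption: this API version exposes the EntityAnalytics/Ueba settings; adjust if your tenant rejects it
    [string]$SentinelApiVersion = "2023-02-01"
)

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. The workspace must already exist; onboard it to Microsoft Sentinel if it is not onboarded yet.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName -ErrorAction Stop
$onboarding = Get-AzSentinelOnboardingState -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -ErrorAction SilentlyContinue
if (-not $onboarding) {
    New-AzSentinelOnboardingState -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -Name "default" | Out-Null
    Write-Host "Microsoft Sentinel enabled on $WorkspaceName"
}

# 2. Enable UEBA. 'EntityAnalytics' selects the identity source (directory) that feeds IdentityInfo;
#    'Ueba' selects the log sources used for behavior analytics. Each is a PUT on the settings endpoint.
$settingsBase    = "$($ws.ResourceId)/providers/Microsoft.SecurityInsights/settings"
$entityAnalytics = @{ kind = "EntityAnalytics"; properties = @{ entityProviders = @("AzureActiveDirectory") } }
$ueba            = @{ kind = "Ueba";            properties = @{ dataSources = @("AuditLogs", "SigninLogs", "SecurityEvent") } }
foreach ($setting in @($entityAnalytics, $ueba)) {
    $resp = Invoke-AzRestMethod -Path "$settingsBase/$($setting.kind)?api-version=$SentinelApiVersion" `
                                -Method PUT -Payload ($setting | ConvertTo-Json -Depth 5)
    if ($resp.StatusCode -ge 300) { throw "Failed to set $($setting.kind): HTTP $($resp.StatusCode) $($resp.Content)" }
    Write-Host "Applied setting $($setting.kind)"
}

# 3. Verify. The first identity sync can take a while, so report instead of failing hard on an empty table.
$kql    = "IdentityInfo | summarize Rows = count(), NewestSnapshot = max(TimeGenerated)"
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql
$row    = $result.Results | Select-Object -First 1
if (-not $row -or [int64]$row.Rows -eq 0) {
    Write-Warning "IdentityInfo is still empty; UEBA needs time after enablement before identities appear."
} else {
    Write-Host "IdentityInfo has $($row.Rows) rows; newest snapshot at $($row.NewestSnapshot)"
}
```

Connecting the workspace to the Defender portal (Settings → Microsoft Sentinel → Workspaces) is still done in the portal; the script covers the workspace-side prerequisites that the unified IdentityInfo table depends on.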

2. Advanced Hunting with IdentityInfo

The IdentityInfo table carries identity attributes you can pivot on, for example:

– `AccountName` (the sAMAccountName-style account name)
– `AccountUPN` (the user principal name; note the Defender portal schema spells it `AccountUpn`, and KQL column names are case-sensitive)
– `AccountDisplayName`
– `Department`
– `JobTitle`
– `AssignedRoles` and `GroupMembership` (dynamic arrays, useful for spotting privileged accounts)

Example query to count sign-ins per user over the last 7 days, enriched with display name and job title. Join on the UPN rather than `AccountName`, since SigninLogs carries the UPN, and reduce IdentityInfo to its latest snapshot per user first, because the table stores periodic snapshots and a naive join multiplies rows:

// Latest IdentityInfo row per user, UPN lower-cased so the join is case-insensitive (Defender portal schema: AccountUpn)
let Identities = IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | project AccountUPN = tolower(AccountUPN), AccountDisplayName, JobTitle;
SigninLogs
| where TimeGenerated > ago(7d)
| extend AccountUPN = tolower(UserPrincipalName)
| join kind=inner Identities on AccountUPN
| summarize LoginCount = count() by AccountUPN, AccountDisplayName, JobTitle
| sort by LoginCount desc

3. Automating Threat Detection

Create custom analytics rules that enrich alerts with IdentityInfo. SecurityAlert has no top-level `AccountName` column; the affected accounts are nested in the `Entities` JSON, so expand that column first and then join to the latest IdentityInfo snapshot:

// Account entities live in the Entities JSON column, not in a top-level AccountName column
SecurityAlert
| where AlertName == "Suspicious PowerShell Execution"
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "account"
| extend AccountName = tostring(Entity.Name)
| join kind=inner (IdentityInfo | summarize arg_max(TimeGenerated, *) by AccountName) on AccountName
| project TimeGenerated, AlertName, AccountName, AccountDisplayName, JobTitle
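The following PowerShell script is an added example, not code from the original post or from Microsoft, and it serves both the hunting pattern of section 2 (dedup IdentityInfo to one snapshot per account, then join) and the analytics-rule goal of section 3: it deploys a scheduled rule whose KQL joins Medium/High alerts to the latest IdentityInfo snapshot and fires only when the account holds a directory role or sits in a Tier-0 Active Directory group. It assumes the Az.SecurityInsights v3 cmdlet surface (`New-AzSentinelAlertRule -Kind Scheduled`), that UEBA populates `AssignedRoles` and `GroupMembership` for your directory, and that your table uses the Azure portal column casing (`AccountUPN`); the rule name, severity, tactic and the group list are assumptions to tune for your tenant.

```powershell
# Added example (not from the original post): deploy a scheduled analytics rule that joins
# incoming alerts to the latest IdentityInfo snapshot and fires only for privileged accounts.
# Requires Az.Accounts and Az.SecurityInsights (v3+). Names, thresholds and the definition
# of "privileged" below are assumptions to tune for your tenant.
param(
    [string]$ResourceGroup = "YourResourceGroup",
    [string]$WorkspaceName = "YourWorkspace",
    [string]$RuleName      = "Alert on privileged identity (IdentityInfo enrichment)"
)

# IdentityInfo keeps periodic snapshots, so reduce it to one row per account before joining.
# Column casing follows the Azure portal schema (AccountUPN); the Defender portal schema uses AccountUpn.
# A scheduled rule applies its QueryPeriod look-back automatically, so no explicit ago() filter is needed.
$kql = @'
let Privileged = IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountName
    | where array_length(AssignedRoles) > 0
         or array_length(set_intersect(GroupMembership, dynamic(["Domain Admins", "Enterprise Admins"]))) > 0
    | project AccountName, AccountUPN, AccountDisplayName, JobTitle, Department, AssignedRoles;
SecurityAlert
| where AlertSeverity in ("Medium", "High")
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "account"
| extend AccountName = tostring(Entity.Name)
| join kind=inner Privileged on AccountName
| project TimeGenerated, AlertName, AlertSeverity, ProviderName, SystemAlertId,
          AccountName, AccountUPN, AccountDisplayName, JobTitle, Department, AssignedRoles
'@

$ruleParams = @{
    ResourceGroupName = $ResourceGroup
    WorkspaceName     = $WorkspaceName
    Kind              = "Scheduled"
    DisplayName       = $RuleName
    Description       = "Medium/High alerts whose account entity holds a directory role or a Tier-0 AD group, enriched from IdentityInfo."
    Severity          = "High"
    Query             = $kql
    QueryFrequency    = (New-TimeSpan -Hours 1)   # how often the rule runs
    QueryPeriod       = (New-TimeSpan -Hours 1)   # look-back window; keep >= frequency so no alert window is skipped
    TriggerOperator   = "GreaterThan"
    TriggerThreshold  = 0                         # any matching row raises an alert
    Tactic            = @("PrivilegeEscalation")
    Enabled           = $true
}

# Do not create duplicates on re-run: a rule with this display name is left as it is.
$existing = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName |
            Where-Object { $_.DisplayName -eq $RuleName }
if ($existing) {
    Write-Warning "Rule '$RuleName' already exists (id $($existing.Name)); edit it in the portal or remove it before redeploying."
} else {
    New-AzSentinelAlertRule @ruleParams | Out-Null
    Write-Host "Created scheduled rule '$RuleName' in $WorkspaceName"
}
```

The `arg_max` step is the part worth keeping in any IdentityInfo join: without it, a user with several snapshots in the period produces one enriched row per snapshot and inflates counts and incident volume.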
4. Linux & Windows Commands for SOC Integration

  • Extract failed authentications (Linux; on RHEL-family systems the file is /var/log/secure):
    grep "authentication failure" /var/log/auth.log

  • Check Active Directory users (Windows, ActiveDirectory module):
    Get-ADUser -Filter * -Properties Department | Select-Object Name, Department

  • Export successful logon events (Windows; Event ID 4624 is a successful logon):
    Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4624} | Export-Csv "Logins.csv" -NoTypeInformation

What Undercode Say:

The IdentityInfo table improves SOC efficiency by centralizing user identity data in one table, so alerts and sign-in telemetry can be correlated with who the account belongs to without a separate directory lookup. Combining UEBA with advanced hunting supports proactive detection of anomalies, and scripting the setup and analytics rules in PowerShell and KQL keeps the deployment repeatable and shortens the time from alert to triage.

🔗 Expected Output:

  • A fully integrated Microsoft Sentinel workspace with UEBA.
  • Custom KQL queries for identity-based threat detection.
  • Automated alerts tied to IdentityInfo attributes.

Prediction:

As identity-based attacks rise, IdentityInfo will become crucial in Zero Trust architectures, with deeper integrations into Microsoft Entra ID (formerly Azure AD) and Microsoft Defender XDR (formerly Microsoft 365 Defender). Expect more AI-driven anomaly detection features in future Sentinel updates.

References:

Reported By: Fabianbader Whats – Hackers Feeds
