https://www.verboon.info/tags/defender-for-identity/Recent content in Defender for Identity on Anything About ITHugoen-usSat, 06 Dec 2025 12:27:02 +0000https://www.verboon.info/2025/12/exploring-identityaccountinfo-building-a-kql-query-to-assess-identity-password-security-posture/Sat, 06 Dec 2025 12:27:02 +0000https://www.verboon.info/2025/12/exploring-identityaccountinfo-building-a-kql-query-to-assess-identity-password-security-posture/<p>Recently Microsoft Defender XDR introduced a new table called <a href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-identityaccountinfo-table">IdentityAccountInfo</a>, and this one immediately caught my attention. It brings several interesting attributes into Advanced Hunting, including <code>LastPasswordChangeTime</code> and even the sensitivity classification of an identity.</p> <p>Naturally, my first thought was: this is perfect material for some hunting logic, so let&rsquo;s build a KQL query out of it.</p> <p>Why am I excited about this? Because it finally allows us to query identity hygiene data straight from Defender. No external inventory dumps, no AD scripting, just KQL.</p>https://www.verboon.info/2025/11/defender-for-identity-automatic-windows-event-auditing-configuration/Sat, 22 Nov 2025 14:29:46 +0000https://www.verboon.info/2025/11/defender-for-identity-automatic-windows-event-auditing-configuration/<p>One of the most common issues we encounter during Defender for Identity assessments is misconfiguration. Many organizations assume that installing the sensor is the final step, but proper post-installation configuration is just as important.</p> <p>In particular, enabling the required Windows event auditing policies is essential for full detection capabilities. Without these settings, functionality is degraded and health notifications start to appear.</p> <p> <img src="images/defender-for-identity-automatic-windows-event-auditing-configuration-01.png" alt=""> </p> <p>Defender for Identity relies on specific Windows audit categories and subcategories to capture critical events.</p>https://www.verboon.info/2025/07/shedding-light-on-dormant-sensitive-accounts/Tue, 08 Jul 2025 15:34:54 +0000https://www.verboon.info/2025/07/shedding-light-on-dormant-sensitive-accounts/<p>Dormant sensitive accounts are a high-risk identity exposure. In Microsoft Defender XDR, the recommendation <strong>Remove dormant accounts from sensitive groups</strong> helps surface these accounts, including whether they are inactive, disabled, or have expired credentials.</p> <p> <img src="images/shedding-light-on-dormant-sensitive-accounts-01.png" alt=""> </p> <p>You can export the detected entities, but the export often contains limited context. In many cases, you only get entity names or SID values, which makes remediation harder when you need ownership and organizational details.</p> <p> <img src="images/shedding-light-on-dormant-sensitive-accounts-02.png" alt=""> </p> <p>A practical approach is to use the SID values to enrich the result set with identity attributes from <code>IdentityInfo</code>. You can quickly build a SID variable list using KustoVars, then query Defender XDR for additional context.</p>