The IdentityQueryEvents table in the advanced hunting schema contains information about queries performed against Active Directory objects, such as users, groups, devices, and domains. Use this reference to construct queries that return information from this table.
Tip
For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.
This advanced hunting table is populated by records from Microsoft Defender for Identity or Microsoft Sentinel and Microsoft Entra ID. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table won’t work or return any results. For more information about how to deploy Defender for Identity in Defender XDR, read Deploy supported services.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Type of query, such as QueryGroup, QueryUser, or EnumerateUsers
| Column name | Data type | Description |
|---|---|---|
| QueryTarget | string | Name of user, group, device, domain, or any other entity type being queried |
| Query | string | String used to run the query |
| Protocol | string | Protocol used during the communication |
| AccountName | string | User name of the account |
| AccountDomain | string | Domain of the account |
| AccountUpn | string | User principal name (UPN) of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| AccountObjectId | string | Unique identifier for the account in Microsoft Entra ID |
| AccountDisplayName | string | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |
| DeviceName | string | Fully qualified domain name (FQDN) of the device |
| IPAddress | string | IP address assigned to the endpoint and used during related network communications |
| Port | int | TCP port used during communication |
| DestinationDeviceName | string | Name of the device running the server application that processed the recorded action |
| DestinationIPAddress | string | IP address of the device running the server application that processed the recorded action |
| DestinationPort | int | Destination port of related network communications |
| TargetDeviceName | string | Fully qualified domain name (FQDN) of the device that the recorded action was applied to |
| TargetAccountUpn | string | User principal name (UPN) of the account that the recorded action was applied to |
| TargetAccountDisplayName | string | Display name of the account that the recorded action was applied to |
| Location | string | City, country/region, or other geographic location associated with the event |
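
The following hunting query is an added example, not part of the original reference: it uses the columns described above to surface accounts that query an unusually large number of distinct directory objects within one hour, a common sign of directory enumeration. The one-day lookback, the one-hour bin, and the threshold of 50 distinct targets are assumptions to tune for your environment, and the `Timestamp` column it filters on is a standard advanced hunting column not listed in the column descriptions above.

```kusto
// Added example: broad Active Directory query activity per account and source device.
// Assumed values: lookback, bin size, and threshold are starting points, not recommendations.
let lookback = 1d;
let distinctTargetThreshold = 50;
IdentityQueryEvents
| where Timestamp > ago(lookback)
// Ignore records that carry no queried entity
| where isnotempty(QueryTarget)
| summarize
    QueryCount = count(),
    // Number of different users, groups, devices, or domains queried
    DistinctTargets = dcount(QueryTarget),
    // Small samples for triage; make_set caps each list at 10 entries
    SampleTargets = make_set(QueryTarget, 10),
    SampleQueries = make_set(Query, 10),
    ActionTypes = make_set(ActionType),
    Protocols = make_set(Protocol),
    DestinationDevices = make_set(DestinationDeviceName, 10)
    by bin(Timestamp, 1h), AccountUpn, AccountSid, DeviceName, IPAddress
// Keep only account/device pairs that touched many distinct objects in the hour
| where DistinctTargets >= distinctTargetThreshold
| order by DistinctTargets desc
```

Expect administrative tooling and inventory or sync services to appear in the results; baseline them by `AccountUpn` and `DeviceName` before alerting on the remainder.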