IdentityLogonEvents

Applies to:

  • Microsoft 365 Defender

The IdentityLogonEvents table in the advanced hunting schema contains information about authentication activities made through your on-premises Active Directory captured by Microsoft Defender for Identity and authentication activities related to Microsoft online services captured by Microsoft Cloud App Security. Use this reference to construct queries that return information from this table.

Tip

For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in the security center.

Note

This table covers Azure Active Directory (AD) logon activities tracked by Cloud App Security, specifically interactive sign-ins and authentication activities using ActiveSync and other legacy protocols. Non-interactive logons that are not available in this table can be viewed in the Azure AD audit log. Learn more about connecting Cloud App Security to Microsoft 365

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the event was recorded |
| ActionType | string | Type of activity that triggered the event. See the in-portal schema reference for details |
| LogonType | string | Type of logon session, specifically:<br>- Interactive: user physically interacts with the machine using the local keyboard and screen<br>- Remote interactive (RDP) logons: user interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br>- Network: session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br>- Batch: session initiated by scheduled tasks<br>- Service: session initiated by services as they start |
| Application | string | Application that performed the recorded action |
| Protocol | string | Network protocol used |
| FailureReason | string | Information explaining why the recorded action failed |
| AccountName | string | User name of the account |
| AccountDomain | string | Domain of the account |
| AccountUpn | string | User principal name (UPN) of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| AccountObjectId | string | Unique identifier for the account in Azure AD |
| AccountDisplayName | string | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |
| DeviceName | string | Fully qualified domain name (FQDN) of the device |
| DeviceType | string | Type of device |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| IPAddress | string | IP address assigned to the endpoint and used during related network communications |
| DestinationDeviceName | string | Name of the device running the server application that processed the recorded action |
| DestinationIPAddress | string | IP address of the device running the server application that processed the recorded action |
| TargetDeviceName | string | Fully qualified domain name (FQDN) of the device that the recorded action was applied to |
| TargetAccountDisplayName | string | Display name of the account that the recorded action was applied to |
| Location | string | City, country, or other geographic location associated with the event |
| Isp | string | Internet service provider (ISP) associated with the endpoint IP address |
| ReportId | long | Unique identifier for the event |
| AdditionalFields | string | Additional information about the entity or event |
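As an added example that is not part of this reference page: an advanced hunting query that uses the columns above to surface accounts where a burst of failed logons from one IP address was followed by a successful logon from that same address, which is the pattern a defender checks for after a password-guessing attempt. The ActionType values `LogonFailed` and `LogonSuccess`, the thresholds and the time windows are assumptions; confirm the ActionType values in the in-portal schema reference before relying on the query.

```kql
// Added example, not from the schema reference. Assumed ActionType values:
// "LogonFailed" and "LogonSuccess" (verify in the in-portal schema reference).
let lookback = 1d;             // how far back to hunt
let success_window = 1h;       // how soon after the last failure a success counts
let failure_threshold = 10;    // failed attempts from one IP before we care
// Step 1: per account + source IP, count failures and keep the failure reasons.
let failures =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | where isnotempty(AccountUpn) and isnotempty(IPAddress)
    | summarize
        FailedCount = count(),
        FirstFailure = min(Timestamp),
        LastFailure = max(Timestamp),
        FailureReasons = make_set(FailureReason, 5)
        by AccountUpn, IPAddress
    | where FailedCount >= failure_threshold;
// Step 2: find successes from the same account + IP shortly after the failures.
IdentityLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess"
| project SuccessTime = Timestamp, AccountUpn, IPAddress, Application,
          Protocol, LogonType, Location, Isp, DeviceName
| join kind=inner failures on AccountUpn, IPAddress
| where SuccessTime between (LastFailure .. (LastFailure + success_window))
// Protocol and Application show whether the success came over a legacy
// protocol (for example ActiveSync), which the Note above calls out.
| project AccountUpn, IPAddress, Location, Isp, FailedCount, FirstFailure,
          LastFailure, SuccessTime, Application, Protocol, LogonType,
          DeviceName, FailureReasons
| order by FailedCount desc
```

Tune `failure_threshold` and `success_window` to your environment; a low threshold over a short window catches single-account brute forcing, while a higher count spread across many accounts from one IP is better handled by summarizing on `IPAddress` alone.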