IdentityQueryEvents

IdentityQueryEvents Schema

Table description

| TableSection | TableType | TableSectionName | Description |
|---|---|---|---|
| Itp | Regular | | Query activities performed against Active Directory objects, such as users, groups, devices, and domains |

Table retention

| HotDays | ColdDays | TotalInteractiveDays |
|---|---|---|
| 30 | 0 | 30 |

Schema

| Name | Description | Type |
|---|---|---|
| AccountDisplayName | Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user. | String |
| AccountDomain | Domain of the account | String |
| AccountName | User name of the account | String |
| AccountObjectId | Unique identifier for the account in Microsoft Entra ID | String |
| AccountSid | Security Identifier (SID) of the account | String |
| AccountUpn | User principal name (UPN) of the account | String |
| ActionType | Type of activity that triggered the event | String |
| AdditionalFields | Additional information about the entity or event | Object |
| Application | Application that performed the recorded action | String |
| DestinationDeviceName | Name of the device running the server application that processed the recorded action | String |
| DestinationIPAddress | IP address of the device running the server application that processed the recorded action | String |
| DestinationPort | Destination port of the activity | Int32 |
| DeviceName | Fully qualified domain name (FQDN) of the device | String |
| IPAddress | IP addresses of the clients on which the activity was performed; can contain multiple IPs if related to Microsoft Defender for Cloud Apps alerts | String |
| Location | City, country, or other geographic location associated with the event | String |
| Port | TCP port used during communication | Int32 |
| Protocol | Protocol used during the communication | String |
| Query | String used to run the query | String |
| QueryTarget | User, group, domain, or any other entity being queried | String |
| QueryType | Type of the query | String |
| ReportId | Unique identifier for the event | String |
| SourceSystem | | String |
| TargetAccountDisplayName | Display name of the account that the recorded action was applied to | String |
| TargetAccountUpn | User principal name (UPN) of the account that the recorded action was applied to | String |
| TargetDeviceName | Fully qualified domain name (FQDN) of the device that the recorded action was applied to | String |
| TenantId | | String |
| TimeGenerated | | DateTime |
| Timestamp | Date and time when the record was generated | DateTime |
| Type | | String |

Action types

| Name | Description |
|---|---|
| DNS query | A DNS query was performed against the domain controller; the query type is recorded (AXFR, TXT, MX, NS, SRV, ANY, DNSKEY) |
| LDAP query | An LDAP query was performed. |
| LdapQuery | An LDAP query was performed. |
| SAMR query | A SAMR query was performed. |
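The following KQL query is an added example of how a defender can use this table, not content from the original schema page. It assumes the table is queried from a Log Analytics workspace (hence `TimeGenerated` rather than `Timestamp`), that the three LDAP and SAMR action type names listed above are the ones present in the data, and that a threshold of 50 distinct query targets in 24 hours is a reasonable starting point; the threshold is an assumption to be tuned per environment. It surfaces accounts that query an unusually large number of distinct Active Directory objects, which is the kind of pattern worth reviewing as possible directory enumeration.

```kusto
// Added example (not from the original page): find accounts whose SAMR or LDAP
// queries touched many distinct targets within the lookback window.
// Both values below are assumed starting points, not figures from the page.
let lookback = 24h;
let target_threshold = 50;
IdentityQueryEvents
| where TimeGenerated > ago(lookback)
// Action type names as listed in the table's "Action types" section
| where ActionType in ("SAMR query", "LDAP query", "LdapQuery")
| where isnotempty(AccountName)
| summarize
    DistinctTargets = dcount(QueryTarget),
    QueryCount = count(),
    QueryTypes = make_set(QueryType, 20),
    SourceDevices = make_set(DeviceName, 10),
    DomainControllers = make_set(DestinationDeviceName, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AccountName, AccountDomain
| where DistinctTargets >= target_threshold
| order by DistinctTargets desc
```

When the same table is queried in the Defender portal, replace `TimeGenerated` with `Timestamp`. Expect service and monitoring accounts to appear near the top of the results on the first run; add them to an allow-list or raise the threshold once their baseline is known.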

Schema changes

| Date | Action |
|---|---|
| 2026-01-02 | Column _IsBillable removed |
| 2026-01-02 | Column _BilledSize removed |
| 2024-10-18 | Table added to tracking |