Agent Foskett Academy • Lesson 38 • Investigating IdentityDirectoryEvents

Investigating IdentityDirectoryEvents in Microsoft Defender XDR

IdentityDirectoryEvents records changes made to identity objects such as users, groups, devices and directory-related activity inside Microsoft Defender XDR.

This table helps defenders investigate account modifications, group membership changes, privileged activity, directory updates and identity-based attack behaviour.

In this lesson, you will learn how to use IdentityDirectoryEvents to follow directory evidence, review account and group changes, and support Microsoft Defender XDR investigations.

Agent Foskett Academy lesson explaining IdentityDirectoryEvents in Microsoft Defender XDR
Lesson overview

Learn how IdentityDirectoryEvents helps defenders investigate account changes, group updates and directory-based attack activity.

Review user and group changes
Investigate privileged activity
Correlate directory changes with logons

Why IdentityDirectoryEvents matters

Many identity investigations do not stop at the login. The next question is often: what changed after access was granted?
Directory changes leave evidenceUser modifications, group updates and permission changes can reveal attacker activity after a successful sign-in.
Privilege escalation often appears hereAdding users to groups or changing directory objects can be a sign that an attacker is moving from access to control.
Changes belong in the timelineIdentityDirectoryEvents helps connect successful logons to administrative activity, group membership updates and downstream endpoint behaviour.

Investigation scenario

A sign-in succeeded. The account looked legitimate. But shortly afterwards, the same user was added to a sensitive group and another account was modified.
The login was only the beginningIdentityLogonEvents showed access, but IdentityDirectoryEvents showed what happened after access was granted.
The group change matteredA normal user appearing inside a sensitive group changed the investigation from suspicious sign-in to possible privilege escalation.
The next step was correlationThe directory change became the pivot point for checking logons, endpoint activity and any later administrative actions.

Step 1 — Review recent directory activity

Start broad. Review recent directory activity and keep the core investigation fields visible.
identitydirectoryevents-recent-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
IdentityDirectoryEvents
| where Timestamp > ago(7d)
| project Timestamp, ActionType, AccountName,
                            AccountDomain, TargetAccountName,
                            TargetAccountDomain, AdditionalFields
| order by Timestamp desc

Step 2 — Look for group membership changes

Group changes are important because they can quietly increase access without triggering obvious endpoint alerts.
identitydirectoryevents-group-changes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
IdentityDirectoryEvents
| where Timestamp > ago(14d)
| where ActionType has_any ("Group", "member", "Membership")
| project Timestamp, ActionType, AccountName,
                            TargetAccountName, AdditionalFields
| order by Timestamp desc

Step 3 — Investigate privileged activity

Search for directory activity involving sensitive groups, privileged roles or administrative terms.
identitydirectoryevents-privileged-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
IdentityDirectoryEvents
| where Timestamp > ago(30d)
| where AdditionalFields has_any (
                            "Global Administrator", "Domain Admin",
                            "Security Administrator", "Privileged")
| project Timestamp, ActionType, AccountName,
                            TargetAccountName, AdditionalFields
| order by Timestamp desc

Step 4 — Focus on one target account

Once a target account becomes interesting, review every directory change associated with that identity.
identitydirectoryevents-target-account.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
IdentityDirectoryEvents
| where Timestamp > ago(30d)
| where TargetAccountName =~ "rebecca"
| project Timestamp, ActionType, AccountName,
                            TargetAccountName, AdditionalFields
| order by Timestamp asc

Step 5 — Summarise directory changes

Summarising directory activity helps reveal noisy accounts, frequent administrative actions and unusual change patterns.
identitydirectoryevents-summary.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
IdentityDirectoryEvents
| where Timestamp > ago(30d)
| summarize DirectoryChanges = count(),
                            FirstSeen = min(Timestamp),
                            LastSeen = max(Timestamp)
                            by AccountName, ActionType
| order by DirectoryChanges desc

Step 6 — Correlate with identity logons

A suspicious directory change should be correlated with the logon activity that happened before it.
identitydirectoryevents-logon-correlation.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
let UserAccount = "rebecca";
IdentityLogonEvents
| where Timestamp > ago(24h)
| where AccountName =~ UserAccount
| project Timestamp, ActionType, AccountName,
                            DeviceName, IPAddress, LogonType, Protocol
| order by Timestamp asc

Common investigation uses

IdentityDirectoryEvents becomes powerful when it is treated as evidence of change, not just administrative noise.
Group membership changesInvestigate when accounts are added to or removed from sensitive groups.
Privileged account activityReview directory changes involving administrative accounts, security roles and privileged identities.
Post-compromise changesUse directory events to understand what changed after a suspicious login succeeded.

Common mistakes

Directory investigations can go wrong when administrative changes are assumed to be normal without context.
Ignoring who made the changeThe target account matters, but the account that performed the action is often the most important clue.
Missing group contextA group name may look harmless until you understand what that group can access.
Not checking what happened beforeA directory change should be tied back to prior logons, MFA activity, device activity and other investigation evidence.
The directory change may be the privilege escalation.
Do not stop at who logged in. Ask what changed next.
Back to Academy →

What you learned

IdentityDirectoryEvents records directory evidenceYou can use it to investigate user changes, group updates, account modifications and administrative activity.
Changes need contextA directory action may be normal or suspicious depending on the actor, target, timestamp and surrounding logon activity.
Directory evidence should be correlatedFollow suspicious changes into IdentityLogonEvents, DeviceProcessEvents, DeviceNetworkEvents and other Microsoft Defender XDR telemetry.

Related Agent Foskett Academy lessons

Investigating IdentityLogonEventsReview the logon activity that happened before suspicious directory changes.
Building Investigation TimelinesConnect logons, directory changes and endpoint evidence into one investigation timeline.
Connecting Tables with joinCombine directory evidence with authentication, endpoint and email telemetry.
Using let Statements to Reuse EvidenceStore users, groups and devices for reuse across related investigation queries.
Creating Investigation ParametersBuild flexible identity investigations using reusable accounts, devices and time ranges.
Investigating DeviceProcessEventsFollow endpoint activity after directory changes or suspicious identity actions.
Investigating DeviceNetworkEventsReview outbound network activity after suspicious identity or directory events.
Investigating DeviceRegistryEventsInvestigate registry-based persistence associated with compromised accounts.

Final thought

Directory activity is where identity investigations often become access investigations. A login shows entry. A directory change may show intent.
Agent Foskett mindsetDo not just ask who signed in. Ask what they changed, who they targeted, and whether the change belonged in the environment.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating IdentityDirectoryEvents in Microsoft Defender XDR

Agent Foskett Academy Lesson 38 teaches defenders how to use IdentityDirectoryEvents to investigate directory changes, group membership updates and privileged activity.

Learn IdentityDirectoryEvents for Microsoft Defender XDR hunting

This lesson explains how IdentityDirectoryEvents supports Microsoft Defender XDR investigations by connecting identity logons, directory changes, user modifications and endpoint evidence.