Defender-DeviceLogonEvents

4 events across 4 channels

Event ID	Title	Channel
9003000	Logon activity (any)	DeviceLogonEvents
9003001	Logon succeeded	LogonSuccess
9003002	Logon failed	LogonFailed
9003003	Logon attempted (no result yet)	LogonAttempted

Event ID 9003000 — Logon activity (any)

Provider: Defender-DeviceLogonEvents
Channel: DeviceLogonEvents

Description

Logon activity (any)

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`ActionType`	—
`LogonType`	—
`AccountName`	—
`AccountDomain`	—
`AccountSid`	—
`RemoteIP`	—
`RemotePort`	—
`IsLocalAdmin`	—
`InitiatingProcessFileName`	—
`FailureReason`	—

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table

Event ID 9003001 — Logon succeeded

Provider: Defender-DeviceLogonEvents
Channel: LogonSuccess

Description

Logon succeeded

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`LogonType`	—
`AccountName`	—
`AccountDomain`	—
`RemoteIP`	—
`RemotePort`	—
`IsLocalAdmin`	—

Detection Patterns #

Credential Access: Password Spraying

Defender-DeviceLogonEvents Event ID 9003001: Logon succeededANDEvent ID 9003002: Logon failedANDSecurity-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 4625: An account failed to log on.

7 rules

Elastic

Multiple Logon Failure Followed by Logon Success (source)

Elastic

Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

Kusto Query Language

Password Spraying (source)

Brute force attack against user credentials (Uses Authentication Normalization) (source)

Ofer Shezaf

Potential Password Spray Attack (Uses Authentication Normalization) (source)

Ofer Shezaf

Show 1 more (4 total)

SecurityEvent - Multiple authentication failures followed by a success (source)

Lateral Movement: Exploitation of Remote Services

Defender-DeviceLogonEvents Event ID 9003001: Logon succeeded→Security-Auditing Event ID 4624: An account was successfully logged on.

1 rule

Kusto Query Language

Service Accounts Performing Remote PS (source)

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table

Event ID 9003002 — Logon failed

Provider: Defender-DeviceLogonEvents
Channel: LogonFailed

Description

Logon failed

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`LogonType`	—
`AccountName`	—
`AccountDomain`	—
`RemoteIP`	—
`FailureReason`	—

Detection Patterns #

Credential Access: Password Spraying

Defender-DeviceLogonEvents Event ID 9003001: Logon succeededANDEvent ID 9003002: Logon failedANDSecurity-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 4625: An account failed to log on.

7 rules

Elastic

Multiple Logon Failure Followed by Logon Success (source)

Elastic

Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

Kusto Query Language

Password Spraying (source)

Brute force attack against user credentials (Uses Authentication Normalization) (source)

Ofer Shezaf

Potential Password Spray Attack (Uses Authentication Normalization) (source)

Ofer Shezaf

Show 1 more (4 total)

SecurityEvent - Multiple authentication failures followed by a success (source)

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table

Event ID 9003003 — Logon attempted (no result yet)

Provider: Defender-DeviceLogonEvents
Channel: LogonAttempted

Description

Logon attempted (no result yet)

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`LogonType`	—
`AccountName`	—
`RemoteIP`	—

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table