Defender-DeviceLogonEvents

4 ActionTypes

ActionType        Title
any               Logon activity (any)
LogonSuccess      Logon succeeded
LogonFailed       Logon failed
LogonAttempted    Logon attempted (no result yet)

any: Logon activity (any)

Provider: Defender-DeviceLogonEvents
Channel: DeviceLogonEvents

Description

Logon activity (any)

Fields

Name                          Description
DeviceId
Timestamp
ActionType
LogonType                     Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive).
AccountName
AccountDomain
AccountSid
RemoteIP
RemotePort
IsLocalAdmin
InitiatingProcessFileName
FailureReason

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field        Kind        Value    Rules     Vendors
user         ends_with   $        1 rule    elastic, kusto
Protocol     eq          NTLM     1 rule    kusto

Detection Rules

Kusto

  • Password Spray (source): The queries below detect password spray attacks using the sliding window count plugin. Because of the implementation of the sliding window, the queries work better than the bin() usage, but may create duplicate alerts. Grouping can be used in such cases. Sentinel Query:
  • Potential NTLM Relay Attack to Domain Controller (source): The query below detects NTLM authentication coming from Domain Controller machine accounts. This is not expected behavior and is an indication of an NTLM relay attack.
    If NTLM relaying is done towards a Linux machine, this query won't detect it. The attacker must have access to a Linux device in that case, though.

LogonSuccess: Logon succeeded

Provider: Defender-DeviceLogonEvents
Channel: LogonSuccess

Description

Logon succeeded

Fields

Name                          Description
DeviceId
Timestamp
LogonType                     Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive).
AccountName
AccountDomain
RemoteIP
RemotePort
IsLocalAdmin

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field                  Kind        Value                          Rules      Vendors
EventType              eq          LogonSuccess                   2 rules    kusto
RemoteIPType           ne          Loopback                       2 rules    kusto
parent_process_name    eq          wsmprovhost.exe                1 rule     elastic, kusto, splunk
DestinationPort        in          80                             1 rule     kusto, splunk
EventType              eq          PowerShellCommand              1 rule     kusto
Protocol               eq          NTLM                           1 rule     kusto
TargetDomainName       in          PUT YOUR AD DOMAINS HERE!      1 rule     kusto
TargetDomainName       in          contoso                        1 rule     kusto
TargetDomainName       in          contoso.local                  1 rule     kusto
subnet                 is_null                                    1 rule     kusto

Detection Rules

Kusto

  • Password Spraying (source, medium): This query detects a password spraying attack, where a single machine has performed a large number of failed login attempts with a large number of different accounts. For each account, the attacker uses just a few attempts to prevent account lockout. This query uses the DeviceLogonEvents per machine to detect password spraying attacks. The machine against which the password spraying is performed (it can be a DC, a server or even an endpoint) needs to be enrolled in Microsoft Defender for Endpoint. (Also matches LogonFailed: Logon failed.)
  • Service Accounts Performing Remote PS (source, high): Service Accounts Performing Remote PowerShell. The purpose behind this detection is finding service accounts that are performing remote PowerShell sessions. There are two phases to the detection: identify service accounts, then find remote PS cmdlets being run by these accounts. To accomplish this, we utilize DeviceLogonEvents and DeviceEvents to find cmdlets run that meet the criteria. One of the main advantages of this method is that it only requires server telemetry, and not the attacking client. The first phase relies on the DeviceLogonEvents to determine whether an account is a service account or not; consider the following accounts with logons: Random_user has DeviceLogonEvents with type 2, 3, 7, 10, 11 & 13. Random_service_account 'should' only have DeviceLogonEvents with type 3, 4 or 5.
  • NTLM Relay Attack (source): This query searches for successful NTLM network logins where the device name contained in the NTLM authentication message is a device that is known to MDE, but the source IP address is different from the known source IP address for that specific device. This could indicate an attacker is relaying the NTLM authentication information. To remove false positives, this query also searches for an outgoing network connection from the initiator to the attacker.

LogonFailed: Logon failed

Provider: Defender-DeviceLogonEvents
Channel: LogonFailed

Description

Logon failed

Fields

Name                          Description
DeviceId
Timestamp
LogonType                     Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive).
AccountName
AccountDomain
RemoteIP
FailureReason

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field           Kind    Value       Rules     Vendors
RemoteIPType    ne      Loopback    1 rule    kusto

Detection Rules

Kusto

  • Password Spraying (source, medium): This query detects a password spraying attack, where a single machine has performed a large number of failed login attempts with a large number of different accounts. For each account, the attacker uses just a few attempts to prevent account lockout. This query uses the DeviceLogonEvents per machine to detect password spraying attacks. The machine against which the password spraying is performed (it can be a DC, a server or even an endpoint) needs to be enrolled in Microsoft Defender for Endpoint. (Also matches LogonSuccess: Logon succeeded.)

LogonAttempted: Logon attempted (no result yet)

Provider: Defender-DeviceLogonEvents
Channel: LogonAttempted

Description

Logon attempted (no result yet)

Fields

Name                          Description
DeviceId
Timestamp
LogonType                     Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive).
AccountName
RemoteIP
