Defender-DeviceLogonEvents
4 ActionTypes
| ActionType | Title |
|---|---|
| any | Logon activity (any) |
| LogonSuccess | Logon succeeded |
| LogonFailed | Logon failed |
| LogonAttempted | Logon attempted (no result yet) |
any: Logon activity (any)
Description
Logon activity (any)
Fields
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| ActionType | |
| LogonType | Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). |
| AccountName | |
| AccountDomain | |
| AccountSid | |
| RemoteIP | |
| RemotePort | |
| IsLocalAdmin | |
| InitiatingProcessFileName | |
| FailureReason | |
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| user | ends_with | $ | 1 rule | elastic, kusto |
| Protocol | eq | NTLM | 1 rule | kusto |
Detection Rules
Kusto
- Password Spray: The queries below detect password spray attacks using the sliding window count plugin. Because of the implementation of the sliding window, these queries work better than bin() usage, but they may create duplicate alerts; grouping can be used in such cases. Sentinel Query:
- Potential NTLM Relay Attack to Domain Controller: The query below detects NTLM authentication coming from Domain Controller machine accounts. This is not expected behavior and is an indication of an NTLM relay attack.
If NTLM relaying is done towards a Linux machine, this query won't detect it. The attacker must have access to a Linux device in that case, though.
References
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicelogonevents/
LogonSuccess: Logon succeeded
Description
Logon succeeded
Fields
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| LogonType | Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). |
| AccountName | |
| AccountDomain | |
| RemoteIP | |
| RemotePort | |
| IsLocalAdmin | |
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | eq | LogonSuccess | 2 rules | kusto |
| RemoteIPType | ne | Loopback | 2 rules | kusto |
| parent_process_name | eq | wsmprovhost.exe | 1 rule | elastic, kusto, splunk |
| DestinationPort | in | 80 | 1 rule | kusto, splunk |
| EventType | eq | PowerShellCommand | 1 rule | kusto |
| Protocol | eq | NTLM | 1 rule | kusto |
| TargetDomainName | in | PUT YOUR AD DOMAINS HERE! | 1 rule | kusto |
| TargetDomainName | in | contoso | 1 rule | kusto |
| TargetDomainName | in | contoso.local | 1 rule | kusto |
| subnet | is_null | | 1 rule | kusto |
Detection Rules
Kusto
- Password Spraying [medium]: This query detects a password spraying attack, where a single machine has performed a large number of failed login attempts against a large number of different accounts. For each account, the attacker uses just a few attempts to avoid account lockout. The query uses DeviceLogonEvents per machine to detect password spraying attacks. The machine against which the password spraying is performed (a DC, a server, or even an endpoint) needs to be enrolled in Microsoft Defender for Endpoint. (Also matches LogonFailed: Logon failed.)
- Service Accounts Performing Remote PS [high]: The purpose of this detection is to find service accounts that are performing remote PowerShell sessions. There are two phases to the detection: identify service accounts, then find remote PS cmdlets being run by these accounts. To accomplish this, it uses DeviceLogonEvents and DeviceEvents to find cmdlets that meet the criteria. One of the main advantages of this method is that it only requires server telemetry, not telemetry from the attacking client. The first phase relies on DeviceLogonEvents to determine whether an account is a service account or not; consider the following accounts with logons: Random_user has DeviceLogonEvents with type 2, 3, 7, 10, 11 & 13. Random_service_account 'should' only have DeviceLogonEvents with type 3, 4 or 5.
- NTLM Relay Attack: This query searches for successful NTLM network logons where the device name contained in the NTLM authentication message is a device known to MDE, but the source IP address differs from the known source IP address for that specific device. This could indicate an attacker is relaying the NTLM authentication information. To remove false positives, the query also searches for an outgoing network connection from the initiator to the attacker.
- Potentially Relayed NTLM Authentication - Microsoft Defender for Endpoint: The query below detects NTLM logons where the Network Address in the logon event doesn't match the Workstation Name's IP. This indicates potentially relayed NTLM authentication. It analyzes only logons with domain accounts that have admin privileges.
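The password-spraying logic summarised above (one source, many distinct accounts, only a few failures each inside a time window, with a LogonSuccess from the same source flagged as the spray finding a valid password) as an added Kusto query over DeviceLogonEvents; this is an example written for this page, not one of the catalogued rules, and the thresholds, window size and loopback filter are assumptions to tune per tenant.

```kusto
// Added example, not one of the catalogued rules. Thresholds are assumptions; tune per tenant.
let lookback = 1d;
let window = 1h;
let min_accounts = 20;     // distinct accounts one source must fail against inside a window
let max_per_account = 3;   // a spray stays below the lockout threshold, so few failures per account
// Phase 1: sources with low-and-wide failed logons (few attempts per account, many accounts).
let failures =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | where isnotempty(RemoteIP) and RemoteIP !in ("127.0.0.1", "::1")   // drop local loopback noise
    | summarize Attempts = count()
        by DeviceId, RemoteIP, AccountName, WindowStart = bin(Timestamp, window)
    | where Attempts <= max_per_account
    | summarize DistinctAccounts = dcount(AccountName),
                TotalFailures = sum(Attempts),
                SampleAccounts = make_set(AccountName, 10)
        by DeviceId, RemoteIP, WindowStart
    | where DistinctAccounts >= min_accounts;
// Phase 2: successes from the same source in the same window, i.e. the spray found a valid password.
let successes =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | summarize SucceededAccounts = make_set(AccountName, 10)
        by DeviceId, RemoteIP, WindowStart = bin(Timestamp, window);
failures
| join kind=leftouter successes on DeviceId, RemoteIP, WindowStart
| project-away DeviceId1, RemoteIP1, WindowStart1
// No matching success leaves SucceededAccounts null, so the comparison is false and severity stays medium.
| extend Severity = iff(array_length(SucceededAccounts) > 0, "high", "medium")
| order by Severity asc, DistinctAccounts desc
```

The target device must be onboarded to Defender for Endpoint for its logon events to appear in the table, which is the same prerequisite the catalogued rule states.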
References
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicelogonevents/
LogonFailed: Logon failed
Description
Logon failed
Fields
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| LogonType | Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). |
| AccountName | |
| AccountDomain | |
| RemoteIP | |
| FailureReason | |
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| RemoteIPType | ne | Loopback | 1 rule | kusto |
Detection Rules
Kusto
- Password Spraying [medium]: This query detects a password spraying attack, where a single machine has performed a large number of failed login attempts against a large number of different accounts. For each account, the attacker uses just a few attempts to avoid account lockout. The query uses DeviceLogonEvents per machine to detect password spraying attacks. The machine against which the password spraying is performed (a DC, a server, or even an endpoint) needs to be enrolled in Microsoft Defender for Endpoint. (Also matches LogonSuccess: Logon succeeded.)
References
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicelogonevents/
LogonAttempted: Logon attempted (no result yet)
Description
Logon attempted (no result yet)
Fields
| Name | Description |
|---|---|
| DeviceId | |
| Timestamp | |
| LogonType | Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). |
| AccountName | |
| RemoteIP | |
References
- Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table
- xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/devicelogonevents/