Event ID 9003001 — Logon succeeded

Provider: Defender-DeviceLogonEvents
Channel: LogonSuccess

Description

Logon succeeded

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`LogonType`	—
`AccountName`	—
`AccountDomain`	—
`RemoteIP`	—
`RemotePort`	—
`IsLocalAdmin`	—

Detection Patterns #

Credential Access: Password Spraying

Defender-DeviceLogonEvents Event ID 9003001: Logon succeededANDEvent ID 9003002: Logon failedANDSecurity-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 4625: An account failed to log on.

7 rules

Elastic

Multiple Logon Failure Followed by Logon Success (source)

Elastic

Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

Kusto Query Language

Password Spraying (source)

Brute force attack against user credentials (Uses Authentication Normalization) (source)

Ofer Shezaf

Potential Password Spray Attack (Uses Authentication Normalization) (source)

Ofer Shezaf

Show 1 more (4 total)

SecurityEvent - Multiple authentication failures followed by a success (source)

Lateral Movement: Exploitation of Remote Services

Defender-DeviceLogonEvents Event ID 9003001: Logon succeeded→Security-Auditing Event ID 4624: An account was successfully logged on.

1 rule

Kusto Query Language

Service Accounts Performing Remote PS (source)

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table