
# Active Directory - User last logon

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1110.003 | Credential Access: Brute Force: Password Spraying | https://attack.mitre.org/techniques/T1110/003/ |

### Description

Use the query below to identify the last successful logon of each user account in Active Directory. Accounts with no logon activity in the lookback period are candidates for review or disablement, depending on your company policy. Note that advanced hunting in Microsoft Defender XDR retains 30 days of raw event data, so the lookback period cannot exceed 30 days unless the tables are exported to longer-term storage (for example, Microsoft Sentinel), and an account is only seen as logging on if the logon was observed by a Defender for Identity sensor.

### Microsoft Defender XDR

```kql
// Accounts with no successful Active Directory logon in the lookback period.
// Advanced hunting retains 30 days of raw events, so LookbackPeriod cannot
// usefully exceed 30d unless the data is exported to longer-term storage.
let LookbackPeriod = 30d;
IdentityInfo
// Accounts without an Entra object ID (on-premises-only identities) would all
// collapse into a single row below and match each other in the join; exclude them.
| where isnotempty(AccountObjectId)
// Keep only the latest directory snapshot per account.
| summarize arg_max(Timestamp, *) by AccountObjectId
| join kind=leftouter (
    IdentityLogonEvents
    | where Timestamp > ago(LookbackPeriod)
    | where Application == @"Active Directory"
    // Filter on success BEFORE summarizing: a recent failed logon must not
    // hide an earlier successful one and falsely mark the account as NoLogon.
    | where ActionType == @"LogonSuccess"
    | where isnotempty(AccountObjectId)
    | summarize LastLogonTime = max(Timestamp) by AccountObjectId)
    on AccountObjectId
// LastLogonTime is a datetime, so a missing join match shows up as null.
| extend NoLogon = iff(isnull(LastLogonTime), "True", "False")
| project
    AccountName,
    AccountDomain,
    AccountObjectId,
    LastLogonTime,
    Type,
    DistinguishedName,
    IsAccountEnabled,
    CreatedDateTime,
    NoLogon
| where NoLogon == "True"
```

## Explanation

This query is designed to identify user accounts in Active Directory that have not logged on within a specified period. Here's a simplified breakdown of what the query does:

  1. Data Collection: It starts by collecting information about user accounts from the IdentityInfo table, focusing on the most recent data for each account (arg_max function).

  2. Logon Activity: It then looks for successful logon events specifically related to Active Directory from the IdentityLogonEvents table within the lookback period, keeping the most recent successful logon for each account. Filtering on successful logons before taking the most recent event matters: otherwise an account whose latest event was a failed logon would be reported as having no logon at all.

  3. Join Data: The query joins the user account information with the logon events data, matching them based on the account's unique identifier (AccountObjectId).

  4. Determine Logon Status: It checks if there is a recorded logon event for each account. If no logon event is found, it marks the account as having "NoLogon" (i.e., no logon activity).

  5. Filter Results: Finally, it filters the results to show only those accounts that have not logged on ("NoLogon" is "True").

  6. Output: The output includes details such as the account name, domain, object ID, last logon time, account type, distinguished name, whether the account is enabled, and the account creation date.

This query is useful for identifying potentially inactive accounts that may need to be reviewed or disabled according to company policy. Dormant but enabled accounts are attractive targets for password spraying (T1110.003), because their owners are not around to notice failed or unexpected logons. Before disabling anything, remember that "no logon" here means no successful Active Directory logon observed by Defender for Identity within the lookback period (at most the 30 days advanced hunting retains); verify the candidates against the directory's own last-logon attributes if your policy requires a longer inactivity window.
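The query above only returns accounts with no logon at all. As an added example (not part of the original page), the following variant reports the last successful Active Directory logon and the number of days since it for every enabled account, so stale-but-not-silent accounts are visible too. The names `LastAdLogon`, `StaleAfterDays`, `DaysSinceLastLogon` and `Status` are my own, and the 14-day staleness threshold is an assumed value to be adjusted to your policy.

```kql
// Added example: last successful AD logon per enabled account, with days since.
// LookbackPeriod is bounded by the 30-day advanced hunting retention.
// StaleAfterDays is an assumed threshold; set it to your company policy.
let LookbackPeriod = 30d;
let StaleAfterDays = 14;
// Most recent successful AD logon (and how many were seen) per account.
let LastAdLogon = IdentityLogonEvents
    | where Timestamp > ago(LookbackPeriod)
    | where Application == @"Active Directory" and ActionType == @"LogonSuccess"
    | where isnotempty(AccountObjectId)
    | summarize LastLogonTime = max(Timestamp), LogonCount = count() by AccountObjectId;
IdentityInfo
| where isnotempty(AccountObjectId)
| summarize arg_max(Timestamp, *) by AccountObjectId
// Disabled accounts cannot log on; only enabled ones are of interest here.
| where IsAccountEnabled == true
| join kind=leftouter LastAdLogon on AccountObjectId
// Null when the account had no successful logon in the lookback period.
| extend DaysSinceLastLogon = datetime_diff("day", now(), LastLogonTime)
| extend Status = case(
    isnull(LastLogonTime), "NoLogonInLookback",
    DaysSinceLastLogon >= StaleAfterDays, "Stale",
    "Active")
| project
    AccountName,
    AccountDomain,
    AccountObjectId,
    Type,
    DistinguishedName,
    CreatedDateTime,
    LastLogonTime,
    DaysSinceLastLogon,
    LogonCount,
    Status
| order by Status asc, DaysSinceLastLogon desc
```

Accounts created inside the lookback period that have never logged on will also land in `NoLogonInLookback`; compare `CreatedDateTime` against `LastLogonTime` before treating them as dormant.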

## Details

Alex Verboon

Released: August 29, 2025

Tables: IdentityInfo, IdentityLogonEvents

Keywords: ActiveDirectory, UserAccount, LogonActivity

Operators: summarize, arg_max, join, kind=leftouter, where, extend, iff, isempty, project