Anomalous Increase In Unique Device Logon Count Per User

Query

# *Anomalous Increase in Unique Device Logon Count per User*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1078 | Valid Accounts | https://attack.mitre.org/techniques/T1078 |
| T1021 | Remote Services | https://attack.mitre.org/techniques/T1021 |

#### Description

This rule detects potential account compromise or lateral movement by monitoring for significant spikes in the number of unique devices a single user account is logging into. It calculates a rolling baseline of daily device usage per account over the last 30 days and triggers an alert when an account's maximum daily unique device count exceeds its average by more than 5 times, with a minimum threshold of 10 unique devices, excluding known system accounts and infrastructure servers.


#### Author
- **Name:** Benjamin Zulliger
- **Github:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

#### Possible false positives
- A system administrator or a dedicated service account runs a scheduled script, a software deployment patch, or a vulnerability scan across the network.
- Helpdesk escalation or on-call shift support, where one account legitimately connects to many endpoints in a single day.
- IT administrative "jump boxes", from which a single admin account reaches many servers.

## Defender XDR
```KQL
// Definition of exclusions
let ExcludedRegex = @"^(dwm|umfd)-\d+$";
// Note: !in is case-sensitive; use !in~ if AccountName casing varies in your tenant
let StaticExclusions = dynamic(["-", "", "himds", "local service", "iusr", "defaultapppool"]);
let ExcludedServersRegex = @"^(srvA|srvB).*";
// Exclude your DCs
let ExcludedDCsRegex = @"^(dce|dca).*";
// Exclude your AzADConnectServers
let ExcludedAzADConnect = @"^AzAD[rn]{2}v13[0156].*";
//
DeviceLogonEvents
// TimeGenerated is the Sentinel column name; the native Defender XDR schema calls it Timestamp
| where TimeGenerated > ago(30d)
// Filter out excluded accounts
| where AccountName !in (StaticExclusions)
| where not(AccountName matches regex ExcludedRegex)
// Filter out devices (separate lines act as strict AND logic)
| where not(DeviceName matches regex ExcludedServersRegex)
| where not(DeviceName matches regex ExcludedDCsRegex)
| where not(DeviceName matches regex ExcludedAzADConnect)
// Track daily machine count and names per account
| summarize DailyCount = dcount(DeviceName), DailyDevices = make_set(DeviceName) by AccountName, bin(TimeGenerated, 1d)
// Calculate baseline and aggregate all distinct Devices seen over the month
| summarize
	AvgDailyDevices = avg(DailyCount),
	MaxDailyDevices = max(DailyCount),
	DaysActive = dcount(bin(TimeGenerated, 1d)),
	DeviceList = make_set(DailyDevices)
	by AccountName
// Filter for critical deviations (Spikes); coarse pre-filter, the SpikeFactor > 5 test below is the effective threshold
| where MaxDailyDevices >= AvgDailyDevices * 2.5 and MaxDailyDevices > 10
| extend SpikeFactor = round(tolong(MaxDailyDevices) / AvgDailyDevices, 2)
| where SpikeFactor > 5
| sort by SpikeFactor desc
```

Explanation

This query is designed to detect unusual activity that might indicate a compromised user account or unauthorized lateral movement within a network. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies significant increases in the number of unique devices that a user account logs into, which could suggest suspicious activity.

  2. Baseline Calculation: The query looks at the past 30 days of logon data to establish a normal pattern of device usage for each user account.

  3. Exclusions: Certain accounts and devices are excluded from analysis to avoid false positives. These include known system accounts, infrastructure servers, domain controllers, and Azure AD Connect servers.

  4. Anomaly Detection: The query calculates the average and maximum number of unique devices a user logs into daily. It flags accounts where the maximum daily device count is more than five times the average and exceeds 10 devices.

  5. Output: The results are sorted by the severity of the anomaly, with the most significant deviations listed first.

  6. False Positives: Legitimate activities, such as administrative tasks or scheduled scripts, can trigger this rule; see the possible false positives listed above.

Overall, this query helps security teams identify potential security incidents by highlighting unusual patterns in user logon behavior.
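As an added example (not the author's query), the variant below keeps the same 30-day baseline and thresholds but uses `arg_max()` so the result also names the day on which the spike occurred and the devices logged on to that day, which the month-wide `DeviceList` of the original cannot show. It assumes the same table and column names as the rule above, with `TimeGenerated` being the Sentinel name of the Defender XDR `Timestamp` column.

```kql
// Added example, not part of the original rule: same baseline, plus the spike day and its devices.
// Assumes the Sentinel column name TimeGenerated (Timestamp in the native Defender XDR schema).
let StaticExclusions = dynamic(["-", "", "himds", "local service", "iusr", "defaultapppool"]);
let ExcludedRegex = @"^(dwm|umfd)-\d+$";
DeviceLogonEvents
| where TimeGenerated > ago(30d)
| where AccountName !in (StaticExclusions)
| where not(AccountName matches regex ExcludedRegex)
// One row per account and day, with the distinct devices of that day
| summarize DailyCount = dcount(DeviceName), DailyDevices = make_set(DeviceName)
    by AccountName, Day = bin(TimeGenerated, 1d)
// Baseline per account; arg_max returns the busiest day's DailyCount together with its Day and DailyDevices
| summarize
    AvgDailyDevices = avg(DailyCount),
    DaysActive = count(),
    arg_max(DailyCount, Day, DailyDevices)
    by AccountName
// Same thresholds as the rule: more than 10 devices and more than 5x the daily average
| where DailyCount > 10
| extend SpikeFactor = round(DailyCount / AvgDailyDevices, 2)
| where SpikeFactor > 5
| project AccountName, SpikeDay = Day, MaxDailyDevices = DailyCount, AvgDailyDevices,
    DaysActive, SpikeFactor, SpikeDayDevices = DailyDevices
| sort by SpikeFactor desc
```

The `SpikeDayDevices` column is the list a triage analyst needs first: compare it against the account's usual hosts to decide whether the spike is a deployment job or lateral movement.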

Details

Benjamin Zulliger

Released: July 1, 2026

Tables

DeviceLogonEvents
