Query Details

Device Summarize Local Logon Activity

Query

//Summarize the local (non-domain) logon activity on your devices, covering both successful and failed logons. Users signing in with a local account may be doing so to sidestep domain security policy

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceLogonEvents
| where TimeGenerated > ago(30d)
//Find logons where AccountDomain == DeviceName indicating a local logon
| where AccountDomain == DeviceName
| where AdditionalFields.IsLocalLogon == true
| where LogonType == "Interactive"
| where RemoteIPType != "Loopback"
| summarize
    ['Count of successful local logon attempts']=countif(ActionType == "LogonSuccess"),
    ['Distinct count of successful local logon attempts']=dcountif(AccountName, ActionType == "LogonSuccess"),
    ['List of successful local account logons']=make_set_if(AccountName, ActionType == "LogonSuccess"),
    ['Count of failed local logon attempts']=countif(ActionType == "LogonFailed"),
    ['Distinct count of failed local logon attempts']=dcountif(AccountName, ActionType == "LogonFailed"),
    ['List of failed local account logons']=make_set_if(AccountName, ActionType == "LogonFailed")
    by DeviceName
| project-reorder
    DeviceName,
    ['Count of successful local logon attempts'],
    ['Distinct count of successful local logon attempts'],
    ['List of successful local account logons'],
    ['Count of failed local logon attempts'],
    ['Distinct count of failed local logon attempts'],
    ['List of failed local account logons']

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceLogonEvents
| where Timestamp > ago(30d)
| where AccountDomain == DeviceName
| where LogonType == "Interactive"
| where RemoteIPType != "Loopback"
| summarize
    ['Count of successful local logon attempts']=countif(ActionType == "LogonSuccess"),
    ['Distinct count of successful local logon attempts']=dcountif(AccountName, ActionType == "LogonSuccess"),
    ['List of successful local account logons']=make_set_if(AccountName, ActionType == "LogonSuccess"),
    ['Count of failed local logon attempts']=countif(ActionType == "LogonFailed"),
    ['Distinct count of failed local logon attempts']=dcountif(AccountName, ActionType == "LogonFailed"),
    ['List of failed local account logons']=make_set_if(AccountName, ActionType == "LogonFailed")
    by DeviceName
| project-reorder
    DeviceName,
    ['Count of successful local logon attempts'],
    ['Distinct count of successful local logon attempts'],
    ['List of successful local account logons'],
    ['Count of failed local logon attempts'],
    ['Distinct count of failed local logon attempts'],
    ['List of failed local account logons']

Explanation

This query summarizes 30 days of local (non-domain) logon activity per device, counting both successful and failed logons. A logon is treated as local when the account domain equals the device name, which is the shape a local account takes (the computer itself is the account's "domain"); the Microsoft Sentinel version additionally checks the IsLocalLogon flag in AdditionalFields, which is a dynamic column in Sentinel but a JSON string in Advanced Hunting, where it would need todynamic() before it can be compared. The query keeps only interactive logons and drops loopback remote addresses, then summarizes by device: the number of successful and failed attempts, the number of distinct account names behind each, and the account names themselves. Two practical caveats: == is case-sensitive in KQL, and DeviceName in this table is commonly the fully qualified name of the device, so on a device whose local-account AccountDomain is the short hostname the equality filter will not match; in that case the IsLocalLogon field, or a comparison against the hostname portion of DeviceName, is the more reliable signal. A device showing many failed local logons with few or no successes is worth investigating as possible password guessing against a local account, and any device with successful local logons by a non-administrator account is worth checking against your policy on local account use.
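The following is an added example, not part of the original query above, showing one way to make the local-account test tolerant of FQDN device names and case differences and to turn the full inventory into a review list of devices with failed local logons. It assumes the Microsoft Sentinel DeviceLogonEvents schema (AdditionalFields is dynamic, timestamps in TimeGenerated); the failed-logon threshold of 5 is an arbitrary starting value to tune for your environment.

```kql
// Added example (not the original page's query): same 30-day local logon summary,
// with a more tolerant local-account test and a failed-logon review filter.
// Assumption: Sentinel schema, where AdditionalFields is a dynamic column.
let lookback = 30d;
let failed_threshold = 5;   // assumed starting threshold; tune per environment
DeviceLogonEvents
| where TimeGenerated > ago(lookback)
| where LogonType == "Interactive"
| where RemoteIPType != "Loopback"
// Hostname portion of DeviceName, so "host.contoso.com" compares equal to an AccountDomain of "host"
| extend HostName = tostring(split(DeviceName, ".")[0])
// Treat the logon as local if the platform flags it, or if the account domain is the host itself
// (=~ is case-insensitive, == is not)
| where AdditionalFields.IsLocalLogon == true or AccountDomain =~ HostName
| summarize
    SuccessCount = countif(ActionType == "LogonSuccess"),
    SuccessAccounts = make_set_if(AccountName, ActionType == "LogonSuccess"),
    FailedCount = countif(ActionType == "LogonFailed"),
    FailedAccounts = make_set_if(AccountName, ActionType == "LogonFailed"),
    // Distinct source addresses behind the failures: many sources against one local account
    // looks different from one workstation user mistyping a password
    FailedSourceIPs = make_set_if(RemoteIP, ActionType == "LogonFailed" and isnotempty(RemoteIP)),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by DeviceName
// Keep devices that crossed the failure threshold; those with zero successes are the most suspicious
| where FailedCount >= failed_threshold
| extend NoSuccessfulLocalLogon = SuccessCount == 0
| order by NoSuccessfulLocalLogon desc, FailedCount desc
```

Run it as-is to get the review list, or drop the last three lines to keep the full per-device inventory in the shape of the original query; the HostName comparison is the part worth carrying back into the original if your results come back empty on domain-joined devices.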

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceLogonEvents

Keywords

DeviceLogonEvents,TimeGenerated,AccountDomain,DeviceName,AdditionalFields.IsLocalLogon,LogonType,RemoteIPType,ActionType,AccountName,Timestamp

Operators

where, >, ago(), ==, !=, summarize, countif(), dcountif(), make_set_if(), by, project-reorder, |
