NTLM Network Logon To Critical Device
Query
let NetworkLogons = DeviceLogonEvents
| where Timestamp > ago(4h)
| where LogonType == "Network"
| where Protocol == "NTLM"
| extend ShortDeviceName = toupper(split(DeviceName, ".")[0]);
NetworkLogons
| join kind=inner ( ExposureGraphNodes
| where Categories has "device"
| where isnotnull(NodeProperties.rawData.criticalityLevel)
| extend ShortNodeName = toupper(split(NodeName, ".")[0])
| extend TargetCriticalityScore = toint(NodeProperties.rawData.criticalityLevel.criticalityLevel)
| extend TargetCriticalityRule = tostring(NodeProperties.rawData.criticalityLevel.ruleName)
| project ShortNodeName, TargetCriticalityScore, TargetCriticalityRule
) on $left.ShortDeviceName == $right.ShortNodeName
| where TargetCriticalityScore >= 3About this query
NTLM Network Logon to Critical Device
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1078 | Valid Accounts | https://attack.mitre.org/techniques/T1078 |
Description
This rule detects NTLM network logon events to devices identified as critical (criticality score >= 3). This could indicate an adversary attempting to move laterally or access sensitive systems using NTLM authentication, which is generally less secure than Kerberos.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
Defender XDR
Explanation
This query is designed to detect potentially suspicious network logon events using NTLM authentication on critical devices. Here's a simple breakdown of what the query does:
-
Data Source: It starts by looking at logon events from devices, specifically focusing on events from the last 4 hours.
-
Filter Criteria:
- It filters these events to only include those where the logon type is "Network" and the authentication protocol used is "NTLM".
- It extracts the short name of the device by taking the part of the device name before the first period and converting it to uppercase.
-
Join with Critical Devices:
- The query then joins this filtered logon data with another dataset that contains information about devices, specifically those marked as critical.
- It checks if the device name from the logon events matches the device name in the critical devices list.
-
Criticality Check:
- It further filters the results to only include devices that have a criticality score of 3 or higher, indicating they are considered critical.
The purpose of this query is to identify NTLM network logons to critical devices, which could suggest an adversary is trying to move laterally or access sensitive systems using a less secure authentication method.
Details

Benjamin Zulliger
Released: May 27, 2026
Tables
Keywords
Operators
MITRE Techniques