Query Details

Unauthorized Logon actions by Domain and Account

Visualization Unauthorized Logons By Account

Query

DeviceLogonEvents
| where isnotempty(FailureReason)
| where FailureReason == "UnauthorizedLogonType"
| summarize count() by AccountDomain, AccountName
| sort by count_
| render columnchart with(title="Unauthorized Logon by Domain and Account")

About this query

Unauthorized Logon actions by Domain and Account

Defender XDR

Sentinel

DeviceLogonEvents
| where isnotempty(FailureReason)
| where FailureReason == "UnauthorizedLogonType"
| summarize count() by AccountDomain, AccountName
| sort by count_
| render columnchart with(title="Unauthorized Logon by Domain and Account")

Explanation

This query is designed to identify and visualize unauthorized logon attempts across different domains and accounts. Here's a simple breakdown of what it does:

  1. Data Source: It uses the DeviceLogonEvents table, which contains records of logon events.

  2. Filter for Unauthorized Logons: The query filters the data to only include events where there is a failure reason specified (isnotempty(FailureReason)) and the failure reason is specifically "UnauthorizedLogonType".

  3. Count Unauthorized Attempts: It then counts the number of unauthorized logon attempts for each combination of account domain and account name.

  4. Sort the Results: The results are sorted in ascending order based on the count of unauthorized logon attempts.

  5. Visualize the Data: Finally, the query generates a column chart to visually represent the number of unauthorized logon attempts by domain and account, with the chart titled "Unauthorized Logon by Domain and Account".

Both the Defender XDR and Sentinel queries perform the same operations and produce the same output.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceLogonEvents

Keywords

DeviceLogonEventsFailureReasonAccountDomainAccountName

Operators

whereisnotemptysummarizebysortrenderwith

Actions

GitHub