Query Details

Visualization Unauthorized Logons By Account

Query

# Unauthorized Logon actions by Domain and Account

### Defender For Endpoint

```
DeviceLogonEvents
| where isnotempty(FailureReason)
| where FailureReason == "UnauthorizedLogonType"
| summarize count() by AccountDomain, AccountName
| sort by count_
| render columnchart with(title="Unauthorized Logon by Domain and Account")
```
### Sentinel
```
DeviceLogonEvents
| where isnotempty(FailureReason)
| where FailureReason == "UnauthorizedLogonType"
| summarize count() by AccountDomain, AccountName
| sort by count_
| render columnchart with(title="Unauthorized Logon by Domain and Account")
```



Explanation

The query returns unauthorized logon failures by domain and account from the DeviceLogonEvents table, which is available both in Defender for Endpoint Advanced Hunting and in Sentinel workspaces that ingest it through the Microsoft 365 Defender connector (which is why the two queries above are identical). It keeps only logon events whose FailureReason is "UnauthorizedLogonType", groups them by AccountDomain and AccountName, and counts the events in each group. `sort by count_` orders the rows in descending order (the KQL default when no direction is given), so the most affected accounts come first, and `render columnchart` plots the result with the title "Unauthorized Logon by Domain and Account".

UnauthorizedLogonType means the credentials were accepted but the account has not been granted the requested logon type on that device, the Windows substatus 0xC000015B (STATUS_LOGON_TYPE_NOT_GRANTED). Typical causes are a "Deny log on locally" or "Deny log on through Remote Desktop Services" user right, or a service account that is only allowed to log on as a service or batch job being used interactively. A high count for a single account on one device is therefore usually a policy or misconfiguration signal, but the same account being denied across many devices can indicate an adversary trying a restricted account for lateral movement, so pivot on DeviceName, LogonType and RemoteIP before dismissing the result.
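As an added example that is not part of the original query, the following KQL pivots the same UnauthorizedLogonType failures by target device, requested logon type and source address, and keeps only accounts that are denied on several distinct devices. The 7-day lookback, the 3-device threshold and the make_set sizes are assumed values to tune for your environment; the column names are the documented DeviceLogonEvents schema.

```kql
// Added example (not the page's original query): which accounts are hitting
// "not granted this logon type" on more than one device, and from where.
// lookback and minDevices are assumed tuning values, not page values.
let lookback = 7d;
let minDevices = 3;
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonFailed"
| where FailureReason == "UnauthorizedLogonType"
| summarize
    Attempts   = count(),
    Devices    = dcount(DeviceId),              // distinct targets per account
    DeviceList = make_set(DeviceName, 10),      // capped to keep rows readable
    LogonTypes = make_set(LogonType, 5),        // e.g. RemoteInteractive vs Service
    SourceIPs  = make_set(RemoteIP, 10),        // empty for local console logons
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp)
    by AccountDomain, AccountName
| where Devices >= minDevices
| sort by Devices desc, Attempts desc
```

Run it in the Advanced Hunting or Sentinel query editor. An account whose LogonTypes is only `Service` or `Batch` on a handful of its own hosts is a misconfigured service account; an account that shows `RemoteInteractive` or `Network` from one or two RemoteIPs against many devices is the pattern worth escalating. To keep the original chart, replace the final `sort` with the `render columnchart` line from the query above.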

Details

Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceLogonEvents
