Unauthorized Logon actions by Domain and Account
Visualization Unauthorized Logons By Account
Query
DeviceLogonEvents
| where isnotempty(FailureReason)
| where FailureReason == "UnauthorizedLogonType"
| summarize count() by AccountDomain, AccountName
| sort by count_
| render columnchart with(title="Unauthorized Logon by Domain and Account")About this query
Unauthorized Logon actions by Domain and Account
Defender XDR
Sentinel
DeviceLogonEvents
| where isnotempty(FailureReason)
| where FailureReason == "UnauthorizedLogonType"
| summarize count() by AccountDomain, AccountName
| sort by count_
| render columnchart with(title="Unauthorized Logon by Domain and Account")
Explanation
This query is designed to identify and visualize unauthorized logon attempts across different domains and accounts. Here's a simple breakdown of what it does:
-
Data Source: It uses the
DeviceLogonEventstable, which contains records of logon events. -
Filter for Unauthorized Logons: The query filters the data to only include events where there is a failure reason specified (
isnotempty(FailureReason)) and the failure reason is specifically "UnauthorizedLogonType". -
Count Unauthorized Attempts: It then counts the number of unauthorized logon attempts for each combination of account domain and account name.
-
Sort the Results: The results are sorted in ascending order based on the count of unauthorized logon attempts.
-
Visualize the Data: Finally, the query generates a column chart to visually represent the number of unauthorized logon attempts by domain and account, with the chart titled "Unauthorized Logon by Domain and Account".
Both the Defender XDR and Sentinel queries perform the same operations and produce the same output.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators