Query Details

Noise Logon Events

Query

// SecurityEvent - Logon Noise Analysis (EventID 4624/4625)
// Successful and failed logon events are typically the #2 cost driver.
// Identifies noisy logon types, accounts, and machines that can be
// filtered via DCR transform or reduced via GPO audit policy.
// =====================================================================

let _Window = 7d;
// --- Part 1: Logon Type Breakdown ---
let _LogonTypeBreakdown =
    SecurityEvent
    | where TimeGenerated > ago(_Window)
    | where EventID in (4624, 4625)
    | extend LogonTypeName = case(
        LogonType == 2, "Interactive",
        LogonType == 3, "Network",
        LogonType == 4, "Batch",
        LogonType == 5, "Service",
        LogonType == 7, "Unlock",
        LogonType == 8, "NetworkCleartext",
        LogonType == 9, "NewCredentials",
        LogonType == 10, "RemoteInteractive",
        LogonType == 11, "CachedInteractive",
        strcat("Type ", tostring(LogonType))
    )
    | summarize 
        EventCount = count(),
        DistinctAccounts = dcount(TargetAccount),
        DistinctComputers = dcount(Computer),
        FailedCount = countif(EventID == 4625),
        SuccessCount = countif(EventID == 4624)
        by LogonType, LogonTypeName
    | extend PctOfTotal = round(toreal(EventCount) * 100.0 / toscalar(
        SecurityEvent | where TimeGenerated > ago(_Window) | where EventID in (4624, 4625) | count
    ), 1)
    | extend FilterAction = case(
        LogonType == 3 and PctOfTotal > 40, "FILTER: Network logons dominate - Filter machine-to-machine via DCR",
        LogonType == 5 and PctOfTotal > 20, "FILTER: Service logons noisy - Filter known service accounts",
        LogonType == 7 and PctOfTotal > 10, "FILTER: Unlock events low-value - Strong DCR exclude candidate",
        LogonType == 4 and PctOfTotal > 10, "FILTER: Batch logons - Review if needed, often low-value",
        "KEEP"
    );
// --- Part 2: Noisiest Accounts ---
let _NoisyAccounts =
    SecurityEvent
    | where TimeGenerated > ago(_Window)
    | where EventID in (4624, 4625)
    | summarize EventCount = count() by TargetAccount
    | top 20 by EventCount desc
    | extend 
        AccountType = case(
            // Machine accounts end in "$". Use endswith rather than has:
            // has matches whole alphanumeric terms and never a bare "$".
            TargetAccount endswith "$", "Machine Account",
            TargetAccount has_any ("svc", "service", "scan", "monitor", "backup", "ndes"), "Likely Service Account",
            "User Account"
        ),
        FilterAction = case(
            TargetAccount endswith "$", "FILTER: Machine account - Typically redundant, filter in DCR",
            // Same term list as AccountType so the two columns agree for every row
            TargetAccount has_any ("svc", "service", "scan", "monitor", "backup", "ndes"), "REVIEW: Service account - Often noisy, low detection value",
            "KEEP: User account - Review individually"
        );
// Output both parts
_LogonTypeBreakdown
| project Section = "LOGON_TYPE", Name = LogonTypeName, EventCount, PctOfTotal, Detail = strcat("Success: ", SuccessCount, " | Failed: ", FailedCount), FilterAction
| union (
    _NoisyAccounts
    | project Section = "NOISY_ACCOUNT", Name = TargetAccount, EventCount, PctOfTotal = 0.0, Detail = AccountType, FilterAction
)
| order by Section asc, EventCount desc

Explanation

This query analyzes security log data to identify patterns in logon events, focusing on both the types of logons and the accounts involved. Here's a simple breakdown:

  1. Time Frame: The analysis looks at logon events from the past 7 days.

  2. Logon Type Breakdown:

    • It examines successful (EventID 4624) and failed (EventID 4625) logon events.
    • Each logon event is categorized by type (e.g., Interactive, Network, Service).
    • For each logon type, it calculates:
      • Total number of events.
      • Number of distinct accounts and computers involved.
      • Counts of successful and failed logons.
      • Percentage of total logon events that each type represents.
    • Based on the percentage, it suggests actions:
      • Flagging Network, Service, Unlock, and Batch logons as DCR filter candidates when they exceed a set share of all logon events (40%, 20%, 10%, and 10% respectively); every other type is marked KEEP.

  3. Noisiest Accounts:

    • Identifies the top 20 accounts with the most logon events.
    • Classifies each account as a machine account (name ending in "$"), likely service account (name containing a term such as "svc" or "service"), or user account.
    • Provides recommendations:
      • Filtering machine accounts in the DCR.
      • Reviewing service accounts due to potential noise.
      • Keeping user accounts for individual review.

  4. Output:

    • Combines results from both analyses.
    • Displays logon type details and noisy account information.
    • Orders the output by section and event count for easy review.

Overall, the query helps in identifying and managing logon noise by suggesting filtering strategies to reduce unnecessary data processing and improve audit efficiency.
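Before any of the suggested filters is put into a DCR, it is worth measuring what they would actually remove. The query below is an added example, not part of the original query or the author's site: it dry-runs one candidate filter (drop successful Unlock logons and successful machine-account logons, keep every 4625 failure and every non-logon event) over the same 7-day window and reports the share of SecurityEvent volume it would cut. The chosen exclusions and the `_IsDroppedNoise` helper are assumptions to tune from the analysis output; `source` is the standard name of the incoming stream in an Azure Monitor DCR transformation.

```kusto
// Added example (not the original query): estimate, before touching a DCR,
// how much SecurityEvent volume a candidate noise filter would remove.
// Assumed filter, to be tuned from the analysis output: drop successful (4624)
// Unlock logons and successful machine-account logons. Failures (4625) and
// non-logon events are always kept so failed-logon detections keep their data.
let _Window = 7d;
let _IsDroppedNoise = (EventID:int, LogonType:int, TargetAccount:string) {
    EventID == 4624
    and (LogonType == 7
         // machine accounts end in "$"; has cannot match a bare "$", endswith can
         or TargetAccount endswith "$")
};
SecurityEvent
| where TimeGenerated > ago(_Window)
| extend Dropped = _IsDroppedNoise(EventID, LogonType, TargetAccount)
| summarize
    TotalEvents = count(),
    DroppedEvents = countif(Dropped),
    DroppedUnlock = countif(Dropped and LogonType == 7),
    DroppedMachineAccounts = countif(Dropped and TargetAccount endswith "$"),
    KeptFailures = countif(EventID == 4625)
| extend PctRemoved = round(toreal(DroppedEvents) * 100.0 / TotalEvents, 1)
// Equivalent DCR transformation once the numbers look acceptable
// (in a transformation the incoming stream is always named "source"):
// source
// | where not(EventID == 4624 and (LogonType == 7 or TargetAccount endswith "$"))
```

Compare DroppedEvents against the FILTER rows of the analysis query: if the two disagree, the predicate in the transformation does not match what the breakdown flagged.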

Details


David Alonso

Released: April 8, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, LogonType, TargetAccount, Computer, EventID, TimeGenerated

Operators

let, where, in, extend, case, summarize, count, dcount, countif, by, round, toreal, toscalar, ago, top, desc, has, has_any, project, strcat, union, order by
