Kyrouz
Oct 08, 2021, Copper Contributor
DeviceLogon events don't capture RDP connections (?!?!)
I create a custom detection that starts like this:
DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where DeviceName has_any (Array of the backup servers)
| where not(AccountName has_any (Array of the expected accounts))
...with the idea of catching an unexpected account successfully logging into backup servers (through compromise/privilege escalation).
Should work, right? But upon testing, I've come to realize that RDP logons don't register in the DeviceLogonEvents table. Is that by design?? Could Microsoft fix this?
- I will take a guess here, but it seems like I saw once where a customer had their audit policy overriding the items that Defender turns on. Try running this from an elevated command prompt and ensure the logon successes and failures are enabled:
auditpol /get /category:*
If this looks OK, I recommend opening a case with our support team.
Jake
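Jake's check, turned into a script that reports the result per subcategory: this is an added example, not code from the thread or from Microsoft. It assumes that the Logon/Logoff subcategories listed in `$subcategories` are the ones Defender depends on for DeviceLogonEvents (an assumption for this example), and it relies on the documented `/r` switch of auditpol, which prints the settings as CSV. Run it from an elevated PowerShell prompt on the backup server in question.

```powershell
# Added example (not from the thread): verify that the Logon/Logoff audit
# subcategories are recording both successes and failures, i.e. that no
# GPO or local audit policy is overriding what Defender turns on.
# Run from an elevated PowerShell prompt.

# Subcategories to verify. Assumption for this example: these are the
# Logon/Logoff subcategories that feed successful/failed logon telemetry.
$subcategories = @(
    'Logon',
    'Logoff',
    'Account Lockout',
    'Special Logon',
    'Other Logon/Logoff Events'
)

function Get-LogonAuditSettings {
    param([string[]]$Subcategory)
    foreach ($s in $Subcategory) {
        # auditpol /r prints CSV with the columns:
        # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        # Blank lines are dropped so ConvertFrom-Csv sees the header first.
        $rows = (& auditpol.exe /get /subcategory:"$s" /r) |
            Where-Object { $_ -match '\S' } |
            ConvertFrom-Csv
        foreach ($row in $rows) {
            [pscustomobject]@{
                Subcategory = $row.Subcategory
                Setting     = $row.'Inclusion Setting'
                # Defender's logon telemetry needs both outcomes audited.
                Ok          = ($row.'Inclusion Setting' -eq 'Success and Failure')
            }
        }
    }
}

$results = Get-LogonAuditSettings -Subcategory $subcategories
$results | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.Ok }
if ($missing) {
    Write-Warning ("Not set to 'Success and Failure': " + ($missing.Subcategory -join ', '))
    Write-Warning "Compare against the full policy with: auditpol /get /category:*"
} else {
    Write-Host "Logon/Logoff auditing records successes and failures on this host."
}
```

If a subcategory shows "No Auditing" or only "Success", look for the Group Policy object that sets Advanced Audit Policy Configuration for these servers before opening a support case, since that is the override Jake describes.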