Forum Discussion

Paul_Brock's avatar
Paul_Brock
Brass Contributor
Jan 24, 2025
Solved

DeviceLogonEvents "LogonSuccess", "LogoffSuccess", "ScreenLock", "ScreenUnlock"

I'm trying to get "LogonSuccess", "LogoffSuccess", "ScreenLock", "ScreenUnlock" from the DeviceLogonEvent table but I am only seeing LogonSuccess. I'm wondering if I need to configure something in my...
microsoft defender for endpoint
microsoft sentinel
  • Paul_Brock's avatar
    Paul_Brock
    Jan 24, 2025

    It looks like these action types are not available in Defender XDR with the standard implementation. 

Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Jan 24, 2025

I don't recall a limit for this, did you look far enough back?

DeviceLogonEvents

| make-series count() default =0 on Timestamp from ago(30d) to now() step 1d by ActionType

| render areachart

  • Paul_Brock's avatar
    Paul_Brock
    Brass Contributor
    Jan 24, 2025

    The only action types I am finding with any device in the log are LogonAttempted, LogonFailed, LogonFailedAggregratedReport, LogonSuccess, LogonSuccessAggregratedReport. There are no other action types in the log. I feel like it must be an Intune or MDE policy issue where we are excluding the other action types by accident. 

    • Paul_Brock's avatar
      Paul_Brock
      Brass Contributor
      Jan 24, 2025

      It looks like these action types are not available in Defender XDR with the standard implementation. 

Resources