Paul_Brock
Brass Contributor
Jan 24, 2025
Solved

DeviceLogonEvents "LogonSuccess", "LogoffSuccess", "ScreenLock", "ScreenUnlock"

I'm trying to get "LogonSuccess", "LogoffSuccess", "ScreenLock", "ScreenUnlock" from the DeviceLogonEvents table, but I am only seeing LogonSuccess. I'm wondering if I need to configure something in my tenant for those events to show up in the DeviceLogonEvents table. I have both event IDs 8400 and 8401 showing in the local security event log.

3 Replies

  • Clive_Watson
    Bronze Contributor

    I don't recall a limit for this. Did you look far enough back?

    // Daily count of each ActionType over the last 30 days, charted per ActionType
    DeviceLogonEvents
    | make-series count() default=0 on Timestamp from ago(30d) to now() step 1d by ActionType
    | render areachart

    • Paul_Brock
      Brass Contributor

      The only action types I am finding with any device in the log are LogonAttempted, LogonFailed, LogonFailedAggregratedReport, LogonSuccess, LogonSuccessAggregratedReport. There are no other action types in the log. I feel like it must be an Intune or MDE policy issue where we are excluding the other action types by accident. 

      • Paul_Brock
        Brass Contributor

        It looks like these action types are not available in Defender XDR with the standard implementation. 