cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

DeviceLogon events doesn't capture RDP connections (?!?!)

Kyrouz
Copper Contributor

‎Oct 08 2021 11:28 AM

‎Oct 08 2021 11:28 AM

DeviceLogon events doesn't capture RDP connections (?!?!)

I create a custom detection that starts like this:

 

DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where DeviceName has_any (Array of the backup servers)

| where not(AccountName has_any (Array of the expected accounts))

 

...with the idea of catching an unexpected account successfully logging into backup servers (through compromise/privelege escalation).

 

Should work, right?  But upon testing, I've come to realize that RDP logons don't register in the DeviceLogonEvents table.  Is that by design??  Could Microsoft fix this?

 

 

1,708 Views
0 Likes
4 Replies
Reply
4 Replies
Jake_Mowrer

‎Oct 12 2021 08:14 PM - edited ‎Oct 13 2021 10:38 AM

‎Oct 12 2021 08:14 PM - edited ‎Oct 13 2021 10:38 AM

Re: DeviceLogon events doesn't capture RDP connections (?!?!)

We do capture RDP logons, check the LogonType field for RemoteInteractive in the DeviceLogonEvents table. Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicelogonevents-...

Thanks,
Jake

0 Likes
Reply
Kyrouz

‎Oct 13 2021 06:47 AM

‎Oct 13 2021 06:47 AM

Re: DeviceLogon events doesn't capture RDP connections (?!?!)

Are there circumstances where RemoteInteractive logons aren't captured? I have a Server 2019 (Version 1809 Build 17763) host where I've personally done successful RDP logons, but I can search across the last month of logon events a la

DeviceLogonEvents
| where DeviceName contains "hostname"
| summarize by LogonType

Only two logon types are returned. "Network" and "Unknown". For the record, the "Unknowns" are relatively few and do not include my own RDP logons.
0 Likes
Reply
best response confirmed by Kyrouz (Copper Contributor)
Jake_Mowrer

‎Oct 13 2021 10:52 AM

‎Oct 13 2021 10:52 AM

Solution

Re: DeviceLogon events doesn't capture RDP connections (?!?!)

I will take a guess here, but it seems like I saw once where a customer had their audit policy overriding the items that Defender turns on. Try running this from an elevated command prompt and ensure the logon successes and failures are enabled:
auditpol /get /category:*

If this looks OK, I recommend opening case with our support team.

Jake
0 Likes
Reply
Kyrouz

‎Oct 14 2021 06:43 AM

‎Oct 14 2021 06:43 AM

Re: DeviceLogon events doesn't capture RDP connections (?!?!)

Thanks I'll take a look
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Kyrouz (Copper Contributor)
Jake_Mowrer

‎Oct 13 2021 10:52 AM

‎Oct 13 2021 10:52 AM

Solution

Re: DeviceLogon events doesn't capture RDP connections (?!?!)

I will take a guess here, but it seems like I saw once where a customer had their audit policy overriding the items that Defender turns on. Try running this from an elevated command prompt and ensure the logon successes and failures are enabled:
auditpol /get /category:*

If this looks OK, I recommend opening case with our support team.

Jake

View solution in original post

0 Likes
Reply