Oct 08 2021 11:28 AM
I create a custom detection that starts like this:
DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where DeviceName has_any (Array of the backup servers)
| where not(AccountName has_any (Array of the expected accounts))
...with the idea of catching an unexpected account successfully logging into backup servers (through compromise/privilege escalation).
Should work, right? But upon testing, I've come to realize that RDP logons don't register in the DeviceLogonEvents table. Is that by design?? Could Microsoft fix this?
Oct 12 2021 08:14 PM - edited Oct 13 2021 10:38 AM
We do capture RDP logons, check the LogonType field for RemoteInteractive in the DeviceLogonEvents table. Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicelogonevents-...
Thanks,
Jake
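Putting the two posts together, here is an added example (not code from either poster) of the original detection narrowed to RDP sessions using the LogonType column mentioned in the answer. The server and account lists are placeholders to replace with your own values, and the 1-day window is an assumption.

```kql
// Added example, not from the thread: the original detection restricted to
// RDP logons, which DeviceLogonEvents records with LogonType == "RemoteInteractive".
let BackupServers = dynamic(["backup01", "backup02"]);           // placeholder hostnames
let ExpectedAccounts = dynamic(["svc_backup", "backupadmin"]);   // placeholder accounts
DeviceLogonEvents
| where Timestamp > ago(1d)                    // assumed look-back window
| where ActionType == "LogonSuccess"
| where LogonType == "RemoteInteractive"       // RDP sessions only
| where DeviceName has_any (BackupServers)
| where not(AccountName has_any (ExpectedAccounts))
| project Timestamp, DeviceId, DeviceName, AccountDomain, AccountName,
          LogonType, RemoteIP, RemoteDeviceName, ReportId
| order by Timestamp desc
```

Timestamp, DeviceId and ReportId are kept in the projection because custom detection rules need them to create alerts; RemoteIP and RemoteDeviceName are included so an analyst can see where the unexpected RDP session originated. Drop the LogonType filter if you also want to catch network and interactive logons to the same servers.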