Jun 25 2024 07:11 AM
Hi all
I'm doing some research around the creation and enabling of old-fashioned service accounts using MS Defender. I'm trying to achieve a couple of things, actually. I can detect a LogonType of Service on MDE-onboarded machines using the DeviceLogonEvents table. But there are a few other things I would like to achieve:
1.) Raise an alert when a domain account is granted the "Logon as a Service" right on any machine.
2.) When an account that has never logged on as service suddenly does so.
3.) Perhaps detect when a user account's ServicePrincipalName attribute is populated or updated.
So the service account logon query looks like this:
DeviceLogonEvents
| where Timestamp >= ago(30d)
// Service = SCM-started services, Batch = scheduled tasks
| where LogonType == "Service" or LogonType == "Batch"
// case-insensitive match on the domain
| where AccountDomain =~ "saica"
| summarize count() by AccountName, DeviceName, LogonType
| sort by count_ desc
The other ones seem to be a bit trickier.
Anyone got any ideas? I would rather not install the MMA agent everywhere and ingest security event logs.
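For point 2 (an account that has never logged on as a service suddenly doing so), the following Advanced Hunting query is an added example, not part of the original post. It splits the 30-day window the post already uses into a baseline (days 30 to 1) and an alert window (the last day), and reports domain accounts whose Service logons appear only in the alert window. The domain name "saica" is taken from the post; the 30d/1d windows are assumptions and should be tuned to how often the rule runs.

```kusto
// Added example (not from the original post). Flags the first Service logon of
// a domain account that did not log on as a service during the baseline window.
let lookback = 30d;   // assumption: how far back "never logged on as a service" is measured
let recent   = 1d;    // assumption: alert window, match to the detection rule's frequency
// Baseline: every account seen with a Service logon before the alert window
let baseline = DeviceLogonEvents
    | where Timestamp between (ago(lookback) .. ago(recent))
    | where LogonType == "Service"
    | where AccountDomain =~ "saica"
    | distinct AccountName;
// Alert window: Service logons by accounts that are absent from the baseline
DeviceLogonEvents
| where Timestamp > ago(recent)
| where LogonType == "Service"
| where AccountDomain =~ "saica"
| where AccountName !in (baseline)
// arg_min keeps Timestamp, ReportId and DeviceId from the earliest hit, which a
// custom detection rule needs as its alert columns; the rest is context
| summarize arg_min(Timestamp, ReportId, DeviceId, DeviceName),
            Devices = make_set(DeviceName),
            Logons  = count()
            by AccountName, AccountSid
| order by Timestamp asc
```

Run it in Advanced Hunting first to see how noisy the baseline is, then save it as a custom detection rule with a run frequency no longer than the `recent` window, otherwise a first logon can fall in the gap between runs. Including `LogonType == "Batch"` in both halves gives the same first-seen check for scheduled-task accounts.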