MDI data in IdentityLogonEvents and LogonType
MS documentation states that in the table "IdentityLogonEvents" in the MS Defender "Advanced hunting" portal, a LogonType value of "Interactive" indicates a logon via a physical act - keyboard and screen, for example.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
LogonType | string | Type of logon session, specifically: Interactive - User physically interacts with the machine using the local keyboard and screen
I have countless records of what we call "Service Accounts" with LogonType of "Interactive". We block Interactive Logons on our "Service Accounts". I would expect these to be logged as "Service" or "Batch" based on the documentation.
Am I misunderstanding something?
- BillClarksonAntill (Iron Contributor)
Hey MycroftPennywise
What kind of service accounts are they? Are they group managed service accounts or another type?
- MycroftPennywise (Copper Contributor)
BillClarksonAntill
Sorry for the delayed response here! It's a mix: we do have some MSAs / GMSAs, but for the most part they are standard user accounts where we configure things so interactive logon is not allowed. I do not see any Interactive logons for our few GMSAs.
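
One way to see which sign-ins are behind the "Interactive" records discussed in this thread, as an added example that is not part of the original posts: a KQL query for Advanced hunting that breaks those records down per account by ActionType, Application and Protocol. The account names in `ServiceAccounts` are constructed placeholders, and the 7-day window is an assumption.

```kusto
// Added example, not from the thread.
// Constructed placeholder list: replace with your own service account names.
let ServiceAccounts = datatable(AccountName: string) [
    "svc-example-app",
    "svc-example-sql"
];
IdentityLogonEvents
| where Timestamp > ago(7d)                 // assumed lookback window
| where AccountName in~ (ServiceAccounts)   // case-insensitive match on the list above
| where LogonType == "Interactive"
// Group by the columns that describe how the logon was observed,
// so each row shows one distinct source of "Interactive" records.
| summarize
    Events        = count(),
    SourceDevices = dcount(DeviceName),
    Sources       = make_set(DeviceName, 10),
    Destinations  = make_set(DestinationDeviceName, 10),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp)
    by AccountName, ActionType, Application, Protocol
| order by AccountName asc, Events desc
```

Removing the `LogonType == "Interactive"` filter and adding `LogonType` to the `by` clause gives the full distribution of logon types for the same accounts, which makes it easy to compare the standard user accounts against the GMSAs.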