MDI data in IdentityLogonEvents and LogonType


MS documentation states that for the LogonType column of the "IdentityLogonEvents" table in the MS Defender "Advanced hunting" portal, a value of "Interactive" indicates a logon via a physical act, keyboard and screen for example. https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogoneven...

LogonType (string): Type of logon session, specifically:

- Interactive - User physically interacts with the machine using the local keyboard and screen

I have countless records of what we call "Service Accounts" with LogonType of "Interactive".  We block Interactive Logons on our "Service Accounts".  I would expect these to be logged as "Service" or "Batch" based on the documentation.

Am I misunderstanding something?
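One way to check this in the same Advanced Hunting portal, as an added example that is not part of the original thread: compare what the MDI sensor classified in IdentityLogonEvents against what Defender for Endpoint on the target machine recorded in DeviceLogonEvents, where LogonType is the value the endpoint itself assigned. If the endpoint shows "Network", "Batch" or "Service" for the same account at the same moment while MDI shows "Interactive", the two tables are classifying the same logon differently. The `svc-` naming prefix and the assumption that the target servers are onboarded to Defender for Endpoint are hypothetical and need adjusting; neither comes from the post.

```kql
// Added example, not code from the original post. Assumptions, adjust to your environment:
//   - service accounts share the naming prefix "svc-" (hypothetical)
//   - target servers are onboarded to Defender for Endpoint, so DeviceLogonEvents has records for them
let ServiceAccountPrefix = "svc-";
let Lookback = 7d;
let MatchWindowSeconds = 60;   // MDI and MDE records this close in time are treated as the same logon
// MDI view: successful logons that the sensor classified as Interactive for the service accounts
let MdiInteractive = IdentityLogonEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == "LogonSuccess" and LogonType == "Interactive"
    | where AccountName startswith ServiceAccountPrefix
    // normalise to a short, lower-case host name so FQDN vs NetBIOS differences do not break the join
    | extend Host = tolower(tostring(split(TargetDeviceName, ".")[0]))
    | project MdiTime = Timestamp, AccountName = tolower(AccountName), Host, Protocol, MdiLogonType = LogonType;
// MDE view: the logon type the endpoint itself recorded for the same accounts
let MdeLogons = DeviceLogonEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == "LogonSuccess"
    | where AccountName startswith ServiceAccountPrefix
    | extend Host = tolower(tostring(split(DeviceName, ".")[0]))
    | project MdeTime = Timestamp, AccountName = tolower(AccountName), Host, MdeLogonType = LogonType;
MdiInteractive
| join kind=leftouter MdeLogons on AccountName, Host
// a match is an endpoint record for the same account and host inside the time window
| extend Matched = isnotempty(MdeTime) and abs(datetime_diff("second", MdiTime, MdeTime)) <= MatchWindowSeconds
// collapse the join back to one row per MDI logon, keeping only the matched endpoint logon types
| summarize EndpointLogonTypes = make_set_if(MdeLogonType, Matched)
    by MdiTime, AccountName, Host, Protocol, MdiLogonType
| extend EndpointLogonTypes = iff(array_length(EndpointLogonTypes) == 0,
                                  dynamic(["<no DeviceLogonEvents record within window>"]),
                                  EndpointLogonTypes)
| summarize Logons = count(), Protocols = make_set(Protocol),
            FirstSeen = min(MdiTime), LastSeen = max(MdiTime)
    by AccountName, Host, MdiLogonType, EndpointLogonTypes = tostring(EndpointLogonTypes)
| order by Logons desc
```

Rows whose EndpointLogonTypes is the placeholder mean the target host had no endpoint record in the window (not onboarded, or TargetDeviceName empty for that protocol), so only the rows with a real endpoint value say anything about the classification. The Protocols column is worth reading alongside LogonType: it shows whether the "Interactive" records came in over Kerberos, NTLM or something else, which is the detail to include if this is raised with Microsoft support.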

2 Replies

Hey @MycroftPennywise 

What kind of service accounts are they? Are they group managed service accounts or another type?

@BillClarksonAntill 

Sorry for the delayed response here! It's a mix; we do have some MSAs / gMSAs, but for the most part they are standard user accounts where we configure things so interactive logon is not allowed. I do not see any Interactive logons for our few gMSAs.