Forum Discussion
Paul_Brock
Jan 24, 2025Brass Contributor
DeviceLogonEvents "LogonSuccess", "LogoffSuccess", "ScreenLock", "ScreenUnlock"
I'm trying to get "LogonSuccess", "LogoffSuccess", "ScreenLock", "ScreenUnlock" from the DeviceLogonEvent table but I am only seeing LogonSuccess. I'm wondering if I need to configure something in my tenant for those events to show up in the DeviceLogonEvents table. I have both event ID's 8400 and 8401 showing in the local security event log.
It looks like these action types are not available in Defender XDR with the standard implementation.
3 Replies
Sort By
- Clive_WatsonBronze Contributor
I don't recall a limit for this, did you look far enough back?
DeviceLogonEvents
| make-series count() default =0 on Timestamp from ago(30d) to now() step 1d by ActionType
| render areachart
- Paul_BrockBrass Contributor
The only action types I am finding with any device in the log are LogonAttempted, LogonFailed, LogonFailedAggregratedReport, LogonSuccess, LogonSuccessAggregratedReport. There are no other action types in the log. I feel like it must be an Intune or MDE policy issue where we are excluding the other action types by accident.
- Paul_BrockBrass Contributor
It looks like these action types are not available in Defender XDR with the standard implementation.