Kyrouz
Occasional Contributor

‎Oct 08 2021 11:28 AM

‎Oct 08 2021 11:28 AM

DeviceLogon events doesn't capture RDP connections (?!?!)

I create a custom detection that starts like this:

 

DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where DeviceName has_any (Array of the backup servers)

| where not(AccountName has_any (Array of the expected accounts))

 

...with the idea of catching an unexpected account successfully logging into backup servers (through compromise/privelege escalation).

 

Should work, right?  But upon testing, I've come to realize that RDP logons don't register in the DeviceLogonEvents table.  Is that by design??  Could Microsoft fix this?

 

 

315 Views
0 Likes
4 Replies
Reply
Jake_Mowrer

‎Oct 12 2021 08:14 PM - edited ‎Oct 13 2021 10:38 AM

‎Oct 12 2021 08:14 PM - edited ‎Oct 13 2021 10:38 AM

Re: DeviceLogon events doesn't capture RDP connections (?!?!)

We do capture RDP logons, check the LogonType field for RemoteInteractive in the DeviceLogonEvents table. Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicelogonevents-...

Thanks,
Jake

0 Likes
Reply
Kyrouz

‎Oct 13 2021 06:47 AM

‎Oct 13 2021 06:47 AM

Re: DeviceLogon events doesn't capture RDP connections (?!?!)

Are there circumstances where RemoteInteractive logons aren't captured? I have a Server 2019 (Version 1809 Build 17763) host where I've personally done successful RDP logons, but I can search across the last month of logon events a la

DeviceLogonEvents
| where DeviceName contains "hostname"
| summarize by LogonType

Only two logon types are returned. "Network" and "Unknown". For the record, the "Unknowns" are relatively few and do not include my own RDP logons.
0 Likes
Reply
best response confirmed by Kyrouz (Occasional Contributor)
Jake_Mowrer

‎Oct 13 2021 10:52 AM

‎Oct 13 2021 10:52 AM

Solution

Re: DeviceLogon events doesn't capture RDP connections (?!?!)

I will take a guess here, but it seems like I saw once where a customer had their audit policy overriding the items that Defender turns on. Try running this from an elevated command prompt and ensure the logon successes and failures are enabled:
auditpol /get /category:*

If this looks OK, I recommend opening case with our support team.

Jake
0 Likes
Reply
Kyrouz

‎Oct 14 2021 06:43 AM

‎Oct 14 2021 06:43 AM

Re: DeviceLogon events doesn't capture RDP connections (?!?!)

Thanks I'll take a look
0 Likes
Reply
We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE