IdentityLogonEvents

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Authentication events on Active Directory and Microsoft online services

Attribute	Value
Category	Security, XDR
Basic Logs Eligible	✓ Yes (source)
Supports Transformations	✓ Yes (source)
Ingestion API Supported	✗ No
Azure Monitor Tables Reference	View Documentation
Defender XDR Advanced Hunting Schema	View Documentation

Schema
Solutions
Connectors
Content Items

Schema (33 columns)

Source: Azure Monitor documentation

Column Name	Type	Description
_BilledSize	real	The record size in bytes
_IsBillable	string	Specifies whether ingesting the data is billable. When _IsBillable isfalseingestion isn't billed to your Azure account
AccountDisplayName	string	Name of the account user displayed in the address book
AccountDomain	string	Domain of the account
AccountName	string	User name of the account
AccountObjectId	string	Unique identifier for the account in Azure AD
AccountSid	string	Security Identifier (SID) of the account
AccountUpn	string	User principal name (UPN) of the account
ActionType	string	Type of activity that triggered the event
AdditionalFields	dynamic	Additional information about the entity or event
Application	string	Application that performed the recorded action
DestinationDeviceName	string	Name of the device running the server application that processed the recorded action
DestinationIPAddress	string	IP address of the device running the server application that processed the recorded action
DestinationPort	string	Destination port of related network communications
DeviceName	string	Fully qualified domain name (FQDN) of the device
DeviceType	string	Type of device
FailureReason	string	Information explaining why the recorded action failed
IPAddress	string	IP address assigned to the endpoint and used during related network communications
ISP	string	Internet service provider (ISP) associated with the endpoint IP address
LastSeenForUser	dynamic	Number of days since each statistical feature for the user was last seen
Location	string	City, country, or other geographic location associated with the event
LogonType	string	Type of logon session
OSPlatform	string	Platform of the operating system running on the machine
Port	string	TCP port used during communication
Protocol	string	Network protocol used
ReportId	string	Unique identifier for the event
SourceSystem	string	The type of agent the event was collected by. For example,OpsManagerfor Windows agent, either direct connect or Operations Manager,Linuxfor all Linux agents, orAzurefor Azure Diagnostics
TargetAccountDisplayName	string	Display name of the account that the recorded action was applied to
TargetDeviceName	string	Fully qualified domain name (FQDN) of the device that the recorded action was applied to
TenantId	string	The Log Analytics workspace ID
TimeGenerated	datetime	Date and time (UTC) when the record was generated
Type	string	The name of the table
UncommonForUser	dynamic	List of features observed to be statistically uncommon for the user that performed the activity

Solutions (2)

This table is used by the following solutions:

Connectors (1)

This table is ingested by the following connectors:

Connector	Selection Criteria
Microsoft Defender XDR

Content Items Using This Table (10)

Analytic Rules (1)

In solution Microsoft Defender XDR: ActionType == "LogonSuccess"

Analytic Rule
Detect Potential Kerberoast Activities

Hunting Queries (6)

In solution Microsoft Defender XDR: ActionType == "LogonSuccess"

Hunting Query
Detect Potential kerberoast Activities

Standalone Content:

Hunting Query	Selection Criteria
Kerberos AS authentications

GitHub Only:

Hunting Query	Selection Criteria
Detect potential kerberoast activities	`ActionType == "LogonSuccess"`
Detect-Not-Active-AD-User-Accounts
Device Logons from Unknown IPs
logon-attempts-after-malicious-email

Workbooks (3)

In solution Microsoft Defender XDR:

Workbook	Selection Criteria
MicrosoftDefenderForIdentity