Agent Foskett Academy • Lesson 43 • Investigating DeviceLogonEvents

Investigating DeviceLogonEvents in Microsoft Defender XDR

DeviceLogonEvents records user logons and authentication activity on endpoints protected by Microsoft Defender XDR.

It helps defenders determine who accessed a device, how they authenticated and whether the activity was legitimate.

In this lesson, you'll learn how to investigate logons, failed sign-ins, remote access and suspicious account activity using DeviceLogonEvents.

Agent Foskett Academy lesson explaining DeviceLogonEvents in Microsoft Defender XDR
Lesson overview

Learn how DeviceLogonEvents helps defenders investigate endpoint authentication, local account usage, RDP-style access and failed logon patterns.

Review successful and failed logons
Hunt for remote endpoint access
Pivot into device and identity telemetry

Why DeviceLogonEvents matters

DeviceInfo tells you what the device is. DeviceEvents tells you what happened on the device. DeviceLogonEvents helps you understand who accessed the endpoint.
Endpoint access proves contextProcess and file activity means more when you know which account had an active logon session on the device.
Failed logons reveal pressureRepeated failures across devices, accounts or remote IP addresses can indicate password guessing, stale credentials or lateral movement attempts.
LogonType guides the storyLocal, network and remote interactive logons can point to very different investigation paths and different levels of risk.

Investigation scenario

A suspicious process appeared on a workstation. DeviceProcessEvents showed execution, DeviceEvents showed supporting activity, and DeviceLogonEvents helped identify which account accessed the endpoint before the activity occurred.
The endpoint was knownDeviceInfo confirmed the device name, operating system and exposure context.
The behaviour was visibleDeviceEvents and DeviceProcessEvents showed endpoint activity around the alert window.
The access question remainedDeviceLogonEvents helped determine whether the account access was local, remote, successful, failed or suspicious.

Step 1 — Review recent DeviceLogonEvents activity

Start by reviewing recent endpoint logon activity and keep the fields that explain when the logon happened, which account was used, and how the access occurred.
devicelogonevents-recent-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
DeviceLogonEvents
| where Timestamp > ago(7d)
| project Timestamp, DeviceName, ActionType, LogonType, AccountDomain,
                            AccountName, AccountUpn, AccountSid, RemoteIP, RemoteDeviceName,
                            InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId
| order by Timestamp desc

Step 2 — Find failed logon patterns

Failed logons are often noisy, but summarising them by account, device and logon type can reveal unusual pressure against a user or endpoint.
devicelogonevents-failed-logons.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
DeviceLogonEvents
| where Timestamp > ago(14d)
| where ActionType == "LogonFailed"
| summarize FailedLogons = count(), Devices = dcount(DeviceName),
                            RemoteIPs = dcount(RemoteIP), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
                            by AccountDomain, AccountName, LogonType
| top 50 by FailedLogons desc

Step 3 — Hunt for remote interactive logons

Remote interactive logons can be normal for administrators, but they are also important during lateral movement investigations.
devicelogonevents-remote-interactive.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
DeviceLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonSuccess"
| where LogonType has_any ("RemoteInteractive", "Network")
| project Timestamp, DeviceName, AccountDomain, AccountName,
                            AccountUpn, LogonType, RemoteIP, RemoteDeviceName
| order by Timestamp desc

Step 4 — Build a timeline for one account

When an account becomes interesting, build a timeline showing where that account logged on and whether failures occurred before successful access.
devicelogonevents-account-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
let TargetAccount = "replace-with-account-name";
DeviceLogonEvents
| where Timestamp between (ago(24h) .. now())
| where AccountName =~ TargetAccount or AccountUpn =~ TargetAccount
| project Timestamp, DeviceName, ActionType, LogonType,
                            RemoteIP, RemoteDeviceName, InitiatingProcessFileName, LogonId
| order by Timestamp asc

Step 5 — Join DeviceLogonEvents with DeviceInfo

DeviceLogonEvents tells you who accessed the endpoint. DeviceInfo adds device posture and operating system context.
devicelogonevents-join-deviceinfo.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
let RecentDeviceInfo = DeviceInfo
| where Timestamp > ago(30d)
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, OSPlatform, ExposureLevel, RiskScore;
DeviceLogonEvents
| where Timestamp > ago(7d)
| join kind=leftouter RecentDeviceInfo on DeviceId
| project Timestamp, DeviceName, OSPlatform, ExposureLevel,
                            RiskScore, ActionType, LogonType, AccountName, RemoteIP
| order by Timestamp desc

Step 6 — Compare endpoint logons with identity logons

DeviceLogonEvents can be joined with IdentityLogonEvents when you need to compare endpoint authentication with broader identity activity.
devicelogonevents-join-identitylogonevents.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
let EndpointFailures = DeviceLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonFailed"
| project Timestamp, DeviceName, AccountSid, AccountName, LogonType;
EndpointFailures
| join kind=leftouter (
                            IdentityLogonEvents
                            | where Timestamp > ago(7d)
                            | project AccountSid, Protocol, FailureReason, IPAddress
) on AccountSid
| project Timestamp, DeviceName, AccountName, LogonType, Protocol, FailureReason, IPAddress

Common investigation uses

DeviceLogonEvents is most useful when defenders need to connect endpoint behaviour to account access.
Investigate suspicious endpoint accessUse DeviceLogonEvents to determine whether an account logged onto a device locally, remotely or over the network.
Detect failed access patternsSummarise failed logons by account, device and remote IP to find repeated attempts or authentication pressure.
Support lateral movement investigationsRemote interactive and network logons can help defenders understand whether an attacker moved between endpoints.

Common mistakes

Endpoint logon data is powerful, but it needs to be interpreted carefully with device, process and identity context.
Looking only at successful logonsFailed logons can show attacker pressure before a successful sign-in, especially across multiple devices.
Ignoring LogonTypeA local console logon, network logon and remote interactive logon can mean very different things during an investigation.
Not pivoting into process evidenceOnce you know who logged on, pivot into DeviceProcessEvents to see what happened during that session.
DeviceLogonEvents answers the endpoint access question.
Use it to connect accounts to devices, identify failed attempts, and decide where to pivot next.
Back to Academy →

What you learned

DeviceLogonEvents records endpoint authenticationYou can use it to investigate successful logons, failed logons, account usage and device access.
LogonType changes the meaningThe same account on the same device can look very different depending on whether access was local, network-based or remote interactive.
Endpoint logons support pivotsInteresting logons can lead into DeviceInfo, DeviceEvents, DeviceProcessEvents, AlertEvidence and IdentityLogonEvents.

Related Agent Foskett Academy lessons

Investigating DeviceInfoUnderstand the endpoint context before reviewing device logon activity.
Investigating DeviceEventsReview broader endpoint actions around the same device and timeframe.
Investigating DeviceProcessEventsPivot from logon activity into process execution and command-line evidence.
Investigating IdentityLogonEventsCompare endpoint authentication with broader identity logon activity.
Investigating AlertEvidenceConnect alerts to the users, devices and accounts involved.
Connecting Tables with joinJoin DeviceLogonEvents with DeviceInfo, IdentityLogonEvents and process telemetry.
Building Investigation TimelinesTurn endpoint logon records into a clear access timeline.
Creating Investigation ParametersUse reusable account, device and time-window parameters during logon investigations.

Coming next

Lesson 44 — Investigating EmailAttachmentInfo in Microsoft Defender XDR Next, Agent Foskett Academy will return to email investigations with EmailAttachmentInfo, helping defenders investigate attachments, hashes, filenames and suspicious payloads connected to phishing and malware delivery.
Why this matters After learning how to investigate endpoint access, defenders also need to connect email evidence to files that appeared on endpoints and later became part of a wider incident timeline.
What you'll learn next Learn how to track attachment names, file hashes, malware payloads and email-delivered files across Microsoft Defender XDR investigations.

Final thought

DeviceLogonEvents is where the endpoint starts answering who had access before the rest of the evidence unfolded.
Agent Foskett mindset Do not investigate endpoint activity without asking who logged on. The account, logon type and timeframe often explain why the process tree looks the way it does.
Follow the identity Attackers rarely appear as a process first. They usually appear as an account. Understanding authentication activity often explains everything that follows.
Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD

Investigating DeviceLogonEvents in Microsoft Defender XDR

Agent Foskett Academy Lesson 43 teaches defenders how to use DeviceLogonEvents to investigate endpoint authentication, local and remote logons, failed access attempts and account usage in Microsoft Defender XDR.

Learn DeviceLogonEvents for Microsoft Defender XDR hunting

This lesson explains how DeviceLogonEvents supports Microsoft Defender XDR investigations by helping defenders review ActionType, LogonType, account fields, remote IP addresses and device access timelines.