Hi all

I’m doing some research around the creation and enabling of old fashioned service accounts using MS Defender. I’m trying to achieve of coupe of things actually. I can detect LogonType of Service Service on MDE onboarded machines using the DeviceLogonEvents Table. But there are a few other things I would like to achieve

1.) Raise an alert when a domain account is granted the “Logon as a Service” right on any machine. 

2.) When an account that has never logged on as service suddenly does so.

3.) Perhaps detect when a user account’s ServicePrincipalName attribute is populayed or updated.

So the service account logon query looks like this:

DeviceLogonEvents
| where Timestamp >= ago(30d)
| where LogonType == “Service” or LogonType == “Batch”
| where AccountDomain =~ “saica”
| summarize count() by AccountName, DeviceName, LogonType
| sort by count_ desc

The other ones seem to be a bit trickier.

Anyone got any ideas? I would rather not install the MMA agent every and ingest security event logs. 

​Hi all I’m doing some research around the creation and enabling of old fashioned service accounts using MS Defender. I’m trying to achieve of coupe of things actually. I can detect LogonType of Service Service on MDE onboarded machines using the DeviceLogonEvents Table. But there are a few other things I would like to achieve 1.) Raise an alert when a domain account is granted the “Logon as a Service” right on any machine. 2.) When an account that has never logged on as service suddenly does so.3.) Perhaps detect when a user account’s ServicePrincipalName attribute is populayed or updated. So the service account logon query looks like this:DeviceLogonEvents| where Timestamp >= ago(30d)| where LogonType == “Service” or LogonType == “Batch”| where AccountDomain =~ “saica”| summarize count() by AccountName, DeviceName, LogonType| sort by count_ desc The other ones seem to be a bit trickier. Anyone got any ideas? I would rather not install the MMA agent every and ingest security event logs.      Read More

​