Azure Sentinel query for local admin logons

Microsoft Defender for Endpoint collects logon events from every device it protects. This data lands in the DeviceLogonEvents table, which can be queried either through “Advanced Hunting” in the Microsoft 365 admin portal, or in a Sentinel-enabled Log Analytics workspace that is integrated with Defender for Endpoint.

One use case is to query for local administrator logon events across all protected devices. This is a useful query when an organization has a policy that prevents users from holding local administrator rights: it lets security operations spot breaches of that policy, and possibly uncover a malicious actor who has escalated privileges.

The query is simple and easy to extend so it fits a given environment.

DeviceLogonEvents
// IsLocalAdmin is a boolean column: true when the account that logged on holds local admin rights
| where IsLocalAdmin == true
// one row per account/device pair with the number of local admin logons seen
| summarize count() by AccountName, DeviceName

Further customizations could be to narrow the results to a subset of devices by filtering on DeviceName, or to display more relevant columns, for example AccountDomain.
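As an added example of such customization (not a query from the original post), the version below keeps only successful interactive and RDP logons, drops accounts that are expected to hold local admin, and reports first/last seen plus the remote sources per account and device. The approved-account list is a constructed placeholder and the 30-day lookback is an assumption.

```kql
// Added example: local admin logons outside an approved list, per account and device.
// The datatable below is a constructed placeholder; replace it with your own
// approved accounts (or a Sentinel watchlist) before use.
let ApprovedLocalAdmins = datatable(AccountDomain: string, AccountName: string) [
    "contoso", "helpdesk-la",   // constructed sample entry
    "contoso", "svc-deploy"     // constructed sample entry
];
let Lookback = 30d;             // assumed hunting window
DeviceLogonEvents
| where Timestamp > ago(Lookback)
| where IsLocalAdmin == true
| where ActionType == "LogonSuccess"
// Interactive and RemoteInteractive (RDP) logons are what a "no local admin" policy
// usually targets; Network logons by admin accounts are mostly management tooling noise.
| where LogonType in ("Interactive", "RemoteInteractive")
// normalise case so the join against the approved list is not defeated by casing
| extend AccountDomain = tolower(AccountDomain), AccountName = tolower(AccountName)
| join kind=leftanti ApprovedLocalAdmins on AccountDomain, AccountName
| summarize
    LogonCount    = count(),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp),
    LogonTypes    = make_set(LogonType),
    RemoteSources = make_set(RemoteIP, 10)   // cap the list at 10 distinct sources
    by AccountDomain, AccountName, DeviceName
| order by LogonCount desc
```

Note that the datatable values must be lower-case to match the normalised columns; a single account appearing on many devices, or one device with many distinct admin accounts, is usually the row worth looking at first.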

Later, I’ll write up a new blog post featuring a Logic App automation based on this query, comparing the results with PIM eligible local admins, alerting and more.
