Advanced Hunting IdentityLogonEvents don't have a matching eventlog on DC

RT-7199 511 Reputation points
2021-01-26T17:45:47.057+00:00

I am running IdentityLogonEvents for a specific user and I see a failed login result from a server. I can see the Kerberos traffic crossing the firewall as well.
But I don't find that event in the Security event log of our domain controller. Attached screenshot of log.

60702-screenshot-2021-01-26-092446.jpg
60664-screenshot-2021-01-26-090715.jpg

If I check the audit policy on our DCs I see this. Is there anything we need to enable to have it logged in the event logs?

And is Defender giving more information than there is in the event logs, and do we need to enable anything more in Audit Policy if everything is logged by Defender?

I also don't find either the DC or the offending source server from where the logon request is coming in DeviceNetworkEvents. So where is Defender picking up this information if not from the DC or the server? If it's picking it up from them, then why not pick up the network events?

This is from security.microsoft.com portal

60634-screenshot-2021-01-26-100940.jpg


6 answers

  1. Hannah Xiong 6,276 Reputation points
    2021-01-27T02:20:49.543+00:00

    Hello,

    Thank you so much for posting here.

    To track user logon/logoff, we need to enable auditing by using Group Policy. There are two types of auditing that address logging on: Audit Logon Events and Audit Account Logon Events.

    Audit "logon events" records logons on the PC(s) targeted by the policy, and the results appear in the Security log on those PC(s).
    Audit "Account Logon" Events tracks logons to the domain, and the results appear in the Security log on domain controllers only.

    Reference:
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events

    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-account-logon-events

    As for event 4625: An account failed to log on, it is generated on the computer where the logon attempt was made; for example, if the logon attempt was made on a user's workstation, then the event will be logged on that workstation. That is to say, it will not be recorded in the event logs on the domain controller.

    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

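The two subcategories above decide which Security log the record lands in, so the first thing to do on the DC is confirm what it is actually auditing and then look for the events a failed domain logon leaves there. The script below is an added example, not code from the thread or from Microsoft: it checks the relevant advanced audit subcategories with `auditpol` and then pulls 4625/4768/4771/4776 for one account out of the DC's Security log. It assumes it is run elevated on the DC, and `jdoe` is a placeholder account name. One caveat worth having in front of you while you read the answer: a failed Kerberos logon validated by the DC is recorded there as 4771 (pre-authentication failed) or a failing 4768, and a failed NTLM validation as 4776; 4625 appears on the DC only when the logon targeted the DC itself.

```powershell
# Added example, not from the thread. Run elevated on the DC whose Security log
# you expect the event in. $User is a placeholder; substitute the account you
# are hunting in IdentityLogonEvents.
param(
    [string]$User  = 'jdoe',   # placeholder sAMAccountName
    [int]   $Hours = 24
)

# --- 1. Is the DC auditing the subcategories that record a failed domain logon? ---
# A failed Kerberos logon validated by the DC is recorded under 'Kerberos
# Authentication Service' (4768/4771), a failed NTLM validation under
# 'Credential Validation' (4776). 4625 is only written on the DC when the
# logon targeted the DC itself, which is why the other subcategories matter.
$subcategories = @(
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Logon',
    'Account Lockout'
)
foreach ($sub in $subcategories) {
    # /r makes auditpol emit CSV, which parses cleanly instead of fixed-width text
    $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    '{0,-36} {1}' -f $sub, $row.'Inclusion Setting'
}

# --- 2. Pull the failure events for that user from the Security log. ---
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4768, 4771, 4776
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # EventData fields differ per event ID; reading the XML gives them by name
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.TargetUserName -notlike "$User*") { continue }
    # 4768 and 4776 are also written on success (Status 0x0); keep failures only
    if (($e.Id -in 4768, 4776) -and ($data.Status -eq '0x0')) { continue }

    # Kerberos events carry IpAddress (often ::ffff:-prefixed); 4776 carries the workstation name
    $source = if ($data.IpAddress) { $data.IpAddress } else { $data.Workstation }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        User   = $data.TargetUserName
        Source = $source
        Status = $data.Status
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    "No 4625/4768/4771/4776 failure for '$User' in the last $Hours h; compare with the audit settings printed above."
}
```

If step 1 prints `No Auditing` for Kerberos Authentication Service or Credential Validation, the absence of a matching event on the DC is expected regardless of what the portal shows; if the subcategories are on and step 2 is still empty, the failure was validated by a different DC (the script has to be run on each one, or the `Source` column compared with the portal's source device).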

  2. RT-7199 511 Reputation points
    2021-01-27T04:49:48.987+00:00

    @Hannah Xiong I understand audit logs have to be enabled. But what I don't understand is how the detections are ending up in the security.microsoft.com portal.
    We do have these agents running on our DCs. But does that mean they don't need auditing enabled to detect logons?

    60795-screenshot-2021-01-26-204712.jpg


  3. Hannah Xiong 6,276 Reputation points
    2021-01-27T06:25:10.823+00:00

    Hello,

    Thank you so much for your kindly reply.

    According to your description, are you using Azure AD? If so, sorry, but we are not experts in Azure AD since we mainly focus on on-premises AD. If it is related to Azure AD, you could turn to the dedicated forum by selecting the tag "Azure-Active-Directory".

    Besides, we have researched the information below. Hope it is helpful.
    https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection

    Thanks so much for your understanding and support.

    Best regards,
    Hannah Xiong

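The page linked in the answer above asks for a set of Advanced Audit Policy subcategories to be enabled on the domain controllers so that the Defender for Identity sensor can read the events it needs. The script below is an added example, not code from the thread or from Microsoft: it turns those subcategories on with `auditpol`, checks that legacy category policy is not overriding them, and reports any that did not take. The subcategory list is my starting point and is an assumption to reconcile against the linked page's current requirements; `4776`, `4768/4771` and so on in the comments are the standard event IDs those subcategories produce. It assumes an elevated prompt on a lab DC. In production, put the same settings in the GPO linked to the Domain Controllers OU, because the next Group Policy refresh will overwrite whatever `auditpol` sets locally.

```powershell
# Added example, not from the thread. Enables the advanced audit subcategories
# a Defender for Identity sensor on a DC relies on, then verifies them.
# ASSUMPTION: this list is a starting point; reconcile it with the
# configure-windows-event-collection page before applying it. Run elevated
# on a lab DC; in production set the same values in the Domain Controllers GPO.
$required = @(
    'Credential Validation',              # 4776 (NTLM validation)
    'Kerberos Authentication Service',    # 4768, 4771
    'Kerberos Service Ticket Operations', # 4769
    'Logon',                              # 4624, 4625 on the DC itself
    'Account Lockout',
    'Security Group Management',          # 4728, 4732, 4756 and friends
    'User Account Management',
    'Computer Account Management',
    'Distribution Group Management',
    'Security System Extension',          # 4697 service installs
    'Directory Service Changes'           # 5136 and related object changes
)

foreach ($sub in $required) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Subcategory settings only apply when the legacy category policy is not
# allowed to override them. The security option "Audit: Force audit policy
# subcategory settings (Windows Vista or later) to override audit policy
# category settings" writes this registry value.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: enable the "Audit: Force audit policy subcategory settings..." option, or the subcategories above may be ignored.'
}

# Read the settings back; anything not 'Success and Failure' is reported.
$missing = foreach ($sub in $required) {
    $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    if ($row.'Inclusion Setting' -ne 'Success and Failure') {
        '{0} => {1}' -f $sub, $row.'Inclusion Setting'
    }
}

if ($missing) { $missing } else { 'All listed subcategories audit Success and Failure.' }
```

Enabling these on the DC does not change what the sensor already captures from network traffic; it only means the same failure now also exists as a Security log record on the DC, so the portal entry and the event log can be matched against each other.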

  4. RT-7199 511 Reputation points
    2021-01-27T06:59:06.623+00:00

    @Hannah Xiong This is not about Azure AD, but on-prem only. I am clear on that part: we don't have proper audit logs enabled.
    But how are the cloud portals getting this information about logons? This is my issue.
    And that info in the cloud also seems partial compared to what workstations are sending with endpoint protection.


  5. Hannah Xiong 6,276 Reputation points
    2021-01-27T07:54:07.74+00:00

    Hello,

    Thank you so much for your feedback.

    So sorry that we are not experts on the cloud portal. We mainly focus on the audit group policy. Since this is now a different issue, I am afraid I'm at the end of what help I can offer. Maybe someone else has run into something similar before and can share their knowledge and experience here.

    As for the cloud issue, maybe you could turn to the Azure forum by selecting the tag "Azure-service-specific" for further assistance. Hope your issue is resolved soon.

    Thanks again for your time and support.

    Best regards,
    Hannah Xiong

