Query Details

Active Directory - User last logon

AD Account Last Logon

Query

IdentityInfo
| summarize arg_max(Timestamp, *) by AccountObjectId
| join kind=leftouter (
    IdentityLogonEvents
    | where Application == @"Active Directory"
    | extend LastLogonTime = Timestamp
    | summarize arg_max(Timestamp, *) by AccountObjectId, AccountSid, AccountDomain
    | where ActionType == @"LogonSuccess")
    on $left.AccountObjectId == $right.AccountObjectId
| extend NoLogon = iff(isempty(LastLogonTime), "True", "False")
| project
    AccountName,
    AccountDomain,
    AccountObjectId,
    LastLogonTime,
    Type,
    DistinguishedName,
    IsAccountEnabled,
    CreatedDateTime,
    NoLogon
    | where NoLogon == "True"

About this query

Active Directory - User last logon

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1110.003Credential Access: Brute Force: Password Sprayinghttps://attack.mitre.org/techniques/T1110/003/

Description

Use the below query to identify User account last logon activity. Those that did not have activity for the defined lookback period can be considered to be disabled depending on your company policies.

References

Microsoft Defender XDR

Explanation

This KQL query is designed to identify user accounts in Active Directory that have not logged on within a specified period. Here's a simple breakdown of what the query does:

  1. Data Source: The query uses two tables: IdentityInfo and IdentityLogonEvents.

  2. Summarization:

    • It first summarizes the IdentityInfo table to get the most recent information for each user account by AccountObjectId.
    • It then summarizes the IdentityLogonEvents table to find the most recent successful logon event for each user account, specifically for those using Active Directory.
  3. Joining Data:

    • The query performs a left outer join between the summarized IdentityInfo and IdentityLogonEvents tables based on the AccountObjectId. This means it keeps all records from IdentityInfo and matches them with logon events if available.
  4. Determine Logon Status:

    • It checks if there is a LastLogonTime for each account. If there isn't, it marks the account with NoLogon as "True", indicating no logon activity.
  5. Projection and Filtering:

    • The query projects (selects) specific fields such as AccountName, AccountDomain, AccountObjectId, LastLogonTime, and others.
    • It filters the results to only show accounts where NoLogon is "True", meaning these accounts have not logged on recently.
  6. Purpose:

    • The main goal is to identify user accounts that have not logged on within a certain timeframe, which could indicate they are inactive or should be disabled according to company policies.

This query helps in maintaining security and compliance by identifying potentially inactive accounts that might need attention.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

IdentityInfoIdentityLogonEvents

Keywords

ActiveDirectoryUserAccountLogonActivity

Operators

summarizearg_maxjoinkind=leftouterwhereextendiffisemptyproject

MITRE Techniques

Actions

GitHub