Hunt for Local Admins with the most RemoteInteractive logins
Local Admins With The Most Devices Accessed
Query
DeviceLogonEvents
| where IsLocalAdmin == "True"
| where LogonType == "RemoteInteractive"
| extend IsLocalLogon = tostring(todynamic(AdditionalFields).IsLocalLogon)
| summarize DevicesAccessed = make_set(DeviceName) by AccountName, AccountDomain
| extend TotalDevices = array_length(DevicesAccessed)
| sort by TotalDevicesAbout this query
Hunt for Local Admins with the most RemoteInteractive logins
Query Information
Description
Hunt for Local Admins with the most RemoteInteractive logins
References
Defender XDR
Sentinel
DeviceLogonEvents
| where IsLocalAdmin == "True"
| where LogonType == "RemoteInteractive"
| extend IsLocalLogon = tostring(todynamic(AdditionalFields).IsLocalLogon)
| summarize DevicesAccessed = make_set(DeviceName) by AccountName, AccountDomain
| extend TotalDevices = array_length(DevicesAccessed)
| sort by TotalDevices
Explanation
This query is designed to identify local administrators who have logged in remotely to the most devices. Here's a simple breakdown of what the query does:
-
Data Source: It examines logon events from devices.
-
Filter for Local Admins: It specifically looks at logon events where the user is a local administrator (
IsLocalAdmin == "True"). -
Remote Logins: It focuses on logins that are of the type "RemoteInteractive," which typically means remote desktop or similar remote access methods.
-
Additional Information: It extracts additional fields to determine if the logon was local.
-
Summarization: It groups the data by user account name and domain, collecting a list of devices each user has accessed.
-
Count Devices: It calculates the total number of unique devices each user has accessed.
-
Sorting: Finally, it sorts the results by the number of devices accessed, allowing you to see which local admins have accessed the most devices remotely.
This query helps in identifying potentially risky behavior by local admins who are accessing many devices remotely, which could be a sign of misuse or a security threat.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators