Update Network Logons with Local Accounts.md

Updated local address logic
2020-11-04 11:55:37 -05:00 · 2020-11-04 11:55:37 -05:00 · 15e42ca548
--- a/Movement/Network
+++ b/Movement/Network
@ -6,7 +6,7 @@ This query looks for a large number of network-based authentications using local
 ```
 DeviceLogonEvents
 | where Timestamp > ago(30d)
-| where AccountDomain == DeviceName and ((isnotempty( RemoteIP) and RemoteIP !in ('::1','-', '0.0.0.0') and RemoteIP !startswith "127.") or tobool(parse_json(AdditionalFields).IsLocalLogon) == false)
+| where AccountDomain == DeviceName and isnotempty( RemoteIP) and RemoteIP !in ('::1','-', '0.0.0.0') and RemoteIP !startswith "127."
 | summarize LogonAttempts = count(), DistinctMachines = dcount(DeviceId), Successes = countif(ActionType == 'Success'), RemoteDeviceName = any(RemoteDeviceName)  by RemoteIP, Protocol, LogonType, AccountName
 | order by Successes desc, LogonAttempts desc
 ```