Windows Event ID 4624 – Successful logon

Introduction

Event ID 4624 (viewed in Windows Event Viewer) documents every successful attempt at logging on to a local computer. This event is generated on the computer that was accessed, in other words, where the logon session was created. A related event, Event ID 4625 documents failed logon attempts.

Event 4624 applies to the following operating systems: Windows Server 2008 R2 and Windows 7, Windows Server 2012 R2 and Windows 8.1, and Windows Server 2016 and Windows 10. Corresponding events in Windows Server 2003 and earlier included both 528 and 540 for successful logons.

Event ID 4624 looks a little different across Windows Server 2008, 2012, and 2016. Highlighted in the screenshots below are the important fields across each of these versions.  

Event 4624 (Windows 2008)

Event 4624 (Windows 2012)

Event 4624 (Windows 2016)

Description of Event Fields

The important information that can be derived from Event 4624 includes:

• • Logon Type: This field reveals the kind of logon that occurred. In other words, it points out how the user logged on. There are a total of nine different types of logons, the most common logon types are: logon type 2 (interactive) and logon type 3 (network). Any logon type other than 5 (which denotes a service startup) is a red flag.
• • New Logon: This section reveals the Account Name of the user for whom the new logon was created and the Logon ID, a hexadecimal value that helps correlate this event with other events.

Other information that can be obtained from Event 4624:

• • The Subject section reveals the account on the local system (not the user) that requested the logon.
• • The Impersonation Level section reveals the extent to which a process in the logon session can impersonate a client. Impersonation Levels determine the operations a server can perform in the client's context.
• • The Process Information section reveals details surrounding the process that attempted the logon.
• • The Network Information section reveals where the user was when they logged on. If the logon was initiated from the same computer, this information will either be blank or reflect the local computer's workstation name and source network address. 
• • The Authentication Information reveals information about the authentication package used for logon.

The need for a third-party tool

In a typical IT environment, the number of events with ID 4624 (successful logons) can run into the thousands per day. However, all these successful logon events are not important; even the important events are useless in isolation, without any connection established with other events.  

For example, while Event 4624 is generated when an account logs on and Event 4647 is generated when an account logs off, neither of these events reveal the duration of the logon session. To find the logon duration, you have to correlate Event 4624 with the corresponding Event 4647 using the Logon ID. 

Thus, event analysis and correlation needs to be done. Native tools and PowerShell scripts demand expertise and time when employed to this end, and so a third-party tool is truly indispensable.

Applying machine learning, ADAudit Plus creates a baseline of normal activities specific to each user and only notifies security personnel when there is a deviation from this norm.

For example, a user who consistently accesses a critical server outside of business hours wouldn't trigger a false positive alert because that behavior is typical for that user. On the other hand, ADAudit Plus would instantly alert security teams when that same user accesses that server during a time they've never accessed it before, even though the access falls within business hours.