Introducing ADAudit Plus' Attack Surface Analyzer—Detect 25+ AD attacks and identify risky Azure configurations. Learn more×
 
Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

Windows Event ID 4624 – Successful logon

Introduction

Event ID 4624 (viewed in Windows Event Viewer) documents every successful attempt at logging on to a local computer. This event is generated on the computer that was accessed, in other words, where the logon session was created. A related event, Event ID 4625 documents failed logon attempts.

Event 4624 applies to the following operating systems: Windows Server 2008 R2 and Windows 7, Windows Server 2012 R2 and Windows 8.1, and Windows Server 2016 and Windows 10. Corresponding events in Windows Server 2003 and earlier included both 528 and 540 for successful logons.

Event ID 4624 looks a little different across Windows Server 2008, 2012, and 2016. Highlighted in the screenshots below are the important fields across each of these versions.  

Event 4624 (Windows 2008)

Event 4624 (Windows 2008)

Event 4624 (Windows 2012)

Event 4624 (Windows 2016)

Description of Event Fields

The important information that can be derived from Event 4624 includes:

  • Logon Type: This field reveals the kind of logon that occurred. In other words, it points out how the user logged on. There are a total of nine different types of logons, the most common logon types are: logon type 2 (interactive) and logon type 3 (network). Any logon type other than 5 (which denotes a service startup) is a red flag.
  • New Logon: This section reveals the Account Name of the user for whom the new logon was created and the Logon ID, a hexadecimal value that helps correlate this event with other events.
Logon Type Description
2
- Interactive logon

Occurs when a user logs on using a computer's local keyboard and screen.

3
+ Network logon

Occurs when a user accesses remote file shares or printers. Also, most logons to Internet Information Services (IIS) are classified as network logons (except for IIS logons which are logged as logon type 8).

4
+ Batch logon

Occurs during scheduled tasks, i.e. when the Windows Scheduler service starts a scheduled task.

5
+ Service logon

Occurs when services and service accounts log on to start a service.

7
+ Unlock logon

Occurs when a user unlocks their Windows machine.

8
+ NetworkClearText logon

Occurs when a user logs on over a network and the password is sent in clear text. Most often indicates a logon to IIS using "basic authentication."

9
+ NewCredentials logon

Occurs when a user runs an application using the RunAs command and specifies the /netonly switch.

10
+ RemoteInteractive logon

Occurs when a user logs on to their computer using RDP-based applications like Terminal Services, Remote Desktop, or Remote Assistance.

11
+ CachedInteractive logon

Occurs when a user logs on to their computer using network credentials that were stored locally on the computer (i.e. the domain controller was not contacted to verify the credentials).

Other information that can be obtained from Event 4624:

  • The Subject section reveals the account on the local system (not the user) that requested the logon.
  • The Impersonation Level section reveals the extent to which a process in the logon session can impersonate a client. Impersonation Levels determine the operations a server can perform in the client's context.
  • The Process Information section reveals details surrounding the process that attempted the logon.
  • The Network Information section reveals where the user was when they logged on. If the logon was initiated from the same computer, this information will either be blank or reflect the local computer's workstation name and source network address. 
  • The Authentication Information reveals information about the authentication package used for logon.

Reasons for monitoring successful logons

  Security

To prevent privilege abuse, organizations need to be vigilant about what actions privileged users are performing, starting with logons.

To detect abnormal and potentially malicious activity, like a logon from an inactive or restricted account, users logging on outside of normal working hours, concurrent logons to many resources, etc.

  Operational

To get information on user activity like user attendance, peak logon times, etc.

  Compliance

To comply with regulatory mandates precise information surrounding successful logons is necessary.

The need for a third-party tool

In a typical IT environment, the number of events with ID 4624 (successful logons) can run into the thousands per day. However, all these successful logon events are not important; even the important events are useless in isolation, without any connection established with other events.  

For example, while Event 4624 is generated when an account logs on and Event 4647 is generated when an account logs off, neither of these events reveal the duration of the logon session. To find the logon duration, you have to correlate Event 4624 with the corresponding Event 4647 using the Logon ID. 

Thus, event analysis and correlation needs to be done. Native tools and PowerShell scripts demand expertise and time when employed to this end, and so a third-party tool is truly indispensable.

Applying machine learning, ADAudit Plus creates a baseline of normal activities specific to each user and only notifies security personnel when there is a deviation from this norm.

For example, a user who consistently accesses a critical server outside of business hours wouldn't trigger a false positive alert because that behavior is typical for that user. On the other hand, ADAudit Plus would instantly alert security teams when that same user accesses that server during a time they've never accessed it before, even though the access falls within business hours.

If you want to explore the product for yourself, download the free, fully-functional 30-day trial.

If you want an expert to take you through a personalized tour of the product, schedule a demo.

anageEngine User Academy

The 8 most critical Windows security events you must monitor.

 

Thank you for your interest!

We’ve sent the guide to your inbox.

Thanks for visiting.

Before you leave, check out our guide on the 8 most critical Windows security events you must monitor.

  •  
     
  • By clicking 'Get the free guide' you agree to processing of personal data according to the Privacy Policy.

ADAudit Plus Trusted By