Saturday, January 18, 2020

Event ID 4624 - An account was successfully logged on

JSON log sample:

{
  "EventTime": "2017-10-09 05:00:00",
  "Hostname": "LPWXDC.ChangeMe.local",
  "Keywords": -9214364837600034816,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4624,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 1,
  "Task": 12544,
  "OpcodeValue": 0,
  "RecordNumber": 409583434,
  "ProcessID": 824,
  "ThreadID": 19048,
  "Channel": "Security",
  "Message": "An account was successfully logged on.",
  "Category": "Logon",
  "Opcode": "Info",
  "SubjectUserSid": "S-1-0-0",
  "SubjectUserName": "-",
  "SubjectDomainName": "-",
  "SubjectLogonId": "0x0",
  "TargetUserSid": "S-1-5-18",
  "TargetUserName": "LPW",
  "TargetDomainName": "LP",
  "TargetLogonId": "0x1828eb397",
  "LogonType": "3",
  "LogonProcessName": "Kerberos",
  "AuthenticationPackageName": "Kerberos",
  "LogonGuid": "{FD1B49BA-A5E9-5D7D-D3F4-D925B43807F2}",
  "TransmittedServices": "-",
  "LmPackageName": "-",
  "KeyLength": "0",
  "ProcessName": "-",
  "WorkstationName": "LPLONSERVDBVM",
  "IpAddress": "10.0.2.10",
  "IpPort": "60208",
  "ImpersonationLevel": "%%1833",
  "EventReceivedTime": "2017-10-09 05:00:00",
  "SourceModuleName": "wineventlog_in",
  "SourceModuleType": "im_msvistalog"
}

This event is very important and highly valuable. It documents every successful attempt to log on to the local computer, regardless of logon type, location of the user or type of account.

Subject User Information:
"SubjectUserSid"
"SubjectUserName"
"SubjectDomainName"
"SubjectLogonId"
This identifies the account that requested the logon, not the user who actually logged on. From an audit perspective this information is generally not that important, but there can still be cases where you would want to look into it. To find information about the user who logged on, refer to the Target User Information below.

Target User Information:
"TargetUserSid" -> SID of an account
"TargetUserName" -> user who logged in
"TargetDomainName" -> domain name of user
"TargetLogonId" -> A number that is unique between reboots and identifies each logon session. It can be used to correlate with the logoff events 4634 and 4647.
This provides information about the user who just logged on. To determine whether the account is local or domain, compare TargetDomainName to the computer name. If they match, the account is a local account on that system; otherwise it is a domain account.

Type of logon:
"LogonType" -> This defines the type of logon. Possible values are as follows:

logon_type  description
2           Interactive
3           Network
4           Batch
5           Service
7           Unlock
8           NetworkCleartext
9           NewCredentials
10          RemoteInteractive
11          CachedInteractive

Impersonation Level:

impersonation level  description
%%1832               Identification
%%1833               Impersonation
%%1840               Delegation
%%1841               Denied by Process Trust Label ACE
%%1842               Yes
%%1843               No
%%1844               System
%%1845               Not Available
%%1846               Default
%%1847               DisallowMmConfig
%%1848               Off
%%1849               Auto

Network Information:
"IpAddress" -> IP address of the computer where the user is physically present
"IpPort" -> source TCP port of the logon request
"WorkstationName" -> the computer name of the computer where the user is physically present. Workstation may be blank in some Kerberos logons.
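The points above (reading the Target User fields, deciding local versus domain by comparing TargetDomainName to the computer name, mapping LogonType and ImpersonationLevel codes, treating a blank WorkstationName as absent, and correlating 4624 with 4634/4647 by TargetLogonId) can be put together in a small parser. The following is an added example, not code from the original post; the three JSON records it works on are constructed in the same nxlog shape as the sample above, with placeholder host, user and SID values, and the function names are my own.

```python
import json
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# LogonType and ImpersonationLevel codes as listed in the post.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
IMPERSONATION_LEVELS = {
    "%%1832": "Identification", "%%1833": "Impersonation", "%%1840": "Delegation",
}
LOGOFF_EVENT_IDS = {4634, 4647}

# Constructed sample records (not from the original post): two 4624 logons
# plus one 4634 logoff whose TargetLogonId matches the first logon.
_SAMPLE_RECORDS = [
    {"EventTime": "2020-01-18 09:00:00", "Hostname": "WS01.example.local",
     "EventID": 4624, "TargetUserSid": "S-1-5-21-1111-2222-3333-1105",
     "TargetUserName": "alice", "TargetDomainName": "EXAMPLE",
     "TargetLogonId": "0x3E7A1", "LogonType": "10",
     "ImpersonationLevel": "%%1833", "IpAddress": "10.0.2.15",
     "IpPort": "50123", "WorkstationName": "LAPTOP-ALICE"},
    {"EventTime": "2020-01-18 09:05:00", "Hostname": "WS01.example.local",
     "EventID": 4624, "TargetUserSid": "S-1-5-21-4444-5555-6666-1002",
     "TargetUserName": "svc_backup", "TargetDomainName": "WS01",
     "TargetLogonId": "0x1A2B3", "LogonType": "5",
     "ImpersonationLevel": "%%1832", "IpAddress": "-", "IpPort": "-",
     "WorkstationName": "-"},
    {"EventTime": "2020-01-18 09:30:00", "Hostname": "WS01.example.local",
     "EventID": 4634, "TargetUserName": "alice", "TargetDomainName": "EXAMPLE",
     "TargetLogonId": "0x3e7a1", "LogonType": "10"},
]
SAMPLE_LINES = [json.dumps(r) for r in _SAMPLE_RECORDS]


def _blank(value):
    """nxlog writes '-' for empty event fields; treat those as missing."""
    return None if value in (None, "", "-") else value


def computer_name(hostname):
    """'LPWXDC.ChangeMe.local' -> 'LPWXDC' (first DNS label, upper-cased)."""
    return hostname.split(".")[0].upper()


def parse_event(line):
    """Parse one JSON log line and convert EventTime to a datetime."""
    ev = json.loads(line)
    ev["EventTime"] = datetime.strptime(ev["EventTime"], TIME_FMT)
    return ev


def describe_logon(ev):
    """Summarise a 4624 event from the Target User and Network fields."""
    if ev["EventID"] != 4624:
        raise ValueError("not a 4624 event")
    domain = ev["TargetDomainName"]
    # Local account if TargetDomainName equals the computer name, else domain.
    scope = "local" if domain.upper() == computer_name(ev["Hostname"]) else "domain"
    logon_type = int(ev["LogonType"])
    level = ev.get("ImpersonationLevel")
    return {
        "user": f"{domain}\\{ev['TargetUserName']}",
        "account_scope": scope,
        "logon_type": LOGON_TYPES.get(logon_type, f"Unknown({logon_type})"),
        "impersonation": IMPERSONATION_LEVELS.get(level, level),
        "source_ip": _blank(ev.get("IpAddress")),
        "source_port": _blank(ev.get("IpPort")),
        "workstation": _blank(ev.get("WorkstationName")),  # may be blank for Kerberos
        "logon_id": ev["TargetLogonId"].lower(),
    }


def correlate_sessions(events):
    """Pair each 4624 with the first later 4634/4647 carrying the same
    TargetLogonId on the same host. Returns {(host, logon_id): session}."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["EventTime"]):
        key = (computer_name(ev["Hostname"]), ev["TargetLogonId"].lower())
        if ev["EventID"] == 4624:
            sessions[key] = {"user": describe_logon(ev)["user"],
                             "start": ev["EventTime"], "end": None,
                             "duration_seconds": None}
        elif ev["EventID"] in LOGOFF_EVENT_IDS:
            s = sessions.get(key)
            if s is not None and s["end"] is None:
                s["end"] = ev["EventTime"]
                s["duration_seconds"] = int((s["end"] - s["start"]).total_seconds())
    return sessions


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LINES]
    for ev in events:
        if ev["EventID"] == 4624:
            print(describe_logon(ev))
    for key, session in correlate_sessions(events).items():
        print(key, session)
```

TargetLogonId is only unique between reboots on one machine, so the session key includes the computer name as well as the logon id; a logoff that arrives with no matching logon (for instance after a reboot) is simply ignored rather than mis-paired.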
