Thursday, January 16, 2020

Event ID 4647 - User initiated logoff

JSON log sample (commas added so the record parses as valid JSON):

{
  "EventTime": "2017/08/25 14:09:12",
  "Hostname": "gh2dcs-adc1.changeme.com",
  "Keywords": -9214364837600034816,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4647,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 0,
  "Task": 12545,
  "OpcodeValue": 0,
  "RecordNumber": 2975449150,
  "ProcessID": 772,
  "ThreadID": 10432,
  "Channel": "Security",
  "Message": "User initiated logoff",
  "Category": "Logoff",
  "Opcode": "Info",
  "TargetUserSid": "S-1-5-21-1210427511-1310429627-2740863702-2325",
  "TargetUserName": "marks_admin",
  "TargetDomainName": "changeme",
  "TargetLogonId": "0x1b0efd69e",
  "EventReceivedTime": "2017/08/25 14:09:12",
  "SourceModuleName": "wineventlog_in",
  "SourceModuleType": "im_msvistalog"
}
This event is very important and highly valuable. It documents a user-initiated logoff from the local computer. It marks the end of a logon session and can be correlated back to Event ID 4624 using TargetLogonId to find the duration of the user's session. This event is logged for interactive and remote logon sessions that the user ends; for other logon types, Windows logs Event ID 4634 when the logoff occurs.

Target User Information:
"TargetUserSid" -> SID of the account
"TargetUserName" -> name of the account that logged on and is now logging off
"TargetDomainName" -> domain name of the account
"TargetLogonId" -> a number that is unique between reboots and identifies each logon session
These fields describe the user who just logged off. To determine whether the account is local or a domain account, compare TargetDomainName to the computer name: if they match, the account is a local account on that system; otherwise it is a domain account.
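As an added example (not part of the original post), the following Python script applies the two checks described above: it pairs each 4647 with the 4624 that shares its host and TargetLogonId to compute session duration, and it compares TargetDomainName with the computer name to tell local from domain accounts. The events are constructed samples in the NXLog JSON shape shown above; the LogonType field on the 4624 record is an assumption for illustration.

```python
from datetime import datetime

# Constructed sample: one 4624 logon and its matching 4647 logoff for marks_admin,
# plus a 4647 for a local account whose 4624 was not collected (left unmatched).
SAMPLE_EVENTS = [
    {"EventTime": "2017/08/25 13:41:02", "Hostname": "gh2dcs-adc1.changeme.com",
     "EventID": 4624, "TargetDomainName": "changeme", "TargetUserName": "marks_admin",
     "TargetLogonId": "0x1b0efd69e", "LogonType": 10},  # LogonType assumed for the example
    {"EventTime": "2017/08/25 14:09:12", "Hostname": "gh2dcs-adc1.changeme.com",
     "EventID": 4647, "TargetDomainName": "changeme", "TargetUserName": "marks_admin",
     "TargetLogonId": "0x1b0efd69e"},
    {"EventTime": "2017/08/25 14:20:00", "Hostname": "gh2dcs-adc1.changeme.com",
     "EventID": 4647, "TargetDomainName": "GH2DCS-ADC1", "TargetUserName": "localsvc",
     "TargetLogonId": "0x1b0f10a2c"},
]

TIME_FMT = "%Y/%m/%d %H:%M:%S"  # EventTime format as it appears in the sample above

def account_scope(event):
    """'local' if TargetDomainName equals the computer name (short hostname), else 'domain'."""
    computer = event["Hostname"].split(".")[0]
    return "local" if event["TargetDomainName"].lower() == computer.lower() else "domain"

def correlate_sessions(events):
    """Pair every 4647 logoff with the 4624 logon sharing the same host and TargetLogonId.
    Returns one record per logoff; duration_s is None when no matching logon was seen."""
    logons = {}
    for ev in events:
        if ev["EventID"] == 4624:
            logons[(ev["Hostname"], ev["TargetLogonId"].lower())] = ev
    sessions = []
    for ev in events:
        if ev["EventID"] != 4647:
            continue
        logon = logons.get((ev["Hostname"], ev["TargetLogonId"].lower()))
        duration = None
        if logon is not None:
            start = datetime.strptime(logon["EventTime"], TIME_FMT)
            end = datetime.strptime(ev["EventTime"], TIME_FMT)
            duration = int((end - start).total_seconds())
        sessions.append({
            "user": f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
            "logon_id": ev["TargetLogonId"],
            "scope": account_scope(ev),
            "logon_type": logon.get("LogonType") if logon else None,
            "duration_s": duration,
        })
    return sessions
```

A logoff with no matching 4624 usually means the logon happened before collection started or on another host, so the unmatched case is reported rather than dropped.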