Event ID 4634 - An account was logged off
JSON log sample (the original sample was missing the commas between fields; they are restored here):
{
  "EventTime": "2017/08/25 14:09:12",
  "Hostname": "MPWXDC.changeme.local",
  "Keywords": -9214364837600034816,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4634,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 0,
  "Task": 12545,
  "OpcodeValue": 0,
  "RecordNumber": 614393726,
  "ProcessID": 824,
  "ThreadID": 14128,
  "Channel": "Security",
  "Message": "An account was logged off.",
  "Category": "Logoff",
  "Opcode": "Info",
  "TargetUserSid": "S-1-5-21-343361891-1219768270-4058147650-8884",
  "TargetUserName": "MPWXEX2013-1$",
  "TargetDomainName": "MP",
  "TargetLogonId": "0x30cdec610",
  "LogonType": "3",
  "EventReceivedTime": "2017/08/25 14:09:12",
  "SourceModuleName": "wineventlog_in",
  "SourceModuleType": "im_msvistalog"
}
This event is very important and highly valuable. It documents a user logoff event on the local computer. It marks the end of a logon session and can be correlated back to event 4624 using TargetLogonId to determine the duration of the user's session. Note, however, that for an interactive logon Windows logs event 4647 when the user logs off.
Target User Information:
"TargetUserSid" -> SID of the account that was logged off
"TargetUserName" -> name of the account that was logged off
"TargetDomainName" -> domain name of the account
"TargetLogonId" -> a number that is unique between reboots and identifies the logon session; it is the same value recorded in the corresponding 4624 event
These fields provide information about the account that just logged off. To determine whether the account is local or a domain account, compare TargetDomainName with the computer name: if they match, the account is a local account on that system; otherwise it is a domain account.
Type of logon:
"LogonType" -> the type of logon that the session used. Possible values are as follows:

LogonType | Description
--------- | -----------
2 | Interactive
3 | Network
4 | Batch
5 | Service
7 | Unlock
8 | NetworkCleartext
9 | NewCredentials
10 | RemoteInteractive
11 | CachedInteractive
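The correlation described above, as an added example that is not part of the original post: it pairs each 4624 logon with the 4634 (or, for interactive sessions, 4647) event carrying the same TargetLogonId on the same host, computes the session duration, and labels it with the logon type from the table. The input records are constructed samples in the same field layout as the post's JSON, trimmed to the fields the correlation needs.

```python
# Added example (not from the original post): pair 4624 logon events with the
# 4634/4647 event that ends the same session, keyed on host + TargetLogonId,
# and report the duration per logon type. Input lines are constructed samples.
import json
from datetime import datetime

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample records (hosts, users and ids are made up for the demo).
# The 4647 record carries no LogonType, so the type is taken from the 4624.
SAMPLE_LOGS = [
    '{"EventTime": "2017/08/25 14:00:12", "Hostname": "MPWXDC.changeme.local", "EventID": 4624, "TargetUserName": "MPWXEX2013-1$", "TargetDomainName": "MP", "TargetLogonId": "0x30cdec610", "LogonType": "3"}',
    '{"EventTime": "2017/08/25 13:55:00", "Hostname": "MPWXDC.changeme.local", "EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "MP", "TargetLogonId": "0x30cde0001", "LogonType": "2"}',
    '{"EventTime": "2017/08/25 14:09:12", "Hostname": "MPWXDC.changeme.local", "EventID": 4634, "TargetUserName": "MPWXEX2013-1$", "TargetDomainName": "MP", "TargetLogonId": "0x30cdec610", "LogonType": "3"}',
    '{"EventTime": "2017/08/25 15:25:00", "Hostname": "MPWXDC.changeme.local", "EventID": 4647, "TargetUserName": "jdoe", "TargetDomainName": "MP", "TargetLogonId": "0x30cde0001"}',
    '{"EventTime": "2017/08/25 14:10:00", "Hostname": "MPWXDC.changeme.local", "EventID": 4634, "TargetUserName": "svc", "TargetDomainName": "MP", "TargetLogonId": "0x1", "LogonType": "5"}',
]

def parse_time(s):
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S")

def correlate_sessions(lines):
    """Return (sessions, orphans). A session pairs a 4624 with its 4634/4647;
    orphans are logoffs with no matching logon (e.g. the logon predates log
    collection, or the id belongs to an earlier boot)."""
    sessions, orphans, open_logons = [], [], {}
    # Process in time order so a logoff is always seen after its logon.
    events = sorted((json.loads(l) for l in lines),
                    key=lambda e: parse_time(e["EventTime"]))
    for e in events:
        # TargetLogonId is unique only per host and per boot, so key on host too.
        key = (e["Hostname"], e["TargetLogonId"].lower())
        if e["EventID"] == 4624:
            open_logons[key] = e
        elif e["EventID"] in (4634, 4647):  # 4647 is the interactive logoff
            start = open_logons.pop(key, None)
            if start is None:
                orphans.append(e)
                continue
            ltype = int(start.get("LogonType", 0))
            delta = parse_time(e["EventTime"]) - parse_time(start["EventTime"])
            sessions.append({
                "user": f'{start["TargetDomainName"]}\\{start["TargetUserName"]}',
                "logon_type": LOGON_TYPES.get(ltype, f"Unknown({ltype})"),
                "start": start["EventTime"], "end": e["EventTime"],
                "duration_s": int(delta.total_seconds()),
            })
    return sessions, orphans

if __name__ == "__main__":
    found, unmatched = correlate_sessions(SAMPLE_LOGS)
    for s in found:
        print(s)
    print(f"{len(unmatched)} logoff(s) without a matching 4624")
```

Unmatched logoffs are worth keeping rather than discarding: on a domain controller with high logon volume they usually mean the collector started after the logon, but a run of them for one account is also a useful review signal.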