Direct Inward Dialing: +1 408 916 9892
Event ID 4624 (viewed in Windows Event Viewer) documents every successful attempt at logging on to a local computer. This event is generated on the computer that was accessed, in other words, where the logon session was created. A related event, Event ID 4625 documents failed logon attempts.
Event 4624 applies to the following operating systems: Windows Server 2008 R2 and Windows 7, Windows Server 2012 R2 and Windows 8.1, and Windows Server 2016 and Windows 10. Corresponding events in Windows Server 2003 and earlier included both 528 and 540 for successful logons.
Event ID 4624 looks a little different across Windows Server 2008, 2012, and 2016. Highlighted in the screenshots below are the important fields across each of these versions.
The important information that can be derived from Event 4624 includes:
- Interactive logon
Occurs when a user logs on using a computer's local keyboard and screen.
+ Network logon
Occurs when a user accesses remote file shares or printers. Also, most logons to Internet Information Services (IIS) are classified as network logons (except for IIS logons which are logged as logon type 8).
+ Batch logon
Occurs during scheduled tasks, i.e. when the Windows Scheduler service starts a scheduled task.
+ Service logon
Occurs when services and service accounts log on to start a service.
+ Unlock logon
Occurs when a user unlocks their Windows machine.
+ NetworkClearText logon
Occurs when a user logs on over a network and the password is sent in clear text. Most often indicates a logon to IIS using "basic authentication."
+ NewCredentials logon
Occurs when a user runs an application using the RunAs command and specifies the /netonly switch.
+ RemoteInteractive logon
Occurs when a user logs on to their computer using RDP-based applications like Terminal Services, Remote Desktop, or Remote Assistance.
+ CachedInteractive logon
Occurs when a user logs on to their computer using network credentials that were stored locally on the computer (i.e. the domain controller was not contacted to verify the credentials).
Other information that can be obtained from Event 4624:
To prevent privilege abuse, organizations need to be vigilant about what actions privileged users are performing, starting with logons.
To detect abnormal and potentially malicious activity, like a logon from an inactive or restricted account, users logging on outside of normal working hours, concurrent logons to many resources, etc.
To get information on user activity like user attendance, peak logon times, etc.
To comply with regulatory mandates precise information surrounding successful logons is necessary.
In a typical IT environment, the number of events with ID 4624 (successful logons) can run into the thousands per day. However, all these successful logon events are not important; even the important events are useless in isolation, without any connection established with other events.
For example, while Event 4624 is generated when an account logs on and Event 4647 is generated when an account logs off, neither of these events reveal the duration of the logon session. To find the logon duration, you have to correlate Event 4624 with the corresponding Event 4647 using the Logon ID.
Thus, event analysis and correlation needs to be done. Native tools and PowerShell scripts demand expertise and time when employed to this end, and so a third-party tool is truly indispensable.
Applying machine learning, ADAudit Plus creates a baseline of normal activities specific to each user and only notifies security personnel when there is a deviation from this norm.
For example, a user who consistently accesses a critical server outside of business hours wouldn't trigger a false positive alert because that behavior is typical for that user. On the other hand, ADAudit Plus would instantly alert security teams when that same user accesses that server during a time they've never accessed it before, even though the access falls within business hours.
ManageEngine ADAudit Plus employs machine learning to alert you whenever a user with possibly malicious intent logs on.