Windows Event ID 4624: Successful Logon Analysis
Event ID 4624: Successful Account Logon
Event ID 4624 is a Windows Security event that records successful account logons. It is commonly used for monitoring authentication activities and identifying potential unauthorized access.
Logon Types in Event ID 4624
Logon Type | Name | Description | Use Case |
---|---|---|---|
2 | Interactive | User logged on directly to the system | Physical access, admin login |
3 | Network | User logged on over the network | Shared folders, SMB connections |
4 | Batch | Logon for batch-processing tasks | Scheduled tasks, scripts |
5 | Service | Service account logon | Services running under user accounts |
7 | Unlock | User unlocked a workstation | Resuming after lock screen |
8 | Network Cleartext | Credentials sent in clear text | Outdated/insecure auth |
9 | New Credentials | Process logged on with explicit credentials | Impersonation, different credentials |
10 | Remote Interactive | RDP session logon | Remote desktop, terminal services |
11 | Cached Interactive | Cached credentials used | Offline authentication |
Detailed Logon Type Breakdown
Type 2: Interactive
A user logged on directly to the system, usually at the console (keyboard, mouse, or remote desktop using the console session).
Common Scenarios:
- Physical user access to workstation
- Administrator login at console
- Local user authentication
Type 3: Network
A user or computer logged on over the network.
Common Scenarios:
- Accessing shared network folders
- Connecting to network printers
- SMB file server connections
Type 4: Batch
Logon for batch-processing tasks.
Common Scenarios:
- Scheduled tasks running under specific accounts
- Automated scripts and batch jobs
- Background processing tasks
Type 5: Service
Service account logon.
Common Scenarios:
- Windows services configured to run under user accounts
- Application services requiring specific permissions
- Database services with dedicated accounts
Type 7: Unlock
A user unlocked a workstation.
Common Scenarios:
- Resuming work after screen lock
- Returning from sleep/hibernation
- Unlocking after security timeout
Type 8: Network Cleartext
A user logged on with credentials sent in clear text over the network.
Security Concerns:
- Outdated authentication mechanisms
- Credentials transmitted unencrypted
- Should be avoided in modern environments
Type 9: New Credentials
A process logged on with explicit credentials using the LogonUser API.
Common Scenarios:
- Application impersonation
- Running processes under different user contexts
- Service account elevation
Type 10: Remote Interactive
Remote Desktop Protocol (RDP) session logon.
Common Scenarios:
- Remote desktop connections
- Terminal services sessions
- Remote administration
Type 11: Cached Interactive
Cached credentials were used to log on.
Common Scenarios:
- Laptop users logging in while offline
- Domain-joined computers without network connectivity
- Cached domain credentials
Key Fields in Event 4624
Field Category | Field Name | Description | Example |
---|---|---|---|
Subject | Account Name | The account initiating the logon | DOMAIN\username |
Logon Info | Logon Type | Type of logon (2-11) | 10 (Remote Interactive) |
Logon Info | Workstation Name | Source computer name | WORKSTATION01 |
Network | Source Network Address | Source IP address | 192.168.1.100 |
Network | Source Port | Source port number | 49152 |
Auth | Logon Process | Authentication protocol | Kerberos, NTLM |
Auth | Authentication Package | Auth package used | Negotiate |
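As an added example (not part of the original page), the following Python parses exported 4624 records into the fields in the table above. The input is the XML form produced by `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml` or by calling `.ToXml()` on `Get-WinEvent` records; the records embedded below are constructed samples, not real log data. One caveat the table glosses over: 4624 carries two Account Name values, the Subject (SubjectUserName, often "-" or a machine account) and the account that actually logged on (TargetUserName, under "New Logon"), and the second is the one you normally want.

```python
# Added example, not from the original page. Parses Windows Event 4624 XML into the
# fields listed in the table and tallies logon types. Sample XML is constructed.
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "Network Cleartext", 9: "New Credentials", 10: "Remote Interactive",
    11: "Cached Interactive",
}

def _event(event_id, system_time, data):
    # Build one <Event> of sample XML in the Windows event schema (constructed data).
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/><Computer>FS01.corp.example</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')

SAMPLE_XML = "<Events>" + "".join([
    _event(4624, "2024-03-04T19:15:07.000Z", {
        "SubjectUserName": "-", "SubjectDomainName": "-",
        "TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": "10",
        "LogonProcessName": "User32 ", "AuthenticationPackageName": "Negotiate",
        "WorkstationName": "WORKSTATION01", "IpAddress": "192.168.1.100", "IpPort": "49152"}),
    _event(4624, "2024-03-04T19:16:00.000Z", {
        "SubjectUserName": "-", "SubjectDomainName": "-",
        "TargetUserName": "svc-backup", "TargetDomainName": "CORP", "LogonType": "3",
        "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
        "WorkstationName": "-", "IpAddress": "10.0.0.5", "IpPort": "51234"}),
    _event(4634, "2024-03-04T19:17:00.000Z", {       # a logoff; the parser must skip it
        "TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": "10"}),
    _event(4624, "2024-03-04T19:18:00.000Z", {
        "SubjectUserName": "FS01$", "SubjectDomainName": "CORP",
        "TargetUserName": "legacyapp", "TargetDomainName": "CORP", "LogonType": "8",
        "LogonProcessName": "Advapi  ", "AuthenticationPackageName": "Negotiate",
        "WorkstationName": "FS01", "IpAddress": "-", "IpPort": "-"}),
]) + "</Events>"

def parse_4624(xml_text):
    """Return one dict per 4624 event, keyed like the field table above."""
    records = []
    for ev in ET.fromstring(xml_text).iter(f"{{{NS['e']}}}Event"):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue                                   # other Security events are ignored
        # LogonProcessName is space-padded in real events, hence the strip()
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        logon_type = int(data.get("LogonType", 0))
        records.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "computer": ev.findtext("e:System/e:Computer", namespaces=NS),
            "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
            "account": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
            "logon_type": logon_type,
            "logon_type_desc": LOGON_TYPES.get(logon_type, "Unknown"),
            "logon_process": data.get("LogonProcessName", ""),
            "auth_package": data.get("AuthenticationPackageName", ""),
            "workstation": data.get("WorkstationName", ""),
            "src_ip": data.get("IpAddress", ""),
            "src_port": data.get("IpPort", ""),
        })
    return records

def count_by_logon_type(records):
    """Equivalent of `stats count by Logon_Type`, with the description attached."""
    return Counter(f'{r["logon_type"]} ({r["logon_type_desc"]})' for r in records)

if __name__ == "__main__":
    recs = parse_4624(SAMPLE_XML)
    for r in recs:
        print(r["time"], r["account"], r["logon_type_desc"], r["src_ip"], r["logon_process"])
    print(count_by_logon_type(recs))
```

The parser keeps both the Subject and the New Logon account so that a Type 9 or Type 5 event, where the two differ, is not misattributed; an IpAddress of "-" is left as-is because console and local logons legitimately carry no address.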
Security Use Cases
Detection & Monitoring
- Unauthorized Access: Identify unusual or suspicious logon attempts
- Pattern Analysis: Look for excessive RDP logons (Type 10) or outdated mechanisms (Type 8)
- Anomaly Detection: Monitor for logons outside business hours or from unexpected locations
Forensic Analysis
- Incident Response: Use detailed fields to trace security incidents
- Timeline Analysis: Correlate logon events with other security events
- Attribution: Identify source systems and user accounts involved in incidents
Compliance & Auditing
- Access Reviews: Maintain logs for regular access reviews
- Regulatory Compliance: Meet requirements for authentication logging
- Security Assessments: Provide evidence for security assessments and audits
High-Risk Indicators
- Type 8 Logons: Network cleartext authentication (should be rare)
- Multiple Failed Logons: Followed by successful Type 2/10 logons
- Unusual Times: Logons outside normal business hours
- Geographic Anomalies: Logons from unexpected locations
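The four indicators above, written as rules over already-parsed Security events (4624 successes and 4625 failures). This is an added example, not code from the original page; the records are plain dicts as a parser would emit them, and the ones below are constructed samples. Business hours of 08:00 to 18:00 (mirroring the hour<8 OR hour>18 query later on the page), the site time zone, the "expected" networks used as a stand-in for geographic checks, and the failure threshold and window are all assumptions to tune per environment.

```python
# Added example, not from the original page. Evaluates the High-Risk Indicators
# against constructed 4624/4625 records. Thresholds, time zone and networks are assumed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

SITE_TZ = timezone(timedelta(hours=-5))                                  # assumed
BUSINESS_HOURS = range(8, 19)                                            # 08:00 to 18:59 local
EXPECTED_NETS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]  # assumed
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)                   # assumed

def _rec(rid, event_id, hour, minute, account, logon_type, src_ip):
    # One constructed record; "rid" plays the role of EventRecordID in findings.
    return {"rid": rid, "event_id": event_id,
            "time": datetime(2024, 3, 4, hour, minute, tzinfo=SITE_TZ),
            "account": account, "logon_type": logon_type, "src_ip": src_ip}

SAMPLE = [
    _rec(1, 4624, 14, 0, "CORP\\jdoe", 10, "192.168.1.100"),           # normal RDP logon
    *[_rec(2 + i, 4625, 3, i, "CORP\\admin", 10, "203.0.113.9") for i in range(5)],  # 5 failures
    _rec(7, 4624, 3, 6, "CORP\\admin", 10, "203.0.113.9"),             # then a success
    _rec(8, 4624, 10, 0, "CORP\\legacyapp", 8, "10.0.0.5"),            # cleartext auth
    _rec(9, 4624, 22, 30, "CORP\\svc-backup", 3, "10.0.0.5"),          # late network logon
]

def off_hours(rec):
    return rec["time"].astimezone(SITE_TZ).hour not in BUSINESS_HOURS

def unexpected_source(rec):
    ip = rec["src_ip"]
    if ip in ("", "-", "::1", "127.0.0.1"):      # console/local logons carry no real address
        return False
    return not any(ip_address(ip) in net for net in EXPECTED_NETS)

def burst_then_success(records):
    """rids of Type 2/10 successes preceded, within FAIL_WINDOW, by at least
    FAIL_THRESHOLD 4625 failures for the same account from the same source."""
    fails, hits = defaultdict(list), set()
    for rec in sorted(records, key=lambda r: r["time"]):
        key = (rec["account"].lower(), rec["src_ip"])
        if rec["event_id"] == 4625:
            fails[key].append(rec["time"])
        elif rec["event_id"] == 4624 and rec["logon_type"] in (2, 10):
            recent = [t for t in fails[key] if rec["time"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                hits.add(rec["rid"])
    return hits

def evaluate(records):
    """Return {rid: [reasons]} for every 4624 that trips at least one indicator."""
    bursts = burst_then_success(records)
    findings = {}
    for rec in records:
        if rec["event_id"] != 4624:
            continue
        reasons = []
        if rec["logon_type"] == 8:
            reasons.append("Type 8 cleartext logon")
        if off_hours(rec):
            reasons.append("outside business hours")
        if unexpected_source(rec):
            reasons.append("source outside expected networks")
        if rec["rid"] in bursts:
            reasons.append("failed logon burst followed by success")
        if reasons:
            findings[rec["rid"]] = reasons
    return findings

if __name__ == "__main__":
    for rid, reasons in evaluate(SAMPLE).items():
        print(rid, "; ".join(reasons))
```

The off-hours rule is applied to every logon type, as the page's query does; in practice Type 3, 4 and 5 logons fire around the clock, so scoping that rule to interactive types (2, 7, 10, 11) is a common first tuning step.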
Splunk Query Examples
Basic Queries
All Event ID 4624 Logons
index=main sourcetype="WinEventLog:Security" EventCode=4624
Filter by Logon Type
index=main sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
Search for Specific User
index=main sourcetype="WinEventLog:Security" EventCode=4624 Account_Name="admin"
Search by Source IP
index=main sourcetype="WinEventLog:Security" EventCode=4624 Source_Network_Address="192.168.1.100"
Security Monitoring Queries
High-Risk Logon Types
index=main sourcetype="WinEventLog:Security" EventCode=4624 (Logon_Type=8 OR Logon_Type=9)
| table _time Account_Name Logon_Type Source_Network_Address Workstation_Name
RDP Logons (Type 10)
index=main sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
| stats count by Account_Name Source_Network_Address
| sort -count
Logons Outside Business Hours
index=main sourcetype="WinEventLog:Security" EventCode=4624
| eval hour=strftime(_time, "%H")
| search hour<8 OR hour>18
| table _time Account_Name Logon_Type Source_Network_Address hour
Advanced Analysis Queries
Logon Type Breakdown with Descriptions
index=main sourcetype="WinEventLog:Security" EventCode=4624
| eval Logon_Type_Desc=case(
Logon_Type==2, "Interactive",
Logon_Type==3, "Network",
Logon_Type==4, "Batch",
Logon_Type==5, "Service",
Logon_Type==7, "Unlock",
Logon_Type==8, "Network Cleartext",
Logon_Type==9, "New Credentials",
Logon_Type==10, "Remote Interactive",
Logon_Type==11, "Cached Interactive",
1=1, "Unknown"
)
| table _time Account_Name Logon_Type Logon_Type_Desc Source_Network_Address Workstation_Name
| sort -_time
Top Logon Sources
index=main sourcetype="WinEventLog:Security" EventCode=4624
| stats count by Source_Network_Address Account_Name
| sort -count
| head 20
Authentication Method Analysis
index=main sourcetype="WinEventLog:Security" EventCode=4624
| stats count by Logon_Process Authentication_Package
| sort -count