EVID 4624 : Remote Interactive User Logon Success (XML - Security)

Event Details

Event Type: Audit Logon

Event Description: 4624(S) : An account was successfully logged on.

Event ID: 4624, Logon Type: 10

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | <vendorinfo> | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | N/A | <result> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| SubjectUserSid | N/A | N/A |
| SubjectUserName | N/A | N/A |
| SubjectDomainName | N/A | N/A |
| SubjectLogonId | N/A | N/A |
| TargetUserSid | N/A | N/A |
| TargetUserName | <login>, <tag2> | <login>, <tag1> |
| TargetDomainName | <domainimpacted> | <domainorigin> |
| TargetLogonId | <session> | <session> |
| LogonType | <sessiontype>, <tag1>, <command> | <sessiontype>, <tag2> |
| LogonProcessName | <object> | <object> |
| AuthenticationPackageName | N/A | <objectname> |
| WorkstationName | N/A | N/A |
| LogonGuid | N/A | N/A |
| TransmittedServices | N/A | N/A |
| LmPackageName | N/A | <objecttype> |
| KeyLength | <size> | <size> |
| ProcessId | N/A | <processid> |
| ProcessName | <process> | <process> |
| IpAddress | <sip> | <sip> |
| IpPort | <sport> | <sport> |
| ImpersonationLevel | N/A | N/A |
| RestrictedAdminMode | N/A | N/A |
| TargetOutboundUserName | N/A | <account> |
| TargetOutboundDomainName | N/A | N/A |
| VirtualAccount | N/A | N/A |
| TargetLinkedLogonId | N/A | N/A |
| ElevatedToken | N/A | <tag3> |
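The LogRhythm Default v2.0 column above, applied to a Windows Security event in XML form. This is an added example, not LogRhythm's parsing rule: the function name, the output dictionary keyed by metadata tag, the assumption that raw values are copied unchanged, and the sample event are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# System-element fields -> v2.0 metadata tags, per the table above.
SYSTEM_MAP = {"EventID": ["vmid"], "Level": ["severity"], "Task": ["vendorinfo"],
              "Keywords": ["result"], "Computer": ["dname"]}
# EventData fields -> v2.0 metadata tags, per the table above.
DATA_MAP = {
    "TargetUserName": ["login", "tag1"], "TargetDomainName": ["domainorigin"],
    "TargetLogonId": ["session"], "LogonType": ["sessiontype", "tag2"],
    "LogonProcessName": ["object"], "AuthenticationPackageName": ["objectname"],
    "LmPackageName": ["objecttype"], "KeyLength": ["size"],
    "ProcessId": ["processid"], "ProcessName": ["process"],
    "IpAddress": ["sip"], "IpPort": ["sport"],
    "TargetOutboundUserName": ["account"], "ElevatedToken": ["tag3"],
}

def parse_4624_type10(xml_text):
    """Return v2.0-style metadata for a 4624 Logon Type 10 event, else None."""
    root = ET.fromstring(xml_text)
    # Strip the "{namespace}" prefix from each child tag of <System>.
    system = {el.tag.split("}")[1]: (el.text or "").strip()
              for el in root.find("e:System", NS)}
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    if system.get("EventID") != "4624" or data.get("LogonType") != "10":
        return None
    out = {}
    for source, mapping in ((system, SYSTEM_MAP), (data, DATA_MAP)):
        for field, tags in mapping.items():
            if field in source:  # fields absent from the event stay unset
                out.update({tag: source[field] for tag in tags})
    return out

# Constructed sample event (values are illustrative, not from a real host).
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
<Level>0</Level><Task>12544</Task><Keywords>0x8020000000000000</Keywords>
<Computer>host01.example.test</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data>
<Data Name="TargetDomainName">EXAMPLE</Data><Data Name="TargetLogonId">0x3e7a1</Data>
<Data Name="LogonType">10</Data><Data Name="LogonProcessName">User32 </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="IpAddress">192.0.2.10</Data><Data Name="IpPort">49152</Data>
<Data Name="ElevatedToken">%%1842</Data></EventData></Event>"""

if __name__ == "__main__":
    print(parse_4624_type10(SAMPLE))
```

When the XML comes from collectors you do not control, parse it with defusedxml rather than the standard-library ElementTree.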


Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1007742 | EVID 4624 : Logon Events | Base Rule | Authentication Activity | Authentication Success |
| | EVID 4624 : Logon Type 2 | Sub Rule | User Logon | Authentication Success |
| | EVID 4624 : Logon Type 3 | Sub Rule | User Logon | Authentication Success |
| | EVID 4624 : Logon Type 4 | Sub Rule | User Logon | Authentication Success |
| | EVID 4624 : Logon Type 7 | Sub Rule | User Logon | Authentication Success |
| | EVID 4624 : Logon Type 8 | Sub Rule | User Logon | Authentication Success |
| | EVID 4624 : Logon Type 10 | Sub Rule | User Logon | Authentication Success |
| | EVID 4624 : Logon Type 11 | Sub Rule | User Logon | Authentication Success |
| | EVID 4624 : Logon Type 5 | Sub Rule | Service Logon | Authentication Success |
| | EVID 4624 : Anonymous Logon Type 3 | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4624 : Administrator Logon Type 3 | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4624 : System Logon Type 3 | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4624 : System Logon Type 2 | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4624 : System Logon Type 4 | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4624 : System Logon Type 7 | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4624 : System Logon Type 8 | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4624 : System Logon Type 10 | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4624 : System Logon Type 11 | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4624 : System Logon Type 5 | Sub Rule | Computer Logon | Authentication Success |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1012617 | V 2.0 : Remote Interactive User Logon Success | Base Rule | User Logon | Authentication Success |
| | V 2.0 : EVID 4624 : Remote Intractv Usr Logon Succ | Sub Rule | User Logon | Authentication Success |
| | V 2.0 : EVID 4624 : Administrator Logon Type 10 | Sub Rule | User Logon | Authentication Success |
| | V 2.0 : EVID 4624 : Anonymous Logon Type 10 | Sub Rule | User Logon | Authentication Success |
| | V 2.0 : EVID 4624 : System Logon Type 10 | Sub Rule | Computer Logon | Authentication Success |