EVID 4624 : Remote Interactive User Logon Success (XML - Security)
Event Details
Event Type | Audit Logon |
---|---|
Event Description | 4624(S) : An account was successfully logged on. |
Event ID | 4624, Logn Type: 10 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 | ||
---|---|---|---|---|
Provider | N/A | N/A | ||
EventID | <vmid> | <vmid> | ||
Version | N/A | N/A | ||
Level | <severity> | <severity> | ||
Task | <vendorinfo> | <vendorinfo> | ||
Opcode | N/A | N/A | ||
Keywords | N/A | <result> | ||
TimeCreated | N/A | N/A | ||
EventRecordID | N/A | N/A | ||
Correlation | N/A | N/A | ||
Execution | N/A | N/A | ||
Channel | N/A | N/A | ||
Computer | <dname> | <dname> | ||
SubjectUserSid | N/A | N/A | ||
SubjectUserName | N/A | N/A | ||
SubjectDomainName | N/A | N/A | ||
SubjectLogonId | N/A | N/A | ||
TargetUserSid | N/A | N/A | ||
TargetUserName | <login>, <tag2> | <login>, <tag1> | ||
TargetDomainName | <domainimpacted> | <domainorigin> | ||
TargetLogonId | <session> | <session> | ||
LogonType | <sessiontype>, <tag1>, <command> | <sessiontype>, <tag2> | ||
LogonProcessName | <object> | <object> | ||
AuthenticationPackageName | N/A | <objectname> | ||
WorkstationName | N/A | N/A | ||
LogonGuid | N/A | N/A | ||
TransmittedServices | N/A | N/A | ||
LmPackageName | N/A | <objecttype> | ||
KeyLength | <size> | <size> | ||
ProcessId | N/A | <processid> | ||
ProcessName | <process> | <process> | ||
IpAddress | <sip> | <sip> | ||
IpPort | <sport> | <sport> | ||
ImpersonationLevel | N/A | N/A | ||
RestrictedAdminMode | N/A | N/A | ||
TargetOutboundUserName | N/A | <account> | ||
TargetOutboundDomainName | N/A | N/A | ||
VirtualAccount | N/A | N/A | ||
TargetLinkedLogonId | N/A | N/A | ||
ElevatedToken | N/A | <tag3> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1007742 | EVID 4624 : Logon Events | Base Rule | Authentication Activity | Authentication Success |
EVID 4624 : Logon Type 2 | Sub Rule | User Logon | Authentication Success | |
EVID 4624 : Logon Type 3 | Sub Rule | User Logon | Authentication Success | |
EVID 4624 : Logon Type 4 | Sub Rule | User Logon | Authentication Success | |
EVID 4624 : Logon Type 7 | Sub Rule | User Logon | Authentication Success | |
EVID 4624 : Logon Type 8 | Sub Rule | User Logon | Authentication Success | |
EVID 4624 : Logon Type 10 | Sub Rule | User Logon | Authentication Success | |
EVID 4624 : Logon Type 11 | Sub Rule | User Logon | Authentication Success | |
EVID 4624 : Logon Type 5 | Sub Rule | Service Logon | Authentication Success | |
EVID 4624 : Anonymous Logon Type 3 | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4624 : Administrator Logon Type 3 | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4624 : System Logon Type 3 | Sub Rule | Computer Logon | Authentication Success | |
EVID 4624 : System Logon Type 2 | Sub Rule | Computer Logon | Authentication Success | |
EVID 4624 : System Logon Type 4 | Sub Rule | Computer Logon | Authentication Success | |
EVID 4624 : System Logon Type 7 | Sub Rule | Computer Logon | Authentication Success | |
EVID 4624 : System Logon Type 8 | Sub Rule | Computer Logon | Authentication Success | |
EVID 4624 : System Logon Type 10 | Sub Rule | Computer Logon | Authentication Success | |
EVID 4624 : System Logon Type 11 | Sub Rule | Computer Logon | Authentication Success | |
EVID 4624 : System Logon Type 5 | Sub Rule | Computer Logon | Authentication Success |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1012617 | V 2.0 : Remote Interactive User Logon Success | Base Rule | User Logon | Authentication Success |
V 2.0 : EVID 4624 : Remote Intractv Usr Logon Succ | Sub Rule | User Logon | Authentication Success | |
V 2.0 : EVID 4624 : Administrator Logon Type 10 | Sub Rule | User Logon | Authentication Success | |
V 2.0 : EVID 4624 : Anonymous Logon Type 10 | Sub Rule | User Logon | Authentication Success | |
V 2.0 : EVID 4624 : System Logon Type 10 | Sub Rule | Computer Logon | Authentication Success |