V 2.0 : Network Logon Success

Vendor Documentation

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0 : Network Logon Success	Base Rule	User Logon	Authentication Success
V 2.0 : EVID 4624 : Network User Logon Success	Sub Rule	User Logon	Authentication Success
V 2.0 : EVID 4624 : Administrator Logon Type 3	Sub Rule	User Logon	Authentication Success
V 2.0 : EVID 4624 : Anonymous Logon Type 3	Sub Rule	User Logon	Authentication Success
V 2.0 : EVID 4624 : System Logon Type 3	Sub Rule	Computer Logon	Authentication Success

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
Provider	N/A	N/A	Identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.
EventID	<vmid>	Number	The identifier that the provider used to identify the event.
Version	N/A	N/A	The version number of the event's definition.
Level	<severity>	Text/String	The severity level defined in the event.
Task	<vendorinfo>	Text/String	The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged.
Opcode	N/A	N/A	The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged.
Keywords	<result>	Text/String	A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
TimeCreated	N/A	N/A	The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute.
EventRecordID	N/A	N/A	The record number assigned to the event when it was logged.
Correlation	N/A	N/A	The activity identifiers that consumers can use to group related events together.
Execution	N/A	N/A	Contains information about the process and thread that logged the event.
Channel	N/A	N/A	The channel to which the event was logged.
Computer	<dname>	Text/String	The name of the computer on which the event occurred.
SubjectUserSid	N/A	N/A	The SID of account that reported information about successful logon or invokes it.
SubjectUserName	N/A	N/A	The name of the account that reported information about successful logon.
SubjectDomainName	N/A	N/A	The subject's domain or computer name. Formats vary, and include the following: Domain NETBIOS name. Example: CONTOSO Lowercase full domain name: contoso.local Uppercase full domain name: CONTOSO.LOCAL For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is NT AUTHORITY. For local user accounts, this field will contain the name of the computer or device that this account belongs to
SubjectLogonId	N/A	N/A	A hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID.
TargetUserSid	N/A	N/A	The SID of account for which logon was performed.
TargetUserName	<login> <tag1>	Text/String/Number	The name of the account for which logon was performed.
TargetDomainName	<domainorigin>	Text/String	The target's domain or computer name. Formats vary, and include the following: Domain NETBIOS name example: CONTOSO Lowercase full domain name: contoso.local Uppercase full domain name: CONTOSO.LOCAL For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is NT AUTHORITY. For local user accounts, this field will contain the name of the computer or device that this account belongs to
TargetLogonId	<session>	Number	The hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID.
LogonType	<sessiontype> <tag2>	Number	The type of logon which was used.
LogonProcessName	<object>	Text/String	The name of the trusted logon process that was used for the logon.
AuthenticationPackageName	<objectname>	Text/String	The name of the authentication package which was used for the logon authentication process. The most common authentication packages are: NTLM – NTLM-family Authentication Kerberos – Kerberos authentication. Negotiate – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
WorkstationName	N/A	<Text/String>	The machine name to which logon attempt was performed.
LogonGuid	N/A	N/A	A GUID that can help you correlate this event with another event that can contain the same Logon GUID. This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}.”
TransmittedServices	N/A	N/A	The list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user.
LmPackageName	<objecttype>	<Text/String>	The name of the LAN Manager sub-package (NTLM-family protocol name) that was used during logon. Possible values are: NTLM V1 NTLM V2 LM Only populated if Authentication Package = NTLM.
KeyLength	<size>	Number	The length of NTLM Session Security key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if Authentication Package = Kerberos, because it is not applicable for Kerberos protocol. This field will also have 0 value if Kerberos was negotiated using Negotiate authentication package.
ProcessId	<processid>	Number	A hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
ProcessName	<process>	Text/String	The full path and the name of the executable for the process.
IpAddress	<sip>	Ip address	The IP address of machine from which logon attempt was performed. IPv6 address or ::ffff:IPv4 address of a client. ::1 or 127.0.0.1 means localhost.
IpPort	<sport>	Number	The source port which was used for logon attempt from remote machine. 0 for interactive logons.
ImpersonationLevel	N/A	N/A	This attribute can have one of these four values: SecurityAnonymous (displayed as empty string): The server process cannot obtain identification information about the client, and it cannot impersonate the client. It is defined with no value given, and thus, by ANSI C rules, defaults to a value of zero. SecurityIdentification (displayed as Identification): The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context. SecurityImpersonation (displayed as Impersonation): The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems. This is the most common type. SecurityDelegation (displayed as Delegation): The server process can impersonate the client's security context on remote systems.
RestrictedAdminMode	N/A	N/A	Only populated for RemoteInteractive logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. If not a RemoteInteractive logon, then this will be "-" string.
TargetOutboundUserName	<account>	Text/String	The user name that will be used for outbound (network) connections. Valid only for NewCredentials logon type. If not NewCredentials logon, then this will be a "-" string.
TargetOutboundDomainName	N/A	N/A	Domain for the user that will be used for outbound (network) connections. Valid only for NewCredentials logon type. If not NewCredentials logon, then this will be a "-" string.
VirtualAccount	N/A	N/A	This is a Yes/No flag indicating if the account is a virtual account (e.g., Managed Service Account), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using NetworkService.
TargetLinkedLogonId	N/A	N/A	A hexadecimal value of the paired logon session. If there is no other logon session associated with this logon session, then the value is 0x0.
ElevatedToken	<tag3>	Number	This is a Yes/No flag. If Yes, then the session this event represents is elevated and has administrator privileges.