{
	"id": "98c5384a-1491-4f35-912d-3fe1868a4c3f",
	"created_at": "2026-04-06T01:28:58.613796Z",
	"updated_at": "2026-04-10T03:20:39.911794Z",
	"deleted_at": null,
	"sha1_hash": "390773ce2304e565be8ab9fb2dd6a6c736f9e9a3",
	"title": "Audit logon events - Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35950,
	"plain_text": "Audit logon events - Windows 10\r\nBy vinaypamnani-msft\r\nArchived: 2026-04-06 00:45:11 UTC\r\nDetermines whether to audit each instance of a user logging on to or logging off from a device.\r\nAccount logon events are generated on domain controllers for domain account activity and on local devices for\r\nlocal account activity. If both account logon and logon audit policy categories are enabled, logons that use a\r\ndomain account generate a logon or logoff event on the workstation or server, and they generate an account logon\r\nevent on the domain controller. Additionally, interactive logons to a member server or workstation that use a\r\ndomain account generate a logon event on the domain controller as the logon scripts and policies are retrieved\r\nwhen a user logs on. For more info about account logon events, see Audit account logon events.\r\nIf you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event\r\ntype at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit\r\nentry when a logon attempt fails.\r\nTo set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these\r\npolicy settings check box and clear the Success and Failure check boxes.\r\nFor information about advanced security policy settings for logon events, see the Logon/logoff section in\r\nAdvanced security audit policy settings.\r\nYou can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows\r\nSettings\\Security Settings\\Local Policies\\Audit Policy.\r\nLogon\r\nevents\r\nDescription\r\n4624\r\nA user successfully logged on to a computer. For information about the type of logon, see the\r\nLogon Types table below.\r\n4625\r\nLogon failure. A logon attempt was made with an unknown user name or a known user name\r\nwith a bad password.\r\n4634 The logoff process was completed for a user.\r\n4647 A user initiated the logoff process.\r\n4648\r\nA user successfully logged on to a computer using explicit credentials while already logged on\r\nas a different user.\r\n4779 A user disconnected a terminal server session without logging off.\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events\r\nPage 1 of 2\n\nWhen event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also listed in the event log. The\r\nfollowing table describes each logon type.\r\nLogon\r\ntype\r\nLogon title Description\r\n2 Interactive A user logged on to this computer.\r\n3 Network A user or computer logged on to this computer from the network.\r\n4 Batch\r\nBatch logon type is used by batch servers, where processes may be\r\nexecuting on behalf of a user without their direct intervention.\r\n5 Service A service was started by the Service Control Manager.\r\n7 Unlock This workstation was unlocked.\r\n8 NetworkCleartext\r\nA user logged on to this computer from the network. The user's password\r\nwas passed to the authentication package in its unhashed form. The built-in\r\nauthentication packages all hash credentials before sending them across the\r\nnetwork. The credentials do not traverse the network in plaintext (also called\r\ncleartext).\r\n9 NewCredentials\r\nA caller cloned its current token and specified new credentials for outbound\r\nconnections. The new logon session has the same local identity, but uses\r\ndifferent credentials for other network connections.\r\n10 RemoteInteractive\r\nA user logged on to this computer remotely using Terminal Services or\r\nRemote Desktop.\r\n11 CachedInteractive\r\nA user logged on to this computer with network credentials that were stored\r\nlocally on the computer. The domain controller was not contacted to verify\r\nthe credentials.\r\nBasic security audit policy settings\r\nSource: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"
	],
	"report_names": [
		"basic-audit-logon-events"
	],
	"threat_actors": [],
	"ts_created_at": 1775438938,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/390773ce2304e565be8ab9fb2dd6a6c736f9e9a3.pdf",
		"text": "https://archive.orkl.eu/390773ce2304e565be8ab9fb2dd6a6c736f9e9a3.txt",
		"img": "https://archive.orkl.eu/390773ce2304e565be8ab9fb2dd6a6c736f9e9a3.jpg"
	}
}