In this next Security Log Exposed webinar I will explain how the much-misunderstood Logon/Logoff category of the Windows security log works. First I’ll explain the difference between logon events and authentication (aka Account Logon) events in Windows. Then I’ll help you interpret these events based on whether you observe them on workstations, member servers or domain controllers.
You will learn about Windows 2008 event IDs 4624, 4625 as well as Windows 2003 event IDs 528, 540, 529 and many more. You will learn how to track logon attempts back to the computer where the user is located and how to interpret the Logon Type and Logon ID fields that appear in some events.
I’ll deal with the issue of anonymous logon events, which cause much concern and investigation, as well as other “weird” logon events that are sometimes encountered.
I’ll finish up by spending a few minutes on my Rosetta Audit Logging Kit which provides prescriptive guidance on what to audit, what to alert on and what reports you should implement in your log management / SIEM solution.
This will be technical, real training for free so don’t miss it!