In this next Security Log Exposed webinar, I will explain how the much-misunderstood Logon/Logoff category of the Windows security log works. First, I’ll explain the difference between logon events and authentication (aka Account Logon) events in Windows. Then I’ll help you interpret these events based on whether you observe them on workstations, member servers or domain controllers.
You will learn about Windows 2022 event IDs 4624 and 4625, as well as many more. You will learn how to track logon attempts back to the computer where the user is located and how to interpret the Logon Type and Logon ID fields that appear in some events.
I’ll deal with the issue of anonymous logon events, which cause much concern and investigation, as well as other “weird” logon events that are sometimes encountered.
I will also explain why you see multiple logon events when a privileged user logs on – it has to do with User Account Control.
This session is sponsored by LOGbinder’s Supercharger for Windows Event Collection, and Barry Vista will briefly show you how Supercharger can help you leverage native Windows Event Forwarding to aggregate logs without installing an agent on every endpoint.
This will be a technical, real training for free session, so don’t miss it!