More of the questions posted on my Security Log forum have to do with confusion between these 2 categories than any other.
In my next Security Log Secrets training webinar I will answer ‘What is the Difference between “Account Logon” events and “Logon/Logoff” Events?’.
It’s an important question because these 2 categories are very different, and unless you understand them you will waste a lot of effort, fail to find the information you are looking for, miss important indicators of suspicious activity and draw erroneous conclusions.
The secret lies in the fact that authentication and logon are really 2 different things in Windows, and in some circumstances they occur on different computers. Further complicating the issue is the fact that there are 2 different types of accounts in Windows: local accounts and domain accounts.
In this webinar I’ll explain the difference between authentication and logon and how they relate to these 2 categories of events in the Windows security log.
You will learn about event IDs 528, 540, 672, 673, 680 and many more. You will learn how to track logon and authentication requests back to the computer where the user is located and how to interpret the Logon Type and Logon ID fields that appear in some events.
You will find out how to use domain controller security logs to track initial workstation logons as well as users’ subsequent access to different servers. Then you will find out how to go to a server’s local security log to find out more about the user’s activity on that computer.
This is indeed Real Training for Free (TM).