{
  "id": "4624",
  "source": "windows_security",
  "category": "Logon",
  "name": "An account was successfully logged on",
  "priority": "P1",
  "applicable_version": "Windows Server 2008 R2 and later; Windows 7 and later",
  "last_reviewed": "2026-07-10",
  "definition": "Windows Security Event ID 4624 records a successful logon and provides the primary host-level record for determining who accessed a system, how they authenticated, and from where.",
  "trigger_scenarios": "Windows generates this event when a logon session is created successfully. It covers local console access, network access, RDP, scheduled tasks, services, and other authentication mechanisms.",
  "key_fields": [
    {
      "field": "New Logon / Account Name",
      "explanation": "The account associated with the new session. Review the domain, account type, and whether the identity is expected on the target system."
    },
    {
      "field": "Logon Type",
      "explanation": "Identifies the session type. Type 3 commonly represents SMB or other network access, Type 10 represents RDP, and Type 2 represents a local interactive session."
    },
    {
      "field": "Network Information",
      "explanation": "Workstation Name, Source Network Address, and Source Port identify the client when the logon is remote. These values are useful for lateral-movement timelines."
    },
    {
      "field": "Authentication Package / Logon Process",
      "explanation": "Shows the authentication path, such as Kerberos or NTLM. Unexpected NTLM use, unusual logon processes, or a mismatch with normal access patterns can be significant."
    }
  ],
  "false_positives": [
    "Service accounts, scheduled tasks, and management platforms may create large volumes of expected logons.",
    "Domain controllers and file servers commonly record Type 3 logons during normal application and SMB activity.",
    "Jump hosts and remote-management tooling can produce legitimate Type 10 logons outside normal business hours."
  ],
  "related_event_ids": [
    "4625",
    "4634",
    "4648",
    "4672"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1078",
      "technique_name": "Valid Accounts"
    },
    {
      "technique_id": "T1021",
      "technique_name": "Remote Services"
    }
  ],
  "detection_notes": "T1021 remote-service activity is indicated by Logon Type 10 for RDP or Logon Type 3 for SMB from a source that is not an approved jump host. A Type 10 4624 immediately after 4625 failures or a Type 3 logon to ADMIN$ should be correlated to 5140 and 4688; the Logon ID binds the session to follow-on execution.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4624 and LogonType in (3, 10)\n| project TimeGenerated, Computer, Account, LogonType, IpAddress, WorkstationName, AuthenticationPackageName\n| order by TimeGenerated desc",
  "spl_snippet": "index=wineventlog EventCode=4624 Logon_Type IN (3, 10)\n| table _time, host, Account_Name, Logon_Type, Source_Network_Address, Workstation_Name",
  "sample_log": "Subject: Security ID: S-1-0-0\nNew Logon: Security ID: CORP\\jsmith\nLogon Type: 10\nWorkstation Name: WS-014\nSource Network Address: 10.x.x.x\nAuthentication Package: Kerberos",
  "source_url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
  "route": "/windows-events/4624/",
  "canonical_url": "https://soceventlookup.com/windows-events/4624/",
  "json_url": "/api/events/windows-security/4624.json"
}
