SOC Event Lookup
Event ID 4624LogonP1

Windows Event ID 4624: An account was successfully logged on

Windows Security Event ID 4624 records a successful logon and provides the primary host-level record for determining who accessed a system, how they authenticated, and from where.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

Windows generates this event when a logon session is created successfully. It covers local console access, network access, RDP, scheduled tasks, services, and other authentication mechanisms.

Key Fields

New Logon / Account Name

The account associated with the new session. Review the domain, account type, and whether the identity is expected on the target system.

Logon Type

Identifies the session type. Type 3 commonly represents SMB or other network access, Type 10 represents RDP, and Type 2 represents a local interactive session.

Network Information

Workstation Name, Source Network Address, and Source Port identify the client when the logon is remote. These values are useful for lateral-movement timelines.

Authentication Package / Logon Process

Shows the authentication path, such as Kerberos or NTLM. Unexpected NTLM use, unusual logon processes, or a mismatch with normal access patterns can be significant.

Common False Positives

  • Service accounts, scheduled tasks, and management platforms may create large volumes of expected logons.
  • Domain controllers and file servers commonly record Type 3 logons during normal application and SMB activity.
  • Jump hosts and remote-management tooling can produce legitimate Type 10 logons outside normal business hours.

Related Events

MITRE ATT&CK Mapping

  • T1078Valid Accounts
  • T1021Remote Services

Detection Notes

T1021 remote-service activity is indicated by Logon Type 10 for RDP or Logon Type 3 for SMB from a source that is not an approved jump host. A Type 10 4624 immediately after 4625 failures or a Type 3 logon to ADMIN$ should be correlated to 5140 and 4688; the Logon ID binds the session to follow-on execution.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4624 and LogonType in (3, 10)
| project TimeGenerated, Computer, Account, LogonType, IpAddress, WorkstationName, AuthenticationPackageName
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4624 Logon_Type IN (3, 10)
| table _time, host, Account_Name, Logon_Type, Source_Network_Address, Workstation_Name
Sample Log
Subject: Security ID: S-1-0-0
New Logon: Security ID: CORP\jsmith
Logon Type: 10
Workstation Name: WS-014
Source Network Address: 10.x.x.x
Authentication Package: Kerberos

Source