SecurityEvent Authentication
Audit Logon Activities
Within the Windows SecurityEvent logs, a few Event IDs give you a view of user attempts (successful or failed) to log on to a computer, and of how the logon was performed.
- EventID 4624 (S) - An account was successfully logged on.
- EventID 4625 (F) - An account failed to log on.
- EventID 4648 (S) - A logon was attempted using explicit credentials.
- EventID 4675 (S) - SIDs were filtered.
What does Logon Type mean?
Within these Audit Logon Activities, two other columns of interest exist - (A) LogonType; (B) LogonTypeName. The full reference can be found here.
LogonType | LogonTypeName | Description |
---|---|---|
0 | System | Used only by the System account, for example at system startup. |
2 | Interactive | A user logged on to this computer. |
3 | Network | A user or computer logged on to this computer from the network. |
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
5 | Service | A service was started by the Service Control Manager. |
7 | Unlock | This workstation was unlocked. |
8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
12 | CachedRemoteInteractive | Same as RemoteInteractive. This is used for internal auditing. |
13 | CachedUnlock | Workstation logon. |
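The table above can be turned into a lookup so that logon events carry a readable type name next to the numeric LogonType. The following query is an added example written for this page, not part of the original notes; it assumes the Microsoft Sentinel SecurityEvent schema (columns TimeGenerated, EventID, LogonType as an integer, Account, Computer) and surfaces accounts with repeated failed logons (EventID 4625) per computer and logon type over the last 24 hours. The threshold of 5 failures is an arbitrary starting point for triage.

```kql
// Added example: map LogonType to its name and summarise failed vs successful logons.
// Assumes the Sentinel SecurityEvent schema; the failure threshold (5) is a constructed value.
let LogonNames = datatable(LogonType:int, LogonName:string)
[
    0,  "System",
    2,  "Interactive",
    3,  "Network",
    4,  "Batch",
    5,  "Service",
    7,  "Unlock",
    8,  "NetworkCleartext",
    9,  "NewCredentials",
    10, "RemoteInteractive",
    11, "CachedInteractive",
    12, "CachedRemoteInteractive",
    13, "CachedUnlock"
];
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4624, 4625)                          // successful and failed logons only
| extend Outcome = iff(EventID == 4624, "Success", "Failure")
| lookup kind=leftouter LogonNames on LogonType          // attach the readable type name
| summarize
    Attempts  = count(),
    Failures  = countif(Outcome == "Failure"),
    Successes = countif(Outcome == "Success"),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by Account, Computer, LogonType, LogonName
| where Failures >= 5
| order by Failures desc
```

A burst of type 3 (Network) or type 10 (RemoteInteractive) failures followed by a success for the same Account is the pattern to review first; type 4 and 5 failures usually point at a service or scheduled task running with an expired password rather than at a person.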
Azure AD Authentication
SigninLogs - Succeeded or Failed?
Within the Azure AD SigninLogs table, the column ResultType contains the error code of the sign-in activity. To add a column indicating whether the sign-in succeeded or failed:
// To add a column representing successful / failed login status
SigninLogs
| extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure")
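Building on the FailureOrSuccess column, the query below is an added example for this page, not part of the original notes; it assumes the standard SigninLogs columns (TimeGenerated, UserPrincipalName, ResultType, ResultDescription, IPAddress) and reports users whose failed sign-ins dominate over the last day, together with the distinct error codes seen and the source addresses involved. The thresholds (10 failures, failure ratio above 0.5) are constructed values to adjust to your tenant's baseline.

```kql
// Added example: per-user sign-in failure ratio using the FailureOrSuccess classification.
// Assumes the standard Azure AD SigninLogs schema; thresholds are constructed values.
SigninLogs
| where TimeGenerated > ago(1d)
| extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure")
| summarize
    Total        = count(),
    Failures     = countif(FailureOrSuccess == "Failure"),
    FailureCodes = make_set_if(ResultType, FailureOrSuccess == "Failure"),   // distinct error codes
    Reasons      = make_set_if(ResultDescription, FailureOrSuccess == "Failure"),
    SourceIPs    = dcount(IPAddress),
    LastSeen     = max(TimeGenerated)
    by UserPrincipalName
| extend FailureRatio = round(1.0 * Failures / Total, 2)
| where Failures >= 10 and FailureRatio > 0.5
| order by Failures desc
```

Codes 50125 and 50140 are interrupts (password reset, keep-me-signed-in prompt) and 70043/70044 are expired sessions, which is why the page's one-liner treats them as successes rather than failures; a high dcount of IPAddress against a single user with a high FailureRatio is the combination worth escalating.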
SigninLogs - Error Code Description
For more information on any specific Error Code, look up the number in this link.