Event ID 4624

SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

The name of the account that reported information about successful logon.

Subject’s domain or computer name. Formats vary, and include the following:

Domain NETBIOS name example: DOMAIN

Lowercase full domain name: domain.local

Uppercase full domain name: DOMAIN.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “ComputerName”.

Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”

SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

The name of the account for which logon was performed.

Subject’s domain or computer name. Formats vary, and include the following:

Domain NETBIOS name example: DOMAIN

Lowercase full domain name: domain.local

Uppercase full domain name: DOMAIN.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “ComputerName”.

Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”

The type of logon which was performed. The table on the description contains the list of possible values for this field.

The name of the trusted logon process that was used for the logon. See event “4611: A trusted logon process has been registered with the Local Security Authority” description for more information.

The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “4610: An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name.

The most common authentication packages are:

NTLM – NTLM-family Authentication

Kerberos – Kerberos authentication.

Negotiate – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.

Machine name from which logon attempt was performed.

A GUID that can help you correlate this event with another event that can contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested event on a domain controller.

Transmitted services are populated if the logon was a result of a Service For User logon process.

Related info: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level

[Type = UInt32]: the length of NTLM Session Security key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using Negotiate authentication package.

Hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process.

Full path and the name of the executable for the process.

IP address of machine from which logon attempt was performed.

Source port which was used for logon attempt from remote machine.
0 for interactive logons.

Only populated for RemoteInteractive and CachedRemoteInteractive logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.

Reference: http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx.

User name that will be used for outbound (network) connections. Valid only for NewCredentials logon type.

Domain for the user that will be used for outbound (network) connections. Valid only for NewCredentials logon type.

a “Yes” or “No” flag, which indicates if the account is a virtual account (e.g., "Managed Service Account"), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using "NetworkService".

A hexadecimal value of the paired logon session. If there is no other logon session associated with this logon session, then the value is “0x0”.

a “Yes” or “No” flag. If “Yes” then the session this event represents is elevated and has administrator privileges.