Interactive LogOn type in windows AD events

amane

New Member
Joined
Apr 7, 2018
Hello All,

Greetings!!!

In our environment we monitor Windows events 4624 and 4625 on AD for other workstations, as all workstations cannot be integrated in a SIEM.

However, in events 4624 and 4625 we are not getting any type 10 or type 2 logon type that could tell us an interactive logon has been triggered on the workstation. I have tested it by using my credentials; however, we got type 3 even though it was an interactive logon.

This information is critical for us to detect some malicious activity.

Is there any way to get this information from AD? Is there any policy that needs to be pushed?

Please guide. Thanks in advance.

Regards,
Ameer Mane
 
Well, for starters I wouldn't monitor workstations for login attempts; that won't scale well. Rather, monitor only your DCs.

As far as group policy, the only thing you should need is Computer Configuration > Policies > Windows Settings > Security Settings > Local Policy > Audit Policy. Enable 'Audit account logon events' and 'Audit logon events'.
 
Hello Neemobeer,

Thanks for the reply.

We have a use case in the environment which needs to collect interactive logon on the PCs.

Also, consider the normal scenario in which we want to check if any service user account is getting used for interactive logon. It is essential to have the interactive logon type in the logs. In this case, it is not possible to check each and every PC; also, we cannot integrate such PCs in the SIEM, as the quantity of logs will be huge and unnecessary.

Thus, I am looking for a way to get such information from AD itself, as all PCs communicate with AD for authentication.

Regards,
Ameer Mane

 
If they're domain joined systems those logs will exist on the DCs. In most environments that should only be a handful of systems. That information won't exist in AD itself.
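The distinction in the reply above is the whole answer: when a user logs on at a workstation console or over RDP, the workstation records 4624 with logon type 2 or 10, while the DC only records the Kerberos/NTLM validation it performed for that workstation, which is a type 3 (Network) logon. The following PowerShell is an added example, not code from the thread, showing how a defender would pull the interactive-type 4624 events from the workstations themselves and keep only those where an account that should never log on interactively did so. The host names and service-account names are placeholders.

```powershell
# Added example (not from the thread): pull 4624 events from one or more hosts
# and keep only interactive-style logons by accounts that should never log on
# interactively. Assumes the Security log is readable (run elevated) and that
# the host list and service-account names below are placeholders.

# Prerequisite, the local equivalent of the GPO setting mentioned in the thread
# (advanced audit policy subcategory rather than the legacy category):
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Logon types that mean a user session was started on the machine itself.
# 2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# Type 3 (Network) is what a DC records when a workstation validates a logon
# against it, which is why the DC only ever shows type 3 for these logons.
$InteractiveTypes = @('2', '10', '11')

# Placeholder list of accounts that must never log on interactively.
$ServiceAccounts = @('svc_backup', 'svc_sql')

# Placeholder host names; replace with workstations reachable for remote event log reads.
$Hosts = @('WS01', 'WS02')

foreach ($h in $Hosts) {
    # Only successful logons (4624) from the last 24 hours.
    $events = Get-WinEvent -ComputerName $h -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # The logon type and account live in EventData, so parse the event XML.
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($InteractiveTypes -contains $d['LogonType'] -and
            $ServiceAccounts -contains $d['TargetUserName']) {
            [pscustomobject]@{
                Host      = $h
                Time      = $ev.TimeCreated
                Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = $d['LogonType']
                Source    = $d['IpAddress']
            }
        }
    }
}
```

Running this from a management host against the hundred or so workstations avoids shipping every event to the SIEM: only the few matching rows need to be forwarded or alerted on. If polling does not fit, the same filter (Event ID 4624 with LogonType 2, 10 or 11) can be expressed as a Windows Event Forwarding subscription so the workstations push just those events to a collector.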
 
Is there any way to fetch this information in the AD? We have around 100 PCs in the environment. And we cannot integrate all of them into the SIEM.

 