- Thread Author
-
- #1
Hello All,
Greetings!!!
In our environment we monitor Windows events 4624 and 4625 on AD for the other workstations, as not all workstations can be integrated in a SIEM.
However, in events 4624 and 4625 we are not getting any type 10 or type 2 logon type that could tell us that an interactive logon has been triggered on the workstation. I have tested it using my credentials; however, we got type 3 even though it was an interactive logon.
This information is critical for us to detect some malicious activity.
Is there any way to get this information from AD? Is there any policy that needs to be pushed?
Please guide. Thanks in advance.
Regards,
Ameer Mane
Solution
Well, for starters, I wouldn't monitor workstations for login attempts; that won't scale well. Rather, monitor only your DCs.
As far as group policy goes, the only thing you should need is Computer Configuration > Policies > Windows Settings > Security Settings > Local Policy > Audit Policy. Enable 'Audit account logon events' and 'Audit logon events'.
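As an added illustration of the use case in this thread (not code from either poster), the following Python script parses Windows 4624 events exported as XML and flags interactive logons (LogonType 2, 10 or 11, the values Microsoft documents for Interactive, RemoteInteractive and CachedInteractive) by accounts that match a service-account naming convention. The sample events, the host names, the `svc_` naming convention and the account names are all constructed for the example. The per-host summary also shows why the DC alone does not answer the question: the DC records the workstation's network authentication as LogonType 3, while the type 2/10 entry is only written to the Security log of the workstation where the logon happened, so those events have to be collected (for example with Windows Event Forwarding) from the workstations themselves.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Default namespace used by Windows event XML (as exported by wevtutil / Event Viewer).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Documented 4624 logon types that mean a user sat at a console or RDP session.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Assumed naming convention for service accounts; adjust to your own environment.
SERVICE_ACCOUNT_PATTERN = re.compile(r"^svc[_-]", re.IGNORECASE)


def _event(computer, user, logon_type, workstation, ip):
    """Build a minimal 4624 event in the real schema; values are constructed sample data."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample: what the DC sees versus what the workstations see for the same sessions.
SAMPLE_EVENTS = [
    _event("DC01.example.local", "svc_backup", 3, "WS01", "10.0.0.15"),  # DC: network auth only
    _event("WS01.example.local", "svc_backup", 2, "WS01", "-"),          # WS01: the console logon
    _event("DC01.example.local", "alice", 3, "WS02", "10.0.0.16"),       # DC: network auth only
    _event("WS02.example.local", "alice", 10, "WS02", "10.0.0.50"),      # WS02: RDP logon
]


def parse_4624(xml_text):
    """Extract the fields needed for the check from one event's XML."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "computer": root.find("e:System/e:Computer", NS).text,
        "user": data.get("TargetUserName", ""),
        "domain": data.get("TargetDomainName", ""),
        "logon_type": int(data.get("LogonType", "0")),
        "workstation": data.get("WorkstationName", ""),
        "ip": data.get("IpAddress", ""),
    }


def logon_type_summary(events):
    """Count logon types per logging host; shows that the DC only records type 3 here."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in map(parse_4624, events):
        if ev["event_id"] == 4624:
            summary[ev["computer"]][ev["logon_type"]] += 1
    return {host: dict(types) for host, types in summary.items()}


def find_service_account_interactive_logons(events):
    """Return 4624 events where a service account logged on interactively."""
    hits = []
    for ev in map(parse_4624, events):
        if ev["event_id"] != 4624:
            continue
        if ev["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        if not SERVICE_ACCOUNT_PATTERN.match(ev["user"]):
            continue
        ev["logon_type_name"] = INTERACTIVE_LOGON_TYPES[ev["logon_type"]]
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for host, types in logon_type_summary(SAMPLE_EVENTS).items():
        print(f"{host}: {types}")
    for hit in find_service_account_interactive_logons(SAMPLE_EVENTS):
        print(f"ALERT {hit['domain']}\\{hit['user']} {hit['logon_type_name']} "
              f"logon on {hit['computer']} (ws={hit['workstation']}, ip={hit['ip']})")
```

Run against the constructed sample, the summary reports only type 3 for DC01 and the alert fires once, for the `svc_backup` console logon recorded on WS01. Feeding it real exports (for example `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml` from a forwarded-events collector) only requires replacing `SAMPLE_EVENTS` with the parsed `<Event>` elements.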
- Thread Author
-
- #3
Hello Neemobeer,
Thanks for the reply.
We have a use case in the environment which needs to collect interactive logon on the PCs.
Also, consider a normal scenario in which we want to check whether any service user account is being used for interactive logon. It is essential to have the interactive logon type in the logs. In this case it is not possible to check each and every PC, and we cannot integrate such PCs in the SIEM, as the quantity of logs would be huge and unnecessary.
Thus, I am looking for a way to get such information from AD itself, as all PCs communicate with AD for authentication.
Regards,
Ameer Mane
Sent from my Moto G (4) using Tapatalk