An account was successfully logged on
An account was successfully logged on. Indicates a successful authentication and session creation on the target machine.
Event ID 4624 is generated whenever a user or computer account successfully authenticates to a Windows machine. It records essential authentication context including the Logon Type (e.g., Type 2 Interactive, Type 3 Network, Type 10 RDP), the user's Security Identifier (SID), Account Name, Logon Domain, and the Source Network Address (IP address). Analyzing Logon Types is vital for differentiating normal interactive console logins from lateral movement or remote access.
Failure Reason / Root Cause:
Normal user or service logon activity, scheduled task execution, system startup, or remote desktop (RDP) session initiation.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.861Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to An account was successfully logged on -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1078 | Valid Accounts | Initial Access |
T1021 | Remote Services | Lateral Movement |
Recommended actions
- Monitor for unexpected Logon Type 10 (Remote Interactive / RDP) or Logon Type 3 (Network) authentications from unusual IP addresses.
- Correlate rapid successive 4624 events across multiple endpoints to detect lateral movement or pass-the-hash activity.
- Verify that high-privileged administrative accounts only log onto designated secure workstations.