In the world of Windows security, comprehending different logon types found in security event logs is essential. Each logon type is designated by a unique number, providing valuable insight into user activities and potential security risks. Let’s delve into the main logon types that can be observed in a Windows environment.

Logon Type 2: Interactive Logon

This type of logon occurs when a user logs in interactively to a system, typically by entering their username and password at the computer’s physical keyboard and screen. Logon type 2 events are a regular occurrence on any system where users log in locally.

Logon Type 3: Network Logon

Network logons are logged when a user or a process accesses shared resources on a system, like a shared folder or printer, from a remote system. It’s important to note that the user isn’t interactively logging into the system; instead, they’re accessing resources over the network.

Logon Type 4: Batch Logon

When the Windows Task Scheduler starts a scheduled task or batch job, Windows logs a logon type 4 event. This logon type allows tasks to run at their scheduled time regardless of whether a user is actually logged into the system.

Logon Type 5: Service Logon

Windows logs a type 5 logon when a service starts and its service account logs on to the local system. This event is typically initiated by the Service Control Manager, which is responsible for starting and managing the services on the system.

Logon Type 7: Unlock Screen

When a user returns to their computer and unlocks the screen, Windows logs this as a type 7 logon event. This provides visibility into when a system is left unattended and then accessed by the logged-in user.

Logon Type 8: NetworkCleartext

A logon type 8 event signifies a user logging on with a network account using a plaintext password. Because this logon type involves passwords being sent in cleartext over the network, it is associated with higher security risks and should be investigated if seen frequently.

Logon Type 10: RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)

This logon type records when a user remotely logs into a system, typically through Remote Desktop or Remote Assistance.

Each of these logon types can provide key insights into user activity and potential security incidents. By understanding these different types, security analysts and IT administrators can better interpret event logs and take appropriate action when anomalous behavior is detected.
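As an added example (not part of the original post), the following Python script reads successful logon records (Event ID 4624) in the XML shape that the Windows Event Viewer exports, maps the LogonType field to the names used above, counts logons per type, and lists the type 8 (NetworkCleartext) logons that the post says deserve a closer look. The sample records are constructed here for illustration, not real log data.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Logon type numbers and the names used in this post (Windows defines others not covered here).
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
                    7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event_xml(event_id, user, logon_type, ip):
    """Build one constructed record in the shape of an exported Security event."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')


# Constructed sample data, not real log output.
SAMPLE_EVENTS = [
    _event_xml(4624, "alice", 2, "-"),
    _event_xml(4624, "svc-backup", 5, "-"),
    _event_xml(4624, "bob", 3, "10.0.0.25"),
    _event_xml(4624, "bob", 8, "10.0.0.25"),
    _event_xml(4624, "alice", 10, "10.0.0.40"),
    _event_xml(4625, "alice", 10, "10.0.0.40"),  # failed logon, not a successful logon record
]


def parse_logon_event(xml_text):
    """Return (user, logon_type, source_ip) for a 4624 record, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    fields = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
    return fields["TargetUserName"], int(fields["LogonType"]), fields["IpAddress"]


def logon_type_name(logon_type):
    """Name from the table above; types the post does not cover are reported by number."""
    return LOGON_TYPE_NAMES.get(logon_type, f"Other({logon_type})")


def summarize(xml_events):
    """Count successful logons per logon type name."""
    parsed = [p for p in map(parse_logon_event, xml_events) if p]
    return Counter(logon_type_name(t) for _, t, _ in parsed)


def cleartext_logons(xml_events):
    """List (user, source IP) pairs for type 8 logons, which the post says to investigate."""
    parsed = [p for p in map(parse_logon_event, xml_events) if p]
    return [(u, ip) for u, t, ip in parsed if t == 8]


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print(cleartext_logons(SAMPLE_EVENTS))
```

The same functions work on events exported from a live system, for example the XML produced by Get-WinEvent's ToXml() method, one record per string.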

Remember, security is all about awareness and understanding the intricacies of the systems you are tasked with protecting. Keep learning and stay vigilant.

About 360 SOC

At 360 SOC, we understand that no two organizations have the same security needs and requirements. That’s why we offer both Managed Detection and Response (MDR) and Security Operations Center as a Service (SOC as a Service), tailored to meet your unique security requirements. Our team of experts will work with you to understand your organization’s specific security needs and goals, and design a customized solution that delivers the protection and support you need to stay safe from cyber threats. With 360 SOC, you can feel confident that your organization’s networks and systems are in good hands, and that you have the tools and resources you need to effectively detect and respond to any security incidents.