User Logon

Windows 10 Windows 7 Windows 8 Windows 8.1 Windows 11 Security User Activity

Enabled by default

Service: Microsoft Windows security auditing.

Log type: Security

A users login will likely be the first sign of an attack and can indicate suspicious behavior. It can also give an analyst a starting time to create a timeline of events. This log is recquired in the HIPAA and PCI DSS regulations and is recommended by the NSA Event Forwarding Guidance and JPCERT.

View Logs

Get-WinEvent -FilterHashTable @{LogName='Security';ID='4624'} -MaxEvents 1 | Format-List

Check Logging Status

auditpol /get /subcategory:"logon"

Disable Logging

auditpol /set /subcategory:"logon" /Success:Disable /Failure:Disable

Enable Logging

auditpol /set /subcategory:"logon" /Success:Enable /Failure:Enable

Language: PowerShell

Back to Windows

Compliance

HIPAA

Level: Recommended

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es

PCI DSS

Level: Required

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1631643252599

NSA Event Forwarding

Level: Recommended

https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events

JPCERT/CC

Level: Recommended

https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf

Windows 10 Professional does not log this by default. To enable logging of this activity, launch the Group Policy Editor. From here, expand the Windows settings folder and open the Security Settings tab. Finally, expand the Local Policies tab and click to enter the Audit Policy header. In order to turn on login auditing, double click "Audit login events". Clicking the Success box will allow for the auditing of all successful login attempts.

Windows 10 Home does not require login auditing be turned on and is done by default.

To view this log in the Event Viewer, open the event viewer and navigate to the Windows Logs heading and then the Security Tab. From here, select the find function and search for the value 4624 , or filter the log for the ID 4624.

To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4624'} -MaxEvents 1 | Format-List

To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the commandwevtutil qe Security "/q:*[System [(EventID=4624)]]"

Additional References

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5c586681f4e1fced3ce1308b/1549297281905/Windows+Logging+Cheat+Sheet_ver_Feb_2019.pdf