Audit category "Account Logon/Logoff" means *authentication*. It's different from "logon/logoff", it's not "logon/logoff"
There are 2 places in Windows/AD environment where authentication can happen,
- locally to SAM database (NTLM), or
- against AD.
[update] MS added 2 new features called "Local KDC" and IAkerb respectively. The former feature allows a local auth happens using Kerberos
You are going to see a lot of "logon/logoff" events either on member server, or on DC.
- When it's on member server, it could be local user or AD user established logon session after auth
- When it's on DC - you should see DC same as a resource member server, because logon/logoff events happens when a user accesses it as client. You will see almost all AD users have logon events on DCs with type 3 (remote) because users need to access DC in various ways in domain - e.g., pulling GPO from SYSVOL folder
This means to check only 4776-NTLM, 4768, Kerberos, see section below
- logon/off events
- 4624 : logon
Note: There are tons 4624 for all users on DC (logon type 3, remote) because user need to connect to SYSVOL etc. - Related events
- 4634: log off (e.g. log off session from a remote server)
- 4647: user initiated logoff (e.g. in interactive console logoff)
- 4625: failed to logon
- 4672: special logon (local)
- 4648: local logon
- AD auth events (a.k.a *Account* Logon/off events)
- 4776: If reported on DC, tried to validate credentials via NTLM.
- Fields to extract in Splunk:(when reported on local, SAM)
- user: user, or Logon_Account
- domain: dest|dest_nt_host, remove short host name
final query: EventCode=4776 | regex user!=".*\$$" | rex field=dest "^.*?\.(?
.*)"| strcat domain "\\" user ID - 4768 Kerberos TGT validation:
- Field to extract in Splunk
- user: user | Account_Name | src_user
- domain: user_account_domain | dest_nt_domain
- Related events:
- 4771: Kerberos pre-auth failed
- 4772: TGT request failed
- 4769 Kerberos Service Ticket requested (good for knowing what resource an account is accessing)
- 4770: ST renewed