Which local process initiated the logon.
A user logged on with cached credentials because the domain controller was unavailable.
Security Analysis and Troubleshooting
The specific protocol used (e.g., NTLM, Kerberos).
Critical Field: Logon Types
While Event ID 4625 (Failed Logon) is the primary tool for finding why accounts lock out, Event ID 4624 confirms when a user finally succeeds, which lets investigators map the timeline of a brute-force attempt.
How to Enable Logging for Event ID 4624
The source IP address and workstation name (if applicable).
📍 Always correlate the "New Logon" account name with the "Logon Type" to verify that the activity matches the user's expected role.
Every time a user or service successfully authenticates, Windows generates an Event ID 4624. Unlike other events, this one provides granular detail about how the logon occurred, who performed it, and where they came from. The event log contains several key fields: