From 270351d0a717c8865636e4b34a0c9d9187a15470 Mon Sep 17 00:00:00 2001 From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 24 Jan 2024 13:29:56 +0100 Subject: [PATCH] Update event-4624.md add note that not all fields will be populated always. Hair-splitter customers will complain about empty fields --- windows/security/threat-protection/auditing/event-4624.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index e49f286567..07fdf70e44 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -250,6 +250,9 @@ This event generates when a logon session is created (on destination machine). I - **Source Port** [Type = UnicodeString]: source port which was used for logon attempt from remote machine. - 0 for interactive logons. + + > [!NOTE] + The fields for IP address/port and workstation name are populated depending on the authentication context and protocol used. LSASS will audit the information the authenticating service shares with LSASS. For example, network logons with Kerberos likely have no workstation information, and NTLM logons have no TCP/IP details. **Detailed Authentication Information:**
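Review bot: In the single hunk of event-4624.md (@@ -250,6 +250,9 @@), the added body line "The fields for IP address/port and workstation name are populated depending on ..." has no leading `>`, while the `> [!NOTE]` line directly above it does. Prefix the body line with `> ` so the text is unambiguously part of the note block rather than depending on lazy continuation. The two examples are also worded with different certainty: "likely have no workstation information" for Kerberos network logons against the flat "have no TCP/IP details" for NTLM logons. Consider phrasing both the same way (for example, that the field can be empty), because readers writing detections on Workstation Name, Source Network Address and Source Port will treat this note as the statement of when an empty value is expected rather than a sign of a logging fault. The note is also inserted after the "0 for interactive logons" sub-bullet of Source Port although it covers the workstation name and IP address fields too; check that it reads as applying to the whole field group that precedes **Detailed Authentication Information:** and not only to Source Port.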