From 9aea41f0cbf9329bb163f7697587646ead054629 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 23 Sep 2020 11:10:42 +0500 Subject: [PATCH 1/2] Updating logon event In this page, logon events were listed for Windows Xp, 7. I have updated them to Windows 10. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/7178 --- .../auditing/basic-audit-logon-events.md | 33 ++++--------------- 1 file changed, 6 insertions(+), 27 deletions(-) diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index 5c7672c13a..e03cf0d1ce 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -38,33 +38,12 @@ You can configure this security setting by opening the appropriate policy under | Logon events | Description | | - | - | -| 528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. | -| 529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. | -| 530 | Logon failure. A logon attempt was made user account tried to log on outside of the allowed time. | -| 531 | Logon failure. A logon attempt was made using a disabled account. | -| 532 | Logon failure. A logon attempt was made using an expired account. | -| 533 | Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer. | -| 534 | Logon failure. The user attempted to log on with a type that is not allowed. | -| 535 | Logon failure. The password for the specified account has expired. | -| 536 | Logon failure. The Net Logon service is not active. | -| 537 | Logon failure. The logon attempt failed for other reasons. | -| 538 | The logoff process was completed for a user. | -| 539 | Logon failure. The account was locked out at the time the logon attempt was made. | -| 540 | A user successfully logged on to a network. | -| 541 | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel. | -| 542 | A data channel was terminated. | -| 543 | Main mode was terminated. | -| 544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. | -| 545 | Main mode authentication failed because of a Kerberos failure or a password that is not valid. | -| 546 | IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. | -| 547 | A failure occurred during an IKE handshake. | -| 548 | Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client. | -| 549 | Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests. | -| 550 | Notification message that could indicate a possible denial-of-service attack. | -| 551 | A user initiated the logoff process. | -| 552 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. | -| 682 | A user has reconnected to a disconnected terminal server session. | -| 683 | A user disconnected a terminal server session without logging off. | +| 4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. | +| 4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. | +| 4634 | The logoff process was completed for a user. | +| 4647 | A user initiated the logoff process. | +| 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. | +| 4779 | A user disconnected a terminal server session without logging off. | When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type. From 5d1075ddb39180193b63d7f198a72ce80e48f655 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 5 Oct 2020 22:09:12 +0500 Subject: [PATCH 2/2] Update windows/security/threat-protection/auditing/basic-audit-logon-events.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../threat-protection/auditing/basic-audit-logon-events.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index e03cf0d1ce..66c1906086 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -42,7 +42,7 @@ You can configure this security setting by opening the appropriate policy under | 4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. | | 4634 | The logoff process was completed for a user. | | 4647 | A user initiated the logoff process. | -| 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. | +| 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. | | 4779 | A user disconnected a terminal server session without logging off. |