Auditing Windows Logon and Logoff events is a fundamental requirement for meeting regulatory frameworks like SOC 2, ISO 27001, HIPAA, and PCI DSS. By tracking these events, organizations can construct a clear timeline of user activity, identify compromised accounts, and catch unauthorized access attempts early.

1. The Core Distinction: Authentication vs. Session
To audit effectively, you must understand the difference between the two primary Windows auditing categories:
Account Logon Events: Tracks credential validation on the system that owns the account (e.g., a Domain Controller). It checks if the ID badge is valid.
Logon/Logoff Events: Tracks session creation and destruction on the local machine being accessed. It logs the actual entry and exit through the office door.

2. Critical Windows Event IDs to Monitor
The Windows Security log generates specific Event IDs that compliance auditors look for. Focus your SIEM filters or event reviews on these critical IDs:
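As an added example (not code from the ManageEngine page), the Python script below applies the Account Logon vs. Logon/Logoff distinction to a few constructed Security events, counts failed logons per account and host, and pairs each logon with its logoff by Logon ID to build the per-session timeline the introduction describes. The event IDs it uses (4624, 4625, 4634, 4647, 4768, 4776) are standard Windows Security event IDs assumed here; the page's own list is not reproduced.

```python
"""Classify constructed Windows Security events by audit category and pair
logon/logoff records into per-session timelines (SIEM-style review logic)."""

# Assumed well-known Security event IDs (the page does not enumerate its list).
ACCOUNT_LOGON_IDS = {4768: "Kerberos TGT requested", 4776: "NTLM credential validation"}
LOGON_LOGOFF_IDS = {4624: "logon", 4625: "failed logon",
                    4634: "logoff", 4647: "user-initiated logoff"}

# Constructed sample events, not real log data:
# (timestamp, event_id, account, logon_id, host)
SAMPLE_EVENTS = [
    ("09:00:01", 4768, "alice", None, "DC01"),      # DC validated the badge
    ("09:00:02", 4624, "alice", "0x3E7A1", "WS-17"),  # session opened on WS-17
    ("09:05:30", 4625, "bob", None, "WS-17"),       # two failed logons for bob
    ("09:05:31", 4625, "bob", None, "WS-17"),
    ("12:30:00", 4647, "alice", "0x3E7A1", "WS-17"),  # alice logged off
]

def classify(event_id):
    """Map an event ID to the Windows audit category it belongs to."""
    if event_id in ACCOUNT_LOGON_IDS:
        return "Account Logon"
    if event_id in LOGON_LOGOFF_IDS:
        return "Logon/Logoff"
    return "Other"

def failed_logon_counts(events):
    """Count 4625 events per (account, host); a spike here is worth review."""
    counts = {}
    for _, eid, user, _, host in events:
        if eid == 4625:
            counts[(user, host)] = counts.get((user, host), 0) + 1
    return counts

def build_sessions(events):
    """Pair each 4624 with the 4634/4647 sharing its Logon ID.
    Sessions with no matching logoff keep end=None (still open or lost)."""
    sessions = {}
    for ts, eid, user, logon_id, host in sorted(events, key=lambda e: e[0]):
        if eid == 4624:
            sessions[logon_id] = {"user": user, "host": host, "start": ts, "end": None}
        elif eid in (4634, 4647) and logon_id in sessions:
            sessions[logon_id]["end"] = ts
    return sessions

if __name__ == "__main__":
    for ts, eid, user, _, host in SAMPLE_EVENTS:
        print(f"{ts} {host:6} {eid} {classify(eid):14} {user}")
    print("failed logons:", failed_logon_counts(SAMPLE_EVENTS))
    print("sessions:", build_sessions(SAMPLE_EVENTS))
```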
Audit other logon/logoff events | ADAudit Plus – ManageEngine