Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.
The output is the time of logon events for distinct users on individual systems.

| Technique | Tactic | Level of Coverage |
|---|---|---|
| Remote Desktop Protocol | Lateral Movement | Moderate |
| Valid Accounts | Defense Evasion | Moderate |
This analytic could be applied to a number of different types of monitoring, depending on what information is desired. Some use cases include monitoring for all remote connections and building logon timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.
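The following is an added example, not code from the original page, showing how the two use cases above (tracking remote connections and building per-user logon timelines) can be implemented over 4624/4634 events. It pairs each logon with its logoff by the logon ID the two events share, so session durations and still-open sessions fall out directly. The event records are constructed samples represented as plain dicts; the field names (TimeCreated, EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress) follow the standard 4624/4634 event fields, and the working-hours window is an assumed parameter.

```python
"""Per-user logon timelines, session pairing and remote-logon filtering
over Windows Security events 4624 (logon) and 4634 (logoff).

Editor-added example, not from the original page. Events are constructed
samples held as dicts instead of being parsed from a real event log.
"""
from collections import defaultdict
from datetime import datetime

LOGON_EVENT = 4624
LOGOFF_EVENT = 4634
# Windows logon type 10 is RemoteInteractive (RDP); it is the only type
# treated as "remote desktop" here.
RDP_LOGON_TYPE = 10

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-01T08:00:00", "EventID": 4624, "Computer": "WS01",
     "TargetUserName": "alice", "TargetLogonId": "0x1a2b", "LogonType": 2, "IpAddress": "-"},
    {"TimeCreated": "2024-03-01T08:05:00", "EventID": 4624, "Computer": "SRV01",
     "TargetUserName": "alice", "TargetLogonId": "0x9f01", "LogonType": 10, "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-03-01T08:30:00", "EventID": 4634, "Computer": "SRV01",
     "TargetUserName": "alice", "TargetLogonId": "0x9f01", "LogonType": 10, "IpAddress": "-"},
    {"TimeCreated": "2024-03-01T17:00:00", "EventID": 4634, "Computer": "WS01",
     "TargetUserName": "alice", "TargetLogonId": "0x1a2b", "LogonType": 2, "IpAddress": "-"},
    {"TimeCreated": "2024-03-01T23:15:00", "EventID": 4624, "Computer": "SRV02",
     "TargetUserName": "bob", "TargetLogonId": "0x7777", "LogonType": 10, "IpAddress": "192.0.2.44"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def build_timeline(events):
    """Return {user: [(time, host, 'logon'|'logoff'), ...]} ordered by time."""
    timeline = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["EventID"] == LOGON_EVENT:
            action = "logon"
        elif e["EventID"] == LOGOFF_EVENT:
            action = "logoff"
        else:
            continue  # ignore unrelated event IDs
        timeline[e["TargetUserName"]].append((_ts(e), e["Computer"], action))
    return dict(timeline)


def pair_sessions(events):
    """Pair each 4624 with the 4634 that carries the same TargetLogonId on the
    same host. Sessions with no matching logoff are reported with end=None."""
    open_sessions = {}
    sessions = []
    for e in sorted(events, key=_ts):
        key = (e["Computer"], e["TargetLogonId"])
        if e["EventID"] == LOGON_EVENT:
            open_sessions[key] = e
        elif e["EventID"] == LOGOFF_EVENT and key in open_sessions:
            start = open_sessions.pop(key)
            duration = (_ts(e) - _ts(start)).total_seconds() / 60
            sessions.append({"user": start["TargetUserName"], "host": start["Computer"],
                             "logon_type": start["LogonType"], "start": _ts(start),
                             "end": _ts(e), "duration_min": duration})
    for start in open_sessions.values():
        sessions.append({"user": start["TargetUserName"], "host": start["Computer"],
                         "logon_type": start["LogonType"], "start": _ts(start),
                         "end": None, "duration_min": None})
    return sessions


def remote_logons(events):
    """Successful logons over RDP (logon type 10), with the source address."""
    return [(e["TargetUserName"], e["Computer"], e["IpAddress"])
            for e in sorted(events, key=_ts)
            if e["EventID"] == LOGON_EVENT and e["LogonType"] == RDP_LOGON_TYPE]


def logons_outside_hours(events, start_hour=7, end_hour=19):
    """Logons that fall outside an assumed working-hours window [start_hour, end_hour)."""
    return [e for e in events
            if e["EventID"] == LOGON_EVENT
            and not (start_hour <= _ts(e).hour < end_hour)]


if __name__ == "__main__":
    for user, entries in build_timeline(SAMPLE_EVENTS).items():
        print(user, [(t.isoformat(), h, a) for t, h, a in entries])
    for s in pair_sessions(SAMPLE_EVENTS):
        print(s["user"], s["host"], s["duration_min"])
    print("RDP logons:", remote_logons(SAMPLE_EVENTS))
    print("After hours:", [e["TargetUserName"] for e in logons_outside_hours(SAMPLE_EVENTS)])
```

Pairing on (Computer, TargetLogonId) matters because a user commonly holds several concurrent sessions on one host, and a logoff without a preceding logon (or a logon that never closes) is itself worth surfacing; in real data the same structure applies after the records are pulled from the Security log and the fields extracted from the event XML.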