
will99-2901 asked YuhanDeng-MSFT commented

Event ID 4672 special logon with random name & text username

I have a SIEM set up and I noticed that one of the Windows servers is both source and destination IP,
and it generated these ID 4672, ID 4735 events; however, the username for the events was random numbers and letters, something like this: A938342-9F39281...etc

Could someone please explain to me why the username is like that?


windows-server-hyper-v

Hi,

I would like to check if the reply could be of help. If yes, please help accept the answer, so that others who meet a similar issue can find useful information quickly. If you have any other concerns or questions, please feel free to give feedback.

Best Regards,

Danny


1 Answer

YuhanDeng-MSFT answered

Hi Will,
For event id 4672 you can refer to this:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672

For event id 4735 you can refer to this:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4735

Based on my understanding, source and destination IP address can be the same. It simply represents a connection between client and server on the same host.

Thanks for your time.
Best regards,
Danny

