User Logoff Event
Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
Sigma rule (View on GitHub)
1title: User Logoff Event
2id: 0badd08f-c6a3-4630-90d3-6875cca440be
3status: test
4description: Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
5references:
6 - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
7 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634
8 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647
9author: frack113
10date: 2022/10/14
11tags:
12 - attack.impact
13 - attack.t1531
14logsource:
15 service: security
16 product: windows
17detection:
18 selection:
19 EventID:
20 - 4634
21 - 4647
22 condition: selection
23falsepositives:
24 - Unknown
25level: informational
References
-
Documentation and scripts to properly enable Windows event logs. - Yamato-Security/EnableWindowsLogSettings
Read More -
Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists.
Read More -
Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur.
Read More
Related rules
- Group Has Been Deleted Via Groupdel
- User Has Been Deleted Via Userdel
- Azure Kubernetes Service Account Modified or Deleted
- AWS ElastiCache Security Group Modified or Deleted
- Google Cloud Service Account Disabled or Deleted