Skip to content

Logon on Windows With a User Followed by a Logon on another Application with Another User on the same IP

Alert Purpose

This alert should be trigged at the occurrence of an windows login event followed by an application login event but with a different username from the windows login event.

Data Sources Needed

  • Windows Security Log with Logon audits enabled in GPO.
  • Application logon audits enable.


  1. Rule 1: Identify Windows Success Logon 4624 events: EventID = 4624

  2. Rule 2: Identify Application Success Login events EventID = “application event id number“ AND SrcIP = Rule No. 1 SrcIP AND UserName = Rule No. 1 UserName

Alert Object

Test Events