How to report Kerberos-Logon activities from trusted Domain?
I tired a couple of approaches but did not catch Events from User-Logons from a trusted Domain.
Typically it is Event ID 4624:
Typically it is Event ID 4624:
=================================================================
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
New Logon:
Security ID: <TrustedDomain>\<Username>
Account Name: <Username>
Account Domain: <FQDN>
...
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
=================================================================
All other User activities with "Local Logon's" in the Domain are captured well.
What do I need to Monitor in Custom Reports to get these Events 4624?
Thanks!
Thanks!