From 7f495acdc647ba7cfbd724e8b7b073ebddbc0c6a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 22:09:41 +0000 Subject: [PATCH] Add Windows security audit event documentation to README Co-authored-by: HakanL <407941+HakanL@users.noreply.github.com> --- README.md | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/README.md b/README.md index 4e1f078..e923863 100644 --- a/README.md +++ b/README.md 
@@ -18,3 +18,94 @@ This substantially modifies the client to a service that looks for successful in Events are ingested into Seq with useful properties that allow for easy searching. ``` +[AppName] New login detected on {MachineName} - {TargetDomainName}\{TargetUserName} at {EventTime} +``` + +Properties included with each event: + +| Property | Description | +|---|---| +| EventId | Windows Security Event ID (e.g. 4624) | +| EventTime | Timestamp of the event | +| Source | Event provider name | +| EventLogName | Name of the event log (Security) | +| EventRecordID | Unique record ID in the event log | +| SubjectUserName | Account that initiated the logon session | +| SubjectDomainName | Domain of the account that initiated the session | +| TargetUserName | Account that was logged on | +| TargetDomainName | Domain of the account that was logged on | +| LogonType | Type of logon (2 = Interactive, 10 = RemoteInteractive) | +| LogonProcessName | The process that performed the logon | +| AuthenticationPackageName | Authentication package used | +| WorkstationName | Machine the logon was requested from | +| IpAddress | IP address of the client machine | +| IpPort | Port used by the client machine | + +## Enabling Windows Security Audit Events + +Windows does not enable all the relevant security audit events by default. The following audit policies must be enabled so that the Windows Security event log generates the events that this service monitors. + +### Events Monitored + +| Event ID | Description | +|---|---| +| 4624 | An account was successfully logged on | +| 4625 | An account failed to log on | +| 4634 | An account was logged off | +| 4647 | User initiated logoff | + +These events are generated by the **Logon/Logoff** audit policy category. + +### Standalone Servers + +On a standalone server (not domain-joined), use Local Security Policy or `auditpol.exe` to configure audit policy. + +#### Using Local Security Policy (GUI) + +1. 
Open **Local Security Policy** (`secpol.msc`). +2. Navigate to **Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff**. +3. Double-click **Audit Logon** and enable **Success** and **Failure**. +4. Double-click **Audit Logoff** and enable **Success**. +5. Close Local Security Policy. Changes take effect immediately. + +#### Using auditpol.exe (Command Line) + +Run the following commands in an elevated command prompt: + +```cmd +auditpol /set /subcategory:"Logon" /success:enable /failure:enable +auditpol /set /subcategory:"Logoff" /success:enable +``` + +To verify the settings: + +```cmd +auditpol /get /subcategory:"Logon" +auditpol /get /subcategory:"Logoff" +``` + +### Domain Servers + +On domain-joined servers, use Group Policy to configure audit policy centrally across all servers. + +#### Using Group Policy Management Console (GPMC) + +1. Open **Group Policy Management** (`gpmc.msc`) on a domain controller or a machine with RSAT installed. +2. Create a new GPO or edit an existing GPO linked to the Organizational Unit (OU) containing your servers. +3. Navigate to **Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff**. +4. Double-click **Audit Logon**, check **Configure the following audit events**, and enable **Success** and **Failure**. +5. Double-click **Audit Logoff**, check **Configure the following audit events**, and enable **Success**. +6. Close the Group Policy editor and run `gpupdate /force` on each server, or wait for Group Policy to refresh automatically (typically within 90 minutes). + +#### Verifying Policy on Domain Servers + +After Group Policy has been applied, verify the effective audit policy on a server using an elevated command prompt: + +```cmd +auditpol /get /subcategory:"Logon" +auditpol /get /subcategory:"Logoff" +``` + +Both subcategories should show the expected **Success** and/or **Failure** settings. 
+ +> **Note:** If you are using the legacy basic audit policy (Security Settings > Local Policies > Audit Policy) instead of the advanced audit policy, enable **Audit logon events** for **Success** and **Failure**. However, Microsoft recommends using the Advanced Audit Policy Configuration for more granular control.
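Review bot: the "Events Monitored" table in this hunk does not say which audit subcategory produces each event, so a reader cannot check that the two `auditpol /set` commands cover all four IDs; suggest adding a column (4624 and 4625 come from Audit Logon, 4634 and 4647 from Audit Logoff) so it is visible that `auditpol /set /subcategory:"Logoff" /success:enable` is what generates the logoff events. Two smaller points: enabling Audit Logon success also emits 4624 for non-interactive logons (network, service, batch), and since the LogonType row only lists 2 and 10, the text should state whether the service filters on LogonType or whether the reader should expect the extra volume in Seq; and the closing Note presents the legacy basic policy as an alternative, but basic and advanced audit settings should not be mixed on the same machine, so the Note should make clear it is either the basic category setting or the advanced subcategories, not both.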