I was wondering if someone could help me better understand the following alert.
I have an alert that a user has accessed a restricted machine. In the logs I have the following information: "service": "c:\windows\system32\lsass.exe", "eventCode": 4648, and at the same time I have another log with the following information: "logon_type": "NETWORK", "result": "SUCCESS", "service": "advapi", "eventCode": 4624.
After this alert I confirmed with the user, and he did not try to access this machine and has no access to it. Could someone help me to better understand this alert?
Thank you very much.