4626 User/Device claims information
Records the claims (user and device attributes used in attribute-based access control) tied to a new logon. It is a supporting event that only carries meaning in environments using Dynamic Access Control.
Overview
The subcategory is Audit User/Device Claims. On a new account logon, it records the user/device claims granted to that session. It does not generate for users or devices that have no claims. Normally a 4626 follows right after 4624, carrying the same Subject, Logon Type, and New Logon information. It is generated on the logon target (the destination computer).
How it is triggered
- When an account or device that has claims performs a new logon.
- For computer account logons, device claims appear in the User Claims field.
- If the claims do not fit in one event, they are split across several events for the same logon session, each marked "1 of N", "2 of N" and so on.
Security review points
- This information is normally reported by the NULL SID subject, so report any case where Subject\Security ID is not the NULL SID.
- To track logons by accounts holding specific claims (for example, someone with a given department claim accessing a particular server), inspect the User Claims and Device Claims fields.
- If you run attribute-based access control, monitor for claim deviations, such as claims that should not be present for that account or device.
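The review points above, and the "1 of N" splitting described earlier, can be checked mechanically over exported events. The following is an added example, not code from the original page: it parses a handful of constructed 4626 records in the XML shape Event Viewer exports, reassembles multi-part claim sequences per logon session, and flags a non-NULL-SID subject, an incomplete sequence, and claims outside an allowed set. The EventData field names (SubjectUserSid, TargetLogonId, EventIdx, EventCountTotal, UserClaims, DeviceClaims) are taken from the 4626 event template as the author understands it; the "name: value" claim text format and the allowed-claim lists are simplifying assumptions for the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NULL_SID = "S-1-0-0"

# Hypothetical policy: claim names this environment is expected to issue.
ALLOWED_USER_CLAIMS = {"department", "title"}
ALLOWED_DEVICE_CLAIMS = {"managed"}


def _event(subject_sid, target, logon_id, idx, total, user_claims, device_claims="-"):
    """Build one constructed 4626 record (sample data, not a real export)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4626</EventID><Computer>FS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="TargetUserName">{target}</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetLogonId">{logon_id}</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="EventIdx">{idx}</Data>
    <Data Name="EventCountTotal">{total}</Data>
    <Data Name="UserClaims">{user_claims}</Data>
    <Data Name="DeviceClaims">{device_claims}</Data>
  </EventData>
</Event>"""


# Constructed sample: a two-part user sequence with a stray claim, a computer
# account reported by a non-NULL subject, and a sequence missing its 2nd part.
SAMPLE_EVENTS = [
    _event(NULL_SID, "jdoe", "0x3e7a1", 1, 2, "department: IT"),
    _event(NULL_SID, "jdoe", "0x3e7a1", 2, 2, "clearance: high"),
    _event("S-1-5-21-1-2-3-500", "WS07$", "0x51c00", 1, 1, "managed: true"),
    _event(NULL_SID, "asmith", "0x7a100", 1, 2, "title: analyst"),
]


def parse_4626(xml_text):
    """Return EventData of one 4626 event as a dict, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4626":
        return None
    rec = {d.get("Name"): (d.text or "").strip()
           for d in root.findall("e:EventData/e:Data", NS)}
    rec["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return rec


def parse_claims(text):
    """Turn claim text ('name: value' per line, '-' for none) into a dict."""
    claims = {}
    if text in ("", "-"):
        return claims
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            claims[name.strip()] = value.strip()
    return claims


def merge_sequences(records):
    """Group '1 of N' parts by (Computer, TargetLogonId) and union their claims."""
    groups = {}
    for rec in records:
        key = (rec["Computer"], rec["TargetLogonId"])
        g = groups.setdefault(key, {"first": rec, "parts": set(), "total": 0,
                                    "user": {}, "device": {}})
        g["parts"].add(int(rec["EventIdx"]))
        g["total"] = int(rec["EventCountTotal"])
        g["user"].update(parse_claims(rec["UserClaims"]))
        g["device"].update(parse_claims(rec["DeviceClaims"]))
    return groups


def review(xml_events):
    """Return (logon_id, account, reason) findings for the review points."""
    findings = []
    records = [r for r in (parse_4626(x) for x in xml_events) if r]
    for (_computer, logon_id), g in merge_sequences(records).items():
        first = g["first"]
        account = f"{first['TargetDomainName']}\\{first['TargetUserName']}"
        if first["SubjectUserSid"] != NULL_SID:
            findings.append((logon_id, account,
                             f"subject is {first['SubjectUserSid']}, not NULL SID"))
        if g["parts"] != set(range(1, g["total"] + 1)):
            findings.append((logon_id, account,
                             f"claims sequence incomplete ({len(g['parts'])} of {g['total']} parts)"))
        # Computer accounts carry their device claims in the User Claims field.
        if first["TargetUserName"].endswith("$"):
            device, user = {**g["user"], **g["device"]}, {}
        else:
            device, user = g["device"], g["user"]
        for name in sorted(set(user) - ALLOWED_USER_CLAIMS):
            findings.append((logon_id, account, f"unexpected user claim '{name}'"))
        for name in sorted(set(device) - ALLOWED_DEVICE_CLAIMS):
            findings.append((logon_id, account, f"unexpected device claim '{name}'"))
    return findings


if __name__ == "__main__":
    for logon_id, account, reason in review(SAMPLE_EVENTS):
        print(f"{logon_id} {account}: {reason}")
```

On the sample data this reports the stray `clearance` claim on jdoe's session, the non-NULL subject on the WS07$ logon (its `managed` claim is accepted as a device claim because the account is a computer account), and the asmith sequence that only has 1 of 2 parts. To run it against real data, feed it the XML of each 4626 event from an exported log instead of `SAMPLE_EVENTS`.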
Notes for log review
- If you do not need claim monitoring and just want to see whether a logon happened, it is simpler to use 4624 than 4626.
- In environments not using Dynamic Access Control it rarely appears. If it does appear there, review it on the assumption that claims are in use somewhere in the environment.
Key fields
| Field | Meaning |
|---|---|
| New Logon\Account Name | The account the claims apply to |
| User Claims | The list of user claims (device claims for computer account logons) |
| Device Claims | The list of device claims; usually `-` for user accounts |
Glossary
- Claim — an attribute of a user or device, such as “department = IT,” used by Dynamic Access Control to decide access.