This is the original account that started a process or connection using new credentials. In this case Administrator was logged on to the local computer.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session just initiated. Any events logged subsequently during this logon session will report the same Logon ID through to the logoff event 4647 or 4634.
Account Whose Credentials Were Used:
These are the new credentials. In this case Administrator then logged on as firstname.lastname@example.org.
This is the server (in this case a Sharepoint server) Administrator logged on to as email@example.com. This section may be blank or indicate the local computer when starting another process on local computer.
This is the process that initiates the connection or new process. In this case it makes sense that it's Internet Explorer since we're accessing a Sharepoint site. The Process Name identifies the program executable that processed the logon. This is one of the trusted logon processes identified by 4611. Process ID is the process ID specified when the executable started as logged in 4688.
This is blank in many cases but in the case of Remote Desktop logons network address is filled in with the IP address of the client workstation. Source port, while filled in, is not useful since most protocol source ports are random.
Keep me up-to-date on the Windows Security Log.
*We will NOT share this