All topics ›
SOC Analyst ›
Log Analysis
Log Analysis · SOC Analyst What's the difference between Windows Security event 4624 vs 4625 vs 4634?
Critical events for SOC analysts: 4624 — successful login (logon type 2=interactive, 3=network, 10=remote interactive/RDP, 4=batch, 5=service). 4625 — failed login. 4634 — logoff. 4647 — user-initiated logoff (interactive). Investigation patterns: 4625 + 4624 from same source = brute-force success. Logon type 10 from external IP = potential RDP attack. Service account 4624 with logon type 3 from unusual source = potential lateral movement. Mastering these event IDs is non-negotiable for any Windows-heavy SOC role.
Want the full explanation? This is the atomic answer suitable for
quick interview prep. For the structured deep-dive — including code samples,
strong-answer vs weak-answer notes, common follow-up questions, and how this fits
the larger soc analyst topic — see the full Q&A on Networkers Home:
→ SOC Analyst Interview Hub — Full Q&A with deep context
→ SOC Analyst Interview Hub — Full Q&A with deep context
How Networkers Home prepares students for this kind of question
This question reflects real interview rounds at Bangalore's top product, BFSI, and GCC cybersecurity teams. Networkers Home's flagship courses include mock interview sessions drilling exactly these question patterns, with feedback from interviewers who have hired for the role.
→ View the complete soc analyst interview prep hub
→ View the related Networkers Home course
→ Book a free career consultation
Related Log Analysis questions
Log Analysis
Q. User reports their account is being locked out repeatedly. How do you investigate?
Multi-source investigation: (1) Active Directory — query event 4740 (account lockout) for source workstation/IP; (2) Filter logs from that workstation — what's authenticating? Could be: cached credentials on phone/Outloo…
Read full answer →