Logon Type | Description | Check-Indicators |
Logon Type 2-(T2) Interactive | A user logged on from console to this computer. | Multiple suspicious Type 2 audit failures may indicate password guessing or elevation using the console or keyboard. |
Logon Type 3-(T3) Network | A user or computer logged on to this computer from the network. | Multiple suspicious Type 3 audit failures followed by a later audit success may indicate an anonymous logon by malware or an attacker through a network. |
Logon Type 8-(T8) Network Clear Text | The user’s password was passed to the authentication package in its un-hashed form with audit success. | A Type 8 audit success indicates an inadequate policy configuration that allows plaintext (clear text) login credentials, which are easily sniffed. |
Logon Type 10-(T10) Remote Interactive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | As Type 3, but the user tried to log in from a remote computer. |
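
The check-indicators in the table can be applied mechanically to a stream of logon audit records. The following is an added example, not part of the original page: the record layout (account, logon type, audit result), the names `check_indicators` and `SAMPLE_EVENTS`, and the threshold of 3 for "multiple" failures are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Assumption: the table says "multiple" failures without giving a number.
FAILURE_THRESHOLD = 3

# Constructed sample records in time order: (account, logon type, audit result).
SAMPLE_EVENTS = (
    [("kiosk", 2, "failure")] * 3
    + [("svc_backup", 3, "failure")] * 3 + [("svc_backup", 3, "success")]
    + [("ftpuser", 8, "success")]
    + [("bob", 10, "failure"), ("bob", 10, "success")]  # single failure, not flagged
    + [("carol", 10, "failure")] * 4 + [("carol", 10, "success")]
)

def check_indicators(events, threshold=FAILURE_THRESHOLD):
    """Apply the table's check-indicators; return (account, type, finding) tuples."""
    findings = []
    failures = defaultdict(int)  # (account, logon type) -> failures since last success
    for account, logon_type, result in events:
        key = (account, logon_type)
        if result == "failure":
            failures[key] += 1
            # T2: repeated console failures are flagged once, when the threshold is hit.
            if logon_type == 2 and failures[key] == threshold:
                findings.append((account, 2, "multiple console audit failures"))
            continue
        if logon_type == 8:
            # T8: any audit success means clear-text credentials were accepted.
            findings.append((account, 8, "clear-text logon accepted by policy"))
        elif logon_type in (3, 10) and failures[key] >= threshold:
            # T3 and T10: multiple failures and a later success.
            findings.append((account, logon_type, "success after multiple audit failures"))
        failures[key] = 0  # a success resets the failure streak
    return findings

if __name__ == "__main__":
    for finding in check_indicators(SAMPLE_EVENTS):
        print(finding)
```

Failures are counted per account and logon type, so a burst against one account does not mask or inflate the count for another.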