Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 552 Source: Security

Logon attempt using explicit credentials:
Logged on user:
User Name: <name>
Domain: <domain>
Logon ID: <ID>
Logon GUID: <GUID>
User whose credentials were used:
Target User Name: <name>
Target Domain: <domain>
Target Logon GUID: <GUID>

Target Server Name: <name>
Target Server Info: <name>
Caller Process ID: <ID>
Source Network Address: <address>
Source Port: <port>.
This event can occur when the user credentials have been stored using the "Stored user names and passwords" applet in the control panel. It is possible to store credentials for automatic use (on XP and Server 2003) when connecting to network resources. When in place, any drive mapping or browsing attempt will automatically use any relevant stored credentials, even if the password for those credentials is no longer valid. In my case, it eventually locked out the stored user's account. See the link to "Stored User Names and Passwords" for some info on stored credentials.
This event is also recorded when FrontPage is used to connect to a website with a different account from the one currently logged in.
As per Microsoft: "A user who is logged on tried to create another logon session with a different user's credentials. Typically, this occurs when the user runs the RUNAS command and specifies a different set of credentials". See MSW2KDB for more details.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.