# Microsoft-Windows-TerminalServices-LocalSessionManager/Operational/21: Session logon succeeded
This event, logged to the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational channel, is logged when an RDP connection is successfully authenticated.
> [!IMPORTANT]
> This event is logged on the **destination** endpoint.
### Behavioral Indications
- [x] Behavioral - Lateral Movement (TA0008)
### Analysis Value
- [x] Account - Username
- [x] Network Activity - Evidence of Network Activity
- [x] Network Activity - Source Identification
## Operating System Availability
- [x] Windows 11
- [x] Windows 10
- [x] Windows 8
- [x] Windows 7
- [x] Windows Vista
- [x] Windows Server 2019
- [x] Windows Server 2016
- [x] Windows Server 2012 R2
- [x] Windows Server 2012
- [x] Windows Server 2008 R2
- [x] Windows Server 2008
## Artifact Location(s)
- `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`
## Artifact Interpretation
### Account - Username
This event logs only the username and domain that the RDP connection was attempting to establish a session for. It is located in the XML path `UserData\EventXML\User`.
### Network Activity - Evidence of Network Activity
The presence of this event indicates that an RDP connection was established and authenticated to the system on which this event was logged.
### Network Activity - Source Identification
This artifact can provide the **source** IP address of an RDP session. This information will be in the XML path `UserData\EventXML\Address` of the event.
### SessionID Correlation
This event logs a Session ID, available in the XML path `UserData\EventXML\SessionID`. This may be used to correlate activity between other events logged in this channel.
### ActivityID Correlation
This event logs an ActivityID, available in the XML path `System\Correlation ActivityID`. This may be used to correlate activity between other events logged that are related to this activity, such as:
- [Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational/1149](/network/terminal-services-remote-1149.md) to determine when the connection was established
### Determining Timeline of RDP Activity
Together with [Microsoft-Windows-TerminalServices-LocalSessionManager/Operational/24: Session logon succeeded](/network/terminal-services-local-24.md), by correlating the `SessionID` field of both events, one can determine the start and end time of an RDP session.
## Example
```
-
-
21
0
4
0
0
0x1000000000000000
1520
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
HLPC01
-
-
HLPC01\john.doe
4
192.168.180.57
```
This example was produced on Windows 10, Version 10.0.19044 Build 19044