@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that the content contains errors.

RDP NLA and ID 4624 Logon Type3

Note: I translated Japanese into English using Google Translate.
Thank you, Google.

If NLA (Network Level Authentication) is enabled for an RDP connection, event ID 4624 with logon type 3 is recorded in the security log.

Is there a way to determine which event ID 4624 logon type 3 records were produced by NLA?
----------

Configure RDP in a test environment (Windows 10) and enable NLA in the RDP settings.


Connect to Windows 10 with MSTSC.EXE. NLA requires authentication before the session is established.


Event ID 4624 Logon Type 3 is recorded in the security log when I enter the correct credentials.


Event ID 4624 Logon Type 10 was recorded once the RDP connection succeeded.
My question is: can I link this event to the NLA event ID 4624 Logon Type 3 record?

Unfortunately, the Logon ID does not connect the two events; each has a different value.


Let's check the event logs related to RDP.
ID 1149 is recorded at a time very close to that of "ID 4624 Logon Type 3".


Arranging the three events in time order: although the timestamps do not match exactly, I can confirm that they are very close.

2019-04-07T10:17:12.733209800Z ID 4624 Logon Type 3
2019-04-07T10:17:12.742504600Z ID 1149 Remote Desktop Services: User authentication succeeded:
2019-04-07T10:17:14.815911800Z ID 4624 Logon Type 10

Is there any information other than the timestamp that links ID 1149 to the 4624 event? I tried to compare the Correlation values, but they are not the same.

ID 4624 Logon Type 3:

Correlation
[ ActivityID] {31290b36-ed74-0000-4d0c-293174edd401}

ID 1149

Correlation
[ ActivityID] {f4208d55-a62e-41d8-a71b-58a083da0000}

Let's also include the log of "Microsoft-Windows-TerminalServices-LocalSessionManager".

2019-04-07T10:17:12.733209800Z ID 4624 Logon Type 3
2019-04-07T10:17:12.742504600Z ID 1149 Remote Desktop Services: User authentication succeeded:
2019-04-07T10:17:14.815911800Z ID 4624 Logon Type 10
2019-04-07T10:17:14.859104600Z ID 41 Begin session arbitration:
2019-04-07T10:17:18.317919800Z ID 42 End session arbitration:
2019-04-07T10:17:20.549253300Z ID 21 Remote Desktop Services: Session logon succeeded:


When I sign out of RDP, Event ID 4634 logon type 3 is recorded. You can associate it with the ID 4624 record through the Logon ID value (0x1E98FF).


Let's arrange the log of "Microsoft-Windows-TerminalServices-LocalSessionManager" and ID 4634 in time order.

2019-04-07T11:29:28.977682900Z ID 4647 User initiated logoff:
2019-04-07T11:29:29.028431800Z ID 23 Remote Desktop Services: Session logoff succeeded:
2019-04-07T11:29:29.396625500Z ID 40 Session 2 has been disconnected, reason code 12
2019-04-07T11:29:29.474687900Z ID 4634 An account was logged off.
2019-04-07T11:29:29.486780000Z ID 24 Remote Desktop Services: Session has been disconnected:

Is it a good idea to link ID 24 and ID 4634 by timestamp, and then search for the matching ID 4624 by Logon ID?
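The correlation heuristic sketched in this post, written up as an added example (not code from the original post): each 4624 Logon Type 3 is paired with a 1149 by timestamp proximity, with its 4634 by Logon ID, and that 4634 with LocalSessionManager ID 24 by timestamp. The timestamps and the Logon ID 0x1E98FF come from the post; the other Logon IDs, the extra non-RDP Type 3 logon and the 1 second window are constructed assumptions.

```python
from datetime import datetime

# Constructed event records modelled on the timelines in the post. Timestamps and
# the Logon ID 0x1E98FF are taken from the post; the other Logon IDs and the
# second Type 3 logon (no matching 1149) are constructed for this example.
EVENTS = [
    {"ts": "2019-04-07T10:17:12.733209800Z", "id": 4624, "logon_type": 3, "logon_id": "0x1E98FF"},
    {"ts": "2019-04-07T10:17:12.742504600Z", "id": 1149},  # RDS: user authentication succeeded
    {"ts": "2019-04-07T10:17:14.815911800Z", "id": 4624, "logon_type": 10, "logon_id": "0x1E9A10"},
    {"ts": "2019-04-07T10:52:00.000000000Z", "id": 4624, "logon_type": 3, "logon_id": "0x1F0000"},
    {"ts": "2019-04-07T11:29:29.396625500Z", "id": 40},    # LSM: session disconnected
    {"ts": "2019-04-07T11:29:29.474687900Z", "id": 4634, "logon_type": 3, "logon_id": "0x1E98FF"},
    {"ts": "2019-04-07T11:29:29.486780000Z", "id": 24},    # LSM: session has been disconnected
]

def parse_ts(ts):
    """Parse the 100 ns precision timestamp shown by Event Viewer (truncated to microseconds)."""
    base, frac = ts.rstrip("Z").split(".")
    return datetime.strptime(f"{base}.{frac[:6].ljust(6, '0')}", "%Y-%m-%dT%H:%M:%S.%f")

def nearest_within(anchor, candidates, window_ms):
    """Return the candidate closest in time to anchor if it lies within window_ms, else None."""
    best = None
    for ev in candidates:
        delta = abs((parse_ts(ev["ts"]) - parse_ts(anchor["ts"])).total_seconds()) * 1000
        if delta <= window_ms and (best is None or delta < best[0]):
            best = (delta, ev)
    return best[1] if best else None

def correlate(events, window_ms=1000):
    """For each 4624 Logon Type 3: pair it with a 1149 by timestamp (likely NLA),
    with its 4634 by Logon ID, and that 4634 with LSM ID 24 by timestamp."""
    by_id = lambda *ids: [e for e in events if e["id"] in ids]
    results = []
    for logon in (e for e in by_id(4624) if e["logon_type"] == 3):
        nla = nearest_within(logon, by_id(1149), window_ms)
        logoff = next((e for e in by_id(4634) if e["logon_id"] == logon["logon_id"]), None)
        lsm24 = nearest_within(logoff, by_id(24), window_ms) if logoff else None
        results.append({
            "logon_id": logon["logon_id"],
            "likely_nla": nla is not None,          # a 1149 within the window
            "logoff_4634": logoff["ts"] if logoff else None,
            "lsm_24": lsm24["ts"] if lsm24 else None,
        })
    return results

if __name__ == "__main__":
    for row in correlate(EVENTS):
        print(row)
```

A Type 3 logon with no 1149 in the window (the constructed 0x1F0000 record) is left unflagged, which is the distinction the post is after.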


Reference URL:

docs.microsoft.com
