Account Usage can be used to identify what user accounts exist on a system, track incoming/outgoing Remote
Desktop Protocol sessions, and identify Successful/Failed logons. It’s often required to identify what user
accounts were active during the time of a suspected compromise. This information is vital for creating an
investigative timeline.
Authentication Events
Authentication mechanisms related to NTLM protocols.
Last Login
The last login time for a specific local user.
Last Password Change
The last time the password of a specific local user was changed.
Logon Types
Determine how a logon was attempted.
RDP Usage
Track internal and external Remote Desktop Protocol connections.
Services Events
Review events related to Windows Services.
Success/Failed Logons
Determine which accounts have been used for successful/failed logons.