How to use Juniper Security Threat Response Manager effectively. - TechRepublic
Question
October 16, 2012 at 05:58 AM
william.j.bolt

by william.j.bolt . Updated 13 years, 8 months ago

I’ve recently taken on the role of a Security Analyst and one of the tools that I am going to be using regularly is what I’ve stated in the question title.

What I’m currently looking to do is to build a query under the event section and apply the appropriate filters so I can see all the successful logins and logoffs that have occurred on each server. I also need to have failed attempts along with this. I’ve figured out that you can go under events, display log source and run a query on the past 24 hours. This gives me a nice graph and whatnot to see what’s going on with our servers specifically. It also shows me a ton of events outside of what I want.

I can manually go through everything and filter the unwanted event names one by one, but it can take forever when a server has roughly… a 1,300,000 event count.

Can anyone make any recommendations? Once I get all I need I can just save the criteria and run the same set of filters as a report in the future. Thanks!
