Userline – Query Logon Relations Using Windows Security Events
Windows Security event logs are the most direct source for investigating security-related issues, but incident responders run into three recurring problems: the sheer volume of security events, the question of whether the operating system's audit policy was configured to record the relevant events in the first place, and the cost of tooling that can import and read these logs. If you need to investigate Windows audit event logs, Userline is worth a look.
Userline is a tool that automates the process of building logon relations from MS Windows Security Events, showing the graphical relationship between users, domains, source and destination logons, as well as session duration.

The tool supports the following output modes:
- Standard output
- CSV file
- JSON file
- Neo4J graph
- Graphviz dot file
- Timesketch
Processed events
Logon events:
- EVENT_WORKSTATION_UNLOCKED = 4801
- EVENT_SCREENSAVER_DISMISSED = 4803
- EVENT_LOGON = 4624
- EVENT_LOGON_EXPLICIT = 4648
- EVENT_SESSION_RECONNECTED = 4778
Logoff events:
- EVENT_WORKSTATION_LOCKED = 4800
- EVENT_SCREENSAVER_INVOKED = 4802
- EVENT_SHUTDOWN = 4609
- EVENT_LOGOFF = 4634
- EVENT_SESSION_DISCONNECTED = 4779
- EVENT_LOGOFF_INITIATED = 4647
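As an added example (not Userline's own code), the following script pairs the logon and logoff event IDs listed above into session relations with a duration, run over a few constructed sample events. It assumes the Windows Logon ID field is the key that ties a logon to its logoff, which the page does not state and Userline may handle differently.

```python
import json
from datetime import datetime

# Event IDs grouped as the page lists them (same names as Userline's constants).
LOGON_EVENTS = {4801, 4803, 4624, 4648, 4778}
LOGOFF_EVENTS = {4800, 4802, 4609, 4634, 4779, 4647}

# Constructed sample events (not real logs): one complete session for "alice"
# and one "bob" logon that never receives a matching logoff.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "event_id": 4624, "logon_id": "0x1a2b",
     "user": "alice", "domain": "CORP", "src": "10.0.0.5", "dst": "WS01"},
    {"time": "2024-01-10T10:30:00", "event_id": 4634, "logon_id": "0x1a2b",
     "user": "alice", "domain": "CORP", "src": "", "dst": "WS01"},
    {"time": "2024-01-10T11:00:00", "event_id": 4624, "logon_id": "0x3c4d",
     "user": "bob", "domain": "CORP", "src": "10.0.0.9", "dst": "WS01"},
]

def build_sessions(events):
    """Pair each logon with the next logoff carrying the same Logon ID (an
    assumption about the correlation key) and return one relation record per
    session; duration_s is None when no logoff was ever seen."""
    open_sessions, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = ev["logon_id"]
        if ev["event_id"] in LOGON_EVENTS:
            open_sessions[key] = {
                "user": ev["user"], "domain": ev["domain"], "src": ev["src"],
                "dst": ev["dst"], "logon_event": ev["event_id"],
                "logon_time": ts, "logoff_time": None, "duration_s": None}
        elif ev["event_id"] in LOGOFF_EVENTS and key in open_sessions:
            s = open_sessions.pop(key)
            s["logoff_time"] = ts
            s["duration_s"] = int((ts - s["logon_time"]).total_seconds())
            sessions.append(s)
    # Logons that were never closed are still relations worth reporting.
    sessions.extend(open_sessions.values())
    return sessions

def to_json(sessions):
    """Serialise the relations the way a JSON output mode would (ISO timestamps)."""
    rows = []
    for s in sessions:
        r = dict(s)
        r["logon_time"] = s["logon_time"].isoformat()
        r["logoff_time"] = s["logoff_time"].isoformat() if s["logoff_time"] else None
        rows.append(r)
    return json.dumps(rows, indent=2)

if __name__ == "__main__":
    print(to_json(build_sessions(SAMPLE_EVENTS)))
```

A logon with no logoff is the case to watch in real data: it means either an audit gap or a session that was still open when the logs were collected.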
You can read more and download this tool over here: https://github.com/thiber-org/