Windows security event logs is the direct source to investigate security related issue but the problem that may face the incident responders is the amount of security event logs, the security settings on the operating system if it is properly configured to log these events and financial investment to get the tool allows to import and read these logs. If you are looking to investigate windows event audit logs you can check userline.

Userline is a tool that automates process of creating logon relations from MS Windows Security Events by showing a graphical relation among users domains, source, and destination logons as well as session duration.

Userline – Query Logons relations Using Windows Security Events

The tool allows to have the following output modes:

• Standard output
• CSV file
• JSON file
• Neo4J graph
• Graphviz dot file
• Timesketch

Processed events

Logon events

• EVENT _WORKSTATION _UNLOCKED = 4801
• EVENT _SCREENSAVER _DISMISSED = 4803
• EVENT _LOGON = 4624
• EVENT _LOGON _EXPLICIT = 4648
• EVENT _SESSION _RECONNECTED = 4778

Logoff events

• EVENT _WORKSTATION _LOCKED = 4800
• EVENT _SCREENSAVER _INVOKED = 4802
• EVENT _SHUTDOWN = 4609
• EVENT _LOGOFF = 4634
• EVENT _SESSION_DISCONNECTED = 4779
• EVENT _LOGOFF_INITIATED = 4647

You can read more and download this tool over here: https://github.com/thiber-org/