Query to use:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID='4624') or (EventID='4634')] and EventData[Data [@Name='TargetUserName'] = 'MarioRossi'] and EventData[Data [@Name='TargetDomainName'] = 'ACME']]</Select>
</Query>
</QueryList>
You will get several results; for more detail, check the LogonType field.
Meaning of the LogonType values:
- Logon Type 2 – Interactive
- Logon Type 3 – Network
- Logon Type 4 – Batch
- Logon Type 5 – Service
- Logon Type 7 – Unlock
- Logon Type 8 – NetworkCleartext
- Logon Type 9 – NewCredentials
- Logon Type 10 – RemoteInteractive
- Logon Type 11 – CachedInteractive
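The query and the LogonType list above, combined in an added PowerShell example (not part of the original page): it runs the same filter with Get-WinEvent, labels each event with its LogonType name, and pairs each logon (4624) with its logoff (4634) through the TargetLogonId field. The pairing logic and the output column names are choices made for this example; MarioRossi and ACME are the page's sample values.

```powershell
# Added example. Run from an elevated session: reading the Security log requires it.
$filter = @'
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID='4624') or (EventID='4634')] and EventData[Data [@Name='TargetUserName'] = 'MarioRossi'] and EventData[Data [@Name='TargetDomainName'] = 'ACME']]</Select>
</Query>
</QueryList>
'@

# LogonType values as listed on this page.
$logonTypeName = @{
    2 = 'Interactive';    3 = 'Network';            4 = 'Batch'
    5 = 'Service';        7 = 'Unlock';             8 = 'NetworkCleartext'
    9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# Flatten each event: the EventData <Data Name="..."> elements become a lookup table.
# Get-WinEvent raises an error when no event matches the filter.
$rows = Get-WinEvent -FilterXml ([xml]$filter) | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = [int]$data['LogonType']
    [pscustomobject]@{
        Time     = $_.TimeCreated
        EventId  = $_.Id
        LogonId  = $data['TargetLogonId']
        TypeName = if ($logonTypeName.ContainsKey($type)) { $logonTypeName[$type] } else { "Type $type" }
        Source   = $data['IpAddress']   # present on 4624 only
    }
}

# A 4624 and its 4634 share the same TargetLogonId (unique only until the next reboot).
# A session with no Logoff value has no 4634 in the log: still open, or the record is missing.
$rows | Group-Object LogonId | ForEach-Object {
    $on  = $_.Group | Where-Object EventId -eq 4624 | Sort-Object Time | Select-Object -First 1
    $off = $_.Group | Where-Object EventId -eq 4634 | Sort-Object Time | Select-Object -Last 1
    [pscustomobject]@{
        LogonId   = $_.Name
        LogonType = if ($on) { $on.TypeName } else { $off.TypeName }
        Logon     = $on.Time
        Logoff    = $off.Time
        Duration  = if ($on -and $off) { $off.Time - $on.Time }
        Source    = $on.Source
    }
} | Sort-Object Logon | Format-Table -AutoSize
```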