drop logon evtx or auth logs · per-user statistical baseline · session anomalies · runs locally
logon data
4624/4634/4647 evtx csv or linux auth.log · first 75% baseline · last 25% evaluation