drop months of 4624 logon evtx csv · build statistical profile of which user uses which machine · compute affinity scores · flag when a user logs into an unusual machine · detect account takeover by changed workstation usage · runs locally
baseline = first 75% of events · evaluation = last 25%
drop Security EVTX CSV with 4624 logon events (14+ days recommended)
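
A sketch of the profiling described above, added here as an example and not taken from the tool's own code: it splits time-ordered 4624 events 75/25, builds per-user workstation counts from the baseline, and flags evaluation logons with low affinity. The CSV column names, the affinity definition (share of a user's baseline logons on that workstation), the 0.05 threshold and the sample rows are all assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: 16 logons, one per day (column names are assumed).
_ROWS = ([("alice", "WS-ALICE")] * 6 + [("bob", "WS-BOB")] * 5 + [("bob", "WS-LAB")]
         + [("alice", "WS-ALICE"), ("bob", "WS-BOB"),
            ("alice", "SRV-FIN01"), ("carol", "WS-CAROL")])
SAMPLE_CSV = "TimeCreated,EventID,TargetUserName,WorkstationName\n" + "\n".join(
    f"2024-03-{day:02d}T09:00:00,4624,{user},{host}"
    for day, (user, host) in enumerate(_ROWS, 1))

def load_logons(text):
    """Return 4624 rows as (time, user, host) tuples, oldest first."""
    rows = [(r["TimeCreated"], r["TargetUserName"].lower(), r["WorkstationName"].upper())
            for r in csv.DictReader(io.StringIO(text)) if r["EventID"] == "4624"]
    return sorted(rows)  # ISO 8601 timestamps sort chronologically as strings

def build_profile(baseline):
    """Count baseline logons per user and workstation."""
    counts = defaultdict(Counter)
    for _, user, host in baseline:
        counts[user][host] += 1
    return counts

def affinity(profile, user, host):
    """Assumed score: fraction of the user's baseline logons seen on host."""
    seen = profile.get(user)
    if not seen:
        return None  # user has no baseline, so no score can be computed
    return seen[host] / sum(seen.values())

def flag_unusual(text, split=0.75, threshold=0.05):
    """Flag evaluation-window logons whose affinity is below threshold."""
    events = load_logons(text)
    cut = int(len(events) * split)  # baseline = first 75% of events
    profile = build_profile(events[:cut])
    alerts = []
    for ts, user, host in events[cut:]:
        score = affinity(profile, user, host)
        if score is not None and score < threshold:
            alerts.append((ts, user, host, round(score, 3)))
    return alerts

if __name__ == "__main__":
    for alert in flag_unusual(SAMPLE_CSV):
        print(alert)
```

Users who appear only in the evaluation window (carol in the sample) get no score here; treat them as a separate "new account" signal rather than as a workstation anomaly.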