Monitoring privileged accounts with Windows Security Log
Hackers have determined a number of ways to harvest privileged account credentials and use them to infiltrate networks. This makes monitoring privileged account usage critical to reducing your organisation’s cyber risk. The good news is that Windows provides event ID 4672, which is logged whenever an account signs in with admin user rights. Event ID 4672 contains valuable information, such as user name, computer name and privileges, and logon session ID. Administrative users will always have one or more of the rights that trigger event 4672.