The Auth Events tab on the Investigate page displays user authentication events that occur on the Windows endpoints of Carbon Black Cloud Enterprise EDR customers.
Note: The collection of authentication events is disabled by default. Before you can view authentication events on the Investigate page, you must
Enable Auth Events Collection in the policy. See
Enable Auth Event Collection.
On the left navigation pane, click Investigate and click the Auth Events tab. Search for events. Refer to the in-product Search Guide to view the available search fields for Auth Events. You can filter events by:
| Container | Container Image | Device |
| Domain | Interactive Logon | Logon ID |
| Logon Type | Parent | Policy |
| Port | Privileges | Process |
| Remote Device | Remote IP | Remote Location |
| Remote Logon | User ID (Windows Security ID) | Username |
| Windows Event ID |
Note: The Windows Event ID filter includes a tooltip feature that becomes visible when you hover over the filter. The tooltip describes the Windows Event ID. For example:
