This topic describes the expanded event details that are available for authentication events.

On the left navigation pane, click Investigate, and then click the Auth Events tab. Search for events.

On the right of any event row, click the Right-arrow expand icon (>) to display additional event information.

Event Details panel

When results are grouped using the Group by dropdown menu and you click the > for a group of authentication event results, the Event Details panel includes GROUP DETAILS, LAST EVENT DETAILS, PROCESS, and DEVICE sections. The GROUP DETAILS section summarizes the following:

  • Group by criteria
  • Number of events in the group
  • Times of the first and last events in the group
  • Additional information that is common between the events in the group

The LAST EVENT DETAILS section includes information about the most recent event in the group.

When you click the > for a single authentication event result, the Event Details panel includes EVENT DETAILS, PROCESS, and DEVICE sections.

The Event Details panel on the Auth Events page introduces a multi-attribute Investigate feature that lets you pivot to other results that have the same values for those attributes. The pivot options include:

  • Username & device
  • Device & remote IP (available for remote authentication events)
  • Username & Windows event ID

In this example, selecting the Username & device option in the Investigate dropdown menu takes you to a search for results that have the same Username and Device values:

Username & device details

Single-attribute pivots are also supported. Some values in the Event Details panel are hyperlinked to enable pivoting based on those values. In this example, 4624 is hyperlinked in the Windows event ID field. Clicking 4624 takes you to a search in the Auth Events tab for all results that have windows_event_id:4624.
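The following added example (not product code) reproduces the GROUP DETAILS summary and the pivots described above over exported event records, for analysts who triage offline. The sample events are constructed, and every record key except windows_event_id is an assumed name rather than a documented field.

```python
from collections import defaultdict

# Constructed sample events; key names other than windows_event_id are assumptions.
EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "username": "alice", "device": "WS-01",
     "remote_ip": None, "windows_event_id": 4624},
    {"time": "2024-05-01T08:05:00Z", "username": "alice", "device": "WS-01",
     "remote_ip": "10.0.0.7", "windows_event_id": 4624},
    {"time": "2024-05-01T08:09:00Z", "username": "bob", "device": "WS-01",
     "remote_ip": "10.0.0.7", "windows_event_id": 4625},
    {"time": "2024-05-01T09:30:00Z", "username": "alice", "device": "SRV-02",
     "remote_ip": "10.0.0.9", "windows_event_id": 4624},
]

# The three multi-attribute pivot options listed on this page.
PIVOTS = {
    "Username & device": ("username", "device"),
    "Device & remote IP": ("device", "remote_ip"),
    "Username & Windows event ID": ("username", "windows_event_id"),
}

def group_details(events, group_by):
    """Per group: event count, first/last times, common values, last event."""
    groups = defaultdict(list)
    for event in events:
        groups[event[group_by]].append(event)
    summary = {}
    for value, members in groups.items():
        members.sort(key=lambda e: e["time"])  # same-format UTC strings sort by time
        common = {k: v for k, v in members[0].items()
                  if k not in ("time", group_by)
                  and all(m[k] == v for m in members)}
        summary[value] = {"count": len(members), "first": members[0]["time"],
                          "last": members[-1]["time"], "common": common,
                          "last_event": members[-1]}
    return summary

def available_pivots(event):
    """A pivot is offered only when the event has a value for each attribute,
    so Device & remote IP is absent for local authentication events."""
    return [name for name, attrs in PIVOTS.items()
            if all(event[a] is not None for a in attrs)]

def pivot(events, event, attrs):
    """Return every event sharing the selected event's values for attrs."""
    if any(event[a] is None for a in attrs):
        raise ValueError("selected event has no value for a pivot attribute")
    return [e for e in events if all(e[a] == event[a] for a in attrs)]
```

A single-attribute pivot is the same call with one attribute, for example `pivot(EVENTS, EVENTS[0], ("windows_event_id",))`.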