The Auth Events tab on the Investigate page displays user authentication events that occur on the Windows endpoints of Carbon Black Cloud Enterprise EDR customers.

Note: The collection of authentication events is disabled by default. Before you can view authentication events on the Investigate page, you must enable Auth Events Collection in the policy. See Enable Auth Event Collection.

On the left navigation pane, click Investigate, and then click the Auth Events tab. Search for events. Refer to the in-product Search Guide to view the available search fields for Auth Events. You can filter events by:

Container | Container Image | Device
Domain | Interactive Logon | Logon ID
Logon Type | Parent | Policy
Port | Privileges | Process
Remote Device | Remote IP | Remote Location
Remote Logon | User ID (Windows Security ID) | Username
Windows Event ID

Note: The Windows Event ID filter includes a tooltip feature that becomes visible when you hover over the filter. The tooltip describes the Windows Event ID. For example:

[Figure: Example tooltip describing a Windows Event ID]