The Auditing view provides a centralized timeline of all Active Directory activity captured across your environment. Because AD generates a high volume of events, filtering and investigation tools are essential for quickly isolating meaningful changes.
This section explains how to narrow down results and investigate activity efficiently.
Working with the events table
The events table displays all captured activity in a consistent format, regardless of source.
Each event answers the same core questions:
- Who performed the action (Actor)
- What changed (Change type)
- Where it occurred (Target object, Domain)
- When it happened (Detected time)
- What the values were before and after the change
This standardized structure allows you to quickly scan and compare events without needing to interpret raw AD logs.
Using filters
Filters allow you to reduce noise and focus on relevant activity.
Event category
Use this filter to control which types of activity are displayed:
- Change Events: Object and attribute changes (for example, group membership updates, user modifications)
- Logon Events: Authentication activity (for example, logon successes and failures)
Logon events are high volume and are excluded by default. In most investigations, start with Change Events and add logon activity only when building a detailed timeline.
Severity
Filter events based on importance:
- Critical: High-risk activity such as privilege escalation or suspicious authentication
- Unclassified: All other events
Use this filter to quickly identify activity that may require immediate attention. Treat Unclassified as untriaged rather than benign: a routine-looking change can still be the one that matters, so once the critical events have been reviewed, clear the severity filter and check the rest of the window.
Time range
Narrow results to a specific window:
- Last hour
- Last 24 hours
- Custom range
Start with a tight time window when investigating a known incident, then expand as needed.
Actor
Filter by user or system account to see all actions performed by a specific identity.
This is useful when:
- Investigating suspicious user behavior
- Validating administrative changes
- Tracing activity across multiple objects
Target object
Filter by object name (user, group, computer, GPO, etc.) to see all activity affecting that object.
Investigating events
Once you’ve filtered results, selecting an event provides detailed context.
Each event includes:
- A clear description of the action
- The affected object
- The actor and originating system (when available)
- Before and after values for changes
Use this information to:
- Understand exactly what changed
- Determine whether the action was expected
- Identify potential security risks
Investigation tips
- Start narrow, then expand: Begin with a specific filter (user, object, or time window), then broaden the scope if needed.
- Focus on changes first: Change events are typically higher value than logon activity for initial investigation.
- Use logon events to build timelines: Add authentication data when you need to understand how access was obtained.
- Prioritize critical events: Use severity filtering to quickly identify high-risk activity.
Common investigation scenarios
The following examples show how to use filters to answer common questions during investigations.
Who added a user to a privileged group?
- Set Event Category = Change Events.
- Filter Target Object = Domain Admins (or other privileged group).
- Look for membership changes.
Result: Identify the actor, time of change, and affected account.
What changes did a specific user make?
- Set Actor = specific user.
- Keep Event Category = Change Events.
Optional: Add a time range to narrow results.
Result: See all modifications performed by that user across the environment.
What happened before and after a suspicious logon?
- Set Actor = user of interest.
- Enable Logon Events.
- Set a time window around the activity.
Result: Build a timeline of authentication activity and related changes.
What changed on a specific object?
- Set Target Object = object name.
- Keep Change Events enabled.
Result: View all modifications, including before/after values.
What are the highest-risk changes in my environment?
- Set Severity = Critical.
- Keep Event Category = Change Events.
Optional: Add a time filter (for example, last 24 hours).
Result: Quickly identify changes that may require immediate action.
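The filter model from "Using filters" and the five scenarios above, as an added example that is not part of this page or the product's own code: a small Python script that represents events in the standardized shape of the events table (actor, change type, target object, domain, detected time, before/after values) and applies each filter as a field predicate combined with AND, with logon events excluded unless explicitly enabled. The sample events, field names and function names are this example's own assumptions, constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


# Event shape mirrors the events table on this page: who, what, where, when,
# plus before/after values. Field names are this example's own choice.
@dataclass(frozen=True)
class Event:
    detected: datetime       # When: detected time
    category: str            # "change" or "logon" (Event category filter)
    severity: str            # "critical" or "unclassified" (Severity filter)
    actor: str               # Who
    change_type: str         # What
    target: str              # Where: target object
    domain: str              # Where: domain
    before: Optional[str] = None
    after: Optional[str] = None


# Constructed sample timeline (hypothetical data, not product output).
T0 = datetime(2024, 5, 1, 9, 0)
EVENTS = [
    Event(T0, "logon", "unclassified", "jsmith", "Logon success",
          "WS01", "corp.example"),
    Event(T0 + timedelta(minutes=5), "change", "critical", "jsmith",
          "Group membership added", "Domain Admins", "corp.example",
          before="", after="svc-backup"),
    Event(T0 + timedelta(minutes=12), "change", "unclassified", "jsmith",
          "User attribute modified", "svc-backup", "corp.example",
          before="description=", after="description=backup agent"),
    Event(T0 + timedelta(hours=3), "logon", "critical", "svc-backup",
          "Logon failure", "DC01", "corp.example"),
    Event(T0 + timedelta(days=2), "change", "unclassified", "helpdesk1",
          "Password reset", "bob", "corp.example"),
]


def filter_events(events, *, categories=("change",), severity=None,
                  actor=None, target=None, start=None, end=None):
    """Apply the Auditing-view filters as an AND of field predicates.

    Logon events are dropped unless "logon" is in `categories`, mirroring the
    page's default of excluding them. Name matches are case-insensitive
    because AD names are. Results are returned oldest first.
    """
    def keep(e):
        if e.category not in categories:
            return False
        if severity and e.severity != severity:
            return False
        if actor and e.actor.lower() != actor.lower():
            return False
        if target and e.target.lower() != target.lower():
            return False
        if start and e.detected < start:
            return False
        if end and e.detected > end:
            return False
        return True
    return sorted((e for e in events if keep(e)), key=lambda e: e.detected)


# Scenario 1: who added a user to a privileged group? The "after" value of a
# membership change names the account that was added.
def who_added_to_group(events, group):
    hits = filter_events(events, target=group)
    return [(e.actor, e.detected, e.after)
            for e in hits if e.change_type == "Group membership added"]


# Scenario 2: what changes did a specific user make (optionally in a window)?
def changes_by_actor(events, actor, start=None, end=None):
    return filter_events(events, actor=actor, start=start, end=end)


# Scenario 3: what happened before and after a suspicious logon? Logon events
# are switched on explicitly and the window is centred on the pivot time;
# start narrow, then widen `window` if the picture is incomplete.
def timeline_around(events, actor, pivot, window=timedelta(hours=1)):
    return filter_events(events, categories=("change", "logon"), actor=actor,
                         start=pivot - window, end=pivot + window)


# Scenario 4: what changed on a specific object, with before/after values?
def changes_on_object(events, target):
    return [(e.change_type, e.before, e.after)
            for e in filter_events(events, target=target)]


# Scenario 5: highest-risk changes, optionally limited to the last 24 hours.
def critical_changes(events, now=None):
    since = now - timedelta(hours=24) if now else None
    return filter_events(events, severity="critical", start=since)


if __name__ == "__main__":
    for actor, when, member in who_added_to_group(EVENTS, "domain admins"):
        print(f"{when:%Y-%m-%d %H:%M} {actor} added {member} to Domain Admins")
    for e in timeline_around(EVENTS, "jsmith", T0):
        print(f"{e.detected:%H:%M} [{e.category}] {e.change_type} -> {e.target}")
```

Note that `critical_changes` returns only one event from the sample data even though two are marked critical: the critical logon failure is hidden by the default Change Events category, which is exactly the behaviour the severity scenario on this page relies on. Enable logon events explicitly (as `timeline_around` does) when the question is about how access was obtained rather than what changed.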