Query for verification:
On Windows Server 2008, 2012, and 2016:
SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'WIN32_NTLogEvent' AND (TargetInstance.SourceName='Security' OR TargetInstance.LogFile='Security') AND (TargetInstance.EventIdentifier = 672 OR TargetInstance.EventIdentifier = 673 OR TargetInstance.EventIdentifier = 674 OR TargetInstance.EventIdentifier = 4624 OR TargetInstance.EventIdentifier = 4768 OR TargetInstance.EventIdentifier = 4769 OR TargetInstance.EventIdentifier = 4770)