Good morning. I’d like to ask you to explain this. It’s very important to me. I pay in nods.
Find the user account that logged in.
Find the login date
Find the IP of the account used to log in.
Event Log windows:
https://fileshark.pl/pobierz/51809290/4e0da/security-evtx
Windows event logs can be a complex area - but it largely depends on what you are looking for and, importantly, what you actually capture. Not all logs are created equal.
When you say “log management software”, do you mean something to read logs or something to store/analyse them.
For the former: Eric Zimmerman's tools is a great place to start with EvtxExplorer. You can also try LogMD (Free — IMF Security) to check the log configurations.
For storage/analysis - Look at ELK.
As for the questions, I’d start with Event ID 4624 in the security event log. More detail on it is here: Windows Security Log Event ID 4624 - An account was successfully logged on
If your logging is set up properly, it will have all that information.
Note, some of the data might be a bit misleading. The IP address isn’t always the IP of the remote machine (especially if you forward logon requests). Sometimes the user account isn’t captured correctly etc. The date/time can trick you if you don’t synchronise it across devices (and watch out for timezone offsets).
Thank you for such a quick answer.
I filtered out the logs.
https://fileshark.pl/pobierz/51824790/2df0a/filtered-evtx
I found two interesting logs
https://fileshark.pl/pobierz/51824791/e41d2/ip-adress-evtx
Can I count on more tips ? Unfortunately, I have zero experience of working with logs
I can certainly try to help but it depends what you want to know.
I might not be the most useful person here as I’ve no idea how to get either file to download without paying for an account, and I’ve no intention of paying for an account.
I have uploaded files to another hosting
original file;
Filtered;
I need this information 
;
Find the user account that logged in.
Find the login date
Find the IP of the account used to log in.
Thank you for trying to help
Ok - I’ve requested access.
I forgot about access
already working
Got it now.
Is there anything you want to pivot on because there are 475 logon events.
I think I can see the user account which logged on, and dates/IPs but I don’t know if its the account you are interested in.
For example:
New Logon:
Security ID: S-1-5-21-1327243971-766763558-3563500504-1109
Account Name: paradeuser
Account Domain: BLACKPARADE
Logon ID: 0x208F4
Logon GUID: {00000000-0000-0000-0000-000000000000}
but there are quite a few dates.
On 18 March 2019, there is this event (logon type 10 - RDP)
New Logon:
Security ID: S-1-5-21-1327243971-766763558-3563500504-1103
Account Name: paradeadmin
Account Domain: BLACKPARADE
Logon ID: 0x86DC5
Logon GUID: {00000000-0000-0000-0000-000000000000}
Network Information:
Workstation Name: HACKERU7-PC
Source Network Address: 192.168.1.109
Source Port: 57566
So if that is the activity of interest - you have the username, date and IP address.
Thank you very much, you are a god. Have a nice day.