![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 51%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello,
Thank you so much for posting here.
Once we configured these audit policies, there will be event logs recorded such as:
Security: A Kerberos authentication ticket (TGT) was requested.
Security: A logon was attempted using explicit credentials.
Security: An account was successfully logged on.
Security: An account was logged off.
If lots of accounts log on, there will be lots of activities in the event logs. According to our description, all the event logs are associated with certain account. If we have any doubt, we could verity whether this account is real and existed and then contact the account MSOL_xxxxx account to verify whether this account has preformed the actions.
For any question, please feel free to contact us.
Best regards,
Hannah Xiong