We have captured Windows events, but have no idea how to identify the event to alert on when a user with administrator rights logs on. Not sure whether the following events are appropriate or how to write the search...
576 - Specified privileges were added to a user's access token. (This event is generated when the user logs on.)
577 - A user attempted to perform a privileged system service operation.
578 - Privileges were used on an already open handle to a protected object.
4672 - Special privileges assigned to new logon
4673 - A privileged service was called
4674 - An operation was attempted on a privileged object
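An added example, not part of the original post: of the IDs listed, 4672 (576 on pre-Vista systems) is the one written at logon, while 577/578/4673/4674 record later privilege use. The sketch below filters such events down to privileged logons by real user accounts. It assumes the collector normalizes records to the 4672 field names (`SubjectUserSid`, `SubjectUserName`, `SubjectLogonId`, `PrivilegeList`); the sample records and the `ADMIN_PRIVS` selection are constructed and should be tuned.

```python
# Added example. Sample records are constructed; ADMIN_PRIVS is an assumed
# selection of privileges treated as "administrator-level".
LOGON_PRIV_EVENTS = {4672, 576}   # 576 is the pre-Vista ID for the same event
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL/NETWORK SERVICE
ADMIN_PRIVS = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege",
}

def admin_logons(events):
    """Return one alert per privileged logon session of a real user account."""
    alerts, seen = [], set()
    for ev in events:
        if ev.get("EventID") not in LOGON_PRIV_EVENTS:
            continue  # 577/578/4673/4674 are privilege use, not logon
        user = ev.get("SubjectUserName", "")
        if ev.get("SubjectUserSid") in SERVICE_SIDS or user.endswith("$"):
            continue  # built-in service accounts and machine accounts are noise
        privs = set(ev.get("PrivilegeList", "").split()) & ADMIN_PRIVS
        key = (ev.get("Computer"), ev.get("SubjectLogonId"))
        if not privs or key in seen:
            continue  # no admin-level privilege, or session already reported
        seen.add(key)
        alerts.append({"host": key[0], "user": user, "logon_id": key[1],
                       "privileges": sorted(privs)})
    return alerts

def _ev(eid, sid, user, logon_id, privs, host="WS01"):
    """Build one constructed sample record."""
    return {"EventID": eid, "Computer": host, "SubjectUserSid": sid,
            "SubjectUserName": user, "SubjectLogonId": logon_id,
            "PrivilegeList": privs}

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_EVENTS = [
    _ev(4672, "S-1-5-18", "SYSTEM", "0x3e7", "SeTcbPrivilege SeDebugPrivilege"),
    _ev(4672, DOM + "-1104", "alice.admin", "0x5a1f2",
        "SeSecurityPrivilege\n\t\tSeBackupPrivilege\n\t\tSeDebugPrivilege"),
    _ev(4672, DOM + "-1104", "alice.admin", "0x5a1f2", "SeDebugPrivilege"),
    _ev(4672, DOM + "-1201", "WS01$", "0x6b001", "SeLoadDriverPrivilege"),
    _ev(4672, DOM + "-1300", "svc_web", "0x70c10", "SeImpersonatePrivilege"),
    _ev(4673, DOM + "-1104", "alice.admin", "0x5a1f2", "SeTcbPrivilege"),
    _ev(576, DOM + "-1105", "bob", "0x1234", "SeDebugPrivilege", host="SRV03"),
]

if __name__ == "__main__":
    for alert in admin_logons(SAMPLE_EVENTS):
        print(alert)
```

The logon ID is kept in each alert so it can be joined to the matching logon record for source address and logon type.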