I'm reviewing the authentication logs on our network. Would it be safe to assume that if Kerberos is listed as the protocol used, the user was physically sitting at their desk when logging in? I notice that in some of the log entries Kerberos isn't listed; it's just blank. I'm trying to get a better understanding of the logon/logoff events, i.e. event IDs 528 and 540.
If you go to your event log, you'll see that it is normal to have 50 to 100 logon/logoff events in one day's time easily. However, I know these are not all on the user; some of these events are a result of the network. How does one tell an actual user event from a system/network event?