No logs, no problem: Leveraging User Access Logging on Windows Server systems

Not to be confused with Office 365’s Unified Audit Log, the User Access Logging (UAL) database is included with Server editions of Microsoft Windows starting with Windows Server 2012. Designed to provide system administrators with insight into service usage on Windows servers, it contains valuable forensic data which remains largely untapped by DFIR professionals. Among other things, the UAL database maintains a record of the types of services accessed on a server; the username associated with the access; and the source IP address from which the access occurred. With default settings, the UAL database retains this information for two years. The database is stored in the Extensible Storage Engine (ESE) format, and can be parsed offline or accessed from a live system via PowerShell cmdlets.
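As an added example (not code from the original article), the following PowerShell script shows how an analyst can pull the per-user, per-source-IP records the paragraph describes from a live server with the built-in UserAccessLogging cmdlets and turn them into two quick triage views. The cmdlet names Get-UalOverview and Get-UalUserAccess are the module's own; the output property names (RoleName, Username, IPAddress, LastSeen, AccessCount), the thresholds and the output folder are assumptions and placeholders.

```powershell
# Added example (not from the original article): live UAL triage with the
# UserAccessLogging module shipped in Windows Server 2012 and later.
# Assumptions: Get-UalUserAccess output exposes RoleName, Username, IPAddress,
# LastSeen and AccessCount; thresholds and paths below are placeholders.
param(
    [int]    $LookbackDays = 30,
    [string] $OutDir       = "C:\IR\UAL"   # placeholder output folder
)

Import-Module UserAccessLogging -ErrorAction Stop

$since = (Get-Date).AddDays(-$LookbackDays)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Which roles/services the server has recorded at all (File Server, DNS, ...)
Get-UalOverview |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'ual_overview.csv')

# 2. User / source-IP access records seen within the lookback window
$access = Get-UalUserAccess | Where-Object { $_.LastSeen -ge $since }
$access |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'ual_user_access.csv')

# 3. Triage views: accounts used from many distinct source IPs, and source IPs
#    touching many distinct accounts. Thresholds are arbitrary starting points.
$byUser = $access | Group-Object Username | ForEach-Object {
    [pscustomobject]@{
        Username    = $_.Name
        DistinctIPs = ($_.Group.IPAddress | Sort-Object -Unique).Count
        Roles       = ($_.Group.RoleName  | Sort-Object -Unique) -join ';'
        LastSeen    = ($_.Group.LastSeen  | Measure-Object -Maximum).Maximum
    }
}
$byIp = $access | Group-Object IPAddress | ForEach-Object {
    [pscustomobject]@{
        IPAddress     = $_.Name
        DistinctUsers = ($_.Group.Username | Sort-Object -Unique).Count
        TotalAccess   = ($_.Group.AccessCount | Measure-Object -Sum).Sum
    }
}

$byUser | Where-Object DistinctIPs   -ge 5 |
    Sort-Object DistinctIPs   -Descending | Format-Table -AutoSize
$byIp   | Where-Object DistinctUsers -ge 3 |
    Sort-Object DistinctUsers -Descending | Format-Table -AutoSize
```

Because the database keeps two years of history by default, widening $LookbackDays lets the same script baseline "normal" user/IP pairings before an incident window is examined.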