When looking for user logon/logoff events, I'm seeing duplicate events across all domain controllers. E.g., if we have 4 DCs, each logon/logoff triggers 4 events within a few seconds of each other. This makes sense, but it's hard to produce actionable reports. I'm not keen on the idea of only monitoring the PDC, so is there a simple way to filter nDepth results to reduce or remove duplicate hits from multiple DCs?
I've had some luck exporting and filtering based on the UniqueID, but I can't find a way to filter that at reporting time within nDepth. Is that field exposed to the nDepth tool?
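
The export-and-filter approach mentioned in the question, as an added example that is not part of the original post or of nDepth: it collapses the same logon/logoff reported by several DCs within a few seconds into one record that lists the reporting DCs. The CSV column names, event names and the 10-second window are assumptions, and it keys on user and event type rather than UniqueID because the export format is not shown here.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column and event names are assumptions,
# not nDepth's real export schema.
SAMPLE_CSV = """time,dc,event,user
2024-01-15 08:00:01,DC01,UserLogon,alice
2024-01-15 08:00:02,DC03,UserLogon,alice
2024-01-15 08:00:02,DC02,UserLogon,alice
2024-01-15 08:00:04,DC04,UserLogon,alice
2024-01-15 08:00:03,DC02,UserLogon,bob
2024-01-15 08:00:05,DC01,UserLogon,bob
2024-01-15 08:30:00,DC01,UserLogon,alice
2024-01-15 17:00:10,DC02,UserLogoff,alice
2024-01-15 17:00:11,DC01,UserLogoff,alice
"""

def collapse_duplicates(csv_text, window_seconds=10):
    """Merge rows with the same (user, event) seen within window_seconds
    of the first row of a cluster into one record listing the DCs."""
    window = timedelta(seconds=window_seconds)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    rows.sort(key=lambda r: r["ts"])  # exports are not guaranteed to be ordered

    open_clusters = {}  # (user, event) -> most recent merged record
    merged = []
    for row in rows:
        key = (row["user"], row["event"])
        current = open_clusters.get(key)
        if current and row["ts"] - current["first_seen"] <= window:
            current["dcs"].add(row["dc"])  # same event, another DC
            continue
        record = {"user": row["user"], "event": row["event"],
                  "first_seen": row["ts"], "dcs": {row["dc"]}}
        open_clusters[key] = record
        merged.append(record)
    return merged

if __name__ == "__main__":
    for rec in collapse_duplicates(SAMPLE_CSV):
        print(rec["first_seen"], rec["event"], rec["user"], sorted(rec["dcs"]))
```

A record whose DC set is smaller than the number of DCs shows which controllers did not report that event.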