Use a tool like Event Log Explorer (https://eventlogxp.com/).
For each tab, set the displayed time to UTC so you don't get the time difference wrong when comparing events. Always do this. In Event Log Explorer this is under View -> Time Correction -> Display UTC time.
Ctrl+L will give you a filter that lets you filter for relevant event IDs or free-text searching. You can even make color-coding templates to make relevant events stand out.
Don’t try to make sense of every event; you’ll fail. Look for targeted specifics.
Notable event IDs to look for:
- 4776 – Account logon with local authentication
- 4624 – Account logon with domain authentication
  - Logon Type 10 is RDP
- 4778 – RDP reconnects
- 5140 – Shares mounting
- 7045 – Service installation
Do text searches for terms like psexec, mimikatz, powershell, etc.
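
The same triage done in a script, as an added example that is not part of the original notes: it filters on the event IDs listed above, flags 4624 events with Logon Type 10, and runs the free-text search over each event's data fields. It assumes the events were exported as XML and wrapped in a single root element; the sample events, including the 4688 entry used to show a keyword hit outside the ID list, are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NOTABLE_IDS = {4776, 4624, 4778, 5140, 7045}     # IDs from the list above
KEYWORDS = ("psexec", "mimikatz", "powershell")  # search terms from the notes

# Constructed sample events (not from a real host). SystemTime is stored in UTC.
SAMPLE = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T09:15:02Z"/></System>
 <EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="LogonType">10</Data></EventData></Event>
<Event><System><EventID>4776</EventID><TimeCreated SystemTime="2024-03-01T09:14:40Z"/></System>
 <EventData><Data Name="TargetUserName">svc_backup</Data></EventData></Event>
<Event><System><EventID>7045</EventID><TimeCreated SystemTime="2024-03-01T09:16:10Z"/></System>
 <EventData><Data Name="ServiceName">PSEXESVC</Data><Data Name="ImagePath">C:\Temp\psexec.exe</Data></EventData></Event>
<Event><System><EventID>4688</EventID><TimeCreated SystemTime="2024-03-01T09:17:00Z"/></System>
 <EventData><Data Name="CommandLine">powershell.exe -NoProfile</Data></EventData></Event>
<Event><System><EventID>4634</EventID><TimeCreated SystemTime="2024-03-01T09:18:00Z"/></System>
 <EventData><Data Name="TargetUserName">svc_backup</Data></EventData></Event>
</Events>"""


def triage(xml_text):
    """Return (utc_time, event_id, reasons) for events worth a closer look."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        # Read the raw UTC timestamp so no local-time conversion is applied.
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        reasons = []
        if event_id in NOTABLE_IDS:
            reasons.append("notable-id")
        if event_id == 4624 and data.get("LogonType") == "10":
            reasons.append("rdp-logon")
        # Case-insensitive free-text search across all data fields.
        blob = " ".join(data.values()).lower()
        reasons += ["keyword:" + k for k in KEYWORDS if k in blob]
        if reasons:
            hits.append((when, event_id, reasons))
    return sorted(hits)  # ISO 8601 UTC strings sort chronologically


if __name__ == "__main__":
    for when, event_id, reasons in triage(SAMPLE):
        print(when, event_id, ", ".join(reasons))
```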