Checking Login Usage

Kenneth Fisher checks a box I really like checking:

I get asked this every now and again, along with the companion When was the last time this login was used? It’s a pretty easy question to answer but there are some caveats. First of all you need to have your system set to log both successful and failed logins. You can probably get away with successful only but personally I want to know a failed attempt just like I’d want to know a successful one.

This is something we tend to avoid because of how many events it adds to the Security event log, but it is critical to understanding whether the person trying to log in as sa gave up or stopped because a login succeeded.
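The check described above, as an added example that is not from the original post: it reads login audit lines and reports, per login, the last success, the last failure, and whether the most recent run of failures ended in a successful login. The sample lines, login names and client addresses are constructed, and the layout assumes SQL Server error log text with both failed and successful logins audited.

```python
import re
from datetime import datetime

# Constructed sample in the SQL Server error log layout; logins and addresses are made up.
SAMPLE_LOG = """\
2020-04-09 08:15:02.41 Logon       Login succeeded for user 'app_reports'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.20]
2020-04-10 02:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-10 02:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.66]
2020-04-10 02:00:03.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.66]
2020-04-10 02:00:07.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.66]
2020-04-10 03:12:44.02 Logon       Login failed for user 'old_etl'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.31]
2020-04-10 03:12:49.30 Logon       Login failed for user 'old_etl'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.31]
"""

# timestamp, outcome, login name, client address
EVENT = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
                   r"Login (succeeded|failed) for user '(.*?)'\..*?\[CLIENT: ([^\]]+)\]")

def summarize_logins(log_text):
    """Per login: last success, last failure, and how the latest failure streak ended."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m:  # skips "Error: 18456" lines and anything that is not a login event
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2) == "succeeded", m.group(4)))
    summary = {}
    for ts, login, ok, client in sorted(events):  # chronological order
        s = summary.setdefault(login, {"last_success": None, "last_failure": None,
                                       "streak": 0, "verdict": "no failures"})
        if ok:
            s["last_success"] = ts
            if s["streak"]:  # a run of failures just ended with a success
                s["verdict"] = f"{s['streak']} failures then success from {client}"
            s["streak"] = 0
        else:
            s["last_failure"] = ts
            s["streak"] += 1
            s["verdict"] = f"{s['streak']} failures, no success since"
    return summary

if __name__ == "__main__":
    for login, s in summarize_logins(SAMPLE_LOG).items():
        print(login, s["last_success"], s["last_failure"], s["verdict"])
```

With only successful logins audited, the sa and old_etl rows above would be indistinguishable from logins that had no failures at all.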

One Comment

  1. Kenneth Fisher, 2020-04-10

    You know, I used to care about log bloat but since I started dumping it into a temp table to view I stopped worrying so much about that. Now it’s all just data that I can query.

