When the credentials are submitted for a user account logon request, audit events are generated by the operating system which is determined by the Audit Credential Validation. The events occur as follow: As in an enterprise environment, domain accounts are used more often than local accounts so most of the user logon requests are in the Domain Environment for which Domain Controllers have the authorization. So, the event volume is high on Domain Controllers and low on member servers and workstations.