Given event logs, what should a network/domain admin be looking for?
A decrease in the total number of events.
  If you have 1000 entries on Tuesday and then 100 on Wednesday, the local event log was probably cleared (the event count was reset to zero). This shows that someone (local, remote, or a script) had a motive to delete the logs.
Failed logon attempts. One or two may be acceptable in a 5-minute period, but if the failed logon count exceeds 10 per hour, then someone may be attempting to brute-force a logon.
All warnings should be resolved.
  Repeated warnings become false positives and will get ignored.
  Warnings may signify a possible attack vector; it may not be causing problems now, but it could in the future.
More than one standard deviation from the average number of events. [This requires establishing a large baseline (many weeks).] Measure this:
  per day, per machine
  per week, per machine
  per day, per network
  per week, per network
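The four indicators above can be turned into concrete checks over collected events. The following is an added example, not part of the original notes: it builds a constructed two-week set of per-host event records (timestamp, computer, event ID, level, message), then flags a sudden drop in daily volume, a burst of failed logons above 10 per hour, days more than one standard deviation from a per-machine baseline, and warnings that recur day after day. Event IDs 4625 (failed logon) and 4624 (successful logon) are the standard Windows Security log IDs; event ID 9001, the host name, the 50% drop ratio and the 3-day recurrence cutoff are assumptions chosen for the example.

```python
"""Checks for the event-log indicators listed above (added example, not from the notes)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

HOST = "HOST1"  # assumed host name


def build_sample_events():
    """Constructed sample data: 14 baseline days of roughly 1000 events, then a
    day that collapses to 100 events, one hour with 12 failed logons, and one
    warning that repeats every day."""
    events = []
    start = datetime(2024, 3, 4)  # a Monday; constructed date
    for day in range(15):
        date = start + timedelta(days=day)
        per_day = 950 + (day * 37) % 100 if day != 14 else 100  # day 14: sudden drop
        for i in range(per_day):
            events.append({"ts": date + timedelta(seconds=i * 80), "computer": HOST,
                           "event_id": 4624, "level": "Information", "msg": "logon ok"})
    burst = start + timedelta(days=13, hours=2)  # 12 failed logons in one hour
    for i in range(12):
        events.append({"ts": burst + timedelta(minutes=i * 4), "computer": HOST,
                       "event_id": 4625, "level": "Information", "msg": "logon failed"})
    for day in range(15):  # same warning every day: noise that will get ignored
        events.append({"ts": start + timedelta(days=day, hours=12), "computer": HOST,
                       "event_id": 9001, "level": "Warning", "msg": "sample warning"})
    return events


def counts_per_day(events, computer=None):
    """Total events per calendar day, optionally for one machine; sorted by date."""
    c = Counter()
    for e in events:
        if computer is None or e["computer"] == computer:
            c[e["ts"].date()] += 1
    return dict(sorted(c.items()))


def sudden_drops(daily, ratio=0.5):
    """Days whose count fell below `ratio` of the previous day's count (assumed threshold).
    A 1000 -> 100 collapse like the one in the notes is the typical hit."""
    days = list(daily)
    return [d for prev, d in zip(days, days[1:]) if daily[d] < ratio * daily[prev]]


def failed_logon_bursts(events, per_hour=10):
    """(computer, hour) pairs with more than `per_hour` failed logons (event 4625)."""
    c = Counter()
    for e in events:
        if e["event_id"] == 4625:
            hour = e["ts"].replace(minute=0, second=0, microsecond=0)
            c[(e["computer"], hour)] += 1
    return {k: v for k, v in c.items() if v > per_hour}


def baseline_outliers(daily, baseline_days):
    """Days after the baseline window whose count is more than one standard
    deviation from the baseline mean. The notes call for a baseline of many
    weeks; the constructed data uses 14 days only to keep the example small."""
    days = list(daily)
    base = [daily[d] for d in days[:baseline_days]]
    mu, sigma = mean(base), pstdev(base)
    return [d for d in days[baseline_days:] if abs(daily[d] - mu) > sigma]


def repeated_warnings(events, min_days=3):
    """Warnings recurring on at least `min_days` distinct days (assumed cutoff):
    these are the ones that turn into ignored false positives unless resolved."""
    seen = defaultdict(set)
    for e in events:
        if e["level"] == "Warning":
            seen[(e["computer"], e["event_id"], e["msg"])].add(e["ts"].date())
    return {k: len(v) for k, v in seen.items() if len(v) >= min_days}


if __name__ == "__main__":
    ev = build_sample_events()
    daily = counts_per_day(ev, HOST)
    print("sudden drops:", sudden_drops(daily))
    print("failed-logon bursts:", failed_logon_bursts(ev))
    print("baseline outliers:", baseline_outliers(daily, 14))
    print("repeated warnings:", repeated_warnings(ev))
```

The same `counts_per_day` aggregation gives the per-network figures by omitting the `computer` filter, and a weekly view by bucketing on `ts.isocalendar()[:2]` instead of `ts.date()`; the baseline check is the one that needs the long history, since a two-week window will not capture normal month-end or patch-cycle swings.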