I will be working with a team to generate fresh logs in the Lab. When I get the logs I will definitely know what I should search and find.
I hope to have more on this tomorrow. Until then try the search below in nDepth.
( ProviderSID = "Microsoft-Windows-Security-Auditing 4625" )
RT