I have had a break-in attempt. Someone has tried to access an account which has been disabled. In the event log, it shows that RAS had denied access because the account is disabled. Is there any way to find out which account was used? In the message it does not show. Is it included in the binary portion somehow?

Thanks in advance,
Charles