Enzoic will log every password attempt and compromised password that it comes across. Much like password rejections (which can be found here), compromises found in daily password checks are written to the local logs of the DC that handles the specific user's account. 


In order to find a compromised user event, you will need to know when the compromise was detected (this is generally going to be the same time as the email notification) and which DC handles the compromised user.  


Once you have that information, go to the DC and follow this path: C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs. This folder is going to have two main log types: Console logs and Service logs. Look for the EnzoicService_*DATE*.JSON log. 


Here you will find a compromised entry that looks something like this: 


{ "time": "2022-11-01 12:48:32.2804-06:00", "threadId": "12", "level": "INFO", "event": "CompromiseDetectedDelayedRemediationScheduled", "eventData": { "data": {"user":"vvondoom","detectionTimestamp":"2022-11-01T12:48:32.2492641-06:00","detectionMethod":"LocalDictionary","matchTypes":["ExactMatch"],"actionTaken":"ForcePasswordChangeOnLoginDelayed","actionDelayHours":72,"eventKind":"CompromiseDetectedDelayedRemediationScheduled","category":"General","area":"General","details":null} } }


This entry shows the time, the user, the compromise detected, and the remediation steps/ action taken based on the policy that the user is in.