Oct 23, 2022

Windows Event Log Analysis

Configuring logging on Windows systems, and aggregating those logs into a SIEM, is a critical step toward ensuring that your environment can support effective incident response with incident response tools.

Events can be logged in the Security, System and Application event logs. 

Log Name: Event Log where the event is stored. Useful when processing numerous logs pulled from the same system.
Source: The service, Microsoft component or application that generated the event.
Event ID: A code assigned to each type of audited activity.
Level: The severity assigned to the event in question.
User: The user account involved in triggering the activity, or the user context that the source was running as when it logged the event.
OpCode: Assigned by the source generating the log.
Logged: The local system date and time when the event was logged.
Task Category: Assigned by the source generating the log.
Keywords: Assigned by the source and used to group or sort events.
Computer: The computer on which the event was logged. This is useful when examining logs collected from multiple systems, but should not be considered to be the device that caused an event (remote workstation).
Description: A text block where additional information specific to the event being logged is recorded.
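As an added example (not part of the original post), the PowerShell function below queries a local event log with Get-WinEvent and projects each record onto the fields described above, also parsing the EventData block that the Description text is rendered from. The log name, the Event IDs (4768, the Kerberos TGT request, from the guide's own list) and the time window are assumed analyst-chosen parameters.

```powershell
# Added example, not code from the original post. Assumes an elevated
# PowerShell 5.1+ session on the host being examined (the Security log
# is not readable by standard users).
function Get-EventSummary {
    param(
        [string]$LogName = 'Security',
        [int[]]$EventIds = @(4768),              # assumed default: Kerberos TGT request
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    # Filter inside the log service; piping everything to Where-Object is far slower.
    $filter = @{ LogName = $LogName; Id = $EventIds; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData carries the event-specific details (account, workstation, IP, ...)
        # that the Description field is rendered from; parse the XML to address them by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            LogName      = $_.LogName
            Source       = $_.ProviderName
            EventId      = $_.Id
            Level        = $_.LevelDisplayName
            User         = $_.UserId                      # SID of the logging context
            OpCode       = $_.OpcodeDisplayName
            Logged       = $_.TimeCreated
            TaskCategory = $_.TaskDisplayName
            Keywords     = ($_.KeywordsDisplayNames -join ',')
            Computer     = $_.MachineName                 # where it was logged, not the origin
            EventData    = $data                          # e.g. TargetUserName, IpAddress
        }
    }
}

# Usage: pull the last 24 hours of TGT requests, then count per Event ID and
# per source address held in EventData, the "numerous logs" step the table mentions.
$events = Get-EventSummary -LogName 'Security' -EventIds 4768
$events | Group-Object EventId | Select-Object Name, Count
$events | Group-Object { $_.EventData['IpAddress'] } | Sort-Object Count -Descending |
    Select-Object Name, Count -First 10
```

The Computer column and the EventData IpAddress value answer different questions: the first is the system that wrote the record, the second is what the event itself reports about the requester.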


Types of Windows Event Log Analysis – Guide

• Account Management Events
• Account Logon and Logon Events
• Common Event ID 4768 result codes
• Logon event type code descriptions
• Common logon failure status codes
• Access to Shared Objects
• Scheduled Task Logging
• Object Access Auditing
• Audit Policy Changes
• Auditing Windows Services
• Wireless LAN Auditing
• Process Tracking
• Additional Program Execution Logging
• Auditing PowerShell Use


Go through the complete incident response guide with the following link.


Links: