Configuring logging on Windows systems, and aggregating those logs into a SIEM, is a critical step toward ensuring that your environment is able to support effective incident response using Incident response tools.
Events can be logged in the Security, System and Application event logs.
| Log Name | Event Log where the event is stored. Useful when processing numerous logs pulled from the same system. |
|---|---|
| Source | The service, Microsoft component or application that generated the event. |
| Event ID | A code assigned to each type of audited activity. |
| Level | The severity assigned to the event in question. |
| User | The user account involved in triggering the activity or the user context that the source was running as when it logged the event. |
| OpCode | Assigned by the source generating the log. |
| Logged | The local system date and time when the event was logged. |
| Task Category | Assigned by the source generating the log. |
| Keywords | Assigned by the source and used to group or sort events. |
| Computer | The computer on which the event was logged. This is useful when examining logs collected from multiple systems, but should not be considered to be the device that caused an event (remote workstation). |
| Description | A text block where additional information specific to the event being logged is recorded. |
Types of Windows Event Log Analysis – Guide
- Account Management Events
- Account Logon and Logon Events
- Common Event ID 4768 result codes
- Logon event type code descriptions
- Common logon failure status codes
- Access to Shared Objects
- Scheduled Task Logging
- Object Access Auditing
- Audit Policy Changes
- Auditing Windows Services
- Wireless LAN Auditing
- Process Tracking
- Additional Program Execution Logging
- Auditing PowerShell Use
Go thru the complete incident response guide with the following link.
Links: