Event Logs Overview

Windows event logs record most of what happens on a Windows system: user logons, process execution, network activity, security changes, system errors, policy updates, and application behavior. Exactly what is recorded depends on audit policy and on which channels are enabled; process creation (4688), for example, only appears in the Security log once Audit Process Creation is turned on. These logs are the primary data source for detecting attacks on Windows machines. A SOC analyst must know what logs exist, where they are stored, what categories they fall into, what type of telemetry each provides, and which of them are off by default.

Event logs are written by the Windows Event Log service and can be viewed in Event Viewer, queried with Get-WinEvent or wevtutil, or forwarded to a SIEM through Winlogbeat, Windows Event Forwarding (WEF), or an EDR/SIEM agent.


Core Windows Event Log Categories

Windows uses several primary log channels. Each one provides different security telemetry.

Security Log

The most critical log for SOC investigations. It contains:

  • Logon attempts (4624 success, 4625 failure, 4634/4647 logoff)

  • Privilege usage (4672, special privileges assigned to a new logon)

  • Group membership changes (4728 global group, 4732 local group, 4756 universal group)

  • Account creation or deletion (4720, 4726)

  • Audit policy modifications (4719)

  • Kerberos activity on domain controllers (4768 TGT request, 4769 service ticket request, 4771 pre-authentication failure)

  • Process creation (4688), only when Audit Process Creation is enabled

Attackers leave traces here whenever they authenticate, escalate privileges, or modify accounts. Clearing this log is itself recorded as event 1102.

System Log

Contains system-level events such as:

  • Service failures and state changes (Service Control Manager 7034, 7036)

  • New service installation (7045)

  • Driver load problems

  • Startup/shutdown events (6005, 6006, 6008 for an unexpected shutdown)

  • Security service changes

If an attacker stops a security service, installs a service for persistence or remote execution (PsExec-style tools create a temporary service, which fires 7045), or loads a driver, the System log records it. Clearing this log is recorded as event 104.

Application Log

Used by Windows applications and services. Useful for:

  • Application errors (source Application Error, event 1000)

  • Unexpected crashes (Windows Error Reporting, event 1001)

  • Execution anomalies

Failed exploit attempts and unstable malware can surface here as crash events for processes such as Office applications or browsers.

PowerShell Logs

Critical for detecting script-based attacks. Includes:

  • Script block logging (4104 in Microsoft-Windows-PowerShell/Operational)

  • Module logging (4103, pipeline execution details)

  • PowerShell engine activity (400/403 engine start and stop in the classic Windows PowerShell channel)

PowerShell abuse is extremely common in modern attacks. Script block and module logging must be enabled by policy; without the policy, Windows PowerShell 5 records only script blocks it considers suspicious, so 4104 coverage is incomplete until the setting is deployed.
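The following is an added example, not code from the original page: it turns on script block and module logging through the same registry values the PowerShell Group Policy settings write, generates one script block from a fresh process, and then reads 4104 events back, flagging any that contain strings commonly seen in malicious loaders. The keyword list is an assumption to tune; the registry paths are the documented policy locations for Windows PowerShell 5.1. Run it from an elevated prompt.

```powershell
# Added example. Enable script block + module logging (policy registry keys), then
# read 4104 events back and flag suspicious script text. Requires administrator.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: every block that the engine compiles is logged as 4104.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging: pipeline execution details (4103) for every module ("*").
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# A new process picks up the policy; run a harmless block so there is something to find.
& powershell.exe -NoProfile -Command 'Get-Date | Out-Null'
Start-Sleep -Seconds 2

# Assumed indicator list: strings that frequently appear in encoded or staged loaders.
$suspicious = 'FromBase64String', 'DownloadString', 'DownloadFile', 'IEX', 'Invoke-Expression',
              '-enc', 'EncodedCommand', 'Net.WebClient', 'Add-MpPreference', 'Invoke-Mimikatz'
$pattern = ($suspicious | ForEach-Object { [regex]::Escape($_) }) -join '|'

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x    = [xml]$_.ToXml()
        $text = ($x.Event.EventData.Data | Where-Object Name -eq 'ScriptBlockText').'#text'
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Level      = $_.LevelDisplayName      # Warning = engine already judged it suspicious
            Suspicious = [bool]($text -match $pattern)
            Script     = ("$text" -replace '\s+', ' ').Substring(0, [Math]::Min(100, "$text".Length))
        }
    } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

Long scripts are split across several 4104 events (MessageNumber/MessageTotal fields in the event data) and must be re-joined by ScriptBlockId before keyword matching is reliable.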

Task Scheduler Logs

The Microsoft-Windows-TaskScheduler/Operational channel shows:

  • Scheduled task creation (106, task registered)

  • Task modification and deletion (140 updated, 141 deleted)

  • Task execution (200 action started, 201 action completed)

This channel is disabled by default and must be enabled before it records anything. Independently of it, the Security log records task creation, deletion and updates (4698, 4699, 4702) when "Audit Other Object Access Events" is enabled. Attackers frequently use scheduled tasks for persistence.

Sysmon Logs (If Installed)

Sysmon (System Monitor, a Sysinternals driver and service) writes to Microsoft-Windows-Sysmon/Operational and provides rich telemetry:

  • Process creation with full command line and parent (event 1)

  • Network connections (event 3), DNS queries (event 22)

  • Registry changes (events 12, 13, 14)

  • File activity (event 11 file create, 15 alternate data stream)

  • WMI operations (events 19, 20, 21)

  • Image loads (7) and cross-process access such as LSASS reads (10)

Sysmon dramatically increases visibility compared to default logs, but it must be installed with a configuration file that filters noise, otherwise volume quickly becomes unmanageable.


Event Log Storage Locations

Windows stores logs in EVTX files.

Default path:

C:\Windows\System32\winevt\Logs\

Examples:

Security.evtx
System.evtx
Application.evtx
Windows PowerShell.evtx
Microsoft-Windows-PowerShell%4Operational.evtx
Microsoft-Windows-TaskScheduler%4Operational.evtx
Microsoft-Windows-Sysmon%4Operational.evtx

The "/" in a channel name (Microsoft-Windows-Sysmon/Operational) becomes "%4" in the file name. Live collectors such as Winlogbeat subscribe to the channels through the Event Log API rather than opening these files; the EVTX files matter when acquiring logs from a disk image or a copied system, where they can be parsed offline with the same tools.
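An added example (not from the original page) that maps the channels discussed above to their EVTX files, reports whether each one is enabled and how large it may grow, enables the Task Scheduler channel if it is off, and reads a copied EVTX file offline. The channel names are the standard ones; the offline file path is an assumption.

```powershell
# Added example. Inventory the channels this page covers, then read an EVTX copy offline.
$channels = 'Security', 'System', 'Application', 'Windows PowerShell',
            'Microsoft-Windows-PowerShell/Operational',
            'Microsoft-Windows-TaskScheduler/Operational',
            'Microsoft-Windows-Sysmon/Operational'

foreach ($c in $channels) {
    # Get-WinEvent -ListLog returns the channel configuration (file path, size, state).
    $log = Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue
    if (-not $log) { [pscustomobject]@{ Channel = $c; Present = $false }; continue }   # e.g. Sysmon not installed
    [pscustomobject]@{
        Channel   = $c
        Present   = $true
        Enabled   = $log.IsEnabled
        File      = $log.LogFilePath          # expands to C:\Windows\System32\winevt\Logs\...
        MaxMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
        Records   = $log.RecordCount
        Retention = $log.LogMode              # Circular logs overwrite: size is the retention window
    }
}

# The Task Scheduler channel is off by default; enable it (administrator required).
$ts = 'Microsoft-Windows-TaskScheduler/Operational'
if (-not (Get-WinEvent -ListLog $ts).IsEnabled) {
    wevtutil set-log $ts /enabled:true
}

# Read an EVTX file acquired from another host with the same cmdlet and an XPath filter.
$copy = 'C:\Cases\host01\Security.evtx'     # assumed path to a copied file
if (Test-Path $copy) {
    Get-WinEvent -Path $copy -FilterXPath '*[System[EventID=4624 or EventID=4625]]' -MaxEvents 10 |
        Select-Object TimeCreated, Id, Message
}
```

The MaxMB and Retention columns are the practical check: a 20 MB circular Security log on a busy server can roll over in hours, so anything not forwarded within that window is lost.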


How Logs Flow Into SIEM

Event logs can be forwarded using:

Winlogbeat → Logstash or Elasticsearch → SIEM
Windows Event Forwarding (WEF) → Windows Event Collector (WEC) server → SIEM agent
Agent-based collection (EDR or SIEM agent) → SIEM
API or direct ingestion

Example Winlogbeat config snippet:

winlogbeat.event_logs:
  - name: Security
  - name: System
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104
  - name: Microsoft-Windows-Sysmon/Operational

Winlogbeat subscribes to each listed channel and ships new events as they are written. Only the listed channels are collected, so Task Scheduler, Defender and similar channels must be added explicitly, and the configuration still needs an output section (Elasticsearch or Logstash) before anything leaves the host.


Why Windows Event Logs Are Critical

Event logs reveal:

  • Authentication behavior

  • Lateral movement attempts

  • Privilege escalation

  • Account creation

  • Malware execution

  • Registry persistence changes

  • File and process anomalies

  • Internal reconnaissance

  • Remote access attempts

Nearly every attacker action on a Windows system generates logs, provided the relevant audit settings and channels are enabled.
Even if the attacker clears the local logs, the clearing itself is recorded (Security 1102, System 104), and the copies already forwarded to the SIEM or WEC server remain.


Practical Example: What Analysts Look For

Brute Force Attempt

Security log:

4625 - Failed logon, many events in a short window from one source address or against one account (the Status/SubStatus fields distinguish a bad password from an unknown account)

Privilege Escalation

Security log:

4672 - Special privileges assigned to new logon (fires for every administrative logon, so it is a pivot on the account and session, not an alert on its own)

Macro Malware Execution

Sysmon Operational log:

Event 1 (process creation): ParentImage winword.exe → Image powershell.exe

Lateral Movement

Security log:

4624 - Logon Type 3 (network) on the target host from a source workstation or account not seen before

Persistence

Task Scheduler Operational log:

Event 106 - Task registered: \Malicious\Backdoor (illustrative task name)
Security log: 4698 - Scheduled task created (when "Audit Other Object Access Events" is enabled)

Correlated, these events reconstruct the attacker's sequence of actions.
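The following is an added example, not code from the original page: three of the checks above run directly against the live Security and Sysmon channels with Get-WinEvent. The 24-hour window, the failure threshold of 20, the Office and shell binary lists and the baseline host names are assumptions to tune per environment.

```powershell
# Added example. Brute force, Office-spawned shells and first-seen network logons,
# queried from the live Security and Sysmon logs.

# Pull one named field out of an event's EventData by parsing the event XML
# (more robust than indexing $_.Properties, whose order differs per event ID).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddHours(-24)    # assumed lookback window

# 1. Brute force: 4625 grouped by source address, sources over the threshold are reported.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object { Get-EventField $_ 'IpAddress' } |
    Where-Object { $_.Count -ge 20 } |
    ForEach-Object {
        $accounts = ($_.Group | ForEach-Object { Get-EventField $_ 'TargetUserName' } | Sort-Object -Unique) -join ','
        [pscustomobject]@{ Check = 'BruteForce'; Source = $_.Name; Failures = $_.Count; Accounts = $accounts }
    }

# 2. Office application spawning a shell: Sysmon event 1, parent/child image names.
$office = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'          # assumed list
$shells = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # GetFileName tolerates an empty value; "$()" keeps a missing field from becoming $null.
        $parent = [IO.Path]::GetFileName("$(Get-EventField $_ 'ParentImage')").ToLower()
        $child  = [IO.Path]::GetFileName("$(Get-EventField $_ 'Image')").ToLower()
        if ($office -contains $parent -and $shells -contains $child) {
            [pscustomobject]@{
                Check = 'OfficeSpawn'; Time = $_.TimeCreated; Parent = $parent; Child = $child
                CommandLine = Get-EventField $_ 'CommandLine'
            }
        }
    }

# 3. Network logons (Type 3) from workstations outside a known baseline.
$knownHosts = 'ADMINJUMP01', 'SCCM01'     # assumed baseline of hosts expected to open sessions here
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '3' } |
    Where-Object {
        $ws = Get-EventField $_ 'WorkstationName'
        $ws -and $ws -ne '-' -and ($knownHosts -notcontains $ws)
    } |
    Select-Object TimeCreated,
        @{ n = 'Check';    e = { 'NewType3Source' } },
        @{ n = 'Account';  e = { Get-EventField $_ 'TargetUserName' } },
        @{ n = 'Source';   e = { Get-EventField $_ 'WorkstationName' } },
        @{ n = 'SourceIP'; e = { Get-EventField $_ 'IpAddress' } }
```

The third check is the weakest of the three as written: WorkstationName is empty for some authentication paths, and a real baseline should be built from weeks of 4624 history rather than a hard-coded list. The SIEM versions of these rules add the cross-host view (the same source failing against many machines) that a single host's logs cannot give.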


Event Log Channels Most SOCs Collect

A SOC normally collects:

  • Security

  • System

  • Application

  • PowerShell (Microsoft-Windows-PowerShell/Operational and the classic Windows PowerShell channel)

  • Sysmon Operational

  • Task Scheduler Operational (must be enabled first)

  • DNS Client (Microsoft-Windows-DNS-Client/Operational, off by default and noisy; Sysmon event 22 is the usual alternative)

  • Kerberos events, which are not a separate channel but Security log events 4768/4769/4771 collected from domain controllers

  • Windows Defender (Microsoft-Windows-Windows Defender/Operational: 1116 detection, 1117 action taken, 5001 real-time protection disabled)

  • Remote Desktop Services (TerminalServices-RemoteConnectionManager/Operational event 1149, LocalSessionManager/Operational events 21, 24, 25)

Together these channels cover the bulk of modern attacker techniques; coverage gaps remain for anything a channel is not configured to audit.


Analyst Workflow With Windows Logs

A SOC analyst typically:

  1. Receives an alert involving a user or host

  2. Opens the Security log for authentication events (4624, 4625, 4672) around the alert time

  3. Checks Sysmon for process execution (event 1, with command line and parent)

  4. Looks for PowerShell activity (4104 script blocks)

  5. Reviews network connections (Sysmon event 3)

  6. Checks for persistence creation (task 106/4698, service 7045, registry via Sysmon 13)

  7. Correlates multiple logs in SIEM

  8. Builds a timeline

Windows logs provide the raw evidence analysts need; the timeline is what turns isolated events into a sequence that can be explained and scoped.
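An added example (not from the original page) of steps 2 to 8 as one script: it pulls a selected set of event IDs from the Security, System, Sysmon, PowerShell and Task Scheduler channels for one host and time window, reduces each event to a one-line summary, and sorts everything into a single timeline. The channel and ID selection, the six-hour default window and the summary wording are assumptions; extend the switch as your environment needs.

```powershell
# Added example. Save as Build-Timeline.ps1 and run:
#   .\Build-Timeline.ps1 -ComputerName HOST01 -Start '2024-01-10 08:00' -End '2024-01-10 12:00' -OutCsv timeline.csv
param(
    [string]$ComputerName = $env:COMPUTERNAME,       # host under investigation
    [datetime]$Start = (Get-Date).AddHours(-6),      # assumed default window
    [datetime]$End   = (Get-Date),
    [string]$OutCsv                                  # optional CSV for the case file
)

# Channel -> event IDs worth placing on a timeline (assumed selection).
$queries = @(
    @{ LogName = 'Security';                                    Id = 4624, 4625, 4672, 4688, 4698, 4720, 1102 }
    @{ LogName = 'System';                                      Id = 7045 }
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational';        Id = 1, 3, 11, 13 }
    @{ LogName = 'Microsoft-Windows-PowerShell/Operational';    Id = 4104 }
    @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106, 140, 200 }
)

# EventData as a name -> value hashtable, parsed from the event XML.
function Get-EventData($e) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    $d
}

# One readable line per event; keyed on channel and ID so IDs never collide across channels.
function Summarize($e) {
    $d = Get-EventData $e
    switch ("$($e.LogName):$($e.Id)") {
        'Security:4624' { "Logon type $($d.LogonType): $($d.TargetDomainName)\$($d.TargetUserName) from $($d.IpAddress) ($($d.WorkstationName))" }
        'Security:4625' { "FAILED logon $($d.TargetUserName) from $($d.IpAddress) status $($d.Status)/$($d.SubStatus)" }
        'Security:4672' { "Special privileges for $($d.SubjectDomainName)\$($d.SubjectUserName)" }
        'Security:4688' { "Process $($d.NewProcessName) by $($d.SubjectUserName)" }
        'Security:4698' { "Scheduled task created $($d.TaskName) by $($d.SubjectUserName)" }
        'Security:4720' { "Account created $($d.TargetUserName) by $($d.SubjectUserName)" }
        'Security:1102' { "AUDIT LOG CLEARED" }
        'System:7045'   { "Service installed $($d.ServiceName) -> $($d.ImagePath)" }
        'Microsoft-Windows-Sysmon/Operational:1'  { "Sysmon proc: $($d.ParentImage) -> $($d.Image) : $($d.CommandLine)" }
        'Microsoft-Windows-Sysmon/Operational:3'  { "Sysmon net: $($d.Image) -> $($d.DestinationIp):$($d.DestinationPort)" }
        'Microsoft-Windows-Sysmon/Operational:11' { "Sysmon file: $($d.Image) wrote $($d.TargetFilename)" }
        'Microsoft-Windows-Sysmon/Operational:13' { "Sysmon reg: $($d.Image) set $($d.TargetObject)" }
        'Microsoft-Windows-PowerShell/Operational:4104' {
            $t = "$($d.ScriptBlockText)" -replace '\s+', ' '
            if ($t.Length -gt 120) { $t = $t.Substring(0, 120) + '...' }
            "ScriptBlock ($($e.LevelDisplayName)): $t"
        }
        'Microsoft-Windows-TaskScheduler/Operational:106' { "Task registered $($d.TaskName) by $($d.UserContext)" }
        'Microsoft-Windows-TaskScheduler/Operational:140' { "Task updated $($d.TaskName) by $($d.UserName)" }
        'Microsoft-Windows-TaskScheduler/Operational:200' { "Task action started $($d.TaskName): $($d.ActionName)" }
        default { ("$($e.Message)" -split "`n")[0] }   # first line of the rendered message
    }
}

$timeline = foreach ($q in $queries) {
    $filter = $q + @{ StartTime = $Start; EndTime = $End }
    # A channel that is absent or empty only produces a non-terminating error; skip it.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Channel = $_.LogName
                Id      = $_.Id
                Summary = Summarize $_
            }
        }
}

$timeline = $timeline | Sort-Object Time
if ($OutCsv) { $timeline | Export-Csv -Path $OutCsv -NoTypeInformation }
$timeline | Format-Table -AutoSize -Wrap
```

Timestamps come from the host clock of each event source; when the timeline mixes hosts (a domain controller's 4769 next to a workstation's Sysmon 1), normalise to UTC before sorting.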


Intel Dump

  • Windows logs record authentication, system activity, application behavior, PowerShell usage, and process execution; what is captured depends on audit policy and on which channels are enabled.

  • Main log channels include Security, System, Application, PowerShell, Task Scheduler (off by default), and Sysmon (if installed).

  • Logs are stored in EVTX files under C:\Windows\System32\winevt\Logs\.

  • Logs reach SIEM via Winlogbeat, WEF, or agents.

  • Windows logs expose brute force attempts, privilege escalation, malware execution, lateral movement, and persistence.

  • SOC analysts rely heavily on Security log, Sysmon, and PowerShell logs for investigations.
