Evidence: Event Log EVT Records
Description: Collect most recent event log records
Category: EventLogs
Platform: windows
Short Name: evtr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows event logs (EVTX/EVT) capture system, security, and application events. This data is essential for detection and incident response.
Data Collected
This collector gathers structured data about the most recent event log (EVT/EVTX) records.
Collection Method
This collector loads an event configuration, locates the EVTX file for each configured channel, and parses the most recent events that match the configured filters, storing a summary together with the individual event data rows.
Forensic Value
This evidence is crucial for forensic investigations to reconstruct timelines, detect attacks, and analyze security-relevant events.