Windows Event Records and How They Are Handled

Overview

AIR can collect Windows Event Log records and present them as structured, searchable evidence in the Investigation Hub. This page explains how event log records are collected, parsed, and stored for analysis.

What Gets Collected

Event log records are parsed from the Windows EVTX/EVT channel files using the event log configuration defined by the platform, which determines the channels in scope. The result is structured data (one row per event record) rather than a copy of the raw log files.

If you need the raw EVTX files instead of parsed records (for example, to preserve the original files as evidence or to re-parse them with other tooling), use the Event Log EVTX Files collector.

How AIR Processes Event Log Records

  1. Loads event log configuration that defines which channels are in scope.

  2. Locates EVTX/EVT channel files on the asset.

  3. Parses recent events, applying the configured filters to reduce noise and focus on relevant records. Events outside the configured channels, time window, or filters are not collected as records.

  4. Normalizes the records into structured rows for analysis.

  5. Stores the results in the case database and sends them to the Investigation Hub.
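The following PowerShell script is an added example, not AIR's own code, that reproduces the five steps above on a single Windows host so you can see what the pipeline produces and compare it with what appears in the Investigation Hub. The channel list, the seven-day window, the event ID filters, and the CSV output path are illustrative choices, not AIR's configuration; the CSV stands in for the case database.

```powershell
# Added example (not AIR's code): replicate the event log pipeline on one host.
# Channels, window, event IDs and output path below are assumed, illustrative values.
$Channels  = @('Security', 'System', 'Microsoft-Windows-PowerShell/Operational')
$StartTime = (Get-Date).AddDays(-7)
$EventIds  = @{
    'Security' = @(4624, 4625, 4688, 4720, 1102)
    'System'   = @(7045, 104)
    'Microsoft-Windows-PowerShell/Operational' = @(4104)
}
$OutFile = Join-Path $env:TEMP 'evtx_records.csv'

# Steps 1 and 2: resolve each in-scope channel to its EVTX file and confirm it exists.
$inScope = foreach ($ch in $Channels) {
    $cfg = Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue
    if (-not $cfg) { Write-Warning "Channel not present: $ch"; continue }
    $path = [Environment]::ExpandEnvironmentVariables($cfg.LogFilePath)
    if (-not (Test-Path $path)) { Write-Warning "File missing for ${ch}: $path"; continue }
    [pscustomobject]@{ Channel = $ch; Path = $path; Records = $cfg.RecordCount }
}

# Step 3: read recent events with a filter applied by the event log service
# (time window plus event IDs) instead of pulling whole channels and filtering later.
$rows = foreach ($c in $inScope) {
    $filter = @{ LogName = $c.Channel; StartTime = $StartTime }
    if ($EventIds.ContainsKey($c.Channel)) { $filter['Id'] = $EventIds[$c.Channel] }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Step 4: normalize each record into a flat row. EventData is taken from the
    # event XML because the .Properties array is positional and differs per event ID.
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            TimeCreatedUtc = $e.TimeCreated.ToUniversalTime().ToString('o')
            Channel        = $e.LogName
            RecordId       = $e.RecordId
            EventId        = $e.Id
            Provider       = $e.ProviderName
            Computer       = $e.MachineName
            UserSid        = $e.UserId
            EventData      = ($data.GetEnumerator() | Sort-Object Key |
                              ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';'
        }
    }
}

# Step 5: persist the structured rows (a CSV here stands in for the case database).
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
'{0} records from {1} channels written to {2}' -f @($rows).Count, @($inScope).Count, $OutFile
```

Run it from an elevated session: reading the Security channel requires administrator rights, and Get-WinEvent returns nothing for it otherwise. Channels that use UserData instead of EventData (some Microsoft-Windows-* providers) still produce a row, but with an empty EventData column, because the script only flattens named EventData elements.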

Where Results Appear

Parsed event log records are available in the Investigation Hub under the Event Logs evidence category, where investigators can search, filter, and correlate them alongside other collected artifacts such as process, file system, and network evidence from the same asset.

Why This Matters

Event log records provide system, security, and application signals that are critical for timelines, detection, and incident response. By parsing and normalizing these records, AIR makes them easier to analyze at scale.
