Event Logs

Overview

Evidence: Event Logs
Description: Collect Event Logs
Category: System
Platform: Windows
Short Name: eventlog
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows Event Logs provide comprehensive records of system events, security events, and application activities. These logs are essential for understanding system behavior, detecting security incidents, and reconstructing timelines of events on Windows systems.

Data Collected

This collector gathers structured data about event records, aggregated per channel, provider and event ID.

Event Records Data

Field          Description                     Example
ID             Primary key (auto-increment)    1
Channel        Event log channel               Security
ProviderName   Event provider name             Microsoft-Windows-Security-Auditing
EventID        Event ID                        4624
Description    Event description               An account was successfully logged on
TotalCount     Total event count               150

Collection Method

This collector parses the necessary data and stores it in the event_logs table (the fields listed under Data Collected).

It reads the event log files from the following location:

  • C:\Windows\System32\winevt\Logs\

As stated in the Overview (Collect File(s): No), the log files at this location are parsed on the endpoint; the raw files themselves are not collected.

Usage

This evidence is crucial for forensic investigations as it provides comprehensive Windows system activity records. It helps investigators detect system-level attacks, analyze security events, and reconstruct system incidents. The data can reveal authentication failures, privilege escalations, and unauthorized system modifications. Analysts can use this information to identify system compromises, trace malicious activities, and assess Windows security posture. Because the parsed fields are counts per channel, provider and event ID, they are best used to see which event types occurred and how often (a spike in one ID, or a single occurrence of one that should never appear); per-record timestamps needed for a timeline come from the underlying log records.
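As an added example (not the collector's own code), the PowerShell script below rebuilds the same Channel / ProviderName / EventID / Description / TotalCount summary from the .evtx files under the location listed in Collection Method, then prints a triage view of a few well-known Security and System event IDs. The output path, the $TriageIds list and the use of the first message line as the description are this example's own assumptions; reading Security.evtx requires an elevated session.

```powershell
# Added example, not part of the collector. Summarises .evtx files the way the
# event_logs table does (one row per Channel/Provider/EventID with a count),
# then flags a handful of IDs an analyst checks first.
# Assumptions: elevated session; $LogDir/$OutCsv/$TriageIds are example values.
param(
    [string]$LogDir = 'C:\Windows\System32\winevt\Logs',
    [string]$OutCsv = "$env:TEMP\eventlog_summary.csv"
)

# Example triage list (well-known IDs, not something the collector defines).
$TriageIds = @{
    1102 = 'Audit log cleared'
    4625 = 'Failed logon'
    4672 = 'Special privileges assigned to new logon'
    4720 = 'User account created'
    4732 = 'Member added to security-enabled local group'
    7045 = 'Service installed'
}

$rows = @{}   # key = "channel|provider|id" -> summary row

Get-ChildItem -Path $LogDir -Filter '*.evtx' -File | ForEach-Object {
    $file = $_.FullName
    try {
        # -Oldest reads the file front to back. An empty log makes Get-WinEvent
        # throw "No events were found", which the catch below turns into a warning.
        Get-WinEvent -Path $file -Oldest -ErrorAction Stop | ForEach-Object {
            $key = '{0}|{1}|{2}' -f $_.LogName, $_.ProviderName, $_.Id
            if (-not $rows.ContainsKey($key)) {
                # Description = first line of the rendered message. Message is
                # empty when the provider's manifest is not installed on this host.
                $desc = if ($_.Message) { ($_.Message -split "`r?`n")[0].Trim() } else { '' }
                $rows[$key] = [pscustomobject]@{
                    Channel      = $_.LogName
                    ProviderName = $_.ProviderName
                    EventID      = $_.Id
                    Description  = $desc
                    TotalCount   = 0
                }
            }
            $rows[$key].TotalCount++
        }
    } catch {
        # Unreadable or empty log: report it and keep going; do not abort the run.
        Write-Warning ('{0}: {1}' -f $file, $_.Exception.Message)
    }
}

$summary = $rows.Values |
    Sort-Object @{Expression = 'Channel'}, @{Expression = 'TotalCount'; Descending = $true}
$summary | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host ('{0} distinct Channel/Provider/EventID rows written to {1}' -f $summary.Count, $OutCsv)

# Triage view: only IDs from the list above, highest counts first. A non-zero
# count for 1102 or a large count for 4625 is what you want to see immediately.
$summary |
    Where-Object { $TriageIds.ContainsKey([int]$_.EventID) } |
    Select-Object Channel, EventID,
        @{ n = 'Meaning'; e = { $TriageIds[[int]$_.EventID] } },
        TotalCount |
    Sort-Object TotalCount -Descending |
    Format-Table -AutoSize
```

Run it as `.\Summarize-EventLogs.ps1` from an elevated prompt; point `-LogDir` at a directory of exported .evtx files to run the same summary against logs copied off another host.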

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.
