Loopus

Windows Event Log Structure

25 min
theory

Learning Objectives

  • Understand Windows security event log structure
  • Identify critical event IDs for security monitoring
  • Navigate Event Viewer and log configurations

Windows Security Logging Overview

Windows generates rich security telemetry through its event logging system. Understanding this data source is essential for any SOC analyzing Windows environments.

Windows Event Log Architecture

Windows logs events to channels, logical categories of related events. Security, System, and Application are the classic channels (Event Viewer shows them under Windows Logs). Modern Windows adds hundreds more under Applications and Services Logs for specific features and applications, such as Microsoft-Windows-PowerShell/Operational or Microsoft-Windows-TaskScheduler/Operational.

Each event has an Event ID that identifies the event type within its provider, plus a timestamp, the provider (source), the computer that logged it, a level, a task category, keywords such as Audit Success or Audit Failure, and an EventData section of named, event-specific fields (for a logon: the Subject, the Target account, the Logon Type, the Source Network Address). Event IDs are only unique per provider, so always filter on the channel or provider as well as the ID. The Security log alone contains hundreds of distinct Event IDs covering authentication, authorization, policy changes, and more.

Events persist in .evtx files under %SystemRoot%\System32\winevt\Logs (Security.evtx and so on). Retention is governed by each channel's maximum size, which defaults to only 20 MB for the Security log; in the default "overwrite events as needed" mode the oldest events are discarded as soon as the file fills, and a busy server can cycle through that in hours. For security monitoring, raise the size limit and forward events to a central collector (Windows Event Forwarding or an agent) before local logs rotate.
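The following is an added example and not code from the Loopus lesson. It shows the three things just described from a PowerShell prompt: the Security channel's file, size cap and overwrite mode; the System-section properties every event shares; and the named EventData fields of one 4624 event. It assumes an elevated session on Windows 10/Server 2016 or later, and the C:\Cases\host01\Security.evtx path is a placeholder for an exported log.

```powershell
# Added example, not from the Loopus lesson: look at how the Security channel is
# stored and what a single event looks like once you get past the rendered text.
# Assumes an elevated PowerShell session on Windows 10/Server 2016 or later.

# 1. Channel configuration. LogMode 'Circular' means the oldest events are
#    overwritten once FileSize reaches MaximumSizeInBytes.
Get-WinEvent -ListLog Security |
    Select-Object LogName, LogFilePath, LogMode, MaximumSizeInBytes, FileSize, RecordCount, IsEnabled |
    Format-List

# 2. One successful logon (4624). These properties come from the <System> part of
#    the event and exist on every event regardless of provider.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1
$evt |
    Select-Object TimeCreated, Id, ProviderName, MachineName, LevelDisplayName,
                  TaskDisplayName, KeywordsDisplayNames, RecordId, ActivityId |
    Format-List

# 3. The event-specific payload is the <EventData> part: a list of named <Data>
#    elements. Read them by name instead of regexing the Message text, which
#    changes with locale and message-file version.
[xml]$xml = $evt.ToXml()
$fields = [ordered]@{}
foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
$fields | Format-Table -AutoSize

# 4. The same query against an exported or collected .evtx file, which is how
#    forensic analysts and central collectors consume it. Placeholder path.
$evtx = 'C:\Cases\host01\Security.evtx'
if (Test-Path $evtx) {
    Get-WinEvent -FilterHashtable @{ Path = $evtx; Id = 4624 } -MaxEvents 3 |
        Select-Object TimeCreated, Id, MachineName
}

# 5. Which Event IDs dominate the local Security log (newest 5000 records).
Get-WinEvent -FilterHashtable @{ LogName = 'Security' } -MaxEvents 5000 |
    Group-Object Id | Sort-Object Count -Descending | Select-Object -First 10 Name, Count
```

Step 3 is the habit worth forming: the rendered Message text is assembled from a message file at display time, while the Data elements are what the provider actually wrote and are what SIEM parsers and Windows Event Forwarding carry.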

Critical Security Event IDs

Authentication events track logon activity:

4624 - Successful logon. The Logon Type field tells you how the account logged on: 2 interactive (console), 3 network (SMB, RPC, WinRM), 4 batch, 5 service, 7 unlock, 8 NetworkCleartext, 9 NewCredentials (runas /netonly), 10 RemoteInteractive (RDP), 11 CachedInteractive. The event also records the Subject, the Target account, a Logon ID that ties it to later events in the same session, the authentication package (NTLM, Kerberos, Negotiate), and the source workstation and IP address.

4625 - Failed logon. Carries the same context as 4624 plus Status and Sub Status NTSTATUS codes that give the reason: 0xC000006A wrong password, 0xC0000064 user name does not exist, 0xC0000234 account locked out, 0xC0000072 account disabled, 0xC000006F outside permitted logon hours. 4625 is logged on the host that received the attempt; the domain controller that validated the credential records its own view as 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation), so correlate both.

4634/4647 - Logoff events. 4634 is written when a logon session is destroyed, 4647 when the user initiated the logoff. Match them to the 4624 with the same Logon ID to bound session duration.

4648 - Logon using explicit credentials. Written on the originating host when a process presents credentials other than its own, for example runas, net use with /user:, or a scheduled task running as another account. Because it records both the caller and the account whose credentials were used, it is a common marker of lateral movement from a compromised host.

4672 - Special privileges assigned to new logon. Written when a session is granted sensitive privileges such as SeDebugPrivilege, SeTcbPrivilege or SeBackupPrivilege; in practice every administrator logon produces one. It is noisy for SYSTEM and service accounts, so baseline those and alert on unexpected user accounts.

Account management events track changes. Each records a Subject (who made the change) and a Target (the account or group changed):

4720 - User account created
4722 - User account enabled
4724 - Password reset attempted by another user (an administrator or attacker, not the owner)
4725 - User account disabled
4726 - User account deleted
4728/4732/4756 - Member added to a security-enabled global, local, or universal group respectively (4729/4733/4757 are the matching removals)
4738 - User account changed
4740 - User account locked out

Process tracking events show execution:

4688 - A new process has been created. Records the new process name, the creator (parent) process, the Token Elevation Type, and the account it runs as. The full command line is included only when the "Include command line in process creation events" policy is enabled; without it the event tells you that cmd.exe ran but not what it ran.
4689 - A process has exited. Matched to its 4688 by Process ID and Logon ID.
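The following is an added example and not code from the Loopus lesson. It reads 4625 and 4688 events through their named EventData fields and runs two simple detections over them: a source address failing against many accounts or many times, and an Office or browser process spawning a shell. It assumes an elevated PowerShell 5.1 or later session on Windows 10/Server 2016 or later with logon-failure and process-creation auditing enabled; the thresholds and the parent/child process lists are arbitrary starting points, not tuned values.

```powershell
# Added example, not from the Loopus lesson: flatten 4625 and 4688 events into
# objects by reading the named <Data> fields, then run two simple detections.
# Assumes an elevated session on Windows 10/Server 2016 or later with Logon
# failure and Process Creation auditing enabled. Thresholds are arbitrary.

$LogonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
# Sub Status NTSTATUS codes that explain why a 4625 failed.
$FailureReasons = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000071' = 'Password expired'
}

# Return the <EventData> section of a record as a hashtable keyed by field name.
# Parsing the XML is more robust than regex over the rendered Message text.
function Get-EventData {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    [xml]$x = $Event.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    return $d
}

$since = (Get-Date).AddHours(-24)

# --- 4625: failed logons in the last 24 hours --------------------------------
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $LogonTypes[[int]$d.LogonType]
            Source      = $d.IpAddress
            Workstation = $d.WorkstationName
            Reason      = $FailureReasons["$($d.SubStatus)".ToLower()]
            Process     = $d.ProcessName
        }
    }

# Detection 1: one source address hitting many accounts (spraying) or one
# account many times (brute force). '-' is what Windows writes when the
# address is unknown, for example for local console attempts.
$failed |
    Where-Object { $_.Source -and $_.Source -ne '-' } |
    Group-Object Source |
    ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
            TopReason     = ($_.Group.Reason | Group-Object | Sort-Object Count -Descending | Select-Object -First 1).Name
        }
    } |
    Where-Object { $_.Failures -ge 20 -or $_.DistinctUsers -ge 5 } |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize

# --- 4688: process creation ----------------------------------------------------
# CommandLine is empty unless "Include command line in process creation events"
# is enabled; ParentProcessName needs Windows 10 / Server 2016 or later.
# Detection 2: Office or browser processes spawning a shell, a classic
# macro / phishing-lure execution pattern.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Parent      = $d.ParentProcessName
            Process     = $d.NewProcessName
            CommandLine = $d.CommandLine
        }
    } |
    Where-Object { $_.Parent -match 'winword|excel|powerpnt|outlook|msedge|chrome|firefox' -and
                   $_.Process -match 'cmd\.exe$|powershell\.exe$|wscript\.exe$|cscript\.exe$|mshta\.exe$' } |
    Format-Table -AutoSize
```

Run it on a lab host after a few deliberate bad logons and a macro-style test (Word launching cmd.exe) to see both detections fire; on a real fleet the same logic belongs in the SIEM over forwarded events, with the thresholds set from a baseline rather than the numbers above.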

Configuring Audit Policies

Windows does not log all events by default. Audit policies control what generates Security log entries.

Audit settings are configured through Local Security Policy (secpol.msc), Group Policy, or the auditpol.exe command line. Advanced Audit Policy Configuration replaces the nine coarse legacy categories with more than fifty subcategories, each auditable for success, failure, or both. When you use it, also enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so the legacy category settings cannot silently clobber the subcategory configuration.

For security monitoring, enable at minimum: Logon/Logoff (Logon, Logoff, Special Logon, Account Lockout), Account Management (User Account Management, Security Group Management), Detailed Tracking > Process Creation together with command-line inclusion, and the Object Access subcategories that cover your sensitive resources. Note that Object Access auditing only produces events (4656, 4663) for objects that also carry a SACL; enabling the subcategory alone logs nothing.
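The following is an added example and not configuration from the Loopus lesson. It applies the minimum policy described above on a single host with auditpol.exe and the registry values behind the corresponding Group Policy settings, raises the Security log size, puts a SACL on one folder so Object Access auditing actually fires, and then verifies the result. It assumes an elevated PowerShell session; C:\Sensitive is a placeholder path. On domain-joined hosts make the same changes through Group Policy instead, because local auditpol and registry edits are overwritten at the next policy refresh.

```powershell
# Added example, not from the Loopus lesson: enable the minimum audit policy on
# one host and verify it. Run elevated. On domain-joined machines use the
# equivalent Group Policy settings; local changes are overwritten by GPO refresh.

# Let Advanced Audit Policy subcategories override the legacy categories
# (GPO: "Audit: Force audit policy subcategory settings ... to override ...").
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Logon/Logoff: 4624/4625, 4634/4647, 4672, 4740
auditpol /set /subcategory:"Logon"           /success:enable /failure:enable
auditpol /set /subcategory:"Logoff"          /success:enable
auditpol /set /subcategory:"Special Logon"   /success:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

# Account Management: 4720-4740 and group membership changes
auditpol /set /subcategory:"User Account Management"    /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management"  /success:enable /failure:enable

# Detailed Tracking: 4688/4689
auditpol /set /subcategory:"Process Creation" /success:enable

# Object Access: only fires for objects that also carry a SACL (see below)
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Include the full command line in 4688 (GPO: Computer Configuration >
# Administrative Templates > System > Audit Process Creation).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Raise the Security log from the 20 MB default to 1 GB so events survive
# long enough to be forwarded. Size in bytes.
wevtutil sl Security /ms:1073741824

# Put a SACL on a sensitive folder so writes and deletes by anyone produce
# 4663 events. Placeholder path; scope the identity and rights to your case.
$target = 'C:\Sensitive'
if (Test-Path $target) {
    $acl  = Get-Acl -Path $target -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'Write,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $target -AclObject $acl
}

# Verify: effective subcategory settings, command-line flag, and log size.
auditpol /get /category:*
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled'
wevtutil gl Security
```

After applying this, open a new process and confirm the resulting 4688 shows a Process Command Line value; if it is empty, the registry value is set but the policy has not been reloaded yet, or a domain GPO has reverted it.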

Answer the Questions

  • What Windows log channels exist?
  • What is the Windows log viewer command?
  • How are events structured?
  • What format stores individual Windows events?