This chapter covers Windows Event Log analysis, a core skill for Security+ SY0-701 under Domain 4.0 (Security Operations), Objective 4.9: 'Explain the importance of log management and analysis.' Mastering event log analysis is crucial for detecting security incidents, performing forensic investigations, and ensuring compliance. You will learn the structure of Windows logs, key Event IDs, analysis techniques, and how to defend against log tampering.
Jump to a section
Imagine a large office building with a state-of-the-art security camera system. Every door, hallway, and server room has cameras recording 24/7. The security team can review footage to see who entered, when, and what they did. However, the system records everything—thousands of hours of video daily. If a theft occurs, the team must know exactly which camera to check, what time to look at, and what specific behavior to search for (e.g., someone entering a restricted room at 2 AM). Without proper indexing (timestamps) and search tools, finding the relevant clip is like finding a needle in a haystack. Additionally, if an attacker disables the camera or erases footage, the investigation is blind. In Windows Event Log analysis, the logs are the cameras, Event IDs are the timestamps and locations, and log management tools (like Event Viewer or PowerShell) are the search and playback controls. Attackers often clear logs (erase footage) to hide their tracks, so defenders must forward logs to a central system (SIEM) that attackers cannot easily tamper with. This analogy helps understand why event logs are critical for forensic investigation and why log integrity is paramount.
What is Windows Event Log Analysis?
Windows Event Logs are the primary source of forensic data on Windows systems. Every action—user logon, process creation, service start, registry modification—can generate an event. The Security log is especially important because it records security-relevant events like logon attempts, privilege use, and audit policy changes. SY0-701 expects you to know how to interpret these logs to detect malicious activity.
How Windows Event Logging Works Mechanically
Windows uses the Event Tracing for Windows (ETW) framework to generate logs. When an auditable action occurs (e.g., a user logs on), the Security Reference Monitor (SRM) checks the audit policy. If auditing is enabled for that action, an event is written to the Security log. Each event contains: - Event ID: A numeric identifier (e.g., 4624 for successful logon). - Level: Information, Warning, Error, Critical. - Task Category: e.g., Logon, Account Management. - Keywords: e.g., Audit Success, Audit Failure. - Source: The provider that generated the event (e.g., Microsoft-Windows-Security-Auditing). - User: The account that performed the action. - Computer: The hostname. - Description: Detailed information in XML format.
The default log locations are: - Application: C:\Windows\System32\winevt\Logs\Application.evtx - Security: C:\Windows\System32\winevt\Logs\Security.evtx - System: C:\Windows\System32\winevt\Logs\System.evtx - Setup: C:\Windows\System32\winevt\Logs\Setup.evtx - Forwarded Events: Used when logs are collected from other systems.
Key Event IDs for Security+ (SY0-701)
Memorize these Event IDs—they appear on the exam:
4624: Successful logon. Key fields: Logon Type (2=Interactive, 3=Network, 10=RemoteInteractive), Account Name, Source Network Address.
4625: Failed logon. Indicates brute-force attempts.
4634: Logoff.
4648: Logon with explicit credentials (e.g., RunAs).
4672: Special privileges assigned to new logon (admin logon).
4688: A new process has been created. Key field: CommandLine (if enabled). Critical for detecting malware execution.
4689: A process has exited.
4698: A scheduled task was created. Attackers use tasks for persistence.
4700: A scheduled task was enabled.
4702: A scheduled task was updated.
4719: System audit policy was changed.
4720: A user account was created.
4722: A user account was enabled.
4724: Attempt to reset an account's password.
4728: A member was added to a security-enabled global group.
4732: A member was added to a security-enabled local group.
4756: A member was added to a security-enabled universal group.
4771: Kerberos pre-authentication failed.
4776: The domain controller attempted to validate credentials for an account. Used to detect credential stuffing.
4798: A user's local group membership was enumerated.
4799: A security-enabled local group membership was enumerated.
5140: A network share object was accessed.
5145: A network share object was accessed (detailed).
5156: The Windows Filtering Platform has allowed a connection.
5157: The Windows Filtering Platform has blocked a connection.
7036: Service state change (started/stopped). Attackers may stop security services.
7045: A service was installed in the system. Persistence mechanism.
How Attackers Exploit and Defenders Deploy
Attackers know that logs are their enemy. Common techniques to evade detection:
- Clearing Event Logs: Using wevtutil cl Security or Clear-EventLog -LogName Security. This generates Event ID 1102 (Security log cleared). Defenders should monitor for 1102.
- Disabling Auditing: Changing audit policy via auditpol /set /subcategory:"Logon" /success:disable /failure:disable. Generates 4719.
- Overwriting Logs: By default, Windows overwrites old logs when the log reaches maximum size (20 MB by default). Attackers can fill logs with noise to push out evidence.
- Stopping Event Log Service: Stopping the Windows Event Log service (EventLog) prevents logging. This generates Event ID 7036 (service stopped). Defenders should alert on EventLog service changes.
Defenders deploy:
- Centralized Logging: Forward logs to a SIEM (e.g., Splunk, ELK) using Windows Event Forwarding (WEF) or agents. This preserves evidence even if local logs are cleared.
- Log Size and Retention: Increase log size (e.g., to 1 GB) and set retention policy (archive/overwrite as needed).
- Audit Policy Configuration: Use Advanced Audit Policy (via auditpol or GPO) to enable detailed logging like Process Creation (include command line) and Account Logon.
- Event ID Monitoring: Create alerts for critical Event IDs (e.g., 1102, 4719, 4720, 7045).
Real Command/Tool Examples
To view logs:
Get-WinEvent -LogName Security -MaxEvents 10To filter for specific Event ID:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 10To export logs:
wevtutil epl Security C:\backup\Security.evtxTo clear logs (requires admin):
wevtutil cl SecurityTo check audit policy:
auditpol /get /category:*To enable command line logging in process creation:
auditpol /set /subcategory:"Process Creation" /success:enableThen enable the policy via GPO: Administrative Templates > System > Audit Process Creation > Include command line in process creation events.
Standards and RFCs
While Windows Event Logs are proprietary, they align with common log management standards: - NIST SP 800-92: Guide to Computer Security Log Management. - ISO 27001: Requires logging and monitoring. - PCI DSS: Requirement 10 mandates audit trails.
SY0-701 does not test specific RFCs for event logs, but understanding these standards helps in scenario questions about compliance.
Enable Advanced Audit Policy
First, configure audit policy to capture necessary events. Use Group Policy or `auditpol` to enable detailed logging. For Security+, you need to know how to enable 'Process Creation' with command line, 'Account Logon', and 'Object Access'. Example: `auditpol /set /subcategory:"Process Creation" /success:enable`. This ensures events like 4688 include the full command line, which is critical for detecting malicious PowerShell or script execution. Without this, process creation events show only the executable name, not arguments.
Collect Logs Centrally
Configure Windows Event Forwarding (WEF) or deploy a SIEM agent to send logs to a central collector. This step is vital because if an attacker compromises a system and clears logs locally, the forwarded logs remain intact. In a SOC, analysts view logs from a SIEM dashboard. For the exam, remember that centralized logging is a defense against log tampering. The collector should use a separate secure channel (e.g., WinRM over HTTPS) to prevent interception.
Monitor Critical Event IDs
Set up alerts for high-priority Event IDs. For example, Event ID 1102 (Security log cleared) is a strong indicator of an attacker covering tracks. Event ID 4719 (audit policy change) may indicate an attacker disabling logging. Event ID 4720 (new user created) can signal account creation for persistence. Event ID 7045 (service installed) often indicates malware installation. In a SOC, these alerts trigger investigation. The exam may present a scenario where you must choose which Event ID to investigate for a specific attack.
Correlate Events Across Systems
Combine logs from multiple sources—domain controllers, workstations, servers—to reconstruct an attack timeline. For example, a failed logon (4625) on a workstation, followed by a successful logon (4624) from the same IP, then a process creation (4688) of `powershell.exe` with an encoded command, and finally a service installation (7045) indicates a likely compromise. Use SIEM correlation rules to connect these events. The exam tests your ability to identify attack patterns from log snippets.
Retain and Archive Logs
Set log retention policies to meet compliance and forensic needs. By default, Windows logs overwrite after reaching size limit (20 MB). Increase size to 1 GB or more and configure archival (e.g., archive when full). Use centralized storage to retain logs for months or years. For Security+, understand that retention periods are often mandated by regulations (e.g., PCI DSS requires 1 year). In a forensic investigation, old logs can reveal long-term persistence mechanisms like scheduled tasks.
Scenario 1: Detecting a Pass-the-Hash Attack
A SOC analyst sees multiple Event ID 4625 (failed logon) from a single source IP against multiple accounts, followed by a successful 4624 with Logon Type 3 (network). Then Event ID 4648 (logon with explicit credentials) appears, indicating the attacker used harvested credentials to authenticate to a server. The analyst uses a SIEM to correlate these events. The correct response is to isolate the compromised account, force password reset, and check for lateral movement. A common mistake is focusing only on failed logons and ignoring the successful 4624, missing the actual compromise.
Scenario 2: Ransomware Execution
An endpoint generates Event ID 4688 with command line powershell.exe -EncodedCommand <base64>. Shortly after, many files are modified (Event ID 4663 for file writes). The analyst identifies the encoded command as a download cradle for ransomware. The analyst should immediately isolate the host from the network, block the PowerShell execution policy via GPO, and check for persistence (Event ID 7045 for service install). A mistake is to ignore the encoded command because it looks benign; always decode and inspect.
Scenario 3: Insider Threat - Data Exfiltration
An employee copies large amounts of data to a USB drive. This generates Event ID 4663 (file access) with access mask indicating Write or Read, and Event ID 4656 (handle to object requested). The analyst sees unusual volume of file reads from a sensitive share (Event ID 5140 for share access). The correct response is to verify with the employee's manager, review HR policies, and possibly disable the account. A common mistake is to assume all file access is normal; baseline user behavior to spot anomalies.
What SY0-701 Tests on This Objective
Objective 4.9 covers log management and analysis, specifically:
Types of logs: Security, System, Application, DNS, Firewall, etc.
Key log elements: timestamp, source IP, user, Event ID, severity.
Log retention and archival requirements.
Centralized logging and SIEM.
Log analysis for incident detection.
Most Common Wrong Answers and Why
Choosing 'Event Viewer' as the only analysis tool: Many candidates think Event Viewer is sufficient, but the exam expects you to know that centralized logging (SIEM) is essential for enterprise environments.
Confusing Event IDs: Mistaking 4624 (success) for 4625 (failure) or vice versa. Remember: 4624 = success, 4625 = failure.
Ignoring log clearing: Candidates may overlook Event ID 1102 as an indicator of compromise, focusing instead on other events.
Assuming all logs are enabled by default: Many audit policies are not enabled by default (e.g., process command line). Candidates must know that advanced audit policy must be configured.
Specific Terms and Acronyms
EVTX: Windows XML Event Log file format.
WEF: Windows Event Forwarding.
SIEM: Security Information and Event Management.
Event ID: Numeric identifier for events (e.g., 4624).
Logon Type: Numeric code for logon method (2=interactive, 3=network, 10=remote interactive).
Common Trick Questions
Question: 'Which log would you check for a failed logon?' Answer: Security log, not System or Application.
Question: 'What Event ID indicates a service was installed?' Answer: 7045, not 7036 (service started/stopped).
Question: 'What is the first sign of log tampering?' Answer: Event ID 1102 (log cleared).
Decision Rule for Eliminating Wrong Answers
When given a scenario, identify the attack type first (e.g., brute force, privilege escalation). Then map to the relevant Event ID(s). Eliminate answers that:
Refer to the wrong log type (e.g., System log for security events).
Use incorrect Event IDs (e.g., 4624 for failed logon).
Suggest manual review without centralized logging (not scalable).
Ignore the importance of log retention or forwarding.
Event ID 4624 = successful logon; 4625 = failed logon.
Event ID 1102 indicates the Security log was cleared (tampering).
Event ID 4688 (process creation) can include command line if enabled via auditpol.
Event ID 7045 indicates a new service was installed (persistence).
Event ID 4719 indicates audit policy change (possible defense evasion).
Centralized logging via WEF or SIEM protects against log tampering.
Default Security log size is 20 MB; increase for forensic readiness.
These come up on the exam all the time. Here's how to tell them apart.
Windows Event Log (EVTX)
Native to Windows, no extra installation
Limited granularity without advanced audit policy
Event IDs cover broad categories (logon, process, etc.)
Can be cleared or overwritten locally
Stored in .evtx files in C:\Windows\System32\winevt\Logs
Sysmon Logs
Requires installation of Sysinternals Sysmon
Provides detailed process, network, and file system events
Event IDs are Sysmon-specific (e.g., 1 for process creation, 3 for network connection)
Logs to the same Windows Event Log but with richer data
Often used in conjunction with SIEM for advanced threat detection
Mistake
Event Viewer shows all available logs.
Correct
Event Viewer only shows logs that are enabled and within size limits. Many advanced audit policies are disabled by default, and logs may be overwritten if size limit is reached.
Mistake
Clearing the Security log removes all evidence.
Correct
Clearing the log generates Event ID 1102, which itself is evidence of tampering. Additionally, forwarded logs or backups may preserve the original data.
Mistake
Event ID 4625 always means a brute-force attack.
Correct
4625 can occur due to legitimate mistakes (e.g., user typing wrong password). Correlation with volume and source IP is needed to confirm brute force.
Mistake
The System log contains security events.
Correct
Security events are in the Security log. The System log contains driver, service, and hardware events.
Mistake
All Windows systems log process command lines by default.
Correct
Process creation events (4688) do not include command line by default. You must enable 'Include command line in process creation events' via GPO or auditpol.
Event ID 4624 is a successful logon event. It is important for tracking who accessed a system and when. Key fields include Logon Type (2=interactive, 3=network, 10=remote interactive), Account Name, and Source Network Address. For Security+, you should be able to identify 4624 in a log snippet and understand that multiple 4624s from the same IP across accounts may indicate lateral movement.
Look for multiple Event ID 4625 (failed logon) events in a short time from the same source IP against different usernames. A successful 4624 after many 4625s indicates a successful brute force. You can use PowerShell to count events: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | Group-Object IpAddress`.
4720 is a user account created, while 4722 is a user account enabled. Both are account management events. 4720 indicates new account creation (potential persistence), while 4722 indicates an existing disabled account was re-enabled (possible compromise).
Use `auditpol /set /subcategory:"Process Creation" /success:enable` and then enable the GPO setting 'Include command line in process creation events' under Administrative Templates > System > Audit Process Creation. After this, Event ID 4688 will include the full command line.
Event ID 1102 means the Security log was cleared. This is a strong indicator of an attacker covering tracks. Immediately preserve any remaining logs, check for other signs of compromise (e.g., new accounts, services), and investigate the account that performed the clear (usually SYSTEM or an admin). Ensure logs are being forwarded to a central system.
They are stored in C:\Windows\System32\winevt\Logs with .evtx extension. The Security log is Security.evtx, System log is System.evtx, etc.
Use `wevtutil epl Security C:\backup\Security.evtx` to export the Security log to a file. Alternatively, use PowerShell: `Get-WinEvent -LogName Security | Export-Csv C:\backup\Security.csv`.
You've just covered Windows Event Log Analysis — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?