LetsDefend Academy

Online practicing and training platform for blue team members

Introduction to Event Log

Event Log

During an investigation, event logs are examined because they hold a comprehensive record of activity on the system. The "Event Viewer" tool can be used to examine these logs directly.

Event log analysis often makes it possible to obtain the following evidence:
- Service start and stop
- RDP activity
- Changes to user privileges
- Failed login activity

These actions are among the most basic ones seen in almost any cyber attack, which is why event log analysis is essential for finding the root cause of an attack.
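An added example (not part of the LetsDefend material) showing how each of the four evidence types listed above can be pulled from a Windows host with PowerShell's Get-WinEvent cmdlet, which reads the same logs Event Viewer displays. The event IDs used are the standard Windows IDs for these actions (7036 for service state changes, 4624 with logon type 10 for RDP logons, 4728/4732/4756 for group membership additions, 4625 for failed logons); they are not values taken from this page, and the function names are my own.

```powershell
# Added example: collecting the four evidence types listed above from the
# local Windows event logs with Get-WinEvent. Event IDs are standard Windows
# IDs (assumed here, not taken from the page).

# Helper: read a named field from an event's EventData section via its XML form.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Service start/stop: System log, Service Control Manager event 7036
#    ("The X service entered the running/stopped state").
function Get-ServiceStateChanges {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# 2. RDP activity: Security log, successful logon (4624) whose LogonType is 10
#    (RemoteInteractive, i.e. a Remote Desktop session).
function Get-RdpLogons {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField -Event $_ -Name 'LogonType') -eq '10' } |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = Get-EventField -Event $_ -Name 'TargetUserName'
                SourceIp = Get-EventField -Event $_ -Name 'IpAddress'
            }
        }
}

# 3. Changes to user privileges: a member added to a security-enabled group
#    (4728 global, 4732 local, 4756 universal). Additions to groups such as
#    Administrators are the ones worth reviewing first.
function Get-PrivilegeChanges {
    param([int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Member = Get-EventField -Event $_ -Name 'MemberName'
                Group  = Get-EventField -Event $_ -Name 'TargetUserName'
                By     = Get-EventField -Event $_ -Name 'SubjectUserName'
            }
        }
}

# 4. Failed logons: Security log event 4625, grouped by account and source
#    address so that repeated failures against one account stand out.
function Get-FailedLogonSummary {
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                User     = Get-EventField -Event $_ -Name 'TargetUserName'
                SourceIp = Get-EventField -Event $_ -Name 'IpAddress'
            }
        } |
        Group-Object User, SourceIp |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage: run from an elevated PowerShell session, because reading the
# Security log requires administrator rights.
Get-ServiceStateChanges  | Format-Table -AutoSize
Get-RdpLogons            | Format-Table -AutoSize
Get-PrivilegeChanges     | Format-Table -AutoSize
Get-FailedLogonSummary   | Format-Table -AutoSize
```

The -FilterHashtable parameter lets the event log service do the filtering by log name and event ID before records reach PowerShell, which is much faster than piping every event through Where-Object; fields that live inside EventData (logon type, target user, source IP) are not filterable that way, so the helper reads them from the event's XML after the coarse filter.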

Windows systems have three main event logs: Application, System and Security.

Application

It holds log records related to the applications on the system. For example, errors reported by an antivirus application running on the system can be found here.

Another example is the log generated by edgeupdate:

System

This is where logs created by the core components of the operating system are kept. For example, logs for driver load and unload operations can be found here.

Security

Records regarding authentication and security are kept here. This is the log we will focus on most during the training.