Analyzing Windows event logs is a detailed process. One challenge responders often encounter is the sheer number of log entries they may have to analyze during an incident. When multiple systems are involved, the responder may have to contend with millions of separate event log entries. Reducing them to a manageable set requires specialized tools and processes, starting with acquisition, moving into triage, and then, finally, focusing the analysis on the key event logs that are pertinent to the incident investigation.
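As an added example of the acquisition-then-triage workflow described above (this is not code from the chapter), the PowerShell below exports selected channels from a live host with the built-in `wevtutil` utility, hashes each exported file so the copy can later be shown to be unaltered, and then runs a first triage pass over the exported files rather than the live logs. The triage folder, the channel list, the seven-day window and the event ID set are all assumptions chosen for illustration, not values from the text.

```powershell
# Added example, not from the chapter. Assumed values: triage folder, channel
# list, time window and event ID set. Run from an elevated PowerShell session.
$TriageDir = 'C:\IR\triage'   # assumed evidence folder on the host
New-Item -ItemType Directory -Path $TriageDir -Force | Out-Null

# 1. Acquisition: export each channel to an .evtx file with wevtutil epl.
#    Channel names containing '/' are flattened so they can be used as file names.
$Channels = 'Security', 'System', 'Microsoft-Windows-PowerShell/Operational'
foreach ($log in $Channels) {
    $out = Join-Path $TriageDir (($log -replace '[\\/]', '_') + '.evtx')
    wevtutil epl $log $out
    # Record a SHA-256 for each export so analysis can prove the copy is unchanged.
    Get-FileHash -Algorithm SHA256 -Path $out |
        Select-Object Hash, Path |
        Export-Csv -Path (Join-Path $TriageDir 'hashes.csv') -Append -NoTypeInformation
}

# 2. Triage: query the exported copies (not the live logs) for a small set of
#    high-value IDs inside a time window, which cuts millions of entries down to
#    the ones worth reading first. The ID list below is an assumed starting set:
#    4624/4625 logon success/failure, 4648 explicit-credential logon, 4672 special
#    privileges assigned, 4720 account created, 1102 audit log cleared (Security),
#    7045 new service installed (System).
$Ids   = 4624, 4625, 4648, 4672, 4720, 1102, 7045
$Start = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{
    Path      = @((Join-Path $TriageDir 'Security.evtx'), (Join-Path $TriageDir 'System.evtx'))
    Id        = $Ids
    StartTime = $Start
} -ErrorAction SilentlyContinue

# 3. Summaries that guide the analysis stage: volume per event ID, then a flat
#    CSV of the matching events for timeline work in another tool.
$Events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

$Events |
    Select-Object TimeCreated, Id, ProviderName, MachineName, Message |
    Export-Csv -Path (Join-Path $TriageDir 'triage_events.csv') -NoTypeInformation
```

Querying the exported `.evtx` files instead of the live channels keeps the acquisition step and the triage step separate, so the evidence copy that was hashed is the same copy that was analyzed. Where a SIEM already receives the logs, the same ID and time-window filter can be expressed as a SIEM query and the host-side export is only needed when a log has not been forwarded.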
Analyzing Windows event logs
Acquisition
There are several methods a responder can use to acquire Windows event logs. Ideally, log files should be sent to a SIEM, to allow...