In this project, students will learn the basics of analyzing Windows Event Logs to detect and investigate security incidents. Windows Event Logs are a valuable source of information about system activities, user actions, and potential security issues. By the end of this project, students will be able to access and interpret event logs, identify security-related events, and use event log analysis to support incident response.
- Basic understanding of Windows operating system and administration
- Familiarity with Windows Event Viewer
- A Windows machine (Windows 10 or later)
- Windows 10 or later
- Access to Event Viewer
- Log Parser Studio (for advanced log analysis)
Steps:
- Open Event Viewer by pressing
Win + R
, typingeventvwr
, and pressingEnter
. - In the Event Viewer console, expand "Windows Logs" and select "System".
- Review the list of system events to understand the types of logs generated by the operating system.
Expected Output:
- Access to the System event logs, with an understanding of the different types of events recorded.
Steps:
- In the Event Viewer console, expand "Windows Logs" and select "Security".
- Review the list of security events, focusing on events related to logon attempts, account management, and policy changes.
- Identify key event IDs that are commonly associated with security incidents (e.g., 4624 for successful logon, 4625 for failed logon).
Expected Output:
- Understanding of the types of events recorded in the Security logs, including logon attempts and account management events.
Steps:
- In Event Viewer, use the "Filter Current Log" option in the right-hand pane.
- Filter Security logs to show only events with a specific Event ID (e.g., 4625 for failed logon attempts).
- Use the "Find" option to search for events related to a specific user or computer.
Expected Output:
- A filtered view of event logs showing specific security events, demonstrating how to narrow down log data to relevant incidents.
Steps:
- Select a security event (e.g., a failed logon attempt) and review the event details.
- Note key information such as the date and time, user account involved, source IP address, and any error codes.
- Correlate multiple events to understand the sequence of actions (e.g., multiple failed logon attempts followed by a successful logon).
Expected Output:
- Detailed analysis of specific security events, including key information and correlations between related events.
Steps:
- Download and install Log Parser Studio.
- Open Log Parser Studio and import a sample event log file.
- Use built-in queries to analyze log data, such as identifying the top sources of failed logon attempts:
SELECT TOP 10 EXTRACT_TOKEN(TextData, 0, ' ') AS EventID, COUNT(*) AS EventCount FROM '[LOGFILEPATH]' WHERE EventID = 4625 GROUP BY EventID ORDER BY EventCount DESC
- Customize and run additional queries to extract specific information from the logs.
Expected Output:
- Advanced analysis of event logs using Log Parser Studio, with queries that extract and summarize key information from security events.
By completing these exercises, students will gain hands-on experience in accessing, filtering, and analyzing Windows Event Logs to detect and investigate security incidents. These skills are essential for effective incident response and system security monitoring.