Windows Event Viewer

Microsoft

Built-in Windows console for browsing the local event logs.

Tags: Logging & SIEM · Built-in · OS GUI · Practiced in lab · Windows

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

Windows Event Viewer (eventvwr.msc) is the GUI to inspect the local Windows event logs. A CySA+ analyst must be fluent with the most important channels:

  • Security — logon and audit events (4624 successful logon, 4625 failed logon, 4672 special privileges assigned to a new logon, 4688 process creation; 4688 only appears once audit process creation is enabled in the audit policy).
  • System — service start/stop, drivers, OS components.
  • Application — app crashes, .NET errors.
  • Microsoft-Windows-Sysmon/Operational — when Sysmon is installed, this becomes the richest endpoint telemetry source on the box.
  • Microsoft-Windows-PowerShell/Operational — with Script Block Logging enabled, EID 4104 records the content of executed script blocks.

XPath queries in Custom Views are essential for fast triage: *[System[EventID=4625]].

Use cases

  • First-pass Windows host triage during an incident
  • Building custom views per use case (logon failures, service installs)
  • Correlating Sysmon EID 1 (process create) with EID 3 (network)

Example

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
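The same 24-hour 4625 filter can be run from PowerShell instead of a Custom View, and the Sysmon EID 1 / EID 3 correlation from the use cases can be scripted the same way. This is an added example, not code from the original page; it assumes an elevated shell, Sysmon installed on the host, and the standard Security and Sysmon event field names (TargetUserName, IpAddress, ProcessGuid, Image, DestinationIp, DestinationPort).

```powershell
# Added example (not from the original page). Runs the page's XPath filter via
# Get-WinEvent, then joins Sysmon EID 3 (network) back to EID 1 (process create)
# on ProcessGuid. Assumes an elevated shell and Sysmon installed.

# Flatten an event's <EventData> into a name -> value hashtable
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $d = @{}
    foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 1) Failed logons in the last 24 h: same XML as the Custom View, summarised
#    per account and source address (top 10, most frequent first)
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
  ForEach-Object {
      $d = Get-EventData $_
      [pscustomobject]@{ Account = $d.TargetUserName; Source = $d.IpAddress; Status = $d.Status }
  } | Group-Object Account, Source | Sort-Object Count -Descending |
  Select-Object Count, Name -First 10 | Format-Table -AutoSize

# 2) Sysmon correlation: every network connection (EID 3) in the last hour,
#    enriched with the parent image and command line of its process (EID 1)
$sysmon = 'Microsoft-Windows-Sysmon/Operational'
$since  = (Get-Date).AddHours(-1)
$procs  = @{}   # ProcessGuid -> EID 1 EventData
Get-WinEvent -FilterHashtable @{LogName=$sysmon; Id=1; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object { $d = Get-EventData $_; $procs[$d.ProcessGuid] = $d }
Get-WinEvent -FilterHashtable @{LogName=$sysmon; Id=3; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object {
      $d = Get-EventData $_
      $p = $procs[$d.ProcessGuid]   # null when the process started before the window
      [pscustomobject]@{
          Time    = $_.TimeCreated
          Image   = $d.Image
          Dest    = "$($d.DestinationIp):$($d.DestinationPort)"
          Parent  = if ($p) { $p.ParentImage } else { '(no EID 1 in window)' }
          CmdLine = if ($p) { $p.CommandLine } else { '' }
      }
  } | Format-Table -AutoSize
```

Widen the EID 1 window (or drop StartTime) if long-running processes show up as "(no EID 1 in window)", since EID 3 entries only join when the matching process-create event was captured.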