What You'll Learn
- Understand the structure and storage of Windows Event Logs (EVTX format, channels, providers)
- Identify and interpret critical security Event IDs: 4624, 4625, 4688, 7045, and 1102
- Correlate events across multiple log channels (Security, System, Application, Sysmon) to reconstruct attack sequences
- Use the Wazuh Dashboard to filter, search, and timeline pre-loaded alerts mapped to Windows Event Logs
- Build an Event Log Investigation Matrix documenting which events appeared, their significance, and attack-chain connections
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-wazuh |
| Containers | Wazuh Manager, Wazuh Indexer, Wazuh Dashboard |
| Estimated Time | 65–75 minutes |
| Difficulty | Intermediate |
| Browser Access | Wazuh Dashboard (Web UI) |
| Pre-Loaded Data | 505 alerts across 10 log sources, 4 agents (linux-web-01, WIN-SERVER-01, dns-server-01, fw-edge-01) |
| Deliverable | Event Log Investigation Matrix mapping events to the multi-stage attack timeline |
Why Event Log Analysis Matters. Windows Event Logs are the forensic backbone of any Windows investigation. Every logon, process creation, service installation, and security policy change generates a structured event with a unique ID. Attackers can delete files, kill processes, and wipe registry keys — but the Event Logs often survive (and if they don't, that absence itself is evidence). Mastering Event IDs transforms hundreds of thousands of raw events into a clear attack narrative.
The Scenario
Your incident response team has been tracking a multi-stage attack across the organization's infrastructure. Previous analysis (Labs OS.1 and OS.2) identified a C2 beacon, registry persistence, and a webshell on the Windows server. Now leadership needs the full picture: "Show us the timeline. When did they get in, what did they do, and did they try to cover their tracks?"
Your Wazuh environment has 505 pre-loaded alerts from 4 agents. The Windows server (WIN-SERVER-01) generated alerts that map directly to Windows Event Log entries. Your job is to identify the critical Event IDs, understand what each one means, and stitch them together into a coherent attack timeline.
Part 1: Understanding Windows Event Log Structure
Event Log Channels
Windows organizes events into channels (log files). The most security-relevant ones are:
| Channel | File Location | Contains |
|---|---|---|
| Security | %SystemRoot%\System32\winevt\Logs\Security.evtx | Logon/logoff, privilege use, account management, audit policy changes |
| System | %SystemRoot%\System32\winevt\Logs\System.evtx | Service start/stop, driver loads, system errors |
| Application | %SystemRoot%\System32\winevt\Logs\Application.evtx | Application crashes, IIS logs, custom app events |
| Sysmon | %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx | Process creation, network connections, file creation (if Sysmon is installed) |
Event Log Entry Structure
Every Windows event contains:
| Field | Description | Example |
|---|---|---|
| Event ID | Unique identifier for the event type | 4624 |
| Provider | The source that generated the event | Microsoft-Windows-Security-Auditing |
| Level | Severity (Information, Warning, Error, Critical) | Information |
| TimeCreated | Timestamp of the event | 2026-02-24T14:30:22.123Z |
| Computer | Hostname where the event occurred | WIN-SERVER-01 |
| EventData | Structured data specific to the event type | TargetUserName, LogonType, IpAddress, etc. |
Part 2: The Critical Event IDs
Event ID Reference Card
These five Event IDs are the foundation of Windows security analysis. You will find evidence of each in the lab data:
| Event ID | Channel | Description | Attack Relevance |
|---|---|---|---|
| 4624 | Security | Successful logon | Confirms attacker gained access — check LogonType and source IP |
| 4625 | Security | Failed logon | Brute force indicator — high volume from single IP |
| 7045 | System | New service installed | Persistence via service creation — check binary path |
| 4688 | Security | New process created | Command execution — shows what the attacker ran |
| 1102 | Security | Audit log cleared | Anti-forensics — attacker trying to cover tracks |
LogonType field is critical for Event ID 4624. Type 2 = Interactive (keyboard), Type 3 = Network (SMB/file share), Type 7 = Unlock, Type 10 = Remote Desktop. A Type 3 or Type 10 logon from an external IP is far more suspicious than a Type 2 from the console.
Part 3: Hunting Event IDs in Wazuh
Step 1 — Access the Wazuh Dashboard
Once your lab reaches READY status, click Open Lab to launch the Wazuh Dashboard. Log in with the credentials shown on the lab page. Navigate to Security Events under the Threat Intelligence section.
Step 2 — Filter for WIN-SERVER-01
In the search bar, enter:
agent.name: WIN-SERVER-01
This filters to only the Windows server's alerts. Record the total count — this is your investigation scope.
Step 3 — Hunt for Event ID 4625 (Failed Logons)
Refine your query:
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 4625
For each failed logon event, examine:
- data.win.eventdata.targetUserName: Which account was targeted?
- data.win.eventdata.ipAddress: Where did the attempt come from?
- data.win.eventdata.logonType: What type of logon was attempted?
- data.win.eventdata.failureReason: Why did it fail?
Document in your matrix:
EVENT ID 4625 — FAILED LOGON
─────────────────────────────
Total Count: [number]
Target Accounts: [list of usernames]
Source IPs: [list of IPs]
Logon Types: [types observed]
Time Range: [first] to [last]
Pattern: [brute force / credential stuffing / targeted]
Significance: [what this tells you about the attack]
Step 4 — Hunt for Event ID 4624 (Successful Logons)
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 4624
This is the critical question: Did the brute force succeed? Examine each successful logon:
- TargetUserName: Which account logged in?
- IpAddress: Is the source IP one of the brute force IPs from Step 3?
- LogonType: Type 3 (network) or Type 10 (RDP) from an attacker IP is confirmation of compromise
- TimeCreated: Does the successful logon come AFTER the failed attempts?
Document your findings. If you find a successful logon from the same IP that was brute-forcing, you've confirmed initial access.
Step 5 — Hunt for Event ID 4688 (Process Creation)
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 4688
Process creation events show exactly what commands the attacker executed after gaining access. Look for:
- NewProcessName: The executable that was launched
- CommandLine: The full command with arguments (if command-line auditing is enabled)
- ParentProcessName: What launched the process
- SubjectUserName: Which account ran the command
Sort chronologically and look for the attack sequence:
- Reconnaissance commands (
whoami,ipconfig,net user,systeminfo) - Privilege escalation attempts
- Persistence installation (creating services, modifying registry)
- Lateral movement (
net use,psexec,wmic) - Data access or exfiltration
Step 6 — Hunt for Event ID 7045 (Service Installation)
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 7045
Every time a new Windows service is installed, Event ID 7045 fires. Cross-reference the service details with your Lab OS.2 findings:
- ServiceName: Does it match the suspicious service you found?
- ImagePath: Does the binary path point to a user-writable directory?
- ServiceType: User mode or kernel mode?
- StartType: Auto start (persistence) or demand start (manual)?
Step 7 — Hunt for Event ID 1102 (Log Cleared)
agent.name: WIN-SERVER-01 AND data.win.system.eventID: 1102
Event ID 1102 is generated when the Security event log is cleared — a classic anti-forensics technique. If present:
- When was the log cleared? (relative to other attack events)
- Who cleared it? (SubjectUserName and SubjectDomainName)
- What's missing? (events between the last pre-clear event and the 1102 entry)
The absence of 1102 is also meaningful. If you DON'T find an Event ID 1102, it means the attacker either didn't try to clear logs, or cleared them in a way that also removed the 1102 entry itself (e.g., using wevtutil with specific flags). Either way, document your finding.
Part 4: Cross-Channel Correlation
Step 8 — Build the Timeline
The real power of Event Log analysis comes from correlating events across channels. Create a chronological timeline combining all your findings:
ATTACK TIMELINE (from Event Logs)
═════════════════════════════════
[Timestamp 1] — Event 4625 (Security)
Failed logon: [user] from [IP], Type [X]
→ RECONNAISSANCE / INITIAL ACCESS ATTEMPT
[Timestamp 2] — Event 4625 (Security)
[Repeated failures...]
→ BRUTE FORCE IN PROGRESS
[Timestamp 3] — Event 4624 (Security)
Successful logon: [user] from [IP], Type [X]
→ INITIAL ACCESS ACHIEVED
[Timestamp 4] — Event 4688 (Security)
Process created: [command]
→ POST-EXPLOITATION / RECONNAISSANCE
[Timestamp 5] — Event 7045 (System)
Service installed: [service name], path: [binary path]
→ PERSISTENCE ESTABLISHED
[Timestamp 6] — Event 4688 (Security)
Process created: [suspicious command]
→ LATERAL MOVEMENT / DATA ACCESS
[Timestamp 7] — Event 1102 (Security) [if present]
Security log cleared by [user]
→ ANTI-FORENSICS / DEFENSE EVASION
Step 9 — Identify Gaps
Examine your timeline for gaps — periods where you'd expect activity but have no events. These gaps might indicate:
- Log clearing that removed specific events
- Activity that occurred in channels you haven't checked
- Attacker use of techniques that don't generate standard events (e.g., in-memory execution)
Part 5: Build Your Event Log Investigation Matrix
Compile your complete analysis into a structured matrix:
EVENT LOG INVESTIGATION MATRIX
══════════════════════════════
Environment: CyberBlue Lab (Wazuh)
Analyst: [your name]
Date: [today's date]
Scope: WIN-SERVER-01 events in pre-loaded dataset
EVENT ID | COUNT | CHANNEL | SIGNIFICANCE | ATTACK PHASE
─────────┼───────┼──────────┼───────────────────────┼─────────────
4625 | [n] | Security | Failed logon attempts | Initial Access
4624 | [n] | Security | Successful logon | Initial Access
4688 | [n] | Security | Process creation | Execution
7045 | [n] | System | Service installed | Persistence
1102 | [n] | Security | Log cleared | Defense Evasion
KEY CORRELATIONS
────────────────
1. 4625 → 4624: Brute force succeeded (same IP, user: [user])
2. 4624 → 4688: Post-access command execution (recon, then persistence)
3. 4688 → 7045: Service created by attacker process
4. 7045 ↔ OS.2 findings: Service matches registry/file persistence
5. 1102 timing: [Cleared before/after/not present]
INVESTIGATION GAPS
──────────────────
- [List any time gaps, missing expected events, or unexplained activity]
RECOMMENDATIONS
───────────────
1. Enable command-line auditing (if not already active)
2. Forward all Event Log channels to Wazuh (not just Security)
3. Set up Wazuh rules for the specific Event IDs in this matrix
4. Consider Sysmon deployment for enhanced process tracking
5. Implement log backup to prevent anti-forensics via log clearing
Deliverable Checklist
Before completing the lab, ensure you have:
- Event ID 4625 Analysis — Failed logon events documented with source IPs, target accounts, and brute force pattern
- Event ID 4624 Analysis — Successful logons examined for attacker access confirmation
- Event ID 4688 Analysis — Process creation events showing post-exploitation commands
- Event ID 7045 Analysis — Service installation events cross-referenced with Lab OS.2 findings
- Event ID 1102 Check — Log clearing evidence documented (presence or absence)
- Attack Timeline — Chronological reconstruction connecting all Event IDs
- Event Log Investigation Matrix — Complete matrix with counts, significance, and correlations
Key Takeaways
- Five Event IDs (4624, 4625, 4688, 7045, 1102) form the foundation of almost every Windows security investigation
- Event ID 4625 volume from a single IP is the most reliable brute force indicator — followed by a 4624 from the same IP confirms success
- Event ID 4688 with command-line auditing provides a complete record of attacker commands post-compromise
- Cross-channel correlation (Security + System) reveals the full attack story that no single log channel shows alone
- Event ID 1102 (log cleared) is both evidence of anti-forensics and a prioritization signal — if attackers cleared logs, they had something worth hiding
What's Next
In Lab OS.4 — Memory Triage, you'll take endpoint investigation to the next level by analyzing memory artifacts. While Event Logs show what happened, memory analysis reveals what's currently running — including injected code, unpacked malware, and encryption keys that never touch disk.
Lab Challenge: Event Log Deep Dive
10 questions · 70% to pass
Run the query 'agent.name: WIN-SERVER-01 AND data.win.system.eventID: 4625' in Wazuh. What does Event ID 4625 indicate?
You find Event ID 4624 events for the Administrator account from IP 91.234.99.87 with LogonType 3. What does LogonType 3 represent?
When correlating Event IDs 4625 and 4624 from the same source IP, what sequence confirms a successful brute force attack?
Search for Event ID 7045 events on WIN-SERVER-01. What information does this event provide about persistence?
What is the significance of Event ID 1102 in the context of incident response?
Event ID 4688 records process creation. Which field within the event data reveals exactly what command the attacker typed?
You build a timeline and notice a 45-minute gap between the 4624 (successful logon) and the 7045 (service installation). What could explain this gap?
Which Windows Event Log channel records Event ID 7045 (service installation)?
In your investigation matrix, you have counts for each Event ID. If you found 47 Event ID 4625 events and 2 Event ID 4624 events from the same external IP, what is the most accurate characterization?
After completing your Event Log Investigation Matrix, your team asks which single configuration change would most improve future investigations on this server. What do you recommend?
0/10 answered