CyberBlue Academy — Blue Team & SOC Training

What You'll Learn

Describe the Windows Event Log architecture: channels, providers, event structure, and where .evtx files are stored
Identify the 15 most critical Windows Event IDs for security monitoring and explain what each one captures
Map Sysmon event types (1-26) to the visibility gaps they fill in native Windows logging
Explain why default Windows logging is insufficient for security and what configurations are needed
Correlate Event IDs across multiple log channels to reconstruct multi-stage attacks

Why Event Logs Matter

Every action on a Windows system — a user logging in, a process starting, a file being accessed, a service being installed — can generate an event log entry. For SOC analysts, event logs are the primary evidence source. When Wazuh fires an alert, it is because a specific Event ID matched a detection rule. When you investigate a suspected compromise, event logs tell you what happened, when, and by whom.

The problem: Windows default logging is inadequate for security. Out of the box, Windows logs some events but misses critical ones. Understanding what is logged, what is not, and how to close the gaps is essential knowledge before you write a single detection rule.

Event Log Architecture

Windows uses a structured event logging system introduced in Windows Vista (and carried through to Windows 11 and Server 2022).

Components

Component	Role	Example
Event Providers	Applications and OS components that generate events	Security subsystem, Sysmon, PowerShell engine
Event Channels	Named log streams that collect related events	Security, System, Application, Microsoft-Windows-Sysmon/Operational
Event Log Service	The Windows service that manages channels and writes events to disk	`svchost.exe -k LocalServiceNetworkRestricted`
.evtx Files	Binary log files stored on disk	`C:\Windows\System32\winevt\Logs\Security.evtx`
Event Viewer	GUI tool for browsing logs	`eventvwr.msc`

Event Structure

Every event log entry contains these fields:

<Event>
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <Level>0</Level>
    <Task>12544</Task>
    <TimeCreated SystemTime="2026-02-15T14:23:47.123Z" />
    <Computer>WORKSTATION-01</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">admin</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">185.220.101.42</Data>
    <Data Name="SubStatus">0xC000006A</Data>
  </EventData>
</Event>

Field	What It Tells You
EventID	The type of event (4625 = failed logon)
Provider	Which component generated the event
TimeCreated	Exact timestamp in UTC
Computer	Which machine generated the event
EventData	The event-specific payload — usernames, IPs, process names, etc.

The Critical Event IDs

These are the Event IDs you will encounter most often in SIEM alerts, threat hunting, and forensic investigations. They span three major log channels: Security, System, and Sysmon.

Security Log — Authentication & Access

Event ID	Event	Why It Matters	SIEM Rule Example
4624	Successful Logon	Shows who logged in, from where, and how (logon type)	"Logon Type 10 (RDP) from external IP"
4625	Failed Logon	Brute force detection, credential stuffing	"5+ failed logons in 5 minutes from same source"
4634 / 4647	Logoff	Session duration analysis	Combined with 4624 for login session tracking
4648	Explicit Credentials	Runas, pass-the-hash, lateral movement	"Explicit creds used to access remote share"
4672	Special Privileges Assigned	Admin logon detection	"Non-admin user received admin privileges"
4688	Process Creation	What programs were executed (basic — no command line by default!)	"cmd.exe spawned by winword.exe"
4720	User Account Created	Attacker creating backdoor accounts	"New local admin account created off-hours"
4732	Member Added to Security Group	Privilege escalation via group membership	"User added to Administrators group"

⚠

Event ID 4688 (Process Creation) does NOT include the command line by default. You must enable "Audit Process Creation" and "Include command line in process creation events" via Group Policy. Without this, you see that powershell.exe ran, but not what it executed. This is one of the biggest default logging gaps on Windows. Sysmon Event ID 1 fills this gap automatically.

Security Log — Logon Types

When you see Event ID 4624 or 4625, the Logon Type field tells you how the authentication happened:

Logon Type	Method	Security Significance
2	Interactive (console)	User physically at the keyboard
3	Network (SMB, mapped drives)	Accessing shared resources — common in lateral movement
4	Batch (scheduled tasks)	Task scheduler running a job
5	Service	Service starting under a service account
7	Unlock	Workstation unlocked
10	RemoteInteractive (RDP)	Remote Desktop — high-priority if from unexpected sources
11	CachedInteractive	Domain creds used offline — laptop not on network

System Log — Service & Driver Events

Event ID	Event	Why It Matters
7034	Service Crashed	Repeated crashes may indicate exploitation or instability
7036	Service State Change	Service started or stopped — persistence mechanisms
7040	Service Start Type Changed	Changed from Manual to Automatic — persistence indicator
7045	New Service Installed	Attackers install services for persistence (T1543.003)

🚨

Event ID 7045 (New Service Installed) is one of the most reliable persistence indicators. Legitimate software installs services during installation, which typically happens in business hours with admin consent. A new service installed at 2:00 AM from a temporary directory is almost always malicious. Always correlate 7045 with the service binary path — does it point to a known software location or a suspicious path?

Sysmon — Closing the Gaps

Sysmon (System Monitor) is a free Microsoft tool that dramatically enhances Windows logging. It adds event types that native Windows does not provide. You covered Sysmon briefly in Module 2 (Lesson 2.6). Here is the complete reference for the event types you will use most:

Sysmon Event ID	Event	What Native Windows Misses
1	Process Create	Full command line, hashes, parent process — fills the 4688 gap
3	Network Connection	Which process made which network connection (4688 doesn't capture this)
7	Image Loaded (DLL)	DLL sideloading detection — no native equivalent
8	Create Remote Thread	Process injection detection (T1055) — no native equivalent
10	Process Access	Detects tools accessing LSASS memory (credential theft) — no native equivalent
11	File Create	New file creation with full path — critical for dropped payloads
12/13/14	Registry Events	Registry key/value create, set, rename — persistence detection
15	File Create Stream Hash	ADS creation detection — no native equivalent
22	DNS Query	Per-process DNS resolution — no native equivalent
23	File Delete	File deletion logging with optional archiving

Comparison of native Windows logging vs Sysmon-enhanced logging — showing the visibility gaps that Sysmon fills across process, network, file, and registry monitoring

ℹ

Sysmon is not a luxury — it is a necessity. Without Sysmon, you cannot detect DLL sideloading (Event 7), process injection (Event 8), credential theft via LSASS access (Event 10), or per-process DNS queries (Event 22). These are the techniques used by APT groups and ransomware operators daily. In your lab environment, Sysmon is pre-installed on all Windows endpoints. In production, deploying and configuring Sysmon (with a proper config like SwiftOnSecurity's or Olaf Hartong's) should be one of your first actions.

Log Gaps and Misconfigurations

Even with Sysmon, there are common mistakes that create blind spots:

Gap	Impact	Fix
Audit Policy not configured	Security log only captures basic events	Enable Advanced Audit Policy via GPO
4688 without command line	Process creation events lack the most important field	Enable "Include command line in process creation events"
PowerShell logging disabled	Cannot see PowerShell commands executed	Enable Module Logging, Script Block Logging (4104), Transcription
Log size too small	Events overwrite before analysts can investigate	Increase Security log to 1GB+; forward to SIEM in real-time
Sysmon not deployed	Missing critical event types (1, 3, 7, 8, 10, 22)	Deploy Sysmon with a security-focused configuration
No log forwarding	If attacker clears local logs, all evidence is lost	Forward events to Wazuh/SIEM immediately upon generation

💡

Attackers clear logs. Event ID 1102 (Security log was cleared) and Sysmon Event ID 1 showing wevtutil.exe cl Security are strong indicators of an adversary covering their tracks (T1070.001). This is why forwarding logs to a central SIEM in real-time is critical — the attacker can clear local logs, but the SIEM copy is already stored.

Correlating Events Across Channels

Real attacks generate events across multiple log channels. A brute-force-to-compromise attack chain might look like this:

14:20:00  Security 4625  Failed logon (admin, Type 10, from 185.220.101.42) [×12]
14:20:47  Security 4624  Successful logon (admin, Type 10, from 185.220.101.42)
14:20:48  Security 4672  Special privileges assigned to admin
14:21:03  Sysmon   1     powershell.exe spawned by explorer.exe (encoded command)
14:21:04  Sysmon   3     powershell.exe → 203.0.113.50:443 (C2 connection)
14:21:15  Sysmon   11    C:\Users\admin\AppData\Local\Temp\update.exe created
14:21:16  Sysmon   1     update.exe started by powershell.exe
14:21:17  System   7045  New service 'WindowsUpdateHelper' installed (binary: update.exe)
14:21:18  Sysmon   12    HKLM\...\Run\WindowsUpdate created → update.exe

This 78-second sequence spans Security, Sysmon, and System logs. An analyst who only monitors one channel misses pieces of the story. Wazuh collects all three and correlates them by timestamp.

Key Takeaways

Windows Event Logs flow from providers through channels to .evtx files on disk — forwarded in real-time to your SIEM
The most critical Security Event IDs are: 4624 (logon), 4625 (failed logon), 4688 (process create), 4720 (account created), 4732 (group membership), 7045 (service installed)
Logon Types in 4624/4625 reveal how authentication happened — Type 3 (network) and Type 10 (RDP) are high-priority for lateral movement
Default Windows logging is insufficient: 4688 lacks command lines, PowerShell logging is disabled, Sysmon is not installed
Sysmon fills critical gaps: process command lines (1), network connections (3), DLL loads (7), process injection (8), LSASS access (10), DNS queries (22)
Attackers clear logs (1102) — centralized SIEM forwarding ensures evidence survives
Real attacks generate events across multiple channels — correlation is how you reconstruct the full attack chain

What's Next

Lesson 3.4 examines Windows authentication and credential storage — how NTLM and Kerberos work, where credentials are cached, how attackers steal them, and the Event IDs that signal credential compromise.

Knowledge Check: Windows Event Log Architecture

10 questions · 70% to pass

What critical information does Event ID 4688 (Process Creation) lack in its default Windows configuration?

An analyst sees 12 Event ID 4625 entries followed by one Event ID 4624 from the same source IP, all within 47 seconds. What attack is this?

What does Logon Type 10 in Event ID 4624 indicate?

Which Sysmon Event ID detects tools accessing LSASS memory, such as Mimikatz performing credential dumping?

Event ID 7045 shows a new service installed at 2:00 AM with binary path C:\Users\Public\svc.exe. Why is this suspicious?

Why is log forwarding to a centralized SIEM critical for security?

Which Sysmon Event ID would detect a malicious DLL being loaded by a legitimate process (DLL sideloading)?

In the multi-stage attack example, what does Sysmon Event ID 3 reveal that no native Windows log captures?

Event ID 1102 appears in the Security log. What does this indicate?

In Lab 3.3, you analyze a brute-force attack chain in Wazuh. Why do you need events from BOTH the Security log and Sysmon to see the full picture?

0/10 answered

Windows File System & RegistryPrevious Windows Authentication & Credential StorageNext