Skip to content
Vol. 1 · Ed. 2026
CyberGlossary
日本語
Entry № 1371

Windows Event Log Analysis

Windows Event Log Analysis とは何ですか?

Windows Event Log AnalysisThe DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.

Windows Event Log analysis is one of the foundational DFIR skills on Windows endpoints and Active Directory servers. The Windows Event Log subsystem stores records in the binary EVTX format under `%SystemRoot%\System32\winevt\Logs\`, with each provider writing into channels such as `Security`, `System`, `Application`, `Microsoft-Windows-PowerShell/Operational`, `Microsoft-Windows-Sysmon/Operational`, and dozens more. High-value event IDs include 4624 (logon), 4625 (failed logon), 4672 (special privileges assigned), 4688 (process creation), 4698 (scheduled task created), 4720 (account created), 4768/4769 (Kerberos TGT/TGS), 4776 (NTLM auth), 7045 (service install), 1102 (audit log cleared), and Sysmon 1/3/7/8/10/11/22. Practical analysis tools include Event Viewer, `wevtutil`, EZ Tools' EvtxECmd (Eric Zimmerman), Chainsaw, Hayabusa, Velociraptor, plus SIEM ingestion (Splunk, Elastic, Sentinel). Hardening prerequisites — increasing log size, enabling Process Creation auditing with command-line, deploying Sysmon, and enabling PowerShell Script Block Logging (4104) — are essential because Windows ships with most useful audits off by default.

  1. 01

    An IR analyst pulls 4624 Type 3 events with workstation names matching the suspect host to reconstruct lateral movement from a compromised endpoint.

  2. 02

    Hayabusa runs Sigma rules against a folder of EVTX exports and surfaces 4688 events showing `whoami /all` and `nltest /dclist` enumeration shortly before privilege escalation.

よくある質問

Windows Event Log Analysis とは何ですか?

The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques. サイバーセキュリティの フォレンジックと IR カテゴリに属します。

Windows Event Log Analysis とはどういう意味ですか?

The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.

Windows Event Log Analysis はどのように機能しますか?

Windows Event Log analysis is one of the foundational DFIR skills on Windows endpoints and Active Directory servers. The Windows Event Log subsystem stores records in the binary EVTX format under `%SystemRoot%\System32\winevt\Logs\`, with each provider writing into channels such as `Security`, `System`, `Application`, `Microsoft-Windows-PowerShell/Operational`, `Microsoft-Windows-Sysmon/Operational`, and dozens more. High-value event IDs include 4624 (logon), 4625 (failed logon), 4672 (special privileges assigned), 4688 (process creation), 4698 (scheduled task created), 4720 (account created), 4768/4769 (Kerberos TGT/TGS), 4776 (NTLM auth), 7045 (service install), 1102 (audit log cleared), and Sysmon 1/3/7/8/10/11/22. Practical analysis tools include Event Viewer, `wevtutil`, EZ Tools' EvtxECmd (Eric Zimmerman), Chainsaw, Hayabusa, Velociraptor, plus SIEM ingestion (Splunk, Elastic, Sentinel). Hardening prerequisites — increasing log size, enabling Process Creation auditing with command-line, deploying Sysmon, and enabling PowerShell Script Block Logging (4104) — are essential because Windows ships with most useful audits off by default.

Windows Event Log Analysis からどのように防御しますか?

Windows Event Log Analysis に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

Windows Event Log Analysis の別名は何ですか?

一般的な別名: EVTX analysis, Security log analysis。

関連用語

関連項目