Windows Event Log Hunting Basics
A practical starter guide for finding suspicious authentication and process activity.
Event logs provide crucial context when investigating endpoint behavior. Even simple hunts can reveal brute-force attempts, lateral movement clues, and persistence techniques.
High-Value Event Areas
- Authentication events with unusual source hosts.
- New process execution from odd parent processes.
- Privilege escalation or group membership changes.
- Service creation and scheduled task anomalies.
Hunt Workflow
- Start with a time window and affected host list.
- Search for known-bad indicators and unusual patterns.
- Correlate events across identity, endpoint, and network logs.
- Document findings with exact timestamps and event context.
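As an added example (not part of the original guide), the following Python runs the workflow above over constructed event records covering the four event areas listed earlier: it scopes to a time window and host list, flags failed-logon bursts correlated with a later successful logon, odd parent processes, sensitive group changes and persistence artefacts, and returns findings keyed by exact timestamp. The record layout, the burst threshold and the parent-process list are assumptions for illustration, not a standard.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry): a flattened view of Windows
# event-log records (Security and System) carrying the fields a hunt usually keys on.
EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "WS01", "id": 4625, "user": "jdoe", "src": "10.0.5.77"},
    {"ts": "2024-03-01T09:00:07", "host": "WS01", "id": 4625, "user": "jdoe", "src": "10.0.5.77"},
    {"ts": "2024-03-01T09:00:09", "host": "WS01", "id": 4625, "user": "jdoe", "src": "10.0.5.77"},
    {"ts": "2024-03-01T09:00:11", "host": "WS01", "id": 4625, "user": "jdoe", "src": "10.0.5.77"},
    {"ts": "2024-03-01T09:00:13", "host": "WS01", "id": 4625, "user": "jdoe", "src": "10.0.5.77"},
    {"ts": "2024-03-01T09:00:20", "host": "WS01", "id": 4624, "user": "jdoe", "src": "10.0.5.77"},
    {"ts": "2024-03-01T09:01:02", "host": "WS01", "id": 4688, "user": "jdoe", "parent": "WINWORD.EXE", "image": "cmd.exe"},
    {"ts": "2024-03-01T09:02:40", "host": "WS01", "id": 4732, "user": "jdoe", "group": "Administrators"},
    {"ts": "2024-03-01T09:03:15", "host": "WS01", "id": 4698, "user": "jdoe", "task": "\\Updater"},
    {"ts": "2024-03-01T12:00:00", "host": "WS02", "id": 4688, "user": "svc", "parent": "explorer.exe", "image": "notepad.exe"},
]

FAILED_LOGON_THRESHOLD = 5          # 4625 count treated as a burst (assumed tuning value)
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # Office apps rarely spawn shells
SENSITIVE_GROUPS = {"Administrators", "Domain Admins"}

def hunt(events, start, end, hosts):
    """Return sorted (timestamp, host, description) findings within [start, end] on hosts."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    scope = [e for e in events
             if e["host"] in hosts and lo <= datetime.fromisoformat(e["ts"]) <= hi]
    findings = []
    # 1. Failed-logon bursts keyed by (host, source, user), correlated with a later 4624.
    fails = defaultdict(list)
    for e in scope:
        if e["id"] == 4625:
            fails[(e["host"], e["src"], e["user"])].append(e["ts"])
    for (host, src, user), stamps in fails.items():
        if len(stamps) >= FAILED_LOGON_THRESHOLD:
            success = any(e["id"] == 4624 and e.get("src") == src and e["user"] == user
                          and e["ts"] > stamps[-1] for e in scope)   # ISO strings sort by time
            findings.append((stamps[0], host, "%d failed logons from %s for %s%s"
                             % (len(stamps), src, user, ", then a success" if success else "")))
    # 2. Single-event signals: odd parent process, sensitive group change, persistence artefacts.
    for e in scope:
        if e["id"] == 4688 and e.get("parent", "").lower() in ODD_PARENTS:
            findings.append((e["ts"], e["host"], "%s spawned %s" % (e["parent"], e["image"])))
        elif e["id"] in (4728, 4732) and e.get("group") in SENSITIVE_GROUPS:
            findings.append((e["ts"], e["host"], "member added to %s" % e["group"]))
        elif e["id"] in (4698, 7045):
            findings.append((e["ts"], e["host"], "persistence: " + (e.get("task") or e.get("service", "?"))))
    return sorted(findings)
```

Each finding carries the event timestamp and host so it can be documented and correlated against identity and network logs for the same window.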