Event Viewer Filtering

Hello there,

I am going through the THP course and am on the module where we look through Event IDs. There are some labs, like Lab 15, that use Event Viewer to find certain events in the Windows Security log.

My question is, is there an efficient way to use Event Viewer? Do we use the filter option on the right hand side menu alone? Do we have to manually go through each entry thereafter? I am fine with this, but I would just like to make sure that this is the only way to do this for now? Are there any recommendations to help better go through the logs?

This is before we dive into ELK and I know that will help, but I would like to learn more about Event Viewer before moving on to it.

Thanks for your help!

P.S. I see that you are the course instructor @sparpulev-8dc005c0c8, so I hope you don’t mind me tagging you :slightly_smiling_face:

Hi Rene,

Filtering in Windows Event Viewer can be a bit cumbersome since its search criteria can be a bit limited. As you pointed out, when you get to ELK things will get much easier as your search can be much more granular. My only above and beyond advice is to begin learning about the additional data in a Windows Event. For example, a 4624 event is a successful login, but the additional fields can tell you the type of login used. You can use the filter to sort for those via a keyword source. You can also learn the related logs.

Good Luck!

Blue Team Instructor

1 Like
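As an added example (not part of the thread above, and not course material), here is how the "additional data" the instructor mentions can be filtered on directly. Event Viewer's Filter Current Log dialog has an XML tab where you can paste a custom XPath query, and the same XPath works with Get-WinEvent -FilterXPath, so one expression serves both the GUI and the shell. The function below pulls 4624 (successful logon) events, restricts them by the LogonType field inside EventData, and flattens the fields a reviewer usually wants into a table. The function name, parameter names, and the default logon types are my choices; it assumes an elevated PowerShell session on a Windows host, since reading the Security log requires administrator rights.

```powershell
# Added example, not from the original thread. Filters the Security log for
# event 4624 by the LogonType field stored in EventData, and returns the
# fields an analyst typically pivots on.
#
# The XPath this builds can also be pasted into Event Viewer:
#   Filter Current Log -> XML tab -> "Edit query manually".
#
# Common LogonType values: 2 = Interactive (console), 3 = Network (SMB etc.),
# 4 = Batch, 5 = Service, 7 = Unlock, 9 = NewCredentials (runas /netonly),
# 10 = RemoteInteractive (RDP), 11 = CachedInteractive.

function Get-LogonEvents {
    param(
        # Logon types to keep; defaults to console and RDP logons (my choice)
        [int[]]$LogonType = @(2, 10),
        [int]$MaxEvents = 200
    )

    # Build "Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10'"
    $typeClause = ($LogonType | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
    $xpath = "*[System[(EventID=4624)]] and *[EventData[($typeClause)]]"

    # Get-WinEvent raises a non-terminating error when nothing matches, so an
    # empty result is treated as "no events" rather than a failure.
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields are only reachable through the event's XML
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                LogonType   = [int]$data.LogonType
                SourceIP    = $data.IpAddress
                Workstation = $data.WorkstationName
                AuthPackage = $data.AuthenticationPackageName
                LogonProc   = $data.LogonProcessName
            }
        }
}

# The "related logs" for a logon investigation: 4625 = failed logon,
# 4634 / 4647 = logoff, 4672 = special privileges assigned at logon.
# A hashtable filter is the quickest way to pull several IDs at once.
function Get-RelatedLogonEvents {
    param([int]$MaxEvents = 200)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4634, 4647, 4672 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage:
#   Get-LogonEvents -LogonType 10 | Format-Table -AutoSize        # RDP logons only
#   Get-LogonEvents | Where-Object { $_.User -notlike '*$' }      # drop machine accounts
#   Get-RelatedLogonEvents | Sort-Object TimeCreated | Format-Table -AutoSize
```

Two things worth knowing before relying on this: RDP sessions typically produce a LogonType 10 event, but a reconnect to an existing session can show up as type 7 (Unlock), so widen the list when chasing a specific session; and Network Level Authentication on RDP first generates a type 3 logon, so a single remote login often appears as two 4624 records.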

Hey Jason,

This makes good sense. And thank you for your advice, I will give it my best and reach out if I have any more questions.

Until then, take care!