Analyzing Windows Event Logs

30 minutes
  • 2 Learning Objectives

About this Hands-on Lab

In this lab, we’ll use filters to review Windows events and export events to text files for later analysis.

NOTE: Once the lab is ready, please wait 2 additional minutes before attempting to remote desktop to the Windows machine. Prior to that, the provided credentials will not work. This is because the Windows machine runs several preparation scripts once it starts.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Export all successful logon events to a text file named `logons.txt` on the server’s Desktop.
  1. Open Event Viewer and expand Windows Logs.
    • Under Windows Logs, click on the Security which will populate the security events
    • In the Actions area, select Filter Current Log.
    • In the All Event IDs field, enter the Event ID 4624, then click OK.
    • In the Actions area, click on Save Filtered Log File As.
    • Select Desktop for the location, for the file name type logons.txt, and select Text for the Save as type.
    • Click the Save button.
Export all events from the security log to a file named `security.txt` on the server’s Desktop.
  1. In the Action area, click Clear Filter to remove the filter from the previous section.
    • Right click on Security under Windows Logs and select Save All Events As.
    • Select Desktop for the location, for the file name type security.txt, and select Text for the Save as type.
    • Click the Save button.

Additional Resources

As part of the incident response team, you are responding to a server breach. The team leader would like you to export all of the successful logon events on the server to a text file named logons.txt and save the file on the server's desktop.

Then you need to export the entire security log to a text file named security.txt and save it on the desktop as well.

These files will be analyzed for clues as to how the breach occurred.

Connecting to the lab:

  1. Use RDP (Remote Desktop) to connect to the public IP address of the instance on port 3389.
  2. Log in with the username and password generated by the lab.

NOTE: Once the lab is ready, please wait 2 additional minutes before attempting to remote desktop to the Windows machine. Prior to that, the provided credentials will not work. This is because the Windows machine runs several preparation scripts once it starts.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Get Started
Who’s going to be learning?

How many seats do you need?

  • $499 USD per seat per year
  • Billed Annually
  • Renews in 12 months

Ready to accelerate learning?

For over 25 licenses, a member of our sales team will walk you through a custom tailored solution for your business.


$2,495.00

Checkout
Sign In
Welcome Back!
Thanks for reaching out!

You’ll hear from us shortly. In the meantime, why not check out what our customers have to say about ACG?