Detecting Security Incidents Using Windows Workstation Event Logs

Windows event logs can be an extremely valuable resource for detecting security incidents. While many companies collect logs from security devices and critical servers to comply with regulatory requirements, few collect them from their Windows workstations, and even fewer proactively analyze those logs. Collecting and analyzing workstation logs is critical because the initial compromise is increasingly happening at the workstation level. If we are to get better at detecting these initial compromises, then it is imperative that we develop an efficient, common-sense approach to collecting and analyzing these events.

34262 (PDF, 2.91 MB)

9 Jul 2013
By Russ Anthony
All papers are copyrighted. No re-posting of papers is permitted.
