MC-10 · Mini-course

Sysmon, Windows Security Log, KQL queries and attack detection through logs. Key Event IDs for SOC.

12 lessons · 3 modules · Intermediate · Sysmon + KQL

Why this matters right now

Windows Logs — the key evidence in investigations

197 days: average time a breach goes undetected
45%: share of attacks that leave traces only in Event Logs
3x: reduction in detection time with Sysmon
4624/4625: the most important security Event IDs (successful and failed logon)

After the course you will be able to

Not abstract knowledge — concrete skills for detection and investigations

📋Configure Sysmon with rules for maximum visibility
🔍Identify key Event IDs for attack detection
💻Detect Pass-the-Hash and Lateral Movement through logs
📊Write KQL queries in Microsoft Sentinel
🎯Build hypotheses for Threat Hunting based on MITRE ATT&CK
📜Enable advanced PowerShell logging (module and script block logging)
🕵️Conduct retrospective incident investigation through logs
📝Compile an incident report based on Windows artifacts

Real attacks in the course

Every lesson is built on real incidents — not made-up examples

APT · 2016

APT29 Cozy Bear: detected through Event Logs

Attacks on the DNC were detected through anomalies in Windows Event Logs: atypical authentication patterns and unusual process creations recorded as Sysmon Event ID 1.

Module 03 · Hunting in logs
Malware · 2017

WannaCry: Event 7045 as a precursor

Installing the malicious WannaCry service generated Event ID 7045 (a service was installed in the system). Organizations with proper alerts on this Event ID managed to stop the spread.

Module 02 · Key events
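What an alert on this Event ID looks like in practice, as an added example that is not part of the course material: a KQL query for Microsoft Sentinel that surfaces every 7045 service installation whose service name is not on an allowlist and ranks the hits by two cheap indicators. It assumes the System log is shipped to Sentinel's Event table (the Security Events connector alone carries only the Security log), that Event.EventData holds the event's XML with named Data elements, and that the allowlisted service names are placeholders you replace with your own.

```kql
// Added example (not course material). Assumptions: System-log events reach the
// Sentinel `Event` table, EventData is the raw XML with <Data Name="..."> elements,
// and `known_services` is a placeholder allowlist that you maintain yourself.
let known_services = dynamic(["Sysmon64", "Sysmon"]);   // assumption: extend with your own service names
Event
| where TimeGenerated > ago(24h)
| where EventLog == "System" and EventID == 7045        // "A service was installed in the system"
// 7045 carries named EventData fields; pulling them from the XML avoids parsing the
// locale-dependent RenderedDescription text.
| extend ServiceName = extract(@'<Data Name="ServiceName">([^<]*)</Data>', 1, EventData),
         ImagePath   = extract(@'<Data Name="ImagePath">([^<]*)</Data>', 1, EventData),
         StartType   = extract(@'<Data Name="StartType">([^<]*)</Data>', 1, EventData),
         AccountName = extract(@'<Data Name="AccountName">([^<]*)</Data>', 1, EventData)
| extend ImagePath = replace_string(ImagePath, "&quot;", "\"")   // undo XML escaping of quoted paths
// Indicators are used to rank, not to gate: the allowlist is the gate. A binary under
// C:\Windows is not a pass (WannaCry's own service binary lived there); a LOLBin as the
// service image or a user-writable location just earns the row a higher place in the queue.
| extend LolbinPath   = ImagePath has_any ("cmd.exe", "powershell", "rundll32", "regsvr32", "mshta", "comspec"),
         UserWritable = ImagePath contains @"\Users\" or ImagePath contains @"\Temp\"
                        or ImagePath contains @"\ProgramData\" or ImagePath contains @"\AppData\",
         Allowlisted  = ServiceName in (known_services)
| where not(Allowlisted)
| extend Score = iff(LolbinPath, 1, 0) + iff(UserWritable, 1, 0)
| project TimeGenerated, Computer, ServiceName, ImagePath, StartType, AccountName, LolbinPath, UserWritable, Score
| order by Score desc, TimeGenerated desc
```

Run it as a scheduled analytics rule with a short lookback rather than the 24h used here for review. Two companions make it robust: enable the Security-log counterpart, Event 4697 (Audit Security System Extension), so the detection survives an attacker who clears only the System log, and keep Sysmon Event 1 on the same host, which shows the process that called into the Service Control Manager.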
SOC win · 2023

Brute force uncovered in 2 minutes

A SOC analyst noticed a spike in Event 4625 (failed logons) through a Sentinel alert. The attack, 847 attempts in total, was blocked within 2 minutes of starting.

Module 02 · Event 4624/4625
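The kind of alert that analyst acted on, as an added example that is not part of the course material: a KQL query over Sentinel's SecurityEvent table that flags any source producing a burst of 4625 failures and then answers the question a practitioner asks next, whether the same source went on to produce a 4624 success. The threshold, bucket size, lookback and the 30-minute follow-up window are assumptions to tune; the columns are SecurityEvent's standard ones.

```kql
// Added example (not course material). threshold, bucket, lookback and the 30m
// follow-up window are assumptions; tune them to your own baseline.
let threshold = 20;            // failures per bucket from one source before we care
let bucket    = 5m;
let lookback  = 1h;
let failures = SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                                    // "An account failed to log on"
| where TargetUserName !endswith "$"                       // drop machine accounts
| summarize Failures = count(),
            LastFail = max(TimeGenerated),
            Targets  = make_set(TargetUserName, 20),       // spraying shows as many users, one source
            Reasons  = make_set(SubStatus, 10)             // 0xC000006A bad password, 0xC0000064 no such user, 0xC0000234 locked out
          by IpAddress, Computer, bin(TimeGenerated, bucket)
| where Failures >= threshold;
// Network (3) and RDP (10) successes from the same source; other logon types are not
// what a remote guess produces.
let successes = SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624 and LogonType in (3, 10)
| project Computer, IpAddress, SuccessTime = TimeGenerated, SucceededAs = TargetUserName;
failures
| join kind=leftouter successes on IpAddress, Computer
// A success only matters if it follows the burst; successes from before it are noise.
| extend Followed = isnotnull(SuccessTime) and SuccessTime between (LastFail .. (LastFail + 30m))
| summarize Failures = take_any(Failures), Targets = take_any(Targets), Reasons = take_any(Reasons),
            SucceededAs = make_set_if(SucceededAs, Followed)
          by TimeGenerated, Computer, IpAddress
| extend Outcome = iff(array_length(SucceededAs) > 0, "FAILURES_THEN_SUCCESS", "FAILURES_ONLY")
| project TimeGenerated, Computer, IpAddress, Failures, Targets, Reasons, Outcome, SucceededAs
| order by Outcome desc, Failures desc     // desc puts FAILURES_THEN_SUCCESS first
```

An 847-attempt run trips a threshold of 20 inside its first bucket, which is what makes a two-minute response possible. Two caveats before relying on it: 4625 is only written where failure auditing for Logon is enabled, and it is written on the host that received the attempt, so a spray against domain accounts over Kerberos shows up on the domain controllers as 4771 (and 4776 for NTLM) rather than as 4625 on a member server; collect those too.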

Course Program

3 modules · 12 lessons: Sysmon, Event IDs and Threat Hunting with KQL

Where this course leads

Windows Event Log Analysis — the foundation for Threat Hunters and DFIR specialists

$2,500 — $5,000/mo

SOC Analyst L2/L3

Analyze complex incidents through Windows Event Logs, investigate APT activity, conduct retrospective analysis.

Sysmon · Event IDs · KQL · Sentinel
Track: FC-07 → MC-10 → MC-11
$3,500 — $8,000/mo

Threat Hunter

Proactively hunt threats in Windows logs using MITRE ATT&CK hypotheses. Find what automated systems missed.

Threat Hunting · MITRE ATT&CK · KQL · Sysmon
Track: FC-07 → MC-10 → MC-09
$4,000 — $9,000/mo

DFIR Specialist

Investigate incidents, reconstruct attack timelines from Windows artifacts, prepare evidence for legal cases.

Windows Forensics · Timeline Analysis · Event Logs · DFIR
Track: FC-07 → MC-10 → MC-11 → MC-12

Who this course is for

🔵 SOC Analysts L1/L2

Want to level up — from simple alerts to deep analysis of Windows artifacts.

🕵️ Threat Hunters

Need Event Log skills for building hypotheses and proactive threat hunting in infrastructure.

🔍 DFIR Specialists

Investigating incidents and want to systematize your work with Windows Event Logs.

Read Windows logs like a professional, starting today

12 lessons, Sysmon, KQL and real Threat Hunting. Detect attacks before they cause damage.

MC-10 · Mini-course

Windows Event Log Analysis

Level: intermediate

12 lessons (video + practice)
3 modules (by topic)
Intermediate difficulty level
Sysmon + KQL as the main tools
Sysmon setup and configuration
Key Event IDs from 4624 (logon) to 4688 (process creation)
KQL in Microsoft Sentinel
Pass-the-Hash and Lateral Movement detection