MC-10 · Mini-course

Sysmon, Windows Security Log, KQL queries and attack detection through logs. Key Event IDs for SOC.

12 lessons · 3 topics · Intermediate · Sysmon + KQL

Why this matters right now

Windows Logs — the key evidence in investigations

197 days: average time a breach goes undetected
45%: share of attacks that leave traces only in Event Logs
3x: how much Sysmon reduces detection time
4624/4625: the most important security Event IDs

After the course you will be able to

Not abstract knowledge — concrete skills for detection and investigations

Configure Sysmon with rules for maximum visibility
Identify key Event IDs for attack detection
Detect Pass-the-Hash and Lateral Movement through logs
Write KQL queries in Microsoft Sentinel
Build hypotheses for Threat Hunting based on MITRE ATT&CK
Enable advanced PowerShell logging
Conduct retrospective incident investigation through logs
Compile an incident report based on Windows artifacts

Real attacks in the course

Every lesson is built on real incidents — not made-up examples

APT · 2016

APT29 Cozy Bear — detected through Event Logs

Attacks on the DNC were detected through anomalies in Windows Event Logs — atypical authentication patterns and unusual processes in Sysmon Event 1.

Topic 03 · Hunting in logs
Malware · 2017

WannaCry — Event 7045 as a precursor

Installation of the malicious WannaCry service generated Event ID 7045. Organizations with proper alerts on this Event ID managed to stop the spread.

Topic 02 · Key events
SOC win · 2023

Brute force uncovered in 2 minutes

A SOC analyst noticed a spike in Event 4625 (failed logins) through a Sentinel alert. The attack with 847 attempts was blocked within 2 minutes of starting.

Topic 02 · Event 4624/4625
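A query in the spirit of the Sentinel alert described in the brute-force case above, written as an added example for this page (it is not the course's own material). It assumes Windows Security events are ingested into Sentinel's SecurityEvent table, and the threshold of 20 failures per 5-minute window is a constructed value to tune per environment.

```kql
// Added example: surface bursts of Event 4625 (failed logon) per source IP and host.
// Assumes the SecurityEvent table (Windows Security log via the Azure Monitor agent).
let lookback = 1h;
let window = 5m;
let threshold = 20;   // constructed value; tune to the normal failure rate of your estate
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625
| summarize
    FailedAttempts = count(),
    TargetAccounts = dcount(TargetUserName),      // many accounts from one IP = spraying
    Accounts       = make_set(TargetUserName, 10),
    LogonTypes     = make_set(LogonType, 5),      // 3 = network, 10 = RDP
    FailureCodes   = make_set(SubStatus, 5),      // 0xC000006A bad password, 0xC0000064 unknown user
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by Computer, IpAddress, bin(TimeGenerated, window)
| where FailedAttempts >= threshold
| project TimeGenerated, Computer, IpAddress, FailedAttempts, TargetAccounts,
          Accounts, LogonTypes, FailureCodes, FirstSeen, LastSeen
| order by FailedAttempts desc
```

Pair it with a follow-up query for Event 4624 from the same IpAddress in the same window to tell a blocked attempt from a successful guess.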

Course Program

3 topics · 12 lessons: Sysmon, Event IDs and Threat Hunting with KQL

01 · Windows Event Log structure (EVTX)
02 · Log channels: Security, System, Application
03 · Configuring Advanced Audit Policy
04 · Collecting logs with Sysmon

Where this course leads

Windows Event Log Analysis — the foundation for Threat Hunters and DFIR specialists

$2,500 — $5,000/mo

SOC Analyst L2/L3

Analyze complex incidents through Windows Event Logs, investigate APT activity, conduct retrospective analysis.

Sysmon · Event IDs · KQL · Sentinel
Track: FC-07 → MC-10 → MC-11
$3,500 — $8,000/mo

Threat Hunter

Proactively hunt threats in Windows logs using MITRE ATT&CK hypotheses. Find what automated systems missed.

Threat Hunting · MITRE ATT&CK · KQL · Sysmon
Track: FC-07 → MC-10 → MC-09
$4,000 — $9,000/mo

DFIR Specialist

Investigate incidents, reconstruct attack timelines from Windows artifacts, prepare evidence for legal cases.

Windows Forensics · Timeline Analysis · Event Logs · DFIR
Track: FC-07 → MC-10 → MC-11 → MC-12

Who this course is for

SOC Analysts L1/L2

Want to level up — from simple alerts to deep analysis of Windows artifacts.

Threat Hunters

Need Event Log skills for building hypotheses and proactive threat hunting in infrastructure.

DFIR Specialists

You investigate incidents and want to systematize your work with Windows Event Logs.

Read Windows logs like a professional, starting today

12 lessons, Sysmon, KQL and real Threat Hunting. Detect attacks before they cause damage.

MC-10 · Mini-course

Windows Event Log Analysis

Level: intermediate

12 lessons (video + practice)
3 topics
Difficulty level: Intermediate
Main tools: Sysmon + KQL
Sysmon setup and configuration
Key Event IDs 4624-4688
KQL in Microsoft Sentinel
Pass-the-Hash and Lateral Movement detection