SOC Operations | January 30, 2026

Reading Logs Like an Analyst: What to Look For

A quick guide to reading Windows Event Logs like a security analyst. Learn which logs matter and what to look for.

EpicDetect Team

5 min read


You open a SIEM dashboard for the first time. Thousands of events. Cryptic IDs. Walls of text. Where do you even start?

Good news: you don't need to understand every log. You just need to know where to look.

What Are Windows Event Logs?

Windows Event Logs are records of everything happening on a Windows system—logins, process executions, errors, service changes, and more.

They're split into categories:

- Security – Authentication events, access attempts, privilege use

- System – Service starts/stops, driver issues, shutdowns

- Application – Software-specific events and errors

For security work, the Security log is your bread and butter.

Which Event IDs Actually Matter?

You don't need to memorize hundreds of Event IDs. Start with these — and when you're ready to go deeper, this complete reference covers the Event IDs that matter most for detecting real attacks.

Authentication Events:

- 4624 – Successful login (who logged in, from where)

- 4625 – Failed login (wrong password, locked account)

- 4648 – Login with explicit credentials (runas, remote access)

Account Changes:

- 4720 – User account created

- 4722/4725 – Account enabled/disabled

- 4732 – User added to a group

Process Activity:

- 4688 – New process created (what ran, who ran it)

- 4689 – Process terminated

These cover most of what you'll investigate as a new analyst.

What Should You Actually Look For?

When reviewing logs, ask yourself:

Who? – What user account is involved? Is it a normal user, admin, or service account?

What? – What action was taken? Login, file access, process execution?

When? – What time did it happen? Middle of the night? Outside business hours?

Where? – What system? What source IP for remote connections?

Why does it matter? – Is this normal for this user? Does the pattern make sense?

Anomalies are where investigations start. Admin login at 3am from a new IP? That's worth digging into.

Quick Tips for Log Analysis

1. Know what normal looks like – You can't spot weird if you don't know baseline behavior.

2. Filter aggressively – Don't scroll through everything. Use time ranges, Event IDs, and user filters. If you're working in Splunk, these 15 SPL queries will handle most of the filtering you'll ever need.

3. Look for patterns – One failed login is nothing. Fifty failed logins in a minute is a brute force attempt.

4. Follow the timeline – Once you find something suspicious, work backwards and forwards from that point.

5. Don't panic – Most alerts are noise. Stay calm and investigate methodically.
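Two of the patterns described above, the burst of failed logins inside a minute and the admin login at 3am from a new IP, turned into detection logic over constructed Security-log records. This is an added example, not code from the original post or from EpicDetect; the one-event-per-line export format, the sample values, the business-hours window and the baseline IP set are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one event per line: "<ISO time> <EventID> key=value ...".
# Field names follow the Security log's own (TargetUserName, IpAddress, ...); values are invented.
SAMPLE_LOG = [
    f"2026-01-29T02:58:{i:02d} 4625 TargetUserName=svc_backup IpAddress=198.51.100.23 Status=0xC000006D"
    for i in range(55)  # 55 failures inside one minute from a single source
] + [
    "2026-01-29T03:01:10 4624 TargetUserName=admin IpAddress=203.0.113.7 LogonType=10",  # 3am, unseen IP
    "2026-01-29T09:15:00 4624 TargetUserName=jsmith IpAddress=10.0.0.15 LogonType=2",  # routine
    "2026-01-29T10:02:33 4625 TargetUserName=jsmith IpAddress=10.0.0.15 Status=0xC000006A",  # one typo
    "2026-01-29T14:00:00 4624 TargetUserName=admin IpAddress=10.0.0.5 LogonType=3",  # baseline host
]
ADMIN_BASELINE_IPS = {"10.0.0.5"}  # where the admin account is normally seen (constructed baseline)


def parse_events(lines):
    """Turn each export line into a dict with a datetime TimeCreated and an int EventID."""
    events = []
    for line in lines:
        ts, eid, *fields = line.split()
        ev = {"TimeCreated": datetime.fromisoformat(ts), "EventID": int(eid)}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events


def failed_logon_bursts(events, threshold=50, window=timedelta(minutes=1)):
    """Map source IP -> largest number of 4625s seen inside any `window`, for IPs at/over threshold."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            by_ip[ev["IpAddress"]].append(ev["TimeCreated"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits


def offhours_admin_logons(events, baseline_ips, admin_accounts=("admin",), hours=(8, 18)):
    """4624s for admin accounts outside business hours from an IP not in the baseline."""
    return [ev for ev in events
            if ev["EventID"] == 4624 and ev["TargetUserName"] in admin_accounts
            and not hours[0] <= ev["TimeCreated"].hour < hours[1]
            and ev["IpAddress"] not in baseline_ips]
```

Running `failed_logon_bursts(parse_events(SAMPLE_LOG))` reports the one source with 55 failures in a minute, while jsmith's single mistyped password stays below the threshold; `offhours_admin_logons` returns only the 3am admin login from the unseen IP.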

TL;DR – The Quick Version

Windows Event Logs record what happens on a system. Focus on the Security log. Learn key Event IDs: 4624/4625 for logins, 4688 for processes, 4720 for account creation. Ask who, what, when, where, and why. Look for anomalies that don't match normal patterns.

---

FAQs

Do I need to memorize all Event IDs?

Nope. Start with the basics (logins, processes, account changes) and look up others as needed. You'll naturally learn more over time.

Where can I practice log analysis?

Sample datasets like Boss of the SOC (BOTS), home labs with Windows VMs, or platforms like EpicDetect with built-in challenges.

What if I can't tell if something is suspicious?

Ask questions, document what you found, and escalate if unsure. That's literally what Tier 1 analysts do—nobody expects you to know everything.

---

Final thought: Log analysis isn't about reading every line—it's about knowing where to look and what questions to ask. Start small, build your intuition, and the rest follows. If you're mapping out the broader journey, this 90-day SOC analyst roadmap shows where log analysis fits into everything else you need to learn.

How EpicDetect Can Help

Want to learn log analysis the right way? EpicDetect's Atlas has structured learning paths that take you from basics to confident analyst. Work through interactive lessons covering Windows logs, SIEM queries, and investigation techniques. Start your free trial.
