Privilege escalation indicators in authentication logs
Account created or added to privileged group unexpectedly
[01]
Event Classification & Initial Triage
You are a SOC analyst investigating Windows event log data.
Paste the raw event log entries below. Include all available events — do not summarise first.
Analyse the following:
1. Event classification
- What categories of events are present? (Authentication, Account Management, Process Activity, Persistence, Audit Changes, Object Access)
- What is the date/time range of the events?
- How many unique hosts and accounts are involved?
2. High-priority events — flag immediately if present:
- 1102 / 104: Log cleared (almost always malicious)
- 4697 / 7045: New service installed
- 4698: Scheduled task created
- 4719: Audit policy changed
- 4720 / 4728 / 4732: Account created or added to privileged group
- 4688: Process creation with LOLBin (mshta, regsvr32, rundll32, certutil, wmic, bitsadmin, psexec)
3. Authentication events
- For 4624: what logon types are present? (Type 2 = interactive, Type 3 = network, Type 10 = RDP)
- Are any high-privilege accounts (Domain Admins, service accounts) involved?
- Any accounts showing both failures (4625) and successes (4624)?
4. Initial risk assessment
- Is this a domain controller, server, or workstation? (Higher risk if DC)
- Are there any events requiring immediate escalation?
Output format:
EVENT SUMMARY
- Date Range: [...]
- Unique Hosts: [list]
- Unique Accounts: [list]
- Event Categories: [list]
- High-Priority Events Found: Yes / No — [IDs if yes]
INITIAL RISK
- Level: Critical / High / Medium / Low
- Reason: [one paragraph]
- Immediate Action Required: Yes / No
Only analyse what is present in the provided logs.
Do not assume or invent context not visible in the data.
[PASTE WINDOWS EVENT LOG DATA HERE]
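As an added example (this code is not from the SOC.Workflows page or its analyser), here are the Step 1 checks written as a small Python classifier: it buckets constructed sample events into the six categories by event ID, flags the high-priority IDs and any 4688 whose image is a listed LOLBin, labels 4624 logon types, and returns the EVENT SUMMARY fields. The event dict field names (event_id, time, host, account, logon_type, process, source_ip) are this example's own assumption rather than any SIEM schema, and the sample events are constructed, not real telemetry.

```python
"""Added example, not part of the SOC.Workflows page: a minimal event-ID
classifier implementing the Step 1 triage checks over constructed events.
Field names are this example's assumptions, not a real SIEM schema."""
from collections import Counter
from datetime import datetime

# Event ID -> category, following the six categories named in the Step 1 prompt.
CATEGORY = {
    4624: "Authentication", 4625: "Authentication", 4648: "Authentication",
    4672: "Authentication", 4740: "Account Management", 4720: "Account Management",
    4728: "Account Management", 4732: "Account Management",
    4688: "Process Activity",
    4697: "Persistence", 7045: "Persistence", 4698: "Persistence", 4702: "Persistence",
    4719: "Audit Changes", 1102: "Audit Changes", 104: "Audit Changes",
    4663: "Object Access",
}

# High-priority IDs from the prompt, with the reason each is flagged.
HIGH_PRIORITY = {
    1102: "Log cleared", 104: "Log cleared",
    4697: "New service installed", 7045: "New service installed",
    4698: "Scheduled task created",
    4719: "Audit policy changed",
    4720: "Account created", 4728: "Added to privileged group", 4732: "Added to privileged group",
}

LOLBINS = {"mshta", "regsvr32", "rundll32", "certutil", "wmic", "bitsadmin", "psexec"}
LOGON_TYPE = {2: "interactive", 3: "network", 10: "RDP"}


def is_lolbin(process):
    """True if the image name of a process path (any directory, .exe optional) is a listed LOLBin."""
    name = process.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return (name[:-4] if name.endswith(".exe") else name) in LOLBINS


def triage(events):
    """Return the EVENT SUMMARY fields of the Step 1 output format as a dict."""
    categories = Counter(CATEGORY.get(e["event_id"], "Other") for e in events)
    times = sorted(e["time"] for e in events)
    flagged = []
    for e in events:
        eid = e["event_id"]
        if eid in HIGH_PRIORITY:
            flagged.append((eid, HIGH_PRIORITY[eid], e["host"], e.get("account")))
        elif eid == 4688 and is_lolbin(e.get("process", "")):
            flagged.append((eid, "LOLBin process creation", e["host"], e.get("account")))
    logon_types = Counter(LOGON_TYPE.get(e.get("logon_type"), "other")
                          for e in events if e["event_id"] == 4624)
    return {
        "date_range": (times[0], times[-1]) if times else None,
        "unique_hosts": sorted({e["host"] for e in events}),
        "unique_accounts": sorted({e["account"] for e in events if e.get("account")}),
        "event_categories": dict(categories),
        "logon_types": dict(logon_types),
        "high_priority": flagged,
        "immediate_action": bool(flagged),
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4625, "time": datetime(2024, 1, 14, 22, 11), "host": "DC01",
     "account": "jsmith", "source_ip": "10.0.0.55"},
    {"event_id": 4624, "time": datetime(2024, 1, 14, 22, 14), "host": "WORKSTATION-042",
     "account": "jsmith", "logon_type": 3},
    {"event_id": 4672, "time": datetime(2024, 1, 14, 22, 14), "host": "WORKSTATION-042",
     "account": "jsmith"},
    {"event_id": 4688, "time": datetime(2024, 1, 14, 22, 16), "host": "WORKSTATION-042",
     "account": "jsmith", "process": r"C:\Windows\System32\rundll32.exe"},
    {"event_id": 7045, "time": datetime(2024, 1, 14, 22, 20), "host": "WORKSTATION-042",
     "account": "jsmith", "service": "SvcHostUpdate"},
    {"event_id": 4624, "time": datetime(2024, 1, 14, 22, 38), "host": "DC01",
     "account": "svc_backup", "logon_type": 2},
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The classifier treats an unknown event ID as "Other" rather than guessing, and sets Immediate Action Required only when a high-priority ID or LOLBin 4688 is actually present, matching the prompt's instruction to analyse only what is in the logs.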
[02]
Pattern & Correlation Analysis
Based on the Windows event logs from Step 1, perform correlation and pattern analysis.
1. Authentication attack patterns
- Brute force: count 4625 failures per target user — flag if >5 against the same account
- Password spray: count unique users targeted from a single source — flag if one source targets 3+ accounts
- Account lockouts: flag all 4740 events and the accounts affected
- Success after failure: identify any 4624 logon success that follows a burst of 4625 failures for the same user — this is the highest-confidence indicator
2. Lateral movement indicators (correlate within 5-minute windows on the same host)
- 4624 Type 3 or Type 10 (network/RDP logon) → 4672 (special privileges) → suspicious 4688 process
- 4648 (explicit credentials) combined with remote logon or service creation
- New processes spawned within minutes of a remote logon — especially LOLBins
3. Persistence indicators
- 4697 / 7045: what is the service binary path? Is it a known location or a temp/user directory?
- 4698 / 4702: what does the scheduled task action execute? Who created it?
- 4720 / 4728 / 4732: new accounts or group additions — who performed the change?
4. Defence evasion
- 1102 / 104: when was the log cleared? By which user? What events preceded it?
- 4719: which audit policy categories were changed? Does this reduce logging fidelity?
Output format:
AUTHENTICATION ANALYSIS
- Brute Force: [user, failure count, source IP]
- Password Spray: [source, unique user count, total failures]
- Success After Failure: [user, failure count, then success timestamp — HIGH PRIORITY]
- Lockouts: [account, count]
CORRELATION CHAINS
| Pattern | Events | Host | Timeframe | Confidence |
PERSISTENCE
| Type | Event ID | Detail | Binary/Action | Creating User |
DEFENCE EVASION
[Event, timestamp, user, what changed]
Base your analysis entirely on the provided log data.
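The Step 2 correlation rules, as an added Python example that is not part of the SOC.Workflows page or its analyser: brute force (more than 5 failures per account), password spray (one source against 3 or more accounts), lockouts, success-after-failure, and the 5-minute same-host chain of remote logon, 4672 and a LOLBin 4688. The thresholds come from the prompt; what counts as a "burst" before a success is this example's assumption (at least the brute-force threshold since the last success), as are the event field names and the constructed sample events.

```python
"""Added example, not part of the SOC.Workflows page: the Step 2 correlation
rules (brute force, password spray, lockouts, success-after-failure and the
5-minute lateral-movement chain) run over constructed sample events.
Field names are this example's assumptions, not a real SIEM schema."""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_MIN = 6            # prompt: flag if >5 failures against one account
SPRAY_MIN_USERS = 3            # prompt: one source targeting 3+ accounts
CHAIN_WINDOW = timedelta(minutes=5)
LOLBINS = {"mshta", "regsvr32", "rundll32", "certutil", "wmic", "bitsadmin", "psexec"}


def image_name(path):
    """Lower-case image name without directory or .exe suffix."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def authentication_findings(events):
    """Brute force, password spray, lockouts and success-after-failure,
    using the thresholds from the Step 2 prompt."""
    fails_since_success = defaultdict(int)   # user -> 4625 count since last 4624
    all_fails = defaultdict(list)            # user -> [source_ip, ...]
    fails_by_source = defaultdict(list)      # source_ip -> [user, ...]
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        eid, user = e["event_id"], e.get("account")
        if eid == 4625:
            fails_since_success[user] += 1
            all_fails[user].append(e.get("source_ip"))
            fails_by_source[e.get("source_ip")].append(user)
        elif eid == 4740:
            findings.append({"type": "lockout", "account": user, "host": e["host"]})
        elif eid == 4624:
            # Assumption: a "burst" is at least BRUTE_FORCE_MIN failures since the last success.
            if fails_since_success[user] >= BRUTE_FORCE_MIN:
                findings.append({"type": "success_after_failure", "account": user,
                                 "failures": fails_since_success[user],
                                 "success_time": e["time"], "priority": "HIGH"})
            fails_since_success[user] = 0
    for user, sources in all_fails.items():
        if len(sources) >= BRUTE_FORCE_MIN:
            findings.append({"type": "brute_force", "account": user, "failures": len(sources),
                             "sources": sorted({s for s in sources if s})})
    for source, users in fails_by_source.items():
        if len(set(users)) >= SPRAY_MIN_USERS:
            findings.append({"type": "password_spray", "source": source,
                             "unique_users": len(set(users)), "failures": len(users)})
    return findings


def lateral_movement_chains(events):
    """4624 Type 3/10 -> 4672 -> LOLBin 4688 for the same account on the same
    host, all within CHAIN_WINDOW of the logon."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    chains = []
    for host, evs in by_host.items():
        evs.sort(key=lambda ev: ev["time"])
        for i, logon in enumerate(evs):
            if logon["event_id"] != 4624 or logon.get("logon_type") not in (3, 10):
                continue
            window = [x for x in evs[i + 1:]
                      if x["time"] - logon["time"] <= CHAIN_WINDOW
                      and x.get("account") == logon["account"]]
            privileged = any(x["event_id"] == 4672 for x in window)
            lolbins = [image_name(x["process"]) for x in window
                       if x["event_id"] == 4688 and image_name(x.get("process", "")) in LOLBINS]
            if privileged and lolbins:
                chains.append({"pattern": "remote logon -> 4672 -> LOLBin", "host": host,
                               "account": logon["account"], "events": [4624, 4672, 4688],
                               "process": lolbins[0], "start": logon["time"],
                               "end": max(x["time"] for x in window), "confidence": "High"})
    return chains


def at(hour, minute):
    return datetime(2024, 1, 14, hour, minute)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = (
    [{"event_id": 4625, "time": at(22, 11), "host": "DC01", "account": "jsmith",
      "source_ip": "10.0.0.55"} for _ in range(7)]
    + [{"event_id": 4624, "time": at(22, 14), "host": "WORKSTATION-042", "account": "jsmith",
        "logon_type": 3},
       {"event_id": 4672, "time": at(22, 14), "host": "WORKSTATION-042", "account": "jsmith"},
       {"event_id": 4688, "time": at(22, 16), "host": "WORKSTATION-042", "account": "jsmith",
        "process": r"C:\Users\jsmith\AppData\Local\Temp\psexec.exe"},
       {"event_id": 4740, "time": at(22, 30), "host": "DC01", "account": "administrator"}]
    + [{"event_id": 4625, "time": at(22, 31), "host": "DC01", "account": user,
        "source_ip": "10.0.0.77"} for user in ("alice", "bob", "carol")]
)

if __name__ == "__main__":
    for finding in authentication_findings(SAMPLE_EVENTS) + lateral_movement_chains(SAMPLE_EVENTS):
        print(finding)
```

A chain is only reported when all three links are present for the same account, which is why it carries High confidence in the CORRELATION CHAINS table; a remote logon followed by 4672 alone is ordinary administrator behaviour and is deliberately not flagged here.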
[03]
MITRE Mapping & Threat Hunting
Based on the Windows event patterns identified, perform MITRE ATT&CK mapping and generate threat hunting queries.
1. MITRE ATT&CK mapping — use the most specific sub-technique available:
- Authentication failures → T1110 (Brute Force), T1110.003 (Password Spraying)
- Success after failures → T1110 + note credential compromise
- Explicit credential use → T1550.002 (Pass the Hash) if remote, T1078 (Valid Accounts) if local admin
- New service installed → T1543.003 (Windows Service)
- Scheduled task created → T1053.005 (Scheduled Task/Job)
- Log cleared → T1070.001 (Clear Windows Event Logs)
- Audit policy changed → T1562.002 (Disable Windows Event Logging)
- Account created → T1136.001 (Local Account)
- Group membership change → T1098 (Account Manipulation)
- LOLBin execution: mshta=T1218.005, regsvr32=T1218.010, rundll32=T1218.011, powershell=T1059.001, wmic=T1047, bitsadmin=T1197, certutil-download=T1105, certutil-decode=T1140
- RDP lateral movement → T1021.001
2. Threat hunting queries
Write 3 targeted SIEM queries based on the specific findings.
For each query state the purpose, then write the logic.
If the SIEM platform is unknown, use generic field names with [field_name] placeholders.
Focus on: expanding to other hosts, finding the full attack chain, identifying additional victims.
3. Coverage gaps
- What log sources are missing that would increase confidence?
- What additional Windows audit policies should be enabled?
- What EDR telemetry would confirm or rule out the attack scenarios?
Output format:
MITRE ATT&CK MAPPING
| Tactic | Technique ID | Technique Name | Sub-Technique | Confidence | Evidence |
THREAT HUNTING QUERIES
1. Purpose: [what this finds]
Query: [logic]
2. Purpose: [what this finds]
Query: [logic]
3. Purpose: [what this finds]
Query: [logic]
COVERAGE GAPS
[List missing sources and recommended policy changes]
Only map techniques supported by actual evidence in the log data.
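The Step 3 mapping as an added Python example (not code from the SOC.Workflows page or its analyser): each finding is assigned the most specific (sub-)technique from the list above, chosen from the evidence rather than the event ID alone. Spray versus brute force picks T1110.003 versus T1110, explicit credential use picks T1550.002 or T1078 by whether the target was remote, and certutil is mapped to T1105 or T1140 by its command-line switch (the switch test is this example's assumption) and left unmapped when neither is present. The psexec mapping to T1569.002 follows the page's example output. Finding dicts, their field names and the sample findings are constructed for this example.

```python
"""Added example, not part of the SOC.Workflows page: assigns each finding the
most specific ATT&CK (sub-)technique from the Step 3 list, deciding by evidence
(LOLBin name and switches, local vs remote explicit credential use, spray vs
brute force) rather than by event ID alone.  Finding field names are this
example's assumptions."""

# Technique ID -> (tactic, technique name, sub-technique name).  Techniques that
# ATT&CK lists under several tactics are shown under one tactic here.
TECHNIQUES = {
    "T1110": ("Credential Access", "Brute Force", None),
    "T1110.003": ("Credential Access", "Brute Force", "Password Spraying"),
    "T1550.002": ("Lateral Movement", "Use Alternate Authentication Material", "Pass the Hash"),
    "T1078": ("Defense Evasion", "Valid Accounts", None),
    "T1543.003": ("Persistence", "Create or Modify System Process", "Windows Service"),
    "T1053.005": ("Persistence", "Scheduled Task/Job", "Scheduled Task"),
    "T1070.001": ("Defense Evasion", "Indicator Removal", "Clear Windows Event Logs"),
    "T1562.002": ("Defense Evasion", "Impair Defenses", "Disable Windows Event Logging"),
    "T1136.001": ("Persistence", "Create Account", "Local Account"),
    "T1098": ("Persistence", "Account Manipulation", None),
    "T1218.005": ("Defense Evasion", "System Binary Proxy Execution", "Mshta"),
    "T1218.010": ("Defense Evasion", "System Binary Proxy Execution", "Regsvr32"),
    "T1218.011": ("Defense Evasion", "System Binary Proxy Execution", "Rundll32"),
    "T1059.001": ("Execution", "Command and Scripting Interpreter", "PowerShell"),
    "T1047": ("Execution", "Windows Management Instrumentation", None),
    "T1197": ("Defense Evasion", "BITS Jobs", None),
    "T1105": ("Command and Control", "Ingress Tool Transfer", None),
    "T1140": ("Defense Evasion", "Deobfuscate/Decode Files or Information", None),
    "T1021.001": ("Lateral Movement", "Remote Services", "Remote Desktop Protocol"),
    "T1569.002": ("Execution", "System Services", "Service Execution"),
}
LOLBIN_TECHNIQUE = {"mshta": "T1218.005", "regsvr32": "T1218.010", "rundll32": "T1218.011",
                    "powershell": "T1059.001", "wmic": "T1047", "bitsadmin": "T1197",
                    "psexec": "T1569.002"}   # psexec mapping as in the page's example output
# Finding types that map straight to one technique.
DIRECT = {"service_installed": "T1543.003", "scheduled_task": "T1053.005",
          "log_cleared": "T1070.001", "audit_policy_changed": "T1562.002",
          "account_created": "T1136.001", "group_change": "T1098", "rdp_lateral": "T1021.001"}
CONF_RANK = {"Low": 0, "Medium": 1, "High": 2}


def map_finding(f):
    """Return (technique_id, confidence, evidence) for one finding, or None
    when the evidence does not support a specific technique."""
    kind = f["type"]
    if kind == "password_spray":
        return "T1110.003", "High", f"{f['unique_users']} accounts targeted from {f['source']}"
    if kind == "success_after_failure":
        return "T1110", "High", f"{f['failures']} failures then success for {f['account']} (credential compromise)"
    if kind == "brute_force":
        return "T1110", "Medium", f"{f['failures']} failures against {f['account']}"
    if kind == "explicit_credentials":
        # Step 3 rule: pass-the-hash if the target is remote, valid accounts if local admin.
        return ("T1550.002" if f.get("remote") else "T1078"), "Medium", f"4648 by {f['account']}"
    if kind == "lolbin":
        name, cmd = f["process"].lower(), f.get("command_line", "").lower()
        if name == "certutil":
            # Assumption: "-decode" marks decoding, "-urlcache" marks a download;
            # certutil with neither switch gets no mapping (no evidence of misuse).
            tid = "T1140" if "-decode" in cmd else "T1105" if "-urlcache" in cmd else None
        else:
            tid = LOLBIN_TECHNIQUE.get(name)
        return (tid, "Medium", f"4688 {name} {cmd}".strip()) if tid else None
    tid = DIRECT.get(kind)
    return (tid, "High", f.get("detail", kind)) if tid else None


def build_mapping(findings):
    """Rows for the MITRE ATT&CK MAPPING table, one per technique, keeping the
    highest-confidence evidence when several findings map to the same ID."""
    best = {}
    for f in findings:
        mapped = map_finding(f)
        if mapped is None:
            continue
        tid, conf, evidence = mapped
        if tid not in best or CONF_RANK[conf] > CONF_RANK[best[tid][0]]:
            best[tid] = (conf, evidence)
    rows = []
    for tid in sorted(best):
        tactic, name, sub = TECHNIQUES[tid]
        conf, evidence = best[tid]
        rows.append((tactic, tid, name, sub or "-", conf, evidence))
    return rows


# Constructed findings mirroring the page's example scenario (not real data).
SAMPLE_FINDINGS = [
    {"type": "brute_force", "account": "jsmith", "failures": 23},
    {"type": "success_after_failure", "account": "jsmith", "failures": 23},
    {"type": "password_spray", "source": "10.0.0.77", "unique_users": 3},
    {"type": "lolbin", "process": "certutil", "command_line": "certutil -decode in.b64 out.bin"},
    {"type": "lolbin", "process": "psexec"},
    {"type": "explicit_credentials", "account": "jsmith", "remote": True},
    {"type": "service_installed", "detail": "SvcHostUpdate"},
    {"type": "log_cleared", "detail": "1102 cleared by jsmith"},
]

if __name__ == "__main__":
    print("| Tactic | Technique ID | Technique Name | Sub-Technique | Confidence | Evidence |")
    for row in build_mapping(SAMPLE_FINDINGS):
        print("| " + " | ".join(row) + " |")
```

Returning None for evidence that does not support a technique (an unlisted binary, certutil with no telling switch) is what keeps the table honest with the prompt's closing rule that only evidenced techniques are mapped.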
[04]
SOC Ticket Summary
Write a professional SOC ticket summary for this Windows event log investigation.
Include:
- What the events indicate (one paragraph — describe the attack scenario, not a list of event IDs)
- Whether this is a true positive, false positive, or needs investigation, and the key evidence supporting that conclusion
- Who owns the next action and what the deadline is
- Whether immediate containment is required
Length: 3–5 sentences per section.
Format: suitable for pasting into a SIEM ticket, JIRA, or incident management system.
Severity: Critical / High / Medium / Low / Informational
Disposition: True Positive / False Positive / Needs Investigation
MITRE ATT&CK SUMMARY
| Tactic | Technique ID | Technique Name | Confidence |
AFFECTED ASSETS
| Host | User Account | Risk Level | Containment Status |
IOCS
| IOC Type | Value | Context |
TIMELINE
[Key events in chronological order — format: TIMESTAMP — Event ID — Description]
CONTAINMENT STATUS
- Host Isolated: Yes / No / Pending / N/A
- Credentials Reset: Yes / No / Pending / N/A
- Persistence Removed: Yes / No / Pending / N/A
- Incident Escalated: Yes / No / Pending / N/A
If no IOCs are identified, state: "No IOCs identified in the provided data."
If timestamps are insufficient for a timeline, state: "Insufficient timestamp data for timeline reconstruction."
Do not invent data not present in the logs.
Example Output
Here's what you can expect after running the analyser on a suspicious event log:
WINDOWS EVENT LOG TRIAGE NOTE
==============================
Generated: Sun, 15 Jan 2024 10:45:00 UTC
VERDICT: High Risk
RISK SCORE: 85
EVENTS: 47 parsed across 2 host(s)
DATE RANGE: Sun, 14 Jan 2024 22:11:00 UTC → Sun, 14 Jan 2024 22:38:00 UTC
FINDINGS (4):
[CRITICAL / CORRELATED] Brute Force — Credential Compromise Confirmed
23 failed logon attempts against account "jsmith" — followed by a
successful logon. Credential compromise is likely.
MITRE: T1110 — Brute Force (Credential Access)
[CRITICAL / CORRELATED] Lateral Movement Chain on WORKSTATION-042
Remote logon (4624 Type 3) → privileged session (4672) → suspicious
process (psexec.exe) within a 5-minute window.
MITRE: T1021 — Remote Services (Lateral Movement)
[HIGH] Service Installed: SvcHostUpdate
A new service was installed — verify against known deployments.
Binary: C:\Users\jsmith\AppData\Local\Temp\svcupd.exe
MITRE: T1543.003 — Windows Service (Persistence)
[HIGH] Brute Force Attack Detected
18 failed logon attempts against account "administrator" — active
brute force pattern.
MITRE: T1110 — Brute Force (Credential Access)
MITRE ATT&CK:
T1110 — Brute Force (Credential Access)
T1021 — Remote Services (Lateral Movement)
T1543.003 — Windows Service (Persistence)
T1569.002 — Service Execution (Execution)
RECOMMENDED NEXT STEPS:
1. Isolate WORKSTATION-042 before resetting credentials to cut off
active lateral movement
2. Force password reset for jsmith — confirmed compromise
3. Disable service SvcHostUpdate and submit binary hash to threat intel
4. Review SMB/RDP connections from WORKSTATION-042 to enumerate scope
Triaged via SOC.Workflows — socworkflows.com/wel