Richard Vincent
SOC Investigation

Windows Security Log Investigation

Public-facing SOC case study documenting a Windows Security log investigation focused on failed logons, successful authentication, privileged logon events, account activity, MITRE ATT&CK mapping, analyst notes, and security recommendations using Event Viewer.

Scenario / Alert Summary

Multiple authentication-related Windows Security events were reviewed to identify suspicious login behavior. The investigation focused on whether repeated failed logon attempts, successful logons after failures, or privileged account activity suggested brute-force attempts, compromised credentials, or unauthorized access.

Objective

The objective was to determine whether observed authentication events represented normal user activity or suspicious behavior requiring escalation, containment, or additional monitoring.

Tools Used

  • Windows Event Viewer
  • Windows Security Logs
  • Authentication and account activity Event IDs
  • Filtered log review and event correlation

Key Event IDs Reviewed

  • 4624 — Successful logon
  • 4625 — Failed logon
  • 4634 — Logoff
  • 4672 — Special privileges assigned
  • 4720 — User account created

Investigation Timeline

  • 09:10 - Security logs reviewed in Event Viewer.
  • 09:14 - Failed logon events identified.
  • 09:20 - Source account and host context reviewed.
  • 09:26 - Authentication Event IDs correlated.
  • 09:35 - Findings and recommendations documented.

Findings

  • Repeated failed logon attempts were observed in the Windows Security log.
  • Successful authentication occurred after multiple failed attempts.
  • Privileged logon events were reviewed for legitimacy.
  • Account activity required validation against expected user behavior.
  • Event timing suggested possible suspicious authentication behavior.

Analyst Notes

Repeated failed logons may indicate password guessing, brute-force activity, credential stuffing, or user error. A successful logon following repeated failures increases the importance of validating the account owner, source system, logon type, and time of access.

MITRE ATT&CK Mapping

  • T1110 - Brute Force: repeated failed authentication attempts may indicate password guessing or brute-force behavior.
  • T1078 - Valid Accounts: successful logon after suspicious failures may indicate misuse of valid credentials.
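The correlation described in the Findings, Analyst Notes and MITRE ATT&CK mapping above (a run of Event ID 4625 failures followed by a 4624 success for the same account, then a check for a matching 4672) can be reproduced as a script over events exported from Event Viewer. The example below is added here and is not part of the original case study; the event records, account names, IP addresses and Logon IDs are constructed sample data, and the threshold of five failures in a ten-minute window is an assumed tuning value, not one the case study states.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real log data. Each dict carries the fields an
# analyst reads off a Security event in Event Viewer (Event ID, Account Name,
# Source Network Address, Logon Type, Logon ID). Timestamps are local time.
SAMPLE_EVENTS = [
    # jsmith: five failed logons within a minute, then a success, then a 4672
    {"time": "2024-05-01 09:01:05", "event_id": 4625, "account": "jsmith",
     "source_ip": "10.0.0.25", "logon_type": 3, "logon_id": None},
    {"time": "2024-05-01 09:01:09", "event_id": 4625, "account": "jsmith",
     "source_ip": "10.0.0.25", "logon_type": 3, "logon_id": None},
    {"time": "2024-05-01 09:01:14", "event_id": 4625, "account": "jsmith",
     "source_ip": "10.0.0.25", "logon_type": 3, "logon_id": None},
    {"time": "2024-05-01 09:01:20", "event_id": 4625, "account": "jsmith",
     "source_ip": "10.0.0.25", "logon_type": 3, "logon_id": None},
    {"time": "2024-05-01 09:01:27", "event_id": 4625, "account": "jsmith",
     "source_ip": "10.0.0.25", "logon_type": 3, "logon_id": None},
    {"time": "2024-05-01 09:02:02", "event_id": 4624, "account": "jsmith",
     "source_ip": "10.0.0.25", "logon_type": 3, "logon_id": "0x3E7A1"},
    {"time": "2024-05-01 09:02:02", "event_id": 4672, "account": "jsmith",
     "source_ip": None, "logon_type": None, "logon_id": "0x3E7A1"},
    # mjones: a single mistyped password, then a normal interactive logon
    {"time": "2024-05-01 09:05:00", "event_id": 4625, "account": "mjones",
     "source_ip": "10.0.0.40", "logon_type": 2, "logon_id": None},
    {"time": "2024-05-01 09:05:30", "event_id": 4624, "account": "mjones",
     "source_ip": "10.0.0.40", "logon_type": 2, "logon_id": "0x41C22"},
    {"time": "2024-05-01 09:40:11", "event_id": 4634, "account": "jsmith",
     "source_ip": None, "logon_type": 3, "logon_id": "0x3E7A1"},
]

# Logon Type values as documented for Event IDs 4624/4625.
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock",
               10: "RemoteInteractive (RDP)", 11: "CachedInteractive"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def privileged_logon_ids(events):
    """Logon IDs that received special privileges (4672). Windows ties a 4672
    to its 4624 through the shared Logon ID, which is how a privileged logon
    is confirmed when reading the two events side by side in Event Viewer."""
    return {e["logon_id"] for e in events if e["event_id"] == 4672}


def find_failure_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each 4624 that follows at least `threshold` 4625 events for the same
    account within `window`. Each finding carries the context the analyst notes
    say to validate: source system, logon type, time of access and privilege."""
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    privileged = privileged_logon_ids(ordered)
    failures = defaultdict(list)  # account -> timestamps of recent 4625s
    findings = []
    for e in ordered:
        t, acct = parse_time(e["time"]), e["account"]
        if e["event_id"] == 4625:
            failures[acct].append(t)
        elif e["event_id"] == 4624:
            recent = [f for f in failures[acct] if t - f <= window]
            if len(recent) >= threshold:
                findings.append({
                    "account": acct,
                    "failures": len(recent),
                    "first_failure": recent[0].strftime("%H:%M:%S"),
                    "success_time": e["time"],
                    "source_ip": e["source_ip"],
                    "logon_type": LOGON_TYPES.get(e["logon_type"], str(e["logon_type"])),
                    "privileged": e["logon_id"] in privileged,
                    "techniques": ["T1110 Brute Force", "T1078 Valid Accounts"],
                })
            failures[acct].clear()  # a successful logon closes the failure streak
    return findings


if __name__ == "__main__":
    for finding in find_failure_then_success(SAMPLE_EVENTS):
        print(finding)
```

Run as written, the script flags only jsmith: five network logon failures from 10.0.0.25 followed by a success that also received special privileges, while mjones's single failure before an interactive logon stays below the threshold and reads as user error. Lowering `threshold` trades fewer missed cases for more noise, which is the same judgement an analyst makes when choosing how tightly to filter in Event Viewer.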

Final Verdict

Suspicious Authentication Activity Identified

The log review showed authentication patterns that may indicate unauthorized login attempts or misuse of valid credentials. The evidence did not confirm full compromise by itself, but the behavior warranted additional review and monitoring.

Recommendations

  • Review affected user account activity for legitimacy.
  • Enable MFA where possible.
  • Monitor repeated failed logon attempts.
  • Review or enforce account lockout policy.
  • Validate privileged account usage.
  • Preserve and export relevant logs for follow-up investigation.

Evidence Screenshots to Add

Add screenshots when available. The page is ready for these evidence files.

  • Filtered Windows Security log showing Event ID 4625
  • Event ID 4624 successful logon details
  • Event ID 4672 privileged logon details
  • Filtered Event Viewer authentication results