Skip to content

Commit 8647582

Browse files
TonyPhippsTonyPhipps
committedNov 29, 2023
updates
1 parent 3b9b409 commit 8647582

File tree

2 files changed

+14
-26
lines changed

2 files changed

+14
-26
lines changed
 

‎Identification.md

+1-21
Original file line numberDiff line numberDiff line change
@@ -3,25 +3,5 @@
33
- What is the oldest event recorded? Is it at least as old as policy requires?
44
- Which Event IDs can be filtered out, having no value to the investigation?
55
- Hopefully you can come to investigate the event log with some key times/activities in mind to act as threads to pull. Focus on those areas of the timeline and spread out.
6-
7-
#### Security
8-
Note any of these Event IDs
9-
- 1102 events present (log cleared)
10-
11-
#### System
12-
Note any of these Event IDs
13-
```
14-
12,13,27,33,42,105,107,1074,7045
15-
```
16-
17-
- 12 (The operating system started at system time xxxx)
18-
- 13 (The operating system is shutting down at system time xxxx)
19-
- 27 (Network link is disconnected)
20-
- 33 (Network link has been established)
21-
- 41 (The system has rebooted without cleanly shutting down first)
22-
- 42 (The system is entering sleep.)
23-
- 105 (Power source change.) Could be a laptop plugging/unplugging power supply.
24-
- 107 (The system has resumed from sleep.)
25-
- 1074 (Power off intiated OR initiated the restart of computer)
26-
- 7045 (A service was installed in the system.)
6+
- Filter according to [Notable-Event-IDs](Notable-Event-IDs.md)
277

‎Notable-Event-IDs.md

+13-5
Original file line numberDiff line numberDiff line change
@@ -211,19 +211,27 @@ Quick-use filter-OUT string
211211
## System Events
212212
| EventID | Description | Filter |
213213
| :-----: | :---------------------------------------------------------------------------------------------- | ---------------------- |
214-
| 104 | Event Log was Cleared |
214+
| 12 | The operating system started at system time xxxx | |
215+
| 13 | The operating system is shutting down at system time xxxx | |
216+
| 27 | Network link is disconnected | !source=Kernel-Boot |
217+
| 33 | Network link has been established | !source=Kernel-Boot |
218+
| 41 | The system has rebooted without cleanly shutting down first | |
219+
| 42 | The system is entering sleep | |
220+
| 104 | Event Log was Cleared | |
221+
| 105 | Power source change | |
222+
| 107 | The system has resumed from sleep | |
215223
| 219 | Failed Kernel Driver Loading | Level 3 |
216-
| 1001 | System Crash |
224+
| 1001 | System Crash | |
217225
| 7022 | Service hung on starting | Level 0, 1, 2, 3, or 4 |
218226
| 7023 | Service terminated with error | Level 0, 1, 2, 3, or 4 |
219227
| 7024 | Service terminated with the following service-specific error | Level 0, 1, 2, 3, or 4 |
220228
| 7026 | The boot-start or system-start driver(s) [did not/failed to] load | Level 0, 1, 2, 3, or 4 |
221-
| 7030 | Service Creation Errors |
229+
| 7030 | Service Creation Errors | |
222230
| 7031 | Service terminated unexpectedly | Level 0, 1, 2, 3, or 4 |
223231
| 7032 | Service tried to take a corrective action (1) after the unexpected termination of the % service | Level 0, 1, 2, 3, or 4 |
224232
| 7034 | service terminated unexpectedly | Level 0, 1, 2, 3, or 4 |
225-
| 7035 | The [Service Name] service was successfully sent a [start/stop] control |
226-
| 7036 | The [Service Name] service entered the [Status] state |
233+
| 7035 | The [Service Name] service was successfully sent a [start/stop] control | |
234+
| 7036 | The [Service Name] service entered the [Status] state | |
227235
| 7040 | The service state has changed | Level 0, 1, 2, 3, or 4 |
228236
| 7045 | A service was installed in the system | Level 0, 1, 2, 3, or 4 |
229237

0 commit comments

Comments
 (0)
Please sign in to comment.