Security.evtx

C:\Windows\System32\winevt\Logs\Security.evtx

If there is a holy grail of incident response, it is the Security event log. It answers the questions every investigation asks first: who logged on, who was denied, and who touched audited objects. Every significant security event on the machine flows through here, and attackers know it - clearing or tampering with this log is one of the first anti-forensics actions they take.

Log Channel: Security - written by the Windows Security Auditing provider (Microsoft-Windows-Security-Auditing), fed by the Local Security Authority (LSA)
Trace Type: Authentication, Privilege Use, Execution, Object Access
Req. Audit Policy: Yes. Most high-value IDs (4688, 4663, 4698) are silent by default; the matching Advanced Audit Policy subcategories (Process Creation, File System / Registry, Other Object Access Events) must be enabled via Group Policy or auditpol.exe, and 4688 only carries the command line if the separate "Include command line in process creation events" policy is also enabled.
User Specific: No. System-wide; records events for all accounts, including SYSTEM, service accounts and network logons.

General

The Security log is generated by the Local Security Authority (LSA) audit subsystem and stored by the Windows Event Log service in the binary EVTX format. By default only members of Administrators or the Event Log Readers group can read it. The log is only as useful as the audit policy behind it - on a default Windows install, many critical Event IDs are never written. Each record carries a UTC timestamp, the Event ID, the provider name and the process and thread that generated it, plus event-specific data fields stored as binary XML (the Name/value pairs shown under EventData when the record is exported). The maximum log size defaults to 20 MB, and once that ceiling is reached the oldest events are overwritten, which makes log forwarding to a collector or SIEM essential in any production environment.

Traces

The most forensically significant Event IDs in the Security log are:

Event ID  Description
1102  Audit log cleared. An attacker anti-forensics action - the presence of this event is itself an IOC, and the record still names the account (Subject) that performed the clearing.
4624  Successful logon. The Logon Type field is critical: Type 2 is interactive (console), Type 3 is network (SMB, WinRM, etc.), Type 4 is batch (scheduled task), Type 5 is a service startup, Type 7 is a workstation unlock, Type 9 is NewCredentials (runas /netonly), Type 10 is RemoteInteractive (RDP) and Type 11 is CachedInteractive (cached domain credentials). Also capture the IpAddress and WorkstationName fields for lateral-movement tracking.
4625  Failed logon. The primary indicator of brute-force and password-spray attacks. Decode the Sub Status code to tell the cases apart: 0xC0000064 means the user name does not exist, 0xC000006A means the account exists but the password is wrong, 0xC0000234 means the account is locked out, 0xC0000072 means it is disabled. Many distinct users from one source is a spray; many failures against one user is brute force.
4663  An attempt was made to access an object. Only written when Audit Object Access (File System or Registry subcategory) is enabled and the object itself carries a SACL; pair with 4656 (handle requested) for the requested access mask.
4672  Special privileges assigned to new logon. Fires when a logon is granted sensitive privileges such as SeDebugPrivilege or SeTcbPrivilege - a useful marker for privileged session tracking, but very noisy for SYSTEM and service accounts, so filter those out before hunting.
4688  Process creation. With Audit Process Creation enabled it records the new process, its parent and the creating account; the full command line is only included when the "Include command line in process creation events" policy is also on. With both enabled it is the single most valuable execution trace in the log.
4698 / 4702  Scheduled task created or updated (4699 deleted, 4700 enabled, 4701 disabled). A key persistence indicator - the event embeds the task XML, so the action and trigger are visible directly; correlate with Security Event 4688 to identify the creating process.
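To make the table above concrete, here is an added offline triage script (written for this page, not code from the original or from Microsoft) that runs the decoding and correlation described in the table over an XML export of the Security log. It assumes the record shape produced by `wevtutil qe Security /f:xml` (one `<Event>` element per record, data fields as `<Data Name='...'>` under `<EventData>`); the sample records embedded at the bottom are constructed for the demonstration, and the Sub Status table maps the NTSTATUS values listed in the table. Spray and brute-force thresholds are illustrative parameters, not Windows defaults.

```python
"""Offline triage of Security.evtx records exported as XML (wevtutil qe Security /f:xml)."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Default namespace that every <Event> element in the export declares.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# 4624/4625 LogonType values and their meaning.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# 4625 SubStatus (NTSTATUS) values that explain *why* a logon failed.
SUB_STATUS = {"0xc0000064": "user name does not exist", "0xc000006a": "wrong password",
              "0xc0000234": "account locked out", "0xc0000072": "account disabled",
              "0xc000006f": "outside logon hours", "0xc0000070": "workstation restriction",
              "0xc0000193": "account expired", "0xc0000071": "password expired"}


def parse_events(xml_text):
    """Turn concatenated <Event> elements into dicts: id, time, data{Name: value}."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # export has no single root
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({"id": int(system.findtext("e:EventID", namespaces=NS)),
                       "time": system.find("e:TimeCreated", NS).get("SystemTime"),
                       "data": data})
    return events


def successful_logons(events):
    """4624: who logged on, how (Logon Type decoded) and from where."""
    rows = []
    for ev in (e for e in events if e["id"] == 4624):
        d = ev["data"]
        lt = int(d.get("LogonType", "0"))
        rows.append((d.get("TargetUserName"), LOGON_TYPES.get(lt, f"type {lt}"), d.get("IpAddress", "-")))
    return rows


def failure_reasons(events):
    """4625: count of failures per decoded Sub Status (unknown codes are kept raw)."""
    return Counter(SUB_STATUS.get(e["data"].get("SubStatus", "").lower(), e["data"].get("SubStatus"))
                   for e in events if e["id"] == 4625)


def failed_logon_findings(events, spray_users=3, brute_attempts=3):
    """4625 grouped by source IP: many distinct users -> spray; one user, many tries -> brute force."""
    by_ip = defaultdict(Counter)
    for ev in (e for e in events if e["id"] == 4625):
        by_ip[ev["data"].get("IpAddress", "-")][ev["data"].get("TargetUserName")] += 1
    findings = []
    for ip, users in by_ip.items():
        if len(users) >= spray_users:
            findings.append(("password spray", ip, sorted(users)))
        for user, n in users.items():
            if n >= brute_attempts:
                findings.append(("brute force", ip, user))
    return findings


def log_cleared_by(events):
    """1102: the log was cleared; the record still names the account that did it."""
    return [e["data"].get("SubjectUserName") for e in events if e["id"] == 1102]


def process_creations(events):
    """4688: process and command line; None means the 'Include command line' policy was off."""
    return [(e["data"].get("NewProcessName"), e["data"].get("CommandLine") or None)
            for e in events if e["id"] == 4688]


def _event(event_id, when, **fields):
    """Build one minimal Security-channel record in wevtutil's XML shape (constructed test data)."""
    data = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in fields.items())
    return (f"<Event xmlns='{NS['e']}'><System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
            f"<EventID>{event_id}</EventID><TimeCreated SystemTime='{when}'/><Channel>Security</Channel>"
            f"</System><EventData>{data}</EventData></Event>")


# Constructed sample: one RDP logon, one service logon, a spray from 192.0.2.10,
# a brute force plus a non-existent account probe from 192.0.2.20, two 4688s, one 1102.
SAMPLE_XML = "".join([
    _event(4624, "2024-05-01T08:00:00Z", TargetUserName="alice", LogonType=10, IpAddress="10.0.0.5"),
    _event(4624, "2024-05-01T08:00:05Z", TargetUserName="svc_backup", LogonType=5, IpAddress="-"),
    *[_event(4625, f"2024-05-01T08:01:0{i}Z", TargetUserName=u, SubStatus="0xc000006a", IpAddress="192.0.2.10")
      for i, u in enumerate(["bob", "carol", "dave", "erin"])],
    *[_event(4625, f"2024-05-01T08:02:0{i}Z", TargetUserName="admin", SubStatus="0xc000006a", IpAddress="192.0.2.20")
      for i in range(3)],
    _event(4625, "2024-05-01T08:02:30Z", TargetUserName="ghost", SubStatus="0xc0000064", IpAddress="192.0.2.20"),
    _event(4688, "2024-05-01T08:03:00Z", NewProcessName=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c whoami"),
    _event(4688, "2024-05-01T08:03:01Z", NewProcessName=r"C:\Windows\System32\whoami.exe", CommandLine=""),
    _event(1102, "2024-05-01T08:04:00Z", SubjectUserName="alice"),
])

if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print("4624:", successful_logons(evs))
    print("4625 reasons:", dict(failure_reasons(evs)))
    print("4625 findings:", failed_logon_findings(evs))
    print("4688:", process_creations(evs))
    print("1102 cleared by:", log_cleared_by(evs))
```

To run this against a real host, export with `wevtutil qe Security /f:xml > security.xml` (or with evtx_dump on an offline Security.evtx, which emits the same element shape) and pass the file contents to `parse_events`. The 4688 rows with a `None` command line are the quickest way to confirm from the log alone that command-line auditing was not enabled when the events were written.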

Forensic Value

For more info, see these articles: System EventLogs