Event Log EVT Records
Overview
Evidence: Event Log EVT Records
Description: Collect most recent event log records
Category: EventLogs
Platform: windows
Short Name: evtr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows event logs (EVTX/EVT) capture system, security, and application events. This data is essential for detection and incident response.
Data Collected
This collector gathers structured records from Windows event logs (EVT/EVTX): the most recent events per channel, with their event data fields.
Collection Method
This collector loads an event configuration, locates the EVTX file for each configured channel, and parses recent events with filters, storing per-channel summaries together with the event data rows.
Forensic Value
This evidence is crucial for forensic investigations to reconstruct timelines, detect attacks, and analyze security-relevant events. Default Windows event collection profiles include critical Kerberos Key Distribution Center (KDC) events (Event ID 42), expanding detection visibility for authentication downgrade or anomaly scenarios that are often relevant in enterprise breaches.
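As an added illustration of the collection method described above (configuration, channel EVTX lookup, filtered recent-event parsing, summaries plus rows), the following PowerShell script is example code, not the collector's own implementation. The channel/ID configuration, the seven-day window, the 500-event cap, the assumption that KDC Event ID 42 is written to the System channel, and the choice of Security Kerberos events 4768/4769/4771 are all assumptions made for this example.

```powershell
# Example only (not the collector's code): a minimal event configuration listing
# the channels and event IDs to keep. Assumption: KDC Event ID 42 lives in 'System'.
$Config = @(
    @{ LogName = 'System';   Id = @(42); ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' }
    @{ LogName = 'Security'; Id = @(4768, 4769, 4771) }   # assumed Kerberos auth/ticket events
)
$Since         = (Get-Date).AddDays(-7)   # "recent" window, assumed
$MaxPerChannel = 500                      # per-channel cap, assumed

$Rows = foreach ($entry in $Config) {
    # Locate the channel's on-disk EVTX file (the file a collector would copy).
    $log = Get-WinEvent -ListLog $entry.LogName -ErrorAction SilentlyContinue
    if (-not $log) { continue }
    $evtxPath = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)

    # Build the filter: channel, event IDs, start time, optional provider.
    $filter = @{ LogName = $entry.LogName; Id = $entry.Id; StartTime = $Since }
    if ($entry.ProviderName) { $filter.ProviderName = $entry.ProviderName }

    # Parse recent matching events (newest first). "No events found" is not an error here.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxPerChannel -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Channel     = $_.LogName
                EvtxFile    = $evtxPath
                EventId     = $_.Id
                Provider    = $_.ProviderName
                Computer    = $_.MachineName
                Summary     = ($_.Message -split "`r?`n")[0]   # first message line only
            }
        }
}

# Summary (counts per channel and event ID) plus the row-level event data.
$Summary = $Rows | Group-Object Channel, EventId |
    Select-Object @{ n = 'Channel, EventId'; e = { $_.Name } }, Count
$Summary | Format-Table -AutoSize
$Rows | Export-Csv -Path "$env:TEMP\evtr_rows.csv" -NoTypeInformation
```

Reading the Security channel requires an elevated session, and the KDC provider only emits Event ID 42 on domain controllers, so an empty result on a workstation is expected rather than a parsing failure.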