Windows Event Records and How They Are Handled
Overview
AIR can collect Windows Event Log records and present them as structured, searchable evidence in the Investigation Hub. This page explains how event log records are collected, parsed, and stored for analysis.
What Gets Collected
Event log records are parsed from Windows EVTX/EVT channels using the event log configuration defined by the platform. The result is structured data (records) rather than raw log files.
If you need the raw EVTX files instead of parsed records, use the Event Log EVTX Files collector.
- Event Log EVT Records
- Event Log EVTX Files
How AIR Processes Event Log Records
- Loads event log configuration that defines which channels are in scope.
- Locates EVTX/EVT channel files on the asset.
- Parses recent events using filters to reduce noise and focus on relevant records.
- Normalizes the records into structured rows for analysis.
- Stores the results in the case database and sends them to the Investigation Hub.
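The scope, filter and normalize steps above, as an added example in Python that is not AIR's own code: it assumes event records are available in the standard Windows Event XML schema (the form EVTX records take internally and that `wevtutil qe /f:xml` emits), reads a channel scope configuration, drops records outside the scope or older than a cut-off, and flattens each record into one structured row. `SCOPE_CONFIG`, the sample records and the function names are constructed for illustration; the actual channels, filters and row layout AIR uses are not documented on this page.

```python
"""Added example: normalize Windows Event XML records into structured rows.
Illustrative code, not AIR's parser. Assumes the standard Event XML schema;
SCOPE_CONFIG and the sample records below are constructed for the example."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Hypothetical scope configuration: channel -> event IDs to keep
# (None keeps every event on that channel). Everything else is dropped.
SCOPE_CONFIG = {
    "Security": {4624, 4625, 4688, 1102},
    "System": None,
}

# Constructed sample records (not real telemetry). Five records: two in scope,
# one with an out-of-scope event ID, one too old, one on an unlisted channel.
SAMPLE_EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
<TimeCreated SystemTime="2024-05-01T10:15:00.1234567Z"/><EventRecordID>1001</EventRecordID>
<Channel>Security</Channel><Computer>WS01.example.local</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4672</EventID>
<TimeCreated SystemTime="2024-05-01T10:16:00.0000000Z"/><EventRecordID>1002</EventRecordID>
<Channel>Security</Channel><Computer>WS01.example.local</Computer></System>
<EventData><Data Name="SubjectUserName">SYSTEM</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
<TimeCreated SystemTime="2024-05-01T09:00:00Z"/><EventRecordID>2001</EventRecordID>
<Channel>System</Channel><Computer>WS01.example.local</Computer></System>
<EventData><Data Name="ServiceName">ExampleSvc</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
<TimeCreated SystemTime="2024-05-01T10:20:00Z"/><EventRecordID>2002</EventRecordID>
<Channel>System</Channel><Computer>WS01.example.local</Computer></System>
<EventData><Data Name="ServiceName">ExampleSvc</Data><Data Name="ImagePath">C:\\Example\\svc.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Application Error"/><EventID>1000</EventID>
<TimeCreated SystemTime="2024-05-01T10:21:00Z"/><EventRecordID>3001</EventRecordID>
<Channel>Application</Channel><Computer>WS01.example.local</Computer></System>
<EventData><Data>app.exe</Data></EventData>
</Event>
</Events>"""


def parse_system_time(value):
    """Parse a TimeCreated SystemTime value into an aware UTC datetime.
    Windows writes seven fractional digits (100 ns units); Python's
    fromisoformat accepts at most six, so the fraction is truncated."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def normalize(event):
    """Flatten one <Event> element into a single structured row."""
    system = event.find(EVT_NS + "System")
    data = {}
    for i, d in enumerate(event.iter(EVT_NS + "Data")):
        # Unnamed <Data> elements (older providers) get a positional key.
        data[d.get("Name") or f"Data{i}"] = d.text or ""
    return {
        "channel": system.findtext(EVT_NS + "Channel"),
        "event_id": int(system.findtext(EVT_NS + "EventID")),
        "record_id": int(system.findtext(EVT_NS + "EventRecordID")),
        "provider": system.find(EVT_NS + "Provider").get("Name"),
        "computer": system.findtext(EVT_NS + "Computer"),
        "time_created": parse_system_time(
            system.find(EVT_NS + "TimeCreated").get("SystemTime")),
        "data": data,
    }


def in_scope(row, config, since):
    """Apply the channel / event-ID scope and the recency cut-off."""
    if row["channel"] not in config:
        return False
    wanted_ids = config[row["channel"]]
    if wanted_ids is not None and row["event_id"] not in wanted_ids:
        return False
    return since is None or row["time_created"] >= since


def collect(xml_text, config=SCOPE_CONFIG, since=None):
    """Parse, filter and normalize records; returns rows ordered by time.
    `since` is an ISO 8601 timestamp string (Windows SystemTime form) or None."""
    cutoff = parse_system_time(since) if since else None
    root = ET.fromstring(xml_text)
    rows = [normalize(ev) for ev in root.iter(EVT_NS + "Event")]
    rows = [r for r in rows if in_scope(r, config, cutoff)]
    rows.sort(key=lambda r: (r["time_created"], r["record_id"]))
    return rows


if __name__ == "__main__":
    for row in collect(SAMPLE_EVENTS_XML, since="2024-05-01T10:00:00Z"):
        print(row["time_created"].isoformat(), row["channel"],
              row["event_id"], row["record_id"], row["data"])
```

With the cut-off at 10:00 UTC the sample yields two rows (Security record 1001 and System record 2002); the 4672 record is dropped by event ID, record 2001 by age, and the Application record by channel. Removing the cut-off brings record 2001 back, which is the kind of difference an investigator should expect when a recency filter is in play.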
Where Results Appear
Parsed event log records are available in the Investigation Hub under the Event Logs evidence category. This allows investigators to search, filter, and correlate records alongside other collected artifacts.
Why This Matters
Event log records provide system, security, and application signals that are critical for timelines, detection, and incident response. By parsing and normalizing these records, AIR makes them easier to analyze at scale.