Eliminating the noise: How to create surgical custom filters in Windows Event Viewer.
A standard Windows server can generate thousands of log entries per hour. For a security analyst, 99% of this is "noise"—background system chatter that obscures actual threats. To be a Security+ Guru, you must know how to use Custom Views to create a "Security Dashboard" that only shows the smoking guns.
1. Creating a Custom View
Instead of clicking through "Security" or "System" every time, you can create a persistent filter that pulls from all logs simultaneously.
- Open `eventvwr.msc` and right-click Custom Views > Create Custom View...
- Logged: Select "Last 24 Hours" (to keep the view fast).
- Event Level: Check Critical, Warning, and Error.
- By Log: Select Windows Logs > Security.
2. The "Must-Have" Security Filters
When the exam or a real-world incident asks you to investigate an account lockout or a potential breach, use these specific **Event ID** filters:
| View Name | Event IDs to Filter | Why it matters |
|---|---|---|
| Auth Failures | 4625 | Detects Brute Force and Password Spraying. |
| Privilege Escalation | 4672, 4720, 4732 | Detects when a user is given Admin rights or a new Admin is created. |
| Clearing Logs | 1102 | Detects when an attacker tries to "wipe their tracks" by clearing logs. |
| Object Access | 4663 | Detects when someone tries to open a file they don't have permission for. |
3. Going "Pro" with XML Queries
Sometimes the standard checkboxes aren't enough. In the "XML" tab of the filter window, you can write powerful XPath queries against the event's fields. For example, to find every Security event whose TargetUserName is a specific account (e.g., 'Administrator'):
```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='TargetUserName']='Administrator']]</Select>
  </Query>
</QueryList>
```
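To see what the table's Event ID views and the TargetUserName query actually select, here is an added Python example (not code from the original article) that replays both filters offline over events saved in the Windows Event XML schema, the format Event Viewer writes with "Save All Events As..." or `wevtutil qe Security /f:xml`. The sample events, account names and IP addresses are constructed for the demo; the `VIEWS` table, the `classify_logon_failures` thresholds and all function names are this example's own choices, not anything Event Viewer provides. It goes one step past the article by splitting the 4625 view into the two patterns the table mentions: brute force (one account hit many times) and password spraying (one source trying many accounts).

```python
"""Replay the 'Security Dashboard' filters against exported Security events."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Default namespace used by every Windows event record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Same Event IDs as the article's table (names are this example's own).
VIEWS = {
    "Auth Failures": {4625},
    "Privilege Escalation": {4672, 4720, 4732},
    "Clearing Logs": {1102},
    "Object Access": {4663},
}


def _event(event_id, time, **data):
    """Build one constructed event in the Windows Event XML schema."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{time}"/><Channel>Security</Channel></System>'
        f"<EventData>{fields}</EventData></Event>"
    )


# Constructed sample: a spray from 10.0.0.9, a brute force against Administrator,
# one successful logon, one account creation, one log clear, one file access.
SAMPLE_EVENTS = [
    _event(4625, "2024-05-01T08:00:01Z", TargetUserName="alice", IpAddress="10.0.0.9"),
    _event(4625, "2024-05-01T08:00:02Z", TargetUserName="bob", IpAddress="10.0.0.9"),
    _event(4625, "2024-05-01T08:00:03Z", TargetUserName="carol", IpAddress="10.0.0.9"),
    _event(4625, "2024-05-01T08:05:00Z", TargetUserName="Administrator", IpAddress="203.0.113.5"),
    _event(4625, "2024-05-01T08:05:01Z", TargetUserName="Administrator", IpAddress="203.0.113.5"),
    _event(4625, "2024-05-01T08:05:02Z", TargetUserName="Administrator", IpAddress="203.0.113.5"),
    _event(4624, "2024-05-01T09:00:00Z", TargetUserName="Administrator", IpAddress="10.0.0.2"),
    _event(4720, "2024-05-01T09:01:00Z", TargetUserName="svc-backup", SubjectUserName="Administrator"),
    # 1102 keeps its details under <UserData>, not <EventData>, so no fields here.
    _event(1102, "2024-05-01T09:02:00Z"),
    _event(4663, "2024-05-01T09:03:00Z", SubjectUserName="eve", ObjectName="C:\\Payroll\\salaries.xlsx"),
]


def parse_event(xml_text):
    """Flatten one event record into {EventID, TimeCreated, Channel, EventData}."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "EventData": data,
    }


def apply_view(events, view_name):
    """Equivalent of one table row's Event ID filter in a Custom View."""
    ids = VIEWS[view_name]
    return [ev for ev in events if ev["EventID"] in ids]


def dashboard(events):
    """Hit count per view, the 'Security Dashboard' at a glance."""
    return {name: len(apply_view(events, name)) for name in VIEWS}


def target_user_query(events, username):
    """Same predicate as *[EventData[Data[@Name='TargetUserName']='...']]."""
    return [ev for ev in events if ev["EventData"].get("TargetUserName") == username]


def classify_logon_failures(events, threshold=3):
    """Split 4625 hits into brute force (one account) and spraying (one source, many accounts)."""
    per_user = defaultdict(int)
    users_per_source = defaultdict(set)
    for ev in apply_view(events, "Auth Failures"):
        d = ev["EventData"]
        per_user[d.get("TargetUserName")] += 1
        users_per_source[d.get("IpAddress")].add(d.get("TargetUserName"))
    return {
        "brute_force": sorted(u for u, n in per_user.items() if n >= threshold),
        "password_spray": sorted(ip for ip, us in users_per_source.items() if len(us) >= threshold),
    }


PARSED = [parse_event(x) for x in SAMPLE_EVENTS]

if __name__ == "__main__":
    print(dashboard(PARSED))
    print([ev["EventID"] for ev in target_user_query(PARSED, "Administrator")])
    print(classify_logon_failures(PARSED))
```

Two design points worth noticing. First, the filters key on EventID rather than on Level: Security audit events are recorded with the Audit Success / Audit Failure keywords, not with an Error or Warning level, so a level checkbox alone will not isolate them. Second, the TargetUserName query matches the 4624 success as well as the three 4625 failures, which is exactly what the article's XPath does because it does not constrain EventID; combine it with an `EventID` predicate in the same `Select` when you want only one of them.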