Windows Event Logs (EVTX)

| Artifact | Description | Article |
|---|---|---|
| Security.evtx | 12 Event IDs: logons, Kerberos, NTLM, RDP | Read → |
| Terminal Services | RDP session lifecycle (LSM, RDPClient, RCM, RdpCoreTS) | Read → |
| SMB | SMB server and client connections | Read → |
| Prefetch | Evidence of program execution on Windows | Read → |

Linux

| Artifact | Description | Article |
|---|---|---|
| Linux Logs | secure, messages, audit.log, utmp, wtmp, btmp, lastlog | Read → |

Other Sources

| Artifact | Description | Article |
|---|---|---|
| Winlogbeat | Windows log parsing from JSON format | Read → |
| Cortex XDR | Network data and forensic agent collections | Read → |