Anomaly Detection with Windows Event Logs

State: Assigned to Layla Husselman
Published: 2023-09-13


Anomaly detection based on log data has become an important research field in recent years. Particularly valuable are discrete event logs, which contain chronologically ordered event information and therefore make it possible to perform time-series analysis and event aggregation, both of which are critical for spotting anomalies in a system [1]. Analyzing event sequences is often far more expressive than analyzing events in isolation.

The Windows Event Log (WEL), if properly configured, contains a range of information about application-, security- and system-specific activities [2]. The Windows Security Log in particular stores valuable insights about login/logout activity, policy changes, privilege use and more [3].

The main objectives of this project are as follows:

  1. A comprehensive analysis of the Windows Event Log environment, which includes determining what types of attacks can and cannot be detected from the information available in the WEL. Further, prioritize attacks based on their risk and prevalence (see MITRE ATT&CK [4] for a comprehensive overview of adversary tactics).
  2. Implementation of a suite of analytics (potentially in Splunk) that can accurately detect selected anomalies/threats. May involve performing attacks on your own to generate sample logs or downloading existing WEL datasets that simulate attack scenarios.
  3. [Optional] Monitoring Dashboard: Creation of a dashboard which summarizes the results of the analytics suite in a user-friendly manner (potentially a Splunk dashboard).
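To illustrate the point above that event sequences are more telling than isolated events, here is an added example (not part of the project description or its deliverables) that runs a simple sequence analytic over a constructed sample of Windows Security Log records. The records and field names are made up for the example; the event IDs 4625 (failed logon) and 4624 (successful logon) are the standard Windows Security Log identifiers.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Log records (not real captured data).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    {"time": "2023-09-13T08:00:01", "event_id": 4625, "account": "alice", "src": "10.0.0.5"},
    {"time": "2023-09-13T08:00:04", "event_id": 4625, "account": "alice", "src": "10.0.0.5"},
    {"time": "2023-09-13T08:00:07", "event_id": 4625, "account": "alice", "src": "10.0.0.5"},
    {"time": "2023-09-13T08:00:09", "event_id": 4625, "account": "alice", "src": "10.0.0.5"},
    {"time": "2023-09-13T08:00:12", "event_id": 4624, "account": "alice", "src": "10.0.0.5"},
    {"time": "2023-09-13T09:15:00", "event_id": 4625, "account": "bob",   "src": "10.0.0.9"},
    {"time": "2023-09-13T09:15:30", "event_id": 4624, "account": "bob",   "src": "10.0.0.9"},
]


def count_by_event_id(events):
    """Isolated view: per-event-ID totals say nothing about which account is at risk."""
    return Counter(e["event_id"] for e in events)


def detect_failures_then_success(events, min_failures=3, window=timedelta(minutes=2)):
    """Sequence view: flag (account, source) pairs with at least `min_failures`
    failed logons inside a sliding `window` that end in a successful logon.
    A single 4625 is routine noise; the ordered burst followed by 4624 is not."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_key[(e["account"], e["src"])].append(
            (datetime.fromisoformat(e["time"]), e["event_id"]))

    alerts = []
    for (account, src), seq in by_key.items():
        failures = []  # timestamps of 4625 events still inside the window
        for ts, eid in seq:
            if eid == 4625:
                failures.append(ts)
                failures = [t for t in failures if ts - t <= window]
            elif eid == 4624:
                if len(failures) >= min_failures and ts - failures[0] <= window:
                    alerts.append({"account": account, "src": src,
                                   "failures": len(failures),
                                   "success_at": ts.isoformat()})
                failures = []  # a success closes the sequence either way
    return alerts


if __name__ == "__main__":
    print(count_by_event_id(SAMPLE_EVENTS))          # totals only
    print(detect_failures_then_success(SAMPLE_EVENTS))  # one alert for alice
```

The same logic maps directly onto a time-windowed aggregation by account and source in a SIEM such as Splunk, with the threshold and window tuned to the environment's baseline of benign failed logons.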


Helpful sources:

[1] X. Wang, L. Yang, D. Li, L. Ma, Y. He, J. Xiao, J. Liu and Y. Yang, "MADDC: Multi-Scale Anomaly Detection, Diagnosis and Correction for Discrete Event Logs," Proceedings of the 38th Annual Computer Security Applications Conference, pp. 769-784, 2022.

[2] K. Steverson, C. Carlin, J. Mullin and M. Ahiskali, "Cyber Intrusion Detection using Natural Language Processing on Windows Event Logs," IEEE International Conference on Military Communication and Information Systems (ICMCIS), pp. 1-7, 2021.

[3] "Ultimate IT Security," 2023. [Online]. Available: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx. [Accessed 7 September 2023].

[4] The MITRE Corporation, "MITRE ATT&CK," 2023. [Online]. Available: https://attack.mitre.org/. [Accessed 7 September 2023].


30% Analysis & Design, 60% Implementation, 10% Documentation
Prior experience with pen-testing, attack analysis, and Splunk is a plus.

Supervisors: Thomas Grübl
