Security.evtx — the Windows Security event log
Security.evtx is the channel that records authentication, privilege use and account management on a Windows host. It is the single most important log in almost every incident response investigation, and you can open it here in your browser without Event Viewer or a Windows machine.
What is Security.evtx?
Security.evtx lives in C:\Windows\System32\winevt\Logs alongside System.evtx and Application.evtx. It holds the Security channel: logon and logoff events, privilege assignments, process creation (with command-line auditing enabled), account and group changes, and Kerberos ticket activity emitted by the local Security Reference Monitor.
Because it captures who authenticated, from where, and what they did, Security.evtx is where lateral movement, privilege escalation and persistence usually leave their first trace. It is also a prime anti-forensics target — event 1102 records that the log itself was cleared.
Key Security.evtx Event IDs
How to open a Security.evtx file
Drop Security.evtx onto the parser above (or load it together with System.evtx and the Sysmon channel for cross-log triage). Parsing runs locally via a Rust/WebAssembly parser — the log never leaves your browser. Filter by Event ID, inspect each record's raw XML, and export to CSV, JSON or XML.
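The export step above, applied to the log-clear event 1102 mentioned earlier, as an added example that is not part of the original page or the parser's own code: it scans exported event XML for event 1102 and reports who cleared the Security log and when. It assumes the XML export is a wrapper element holding standard Windows `<Event>` records; the sample records and every name in them are constructed.

```python
import xml.etree.ElementTree as ET

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample; the <Events> wrapper is an assumed export layout.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
  <TimeCreated SystemTime="2024-03-11T02:17:45.1234567Z"/>
  <Channel>Security</Channel><Computer>WS01.example.test</Computer></System>
 <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
  <SubjectUserSid>S-1-5-21-1111111111-2222222222-3333333333-1105</SubjectUserSid>
  <SubjectUserName>svc-backup</SubjectUserName>
  <SubjectDomainName>EXAMPLE</SubjectDomainName>
 </LogFileCleared></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <TimeCreated SystemTime="2024-03-11T02:18:03.0000000Z"/>
  <Channel>Security</Channel><Computer>WS01.example.test</Computer></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data></EventData>
</Event>
</Events>"""

def find_log_clears(xml_text):
    """Return one dict per event 1102 (Security log cleared) in the export."""
    clears = []
    for ev in ET.fromstring(xml_text).iter(EVT + "Event"):
        system = ev.find(EVT + "System")
        if system is None:
            continue
        event_id = (system.findtext(EVT + "EventID") or "").strip()
        channel = (system.findtext(EVT + "Channel") or "").strip()
        if event_id != "1102" or channel != "Security":
            continue
        created = system.find(EVT + "TimeCreated")
        hit = {"time": created.get("SystemTime") if created is not None else None,
               "computer": system.findtext(EVT + "Computer")}
        # 1102 keeps its fields under UserData in another namespace: match by local name.
        userdata = ev.find(EVT + "UserData")
        for el in (userdata.iter() if userdata is not None else ()):
            if el.text and el.text.strip():
                hit[el.tag.rsplit("}", 1)[-1]] = el.text.strip()
        clears.append(hit)
    return clears

def coverage_start(xml_text):
    """Time of the latest clear; records older than this were cleared from the file."""
    return max((c["time"] for c in find_log_clears(xml_text) if c["time"]), default=None)
```

The value returned by `coverage_start` marks where this file's evidence begins, so activity before it has to come from other sources such as forwarded events or backups. For exports taken from hosts you do not trust, parse with a hardened XML library instead of the standard-library parser.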