Types of logs in Windows?

Specifically, Windows logs are of three types: System, Security, and Application.

Application log

Each application has its own log; when it records errors or warnings, those events are sent to the SOC for review.

Security log

Suspicious user activity, such as successful and failed account logons, is logged here, along with process creation and termination and every file accessed by a user account.

System log

Logs that footprint the kernel boot process, driver updates or failures, Windows Update, and other interesting things are written to the System log category.

Since security is our concern, we will discuss security logs. Look at the figure below for a better understanding: in this screenshot, an analyst is analysing a log from Windows event sources.

SIEM gives the analyst better visibility

As I said earlier, a SIEM is built for visibility, so whatever security issues happen with end users should be triggered to the Security Operations Center.

In the above picture, the analyst has clear visibility of end-user activities. In this case, we can see the event ID is 4720.

Whenever a new user account is created, whether a domain account or a local SAM account, an event with ID 4720 is logged for that account creation.
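The following is an added example, not code from the original post, showing the kind of triage a SIEM performs on the three log categories described above and on event ID 4720 in particular. It parses Windows event records in the standard event XML layout (the `System` and `EventData` elements that Windows itself emits), sorts them by channel (Application, Security, System), and raises an alert for each Security event with ID 4720, reporting which account was created and by whom. The host names, user names and timestamps in the sample records are constructed for this example.

```python
"""Parse Windows event records (event XML) and flag new-account creations.

The four sample records below follow the real Windows event XML layout
(System / EventData children under the events/event namespace), but the
computer names, users and times are constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespace used by every element of a Windows event XML record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Security event ID 4720: "A user account was created".
USER_ACCOUNT_CREATED = 4720


@dataclass
class Event:
    channel: str          # Application, Security or System
    event_id: int
    computer: str
    time: str
    data: dict = field(default_factory=dict)  # EventData name -> value


def parse_event(xml_text: str) -> Event:
    """Turn one event XML record into an Event object."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    channel = system.findtext("e:Channel", namespaces=NS)
    computer = system.findtext("e:Computer", namespaces=NS)
    time = system.find("e:TimeCreated", NS).get("SystemTime")
    data = {}
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for d in event_data.findall("e:Data", NS):
            data[d.get("Name")] = d.text or ""
    return Event(channel, event_id, computer, time, data)


def group_by_channel(events):
    """Bucket events into the three Windows log categories."""
    groups = {}
    for ev in events:
        groups.setdefault(ev.channel, []).append(ev)
    return groups


def find_account_creations(events):
    """Return one alert per Security event with ID 4720."""
    alerts = []
    for ev in events:
        if ev.channel == "Security" and ev.event_id == USER_ACCOUNT_CREATED:
            alerts.append({
                "time": ev.time,
                "host": ev.computer,
                "new_account": ev.data.get("TargetUserName"),
                "domain": ev.data.get("TargetDomainName"),
                "created_by": ev.data.get("SubjectUserName"),
            })
    return alerts


def _record(channel, event_id, computer, time, provider, data=None):
    """Build a constructed event XML record for the sample set."""
    body = "".join(
        f'<Data Name="{k}">{v}</Data>' for k, v in (data or {}).items())
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{time}"/><Channel>{channel}</Channel>'
        f'<Computer>{computer}</Computer></System>'
        f'<EventData>{body}</EventData></Event>'
    )


# Constructed sample records: one application error, one service start,
# one interactive logon and one account creation.
SAMPLE_EVENTS = [
    _record("Application", 1000, "WS01.example.local", "2024-01-05T08:00:01Z",
            "Application Error", {"AppName": "outlook.exe"}),
    _record("System", 6005, "WS01.example.local", "2024-01-05T07:58:00Z",
            "EventLog"),
    _record("Security", 4624, "WS01.example.local", "2024-01-05T08:01:10Z",
            "Microsoft-Windows-Security-Auditing",
            {"TargetUserName": "jdoe", "LogonType": "2"}),
    _record("Security", 4720, "DC01.example.local", "2024-01-05T08:05:42Z",
            "Microsoft-Windows-Security-Auditing",
            {"TargetUserName": "svc_backup", "TargetDomainName": "EXAMPLE",
             "SubjectUserName": "jdoe", "SubjectDomainName": "EXAMPLE"}),
]


def run(records=SAMPLE_EVENTS):
    """Parse records, summarise per channel and return 4720 alerts."""
    events = [parse_event(r) for r in records]
    summary = {ch: len(evs) for ch, evs in group_by_channel(events).items()}
    return summary, find_account_creations(events)


if __name__ == "__main__":
    summary, alerts = run()
    print("events per channel:", summary)
    for a in alerts:
        print(f"[4720] {a['time']} {a['host']}: account "
              f"{a['domain']}\\{a['new_account']} created by {a['created_by']}")
```

On a real host the same records are obtained from the Security channel (for example via Get-WinEvent or an agent that forwards event XML to the SIEM); the parsing and alert logic does not change. The 4720 record carries both the new account (`TargetUserName`) and the account that performed the creation (`SubjectUserName`), which is what the analyst needs to decide whether the creation was authorised.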