Brad Garnett leads a team in the Cisco Security Incident Response Services division and works with organizations around the world. In this post he writes about the power of logging in incident response.
PowerShell can help a forensic analyst acquire incident data in the field. You can find a PowerShell cheat sheet here; it should be useful in that kind of work. Unfortunately, the author of the cheat sheet is unknown.
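As an added illustration of the point above (this is not from the cheat sheet, and the output folder, artifact selection and file names are my own choices), a minimal live-response triage collector in PowerShell. It gathers volatile state first, then common persistence locations, and finishes by hashing everything it wrote so the collection can be verified later. Run it from an elevated prompt.

```powershell
# Added example: minimal live-response triage collection in PowerShell.
# Assumptions: output goes under C:\IR, the artifact list below is a
# starting point rather than a complete one, and the shell is elevated.
param(
    [string]$OutDir = "C:\IR\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Volatile data first: it changes the longer you wait.
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, Path, StartTime, UserName |
    Export-Csv -Path (Join-Path $OutDir 'processes.csv') -NoTypeInformation

# Win32_Process gives the parent PID and full command line, which Get-Process does not.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine |
    Export-Csv -Path (Join-Path $OutDir 'process_cmdlines.csv') -NoTypeInformation

Get-NetTCPConnection -State Established, Listen |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -Path (Join-Path $OutDir 'netconns.csv') -NoTypeInformation

# Common persistence mechanisms: scheduled tasks, services, Run keys.
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, State,
        @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object Execute) -join ';' } } |
    Export-Csv -Path (Join-Path $OutDir 'scheduled_tasks.csv') -NoTypeInformation

Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, PathName |
    Export-Csv -Path (Join-Path $OutDir 'services.csv') -NoTypeInformation

'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    ForEach-Object { if (Test-Path $_) { Get-ItemProperty -Path $_ } } |
    Out-File -FilePath (Join-Path $OutDir 'run_keys.txt')

# Hash everything collected so the evidence can be verified later.
# The manifest is written after enumeration, so it is not hashed itself.
Get-ChildItem -Path $OutDir -File | Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $OutDir 'manifest_sha256.csv') -NoTypeInformation

"Collection written to $OutDir"
```

Order matters here: process and network state are captured before anything that takes longer, and the SHA-256 manifest is the last thing written, so any later change to a collected file shows up as a hash mismatch.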
Several blog posts on the Internet describe a workable method for monitoring Windows event log entries with Elasticsearch, and the Elastic team has published documentation on the same process. Doing it right takes a lot of effort.
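To make the shipping step concrete, here is an added PowerShell example (not taken from any of the blogs or the Elastic documentation mentioned above) that reads recent Security events with Get-WinEvent and writes them as Elasticsearch bulk NDJSON, ready for the _bulk API. The index name, the event ID list, the time window and the output path are assumptions; the field layout loosely follows Elastic Common Schema names but is not an official mapping.

```powershell
# Added example: export Windows Security events as Elasticsearch _bulk NDJSON.
# Assumptions: index name, event IDs, 24-hour window and output path below.
param(
    [string]$IndexName = 'winlog-security',
    [int[]]$EventId = @(1102, 4624, 4625, 4688, 4720, 4732),
    [int]$Hours = 24,
    [string]$OutFile = "$env:TEMP\winlog-bulk.ndjson"
)

# Server-side filtering by log, ID and time is much cheaper than piping everything to Where-Object.
$filter = @{ LogName = 'Security'; Id = $EventId; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$lines = foreach ($e in $events) {
    # The event XML carries the named EventData fields; flatten them into a hashtable.
    $xml = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }

    $doc = [ordered]@{
        '@timestamp' = $e.TimeCreated.ToUniversalTime().ToString('o')
        host         = @{ name = $e.MachineName }
        event        = @{ code = $e.Id; provider = $e.ProviderName; dataset = 'windows.security' }
        winlog       = @{ record_id = $e.RecordId; event_data = $data }
        message      = $e.Message
    }

    # Bulk format is an action line followed by the document line.
    # _id = machine + record id, so re-running the export overwrites instead of duplicating.
    (@{ index = @{ _index = $IndexName; _id = "$($e.MachineName)-$($e.RecordId)" } } | ConvertTo-Json -Compress)
    ($doc | ConvertTo-Json -Compress -Depth 5)
}

# _bulk needs LF line endings, a trailing newline and no UTF-8 BOM,
# which is why this avoids Set-Content -Encoding utf8 on Windows PowerShell 5.1.
$body = ($lines -join "`n") + "`n"
[System.IO.File]::WriteAllText($OutFile, $body, [System.Text.UTF8Encoding]::new($false))

"Wrote $($events.Count) events to $OutFile"
# Load with:
#   curl -u <user> -H 'Content-Type: application/x-ndjson' -XPOST https://<es-host>:9200/_bulk --data-binary "@$OutFile"
```

Two details are easy to get wrong in practice and are handled above: the deterministic `_id` makes repeated exports idempotent, and the file is written without a byte-order mark, since a BOM in front of the first action line makes Elasticsearch reject the whole request. For continuous monitoring rather than a one-off export, a proper shipper such as Winlogbeat or the Elastic Agent is the better tool; this script is for understanding the data shape, not for replacing them.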