Advanced Windows Event Log Analysis and Threat Hunting with Yamato Security Tools

This training will be a two-day, very intensive bootcamp on how to configure and analyze Windows event logs to detect Windows and Active Directory attacks.
It will start off with the fundamentals and progress into advanced attacks.
With only two days, we will not have time to explain all of the Windows and AD attacks out there, but students will have a solid foundation of where to begin, how to investigate, and how to research new attacks on their own.
After the training, the instructor will provide 3 months of access to an online CTF where students can practice and reinforce the skills they have learned through an APT emulation, as well as check their answers against a walkthrough.
The trainees will also have 3 months after the training to ask any questions over Slack.
The training is provided by Zach Mathis, one of the world's leading experts on Windows event log analysis and project leader for Yamato Security, and will mainly use the open source Yamato Security tools for analysis.
The tools have a high reputation and are used for professional DFIR work by major security vendors and government CERTs around the world.
As these tools partly rely on Sigma detection rules, students will also learn how to read and also create Sigma rules for DFIR and threat hunting purposes.
This course will provide essential skills for forensics investigators, incident responders, SOC analysts, threat hunters and detection engineers.
Training Outline
- Title: Advanced Windows Event Log Analysis and Threat Hunting with Yamato Security Tools
- Trainer: Zach Mathis
- Language: Japanese
- Date: 2025-11-16 9:00 - 18:30 and 2025-11-17 9:00 - 18:30
- Venue: Bellesalle Shinjuku Minamiguchi 4F Room3
- Capacity: 34 students (*Minimum student count is 5)
- Remarks: Includes a 2-day conference ticket (November 18th to 19th, 2025) for training attendees
Training Detail
- Learn how to detect attacks against Windows and Active Directory
- Basic IT knowledge. Preferably at least one year of experience working in security.
What skills will participants learn at your training?
- Trainees will understand the fundamentals of Windows event audit logs, from logging to detecting the latest attacks. Two days is not enough to become a master at everything, but this will be the most efficient class for trainees to understand the limitations and usefulness of Windows event logs and to detect and respond to the latest Windows and Active Directory attacks.
What students should bring
- A minimum of 8 GB RAM is required
What students will be provided with
Access to the training materials, 3 months of access to an online CTF to further practice the skills you learned, and a private Slack channel to ask questions after the training.
Trainer

Zach Mathis
田中ザック
Having graduated from Purdue University with dual degrees in Computer Science and East Asian studies, Zach is a trailblazing security professional in Japan. Founding a security team and delivering various services from pen-testing to DFIR since 2006, he is a rare non-Japanese specialist in Japan, leading major corporate security for two decades. A popular speaker since 2007 and founder of the Yamato Security community, he has contributed to top security guides and competitions. When not teaching or working in the field, he creates free DFIR tools such as Hayabusa, Takajo, WELA and Suzaku. His bilingual proficiency bridges cultural gaps, making him a unique force in cybersecurity education.
Born in Indiana, USA.
Self-studying IT, security and Japanese since junior high school (1990-).
While in high school, he was awarded top prizes from Intel, the US Air Force and the US Navy for his research on password cracking, making a name for himself in the field of security.
Graduated from Purdue University in 2005 with a major in Southeast Asian Studies and Computer Science, and joined Kobe Digital Labs (KDL) in 2006.
At KDL, he launched security-related services such as web diagnostics, smartphone diagnostics, penetration testing, email training, forensic investigations, and incident response.
He established a security team (Proactive Defense) within the company and is also committed to training the next generation.
From 2007 to 2010, he worked as a TA and researcher for all courses at Carnegie Mellon University Japan (CMUJ), a prestigious institution in the security field.
Since 2008, he has given talks at various events, including famous security conferences overseas, and since 2014, he has participated in the management of the domestic security contest "SECCON".
Since 2012, he has hosted the hands-on security study group "Yamato Security," which has been popular among many security engineers, and is committed to training security personnel.
Since 2017, he has been localizing SANS's most popular course, 504 (Incident Response and Introduction to Hackers), into Japanese and serving as a lecturer.
In Japan, he has served as a lecturer for CMUJ, SANS, JNSA, KIIS, IPA, Kagoshima Prefecture Cyber Security Council, Kobe 078, private training for critical infrastructure, and industry-government-academia collaboration courses, and has produced many security professionals. His activities are not limited to Japan, and he has experience as a security lecturer in countries such as the United States, the Philippines, Thailand, Laos, Cambodia, and Myanmar, and he plans to give lectures around the world in Kuwait, Hong Kong, India, Australia, and other countries in the future. He is prepared for unforeseen circumstances and strives to do his best to teach security technology in any environment.
He currently holds numerous certifications, including GCFA (Forensic Investigation Analyst), GCIA (Intrusion Detection Analyst), GWAS (Web Application Security), GCIH (Incident Handler), GCED (Enterprise Defender), GCWN (Windows Security Administrator), GPEN (Penetration Tester), GMON (Security Monitoring), and GREM (Malware Analysis), and is researching security on new technologies every day.
He also posts daily security news, advice, and the latest technology information on Twitter @yamatosecurity.