As you might know, the default Windows audit policy records only a small subset of security events, so the Security event log is usually too thin to be useful. When you run into a computer incident and want to get valuable information out of Windows, the audit policy needs to have been adjusted beforehand. Here is the script I use (run it from an elevated command prompt; the settings take effect immediately).
```bat
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Account Management" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable /failure:enable
auditpol /set /category:"DS Access" /success:enable /failure:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /set /category:"Object Access" /success:enable /failure:disable
auditpol /set /category:"Policy Change" /success:enable /failure:enable
auditpol /set /category:"Privilege Use" /success:enable /failure:enable
auditpol /set /category:"System" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
```
I disabled failure auditing for Object Access and turned off both Windows Filtering Platform subcategories entirely, because they generate a huge volume of logs that is rarely useful. Of course, if you can afford to store that many events, you can enable them. Two caveats: auditpol only changes the local policy, so on a domain-joined machine a Group Policy that defines audit policy will overwrite these settings at the next policy refresh (make the same change in the GPO instead), and enabling more categories fills the Security log faster, so raise its maximum size at the same time or the evidence you wanted will have rolled over by the time you look.
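The same policy applied from PowerShell, with a backup of the previous policy and a verification step, as an added example that is not part of the original post. The backup path and the 1 GB Security log size are illustrative choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): apply the audit policy above from PowerShell,
# keep a backup of the previous policy, and verify the effective settings afterwards.
# Assumed values: the backup path and the 1 GB Security log size are illustrative choices.

$backup = Join-Path $env:TEMP 'auditpol-before.csv'
auditpol /backup /file:$backup | Out-Null   # undo later with: auditpol /restore /file:$backup

# Category-level settings from the post: (success, failure) per category.
# Object Access failure auditing is left off on purpose because of its volume.
$categories = [ordered]@{
    'Account Logon'      = 'enable', 'enable'
    'Account Management' = 'enable', 'enable'
    'Detailed Tracking'  = 'enable', 'enable'
    'DS Access'          = 'enable', 'enable'
    'Logon/Logoff'       = 'enable', 'enable'
    'Object Access'      = 'enable', 'disable'
    'Policy Change'      = 'enable', 'enable'
    'Privilege Use'      = 'enable', 'enable'
    'System'             = 'enable', 'enable'
}
foreach ($name in $categories.Keys) {
    $success, $failure = $categories[$name]
    auditpol /set /category:"$name" /success:$success /failure:$failure | Out-Null
}

# Subcategory overrides: the Windows Filtering Platform subcategories (part of Object Access)
# are the noisiest part of the whole policy, so switch them off after the category-level set.
foreach ($sub in 'Filtering Platform Connection', 'Filtering Platform Packet Drop') {
    auditpol /set /subcategory:"$sub" /success:disable /failure:disable | Out-Null
}

# Verify: /r makes auditpol print CSV, so the effective per-subcategory policy can be checked in code.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# If a domain GPO defines audit policy it wins over the local setting; this check makes that visible.
$noisy = $effective | Where-Object {
    $_.Subcategory -like 'Filtering Platform*' -and $_.'Inclusion Setting' -ne 'No Auditing'
}
if ($noisy) {
    Write-Warning "Filtering Platform auditing is still on (a GPO may be overriding the local policy):`n$($noisy | Out-String)"
}

# More events need more room: raise the Security log maximum size (bytes) so it does not roll over within hours.
wevtutil sl Security /ms:1073741824
```

Run it once from an elevated PowerShell prompt. The `auditpol /get /category:* /r` table is the thing to keep with your incident notes, since it records what was actually being audited on the host at the time, not what you intended to set.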