Which Windows artifact is primarily used to record authentication events for security auditing?

Authentication activity is captured in the Security log of Windows Event Viewer. This log is specifically designed for security-related events, including logon attempts (both successful and failed), account management, and other authentication-related actions. It’s the primary source investigators use to audit who accessed a system and when, helping to detect unauthorized access or brute-force attempts. Other logs serve different purposes: the Application log records events from individual applications, the System log logs events related to Windows components and the operating system, and the Setup log tracks installation-related events. Because authentication events are central to security auditing, the Security log is the appropriate place to review them.