Drop an EVTX CSV export · detect evidence that log records were overwritten due to size constraints · identify intentionally triggered overwrite attacks · surface evidence of forced log rotation destroying historical records · runs locally
Signals: record ID wrap gap · flood rate >10x baseline · 4663/4688/4625 flooding · 1100/1104 log full
Drop a Security or System EVTX CSV export · optional EventLog .reg export
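The four signals listed above can be checked with a few passes over an EVTX CSV export. The script below is an added example, not the tool's own code: it builds a constructed Security-log style CSV (column names RecordId, TimeCreated, EventId, Channel are assumptions about the export format), then flags gaps in the EventRecordID sequence, minutes whose event count exceeds 10x the median per-minute baseline, which of 4663/4688/4625 dominate those flood minutes, and any 1100/1104 "log full" events.

```python
import csv
import io
import statistics
from collections import Counter
from datetime import datetime

NOISE_IDS = {4663, 4688, 4625}   # IDs commonly used to flood a log
LOG_FULL_IDS = {1100, 1104}      # IDs the page lists as "log full" evidence


def build_sample_csv():
    """Constructed sample export (not real data): a quiet baseline, one burst,
    a gap in the record-ID sequence, then a 1104 event."""
    rows, rid = [], 5001
    for m in range(8):                       # baseline: one logon per minute
        rows.append((rid, f"2024-03-01T10:{m:02d}:00", 4624)); rid += 1
    for s in range(40):                      # burst: 40 x 4688 inside 10:08
        rows.append((rid, f"2024-03-01T10:08:{s:02d}", 4688)); rid += 1
    rid += 3000                              # 3000 records missing from the export
    rows.append((rid, "2024-03-01T10:09:00", 1104)); rid += 1
    rows.append((rid, "2024-03-01T10:10:00", 4624)); rid += 1
    out = ["RecordId,TimeCreated,EventId,Channel"]
    out += [f"{r},{t},{e},Security" for r, t, e in rows]
    return "\n".join(out) + "\n"


def load_events(csv_text):
    """Parse the export and sort by record ID so sequence checks are meaningful."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "record_id": int(row["RecordId"]),
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "event_id": int(row["EventId"]),
        })
    events.sort(key=lambda e: e["record_id"])
    return events


def record_id_gaps(events):
    """Return (prev_id, next_id, missing_count) for every break in the sequence.
    Records that were overwritten before export show up as missing IDs."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        missing = cur["record_id"] - prev["record_id"] - 1
        if missing > 0:
            gaps.append((prev["record_id"], cur["record_id"], missing))
    return gaps


def flood_minutes(events, multiplier=10):
    """Bucket events per minute; baseline is the median bucket size (minutes with
    no events at all are not in the Counter, a simplification). Returns
    (baseline, {minute: count}) for minutes above multiplier x baseline."""
    per_minute = Counter(e["time"].replace(second=0, microsecond=0) for e in events)
    baseline = statistics.median(per_minute.values())
    flood = {m: c for m, c in per_minute.items() if c > multiplier * baseline}
    return baseline, flood


def flood_noise_ids(events, flood):
    """For each flood minute, count which of the noisy IDs made up the burst."""
    result = {}
    for minute in flood:
        ids = (e["event_id"] for e in events
               if e["time"].replace(second=0, microsecond=0) == minute
               and e["event_id"] in NOISE_IDS)
        result[minute] = Counter(ids)
    return result


def log_full_events(events):
    """Events whose ID indicates the log filled up or the service stopped."""
    return [e for e in events if e["event_id"] in LOG_FULL_IDS]


def analyse(csv_text):
    events = load_events(csv_text)
    baseline, flood = flood_minutes(events)
    return {
        "gaps": record_id_gaps(events),
        "baseline_per_minute": baseline,
        "flood_minutes": flood,
        "flood_noise": flood_noise_ids(events, flood),
        "log_full": [(e["record_id"], e["event_id"]) for e in log_full_events(events)],
    }


if __name__ == "__main__":
    for key, value in analyse(build_sample_csv()).items():
        print(f"{key}: {value}")
```

On the constructed export the gap check reports 3000 missing records between IDs 5048 and 8049, the rate check reports a baseline of 1 event/minute and one flood minute (10:08) with 40 events, all of them 4688, and the 1104 event is listed. On a real export the same checks run unchanged; only the column names in `load_events` may need adjusting to match the exporter used.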