The article offers a method for rapid analysis of information security events based on the representation of an incident as a set of events consisting of impacts on files. The method involves using a database of identified impact templates, where initial data is the NTFS volume change log entries - SUsnJrnl. An algorithm for searching and classifying impacts on the files using templates is considered. The proposed method of rapid analysis allows you to determine the order of events within the framework of the incident under investigation, reducing the number of analyzed data arrays to one - SUsnJrnl log.