Windows General Log Recommendations
| Category | Event | Event ID | Level | Log / Channel | Source / Provider |
|---|---|---|---|---|---|
| Boot Events | Shutdown Initiate Failed | 1074 | Warning | User32 | User32 |
| Application Crashes | BSOD | 1001 | Error | System | Microsoft-Windows-WER-SystemErrorReporting |
| Boot Events | Windows Shutdown | 13 | Information | System | Microsoft-Windows-Kernel-General |
| Boot Events | Windows Startup | 12 | Information | System | Microsoft-Windows-Kernel-General |
| Clearing Event Logs | Event Log was Cleared | 104 | Information | System | Microsoft-Windows-Eventlog |
| Group Policy Errors | Generic Internal Error | 1126 | Error | System | Microsoft-Windows-GroupPolicy |
| Group Policy Errors | Group Policy Application Failed due to Connectivity | 1129 | Error | System | Microsoft-Windows-GroupPolicy |
| Group Policy Errors | Internal Error | 1125 | Error | System | Microsoft-Windows-GroupPolicy |
| Kernel Driver Signing | Failed Kernel Driver Loading | 219 | Warning | System | Microsoft-Windows-Kernel-PnP |
| Software and Service Installation | New Kernel Filter Driver | 6 | Information | System | Microsoft-Windows-FilterManager |
| Software and Service Installation | New Windows Service | 7045 | Information | System | Microsoft-Windows-FilterManager |
| Software and Service Installation | Service Start Failure | 7000 | Error | System | Service Control Manager |
| Software and Service Installation | Windows Update Installed | 19 | Information | System | Microsoft-Windows-WindowsUpdateClient |
| System Integrity | System Time Changed | 1 | Information | System | Microsoft-Windows-Kernel-General |
| System or Service Failures | Windows Service Fails or Crashes | 7022, 7023, 7024, 7026, 7031, 7032, 7034 | Error | System | Service Control Manager |
| Software and Service Installation | Update Packages Installed | 2 | Information | Setup | Microsoft-Windows-Servicing |
| Windows Update Errors | Hotpatching Failed | 1009 | Information | Setup | Microsoft-Windows-Servicing |
| Account Usage | Account Lockouts | 4740 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Account Login with Explicit Credentials | 4648 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Account Name Changed | 4781 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Account removed from Local Sec. Grp. | 4733 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Credential Authentication | 4776 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Credentials backed up | 5376 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Credentials restored | 5377 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Failed User Account Login | 4625 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Logoff Event | 4634 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Logon with Special Privs | 4672 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | New User Account Created | 4720 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | New User Account Enabled | 4722 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Password Hash Accessed | 4782 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Password Policy Checking API called | 4793 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Security-enabled Group Created | 4731 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Security-Enabled group Modification | 4735 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | SID History add attempted on Account | 4766 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | SID History added to Account | 4765 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | Successful User Account Login | 4624 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | User Account Deleted | 4726 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | User Account Disabled | 4725 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | User Account Unlocked | 4767 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | User Added to Privileged Group | 4728, 4732, 4756 | Information | Security | Microsoft-Windows-Security-Auditing |
| Account Usage | User Right Assigned | 4704 | Information | Security | Microsoft-Windows-Security-Auditing |
| Application Whitelisting | Process Created | 4688 | Information | Security | Microsoft-Windows-Security-Auditing |
| Application Whitelisting | Process Terminated | 4689 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | CA Services Request | 4886 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Manager Settings Changed | 4890 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Request Attributes Changed | 4874 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Request Extension Changed | 4873 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Revoked | 4870 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Services approved request | 4887 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Services Audit Filter Changed | 4885 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Services Configuration Changed | 4891 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Services denied request | 4888 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Services Loaded Template | 4898 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Services Permissions Changed | 4882 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Services Property Changed | 4892 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Services Started | 4880 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Services Stopped | 4881 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Services Template Security Updated | 4900 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Certificate Services Template Updated | 4899 | Information | Security | Microsoft-Windows-Security-Auditing |
| Certificate Services | Entries Removed from Certificate Database | 4896 | Information | Security | Microsoft-Windows-Security-Auditing |
| Clearing Event Logs | Event Log Service Shutdown | 1100 | Information | Security | Microsoft-Windows-EventLog |
| Clearing Event Logs | Event Log was Cleared | 1102 | Information | Security | Microsoft-Windows-Eventlog |
| DNS/Directory Services | Directory service created | 5137 | Information | Security | Microsoft-Windows-Security-Auditing |
| DNS/Directory Services | Directory service deleted | 5141 | Information | Security | Microsoft-Windows-Security-Auditing |
| DNS/Directory Services | Directory service modified | 5136 | Information | Security | Microsoft-Windows-Security-Auditing |
| DNS/Directory Services | Directory service moved | 5139 | Information | Security | Microsoft-Windows-Security-Auditing |
| DNS/Directory Services | Directory service recovered | 5138 | Information | Security | Microsoft-Windows-Security-Auditing |
| Kernel Driver Signing | Detected an invalid image hash of a file | 5038 | Information | Security | Microsoft-Windows-Security-Auditing |
| Kernel Driver Signing | Detected an invalid page hash of an image file | 6281 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Encrypted Data Recovery Policy Changed | 4714 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Kerberos Policy Changed | 4713 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Kerberos Service Ticket Req. Failed | 4769 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Policy Server Denied Access | 6273 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Policy Server Discarded Accounting Request | 6275 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Policy Server Discarded Request | 6274 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Policy Server Granted Access | 6272 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Policy Server Granted Full Access | 6278 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Policy Server Granted Probationary Access | 6277 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Policy Server Locked Account | 6279 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Policy Server Quarantined User | 6276 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Policy Server Unlocked Account | 6280 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network share accessed | 5140 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Share Checked | 5145 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Share Created | 5142 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Network Share Deleted | 5144 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | New Trust for Domain | 4706 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Role Separation Enabled | 4897 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | System Audit Policy Changed | 4719 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Trusted Domain Information Modified | 4716 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | TS Session Disconnect | 4779 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | TS Session Reconnect | 4778 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | Wireless 802.1X Auth | 5632 | Information | Security | Microsoft-Windows-Security-Auditing |
| System Integrity | Registry Modification | 4657 | Information | Security | Microsoft-Windows-Security-Auditing |
| Network Policy | RADIUS User assigned IP | 20250 | Success | RemoteAccess | Microsoft-Windows-MPRMSG |
| Network Policy | RADIUS User Authenticated | 20274 | Success | RemoteAccess | Microsoft-Windows-MPRMSG |
| Network Policy | RADIUS User Disconnected | 20275 | Success | RemoteAccess | Microsoft-Windows-MPRMSG |
| PowerShell Activities | Get-MessageTrackingLog cmdlet | 800 | Information | Powershell | Microsoft-Windows-Powershell |
| PowerShell Activities | Remote Connection | 169 | Information | Powershell | Microsoft-Windows-Powershell |
| Mobile Device Activities | Disconnect from Wireless connection | 8003 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| Mobile Device Activities | Starting a Wireless connection | 8000, 8011 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| Mobile Device Activities | Successfully connected to a Wireless connection | 8001 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| Mobile Device Activities | Wireless Association Status | 11000, 11001 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| Mobile Device Activities | Wireless Association Status | 11002 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| Mobile Device Activities | Wireless Authentication Started and Failed | 12011, 12012 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| Mobile Device Activities | Wireless Authentication Started and Failed | 12013 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| Mobile Device Activities | Wireless Connection Failed | 8002 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| Mobile Device Activities | Wireless Security Started, Stopped, Successful, or Failed | 11004, 11005 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| Mobile Device Activities | Wireless Security Started, Stopped, Successful, or Failed | 11010, 11006 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
| Windows Update Errors | Windows Update Failed | 20, 24, 25, 31, 34, 35 | Error | Microsoft-Windows-WindowsUpdateClient/Operational | Microsoft-Windows-WindowsUpdateClient |
| Windows Firewall | Firewall Failed to load Group Policy | 2009 | Error | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security |
| Windows Firewall | Firewall Rule Add | 2004 | Information | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security |
| Windows Firewall | Firewall Rule Change | 2005 | Information | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security |
| Windows Firewall | Firewall Rules Deleted | 2006, 2033 | Information | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security |
| Windows Defender Activities | Action on Malware Failed | 1008 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | Detected Malware | 1006, 1116 | Warning | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | Failed to remove item from quarantine | 1010 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | Failed to update engine | 2003 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | Failed to update signatures | 2001 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | File Restored from Quarantine | 1009 | Information | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | Malware Removal Error | 1118 | Information | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | Malware Removal Fatal Error | 1119 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | Malware Removed | 1007, 1117 | Information | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | Real-Time Protection failed | 3002 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | Reverting to last known good set of signatures | 2004 | Warning | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | Scan Failed | 1005 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| Windows Defender Activities | Unexpected Error | 5008 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
| External Media Detection | New Device Information | 43 | Information | Microsoft-Windows-USB-USBHUB3-Analytic | Microsoft-Windows-USB-USBHUB3 |
| Network Policy | Outbound TS Connect Attempt | 1024 | Information | Microsoft-Windows-TerminalServices-RDPClient/Operational | Microsoft-Windows-TerminalServices-ClientActiveXCore |
| Task Scheduler Activities | New Task Registered | 106 | Information | Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler |
| Task Scheduler Activities | Task Deleted | 141 | Information | Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler |
| Task Scheduler Activities | Task Disabled | 142 | Information | Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler |
| Task Scheduler Activities | Task Launched | 200 | Information | Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler |
| Printing Services | Printing Document | 307 | Information | Microsoft-Windows-PrintService/Operational | Microsoft-Windows-PrintService |
| PowerShell Activities | Exception Raised | 4103 | Information | Microsoft-Windows-Powershell/Operational | Microsoft-Windows-Powershell |
| PowerShell Activities | Exception Raised | 4104 | Information | Microsoft-Windows-Powershell/Operational | Microsoft-Windows-Powershell |
| PowerShell Activities | Exception Raised | 4105 | Information | Microsoft-Windows-Powershell/Operational | Microsoft-Windows-Powershell |
| PowerShell Activities | Exception Raised | 4106 | Information | Microsoft-Windows-Powershell/Operational | Microsoft-Windows-Powershell |
| Mobile Device Activities | Network Connection and Disconnection Status (Wired and Wireless) | 10000, 10001 | Information | Microsoft-Windows-NetworkProfile/Operational | Microsoft-Windows-NetworkProfile |
| Account Usage | Group Assigned to new Session | 300 | Information | Microsoft-Windows-LSA/Operational | LsaSrv |
| External Media Detection | New Mass Storage Installation | 400, 410 | Information | Microsoft-Windows-Kernel-PnP/Device Configuration | Microsoft-Windows-Kernel-PnP |
| DNS/Directory Services | DNS Request/Response | 256, 257 | Information | Microsoft-Windows-DNSServer/Analytical | Microsoft-Windows-DNSServer |
| DNS/Directory Services | DNS Query Complete | 3008 | Information | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client |
| DNS/Directory Services | DNS Response Complete | 3020 | Information | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client |
| Kernel Driver Signing | Code Integrity Check | 3001, 3002, 3003, 3004, 3010, 3023 | Warning, Error | Microsoft-Windows-CodeIntegrity/Operational | Microsoft-Windows-CodeIntegrity |
| Certificate Services | CA Permissions Corrupted or Missing | 90 | Information | Microsoft-Windows-CertificationAuthority | Microsoft-Windows-CertificationAuthority |
| Microsoft Cryptography API | Cert Trust Chain Build Failed | 11 | Information | Microsoft-Windows-CAPI2/Operational | Microsoft-Windows-CAPI2 |
| Microsoft Cryptography API | Private Key Accessed | 70 | Information | Microsoft-Windows-CAPI2/Operational | Microsoft-Windows-CAPI2 |
| Microsoft Cryptography API | X.509 Object | 90 | Information | Microsoft-Windows-CAPI2/Operational | Microsoft-Windows-CAPI2 |
| Application Whitelisting | Application Ran | 8020 | Information | Microsoft-Windows-AppLocker/Packaged app-Execution | Microsoft-Windows-AppLocker |
| Application Whitelisting | Application Installed | 8023 | Information | Microsoft-Windows-AppLocker/Packaged app-Deployment | Microsoft-Windows-AppLocker |
| Application Whitelisting | AppLocker Warning | 8006 | Error | Microsoft-Windows-AppLocker/MSI and Script | Microsoft-Windows-AppLocker |
| Application Whitelisting | AppLocker Warning | 8007 | Warning | Microsoft-Windows-AppLocker/MSI and Script | Microsoft-Windows-AppLocker |
| Application Whitelisting | Script or Installer ran | 8005 | Information | Microsoft-Windows-AppLocker/MSI and Script | Microsoft-Windows-AppLocker |
| Application Whitelisting | AppLocker Block | 8002 | Information | Microsoft-Windows-AppLocker/EXE and DLL | Microsoft-Windows-AppLocker |
| Application Whitelisting | AppLocker Block | 8003 | Error | Microsoft-Windows-AppLocker/EXE and DLL | Microsoft-Windows-AppLocker |
| Application Whitelisting | AppLocker Block | 8004 | Warning | Microsoft-Windows-AppLocker/EXE and DLL | Microsoft-Windows-AppLocker |
| Software and Service Installation | New Application Installation | 903, 904 | Information | Microsoft-Windows-Application-Experience/Program-Inventory | Microsoft-Windows-Application-Experience |
| Software and Service Installation | Removed Application | 907, 908 | Information | Microsoft-Windows-Application-Experience/Program-Inventory | Microsoft-Windows-Application-Experience |
| Software and Service Installation | Summary of Software Activities | 800 | Information | Microsoft-Windows-Application-Experience/Program-Inventory | Microsoft-Windows-Application-Experience |
| Software and Service Installation | Updated Application | 905, 906 | Information | Microsoft-Windows-Application-Experience/Program-Inventory | Microsoft-Windows-Application-Experience |
| Account Usage | Create Profile failed | 1518 | Error | Application | Microsoft-Windows-User Profiles Service |
| Account Usage | Temp Profile Logon | 1511 | Error | Application | Microsoft-Windows-User Profiles Service |
| Application Crashes | App Crash | 1000 | Error | Application | Application Error |
| Application Crashes | App Error | 1000 | Error | Application | Application Error |
| Application Crashes | App Hang | 1002 | Error | Application | Application Hang |
| Application Crashes | WER | 1001 | Information | Application | Windows Error Reporting |
| Application Whitelisting | SRP Block | 865, 866, 867, 868, 882 | Warning | Application | Microsoft-Windows-SoftwareRestrictionPolicies |
| Software and Service Installation | New MSI File Installed | 1022, 1033 | Information | Application | MsiInstaller |
What log events should I collect/send to my SIEM?
Account Management
4740: Account Lockouts
4627: Group Membership Information
4703: A user right was adjusted.
4704: A user right (privilege) was assigned.
4704: A user right (privilege) was removed.
4720: A user account was created.
4722: A user account was enabled.
4723: Attempt was made to change account's password.
4724: An attempt was made to reset an account's password.
4725: A user account was disabled.
4726: A user account was deleted.
4727: A security-enabled global group was created.
4728: A member was added to a security-enabled global group.
4729: A member was removed from a security-enabled global group.
4730: A security-enabled global group was deleted.
4731: A security-enabled local group was created.
4732: A member was added to a security-enabled local group.
4733: A member was removed from a security-enabled local group.
4734: A security-enabled local group was deleted.
4735: Modification of Security-enabled groups
4737: A security-enabled global group was changed.
4738: A user account was changed.
4739: Domain Policy was changed.
4741: A computer account was created.
4742: A computer account was changed.
4743: A computer account was deleted.
4744: A security-disabled local group was created.
4745: A security-disabled local group was changed.
4746: A member was added to a security-disabled local group.
4747: A member was removed from a security-disabled local group.
4748: A security-disabled local group was deleted.
4749: A security-disabled global group was created.
4750: A security-disabled global group was changed.
4751: A member was added to a security-disabled global group.
4752: A member was removed from a security-disabled global group.
4753: A security-disabled global group was deleted.
4754: A security-enabled universal group was created.
4755: A security-enabled universal group was changed.
4756: A security-enabled universal group was changed.
4757: A security-enabled universal group was changed.
4758: A security-enabled universal group was created.
4759: A security-disabled universal group was created.
4760: A security-disabled universal group was changed.
4761: A member was added to a security-disabled universal group.
4762: A member was removed from a security-disabled universal group.
4763: A security-disabled universal group was deleted.
4764: A group's type was changed.
4765: SID History was added to an account.
4766: An attempt to add SID History to an account failed.
4767: A user account was unlocked.
4780: The ACL was set on accounts which are members of administrators group.
4781: The name of an account was changed.
4782: The password hash of an account was accessed.
4793: The Password Policy Checking API was called.
4794: An attempt was made to set the Directory Services Restore Mode administrator password.
4798: A user's local group membership was enumerated.
4799: A security-enabled local group membership was enumerated.
5376: Credential Manager credentials were backed up.
5377: Credential Manager credentials were restored from a backup.
Active Directory
4662: Directory Service Access Operation Performed On An Object
5136: A directory service object was modified.
5137: A directory service object was created.
5138: A directory service object was undeleted.
5139: A directory service object was moved.
5141: A directory service object was deleted.
4713: Kerberos Policy was changed.
4706: A new trust was created to a domain.
4707: A trust to a domain was removed.
4716: Trusted domain information was modified.
4717: System security access was granted to an account.
4718: System security access was removed from an account.
4739: Domain Policy was changed.
4864: A namespace collision was detected.
4865: A trusted forest information entry was added.
4866: A trusted forest information entry was removed.
4867: A trusted forest information entry was modified.
Application Error and Hang
EventID=1000
EventID=1002
WER Application Crashes Reports
EventID=1001
Applocker
Microsoft-Windows-AppLocker/EXE and DLL
Rules that look for Applocker EXE or Script events
Applocker Packaged app execution
Applocker Packaged app installation
Authentication Events
4624: An account was successfully logged on.
4625: An account failed to log on.
4626: User/Device claims information.
4634: An account was successfully logged off.
4647: User initiated logoff.
4649: A replay attack was detected.
4672: Special privileges assigned to a new logon, administrative logins -sa, -ada, etc.
4675: SIDs were filtered.
4774: An account was mapped for logon.
4775: An account could not be mapped for logon.
4776: The computer attempted to validate the credentials for an account.
4777: The domain controller failed to validate the credentials for an account.
4778: A session was reconnected to a Window Station.
4779: A session was disconnected from a Window Station.
4800: The workstation was locked.
4801: The workstation was unlocked.
4802: The screen saver was invoked.
4803: The screen saver was dismissed.
4964: Special groups have been assigned a new logon.
5378: The requested credentials delegation was disallowed by policy.
Suppress *[EventData[Data[1]="S-1-5-18"]] to avoid noise from SECURITY_LOCAL_SYSTEM_RID (the local SYSTEM account).
BITS
Microsoft-Windows-Bits-Client/Operational
Certificate Authority
Security
4886: Certificate Services received certificate request
4887: Approved and Certificate issued
4888: Denied request
Code Integrity
Windows Code Integrity Checks (Kernel-mode Driver and User-mode Protected Media Validation)
(Level=2 or Level=3) and (EventID=3001 or EventID=3002 or EventID=3003 or EventID=3004 or EventID=3010 or EventID=3023)
Windows Code Integrity Checks (Invalid hashes)
(Level=0 or Level=4) and (EventID=5038 or EventID=6281 or EventID=6410)
DNS Logs
3008: DNS Client events Query Completed
Suppress EventData[Data[@Name="QueryOptions"]="140737488355328"]
Suppress EventData[Data[@Name="QueryResults"]=""]
150: DNS Server could not load or initialize the plug-in DLL
770: DNS Server plugin DLL has been loaded
541: The setting serverlevelplugindll on scope . has been set to $dll_path
Drivers Logs
Microsoft-Windows-Kernel-PnP
Level=3 and EventID=219
Microsoft-Windows-DriverFrameworks-UserMode/Operational
Detect User-Mode drivers loaded - for potential BadUSB detection.
EventID=2004
EventLog Diagnostics
1100: The event logging service has shut down.
1104: The security log is now full.
1105: Event log automatic backup.
1108: The event logging service encountered an error while processing an incoming event published from %1
Explicit Login Credentials
Microsoft-Windows-Security-Auditing
(Level=4 or Level=0) and EventID=4648 and ProcessName != 'C:\Windows\System32\taskhost.exe'
Firewall Events
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
4944: The following policy was active when the Windows Firewall started.
4945: A rule was listed when the Windows Firewall started.
4946: A change has been made to Windows Firewall exception list. A rule was added.
4947: A change has been made to Windows Firewall exception list. A rule was modified.
4948: A change has been made to Windows Firewall exception list. A rule was deleted.
4949: Windows Firewall settings were restored to the default values.
4950: A Windows Firewall setting has changed.
4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
4953: A rule has been ignored by Windows Firewall because it could not parse the rule.
4954: Windows Firewall Group Policy settings have changed. The new settings have been applied.
4956: Windows Firewall has changed the active profile.
4957: Windows Firewall did not apply the following rule
4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Security Log
5024: The Windows Firewall Service has started successfully.
5025: The Windows Firewall Service has been stopped.
5027: The Windows Firewall Service was unable to retrieve the security policy from local storage. The service will continue enforcing the current policy.
5028: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
5030: The Windows Firewall Service failed to start.
5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033: The Windows Firewall Driver has started successfully.
5034: The Windows Firewall Driver was stopped.
5035: The Windows Firewall Driver failed to start.
5037: The Windows Firewall Driver detected critical runtime error. Terminating.
External Devices Log
Security
6416: A new external device was recognized by the System.
6419: A request was made to disable a device.
6420: A device was disabled.
6421: A request was made to enable a device.
6422: A device was enabled.
6423: The installation of this device is forbidden by system policy.
6424: The installation of this device was allowed after having previously been forbidden by policy.
Microsoft-Windows-USB-USBHUB3-Analytic
Level=4 and EventID=43 and EventData[Data[@Name='fid_DeviceDescription']="USB Mass Storage Device"]
Microsoft-Windows-Kernel-PnP/Configuration
400, 410: New Mass Storage Device Installation
Level=4 and (EventID=400 or EventID=410) and EventData[Data[@Name='DriverName']="usbstor.inf"]
GPO logs
Microsoft-Windows-GroupPolicy
Level=2 and EventID is one of:
1085: Application of Group Policy failures
1125: Group Policy Service
1127: Group Policy Service
1129: Group Policy Preprocessing Networking
Security
6144: Security policy in the group policy objects has been applied successfully.
6145: One or more errors occurred while processing security policy in the group policy object.
Kerberos
Security
4768: A Kerberos authentication ticket (TGT) was requested.
4769: A Kerberos service ticket was requested.
4770: A Kerberos service ticket was renewed.
4771: A Kerberos pre-authentication failed.
4772: A Kerberos authentication ticket request failed.
4773: A Kerberos service ticket request failed.
LOG Deletion
Security
1102: Security Log File Cleared
System
104: Log File Cleared
Object Manipulation
Security
4715: The audit policy (SACL) on an object was changed.
4817: Auditing settings on object were changed.
4656: A handle to an object was requested.
4658: The handle to an object was closed.
4660: An object was deleted.
4663: An attempt was made to access an object.
4670: Permissions on an object were changed.
Operating System
System
41: The system has rebooted without cleanly shutting down first (Microsoft-Windows-Kernel-Power)
1001: Application crashes, hangs, and generic reports (Windows Error Reporting; bugcheck reports come from Microsoft-Windows-WER-SystemErrorReporting)
6008: The previous system shutdown was unexpected.
1074: Shutdown initiate requests, with user, process and reason (if supplied)
12: System startup (includes OS/SP/Version); 13: system shutdown (Microsoft-Windows-Kernel-General)
Remote SAM access restriction (source Directory-Services-SAM, System log):
16962: A remote call to the SAM database has been denied.
16965: Remote calls to the SAM database have been denied in the past 900-second throttling window.
16968: The following client would normally have been denied access to the SAM database (logged only when audit-only mode is enabled via the RestrictRemoteSamAuditOnlyMode registry value).
16969: Remote calls to the SAM database are being restricted using the default security descriptor.
Security
4608: Windows is starting up.
4610: An authentication package has been loaded by the Local Security Authority.
4611: A trusted logon process has been registered with the Local Security Authority.
4614: A notification package has been loaded by the Security Account Manager.
4621: Administrator recovered system from CrashOnAuditFail.
4622: A security package has been loaded by the Local Security Authority.
4697: A service was installed in the system.
4719: System audit policy was changed.
4817: Auditing settings on object were changed.
4826: Boot Configuration Data loaded.
4902: The Per-user audit policy table was created.
4904: An attempt was made to register a security event source.
4905: An attempt was made to unregister a security event source.
4906: The CrashOnAuditFail value has changed.
4908: Special Groups Logon table modified.
4912: Per User Audit Policy was changed.
Microsoft-Windows-SMBServer/Audit
3000: Client attempted to use SMBv1
Privilege Use
Security
4673: A privileged service was called.
4674: An operation was attempted on a privileged object.
4985: The state of a transaction has changed.
Process execution
Security
4688: A new process has been created
4689: A process has exited
Registry
Security
4657: A registry value was modified (requires Audit Registry under Object Access and a SACL on the key)
EventID=4657 and EventData[Data[@Name='OperationType']='%%1904' or Data[@Name='OperationType']='%%1905' or Data[@Name='OperationType']='%%1906']
%%1904: New registry value created
%%1905: Existing registry value modified
%%1906: Registry value deleted
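Added example (not from the original page): the 4657 filter above written out as a complete event XPath query, with the OperationType tokens decoded and the key path translated from the native \REGISTRY\... form. Assumptions: "Audit Registry" (Object Access) is enabled and the keys of interest carry a SACL with Set Value / Delete entries, since 4657 is only written for audited keys; the field names ObjectName, ObjectValueName, OldValue, NewValue and ProcessName follow the Security-Auditing schema for 4657.

```powershell
# Added example: the 4657 filter as a full event XPath query, with the
# OperationType tokens decoded. Not part of the original page. Assumes
# Audit Registry is enabled and the keys carry a SACL; 4657 is only
# written for audited keys.
param([int]$MaxEvents = 500)

$opNames = @{ '%%1904' = 'Created'; '%%1905' = 'Modified'; '%%1906' = 'Deleted' }

# The Data value in the raw XML is the literal token "%%190x"; the rendered
# message expands it, but the XPath has to match the token.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4657]
        and EventData[Data[@Name='OperationType']='%%1904'
                   or Data[@Name='OperationType']='%%1905'
                   or Data[@Name='OperationType']='%%1906']]
    </Select>
  </Query>
</QueryList>
"@

$changes = Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Operation = $opNames[$d['OperationType']]
            # ObjectName is in native form (\REGISTRY\MACHINE\...), not HKLM\...
            Key       = $d['ObjectName'] -replace '^\\REGISTRY\\MACHINE', 'HKLM' -replace '^\\REGISTRY\\USER', 'HKU'
            Value     = $d['ObjectValueName']
            OldValue  = $d['OldValue']
            NewValue  = $d['NewValue']
            Process   = $d['ProcessName']
        }
    }

# Example triage: value changes under the per-machine and per-user Run keys.
$changes | Where-Object { $_.Key -match '\\CurrentVersion\\Run(Once)?$' } | Format-Table -AutoSize
```

OldValue and NewValue are only populated for value types the auditing code renders as text (REG_SZ, REG_DWORD and similar); binary values show up as hex and very long values are truncated in the event, so treat them as an indicator and read the live key for the full content.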
Services
System
Level 0-4 (all levels), source Service Control Manager
7022: The service hung on starting
7023: The service terminated with the following error
7024: The service terminated with service-specific error
7026: The following boot-start or system-start driver(s) failed to load
7031: The service terminated unexpectedly. It has done this x time(s).
7040: The start type of the service was changed
7045: A service was installed in the system
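Added example (not from the original page): service installs (7045) and start-type changes (7040) from the System log, decoded into objects and flagged when the service binary lives outside the usual system locations or a service is being switched to disabled. Assumptions: the EventData names ServiceName, ImagePath, ServiceType, StartType and AccountName for 7045 and param1..param4 for 7040 as used by current Windows builds (check with ToXml() on one event if your templates differ); the "trusted path" pattern is an illustrative heuristic, not a rule from the page.

```powershell
# Added example: 7045 (service installed) and 7040 (start type changed)
# from the System log, with simple flags for follow-up. Not part of the
# original page. Field-name assumptions are noted inline.
param([int]$Days = 7)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7040, 7045
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

# Paths a legitimate install normally uses (illustrative heuristic); anything
# else, e.g. a temp or profile directory, is worth a look.
$trustedPath = '^\s*"?(\\\?\?\\)?(%SystemRoot%|%windir%|[A-Za-z]:\\(Windows|Program Files))'

$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($e.Id -eq 7045) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Id         = 7045
            Service    = $d['ServiceName']
            Detail     = "$($d['StartType']) / $($d['ServiceType']) as $($d['AccountName'])"
            ImagePath  = $d['ImagePath']
            Suspicious = -not ($d['ImagePath'] -match $trustedPath)
        }
    } else {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Id         = 7040
            Service    = $d['param4']      # short name; param1 is the display name (assumed layout)
            Detail     = "start type $($d['param2']) -> $($d['param3'])"
            ImagePath  = $null
            Suspicious = ($d['param3'] -eq 'disabled')   # e.g. a security service being switched off
        }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
$rows | Where-Object Suspicious | Format-List
```

7045 records the ImagePath exactly as registered, so a service pointing at cmd.exe or powershell.exe with an inline command will pass the path check but is still visible in the Detail/ImagePath columns; extend the heuristic to inspect the command line if that matters in your environment.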
Network Shares
Security
5140: A network share object was accessed
5142: A network share object was added
5144: A network share object was deleted
5145: A network share object was checked to see whether client can be granted desired access
5168: SPN check for SMB/SMB2 failed.
Microsoft-Windows-SMBClient/Operational
EventID=30622 or EventID=30624
Microsoft-Windows-SMBClient/Security
Microsoft-Windows-SMBServer/Security
System Time Modification
Security
4616: System Time Changed
Task Scheduler
Microsoft-Windows-TaskScheduler/Operational
EventID=106 or EventID=129 or EventID=141 or EventID=142 or EventID=200 or EventID=201
106: Task registered
129: Created Task Process
141: Task registration deleted
142: Task disabled
200: Action started
201: Action completed
Security
4698: A scheduled task was created
4699: A scheduled task was deleted
4700: A scheduled task was enabled
4701: A scheduled task was disabled
4702: A scheduled task was updated
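Added example (not part of the original page): read 4698 (task created) and 4702 (task updated) from the Security log and unpack the TaskContent XML embedded in each event so the command line, run-as principal and trigger types are visible in one table. Assumptions: "Audit Other Object Access Events" is enabled, and the EventData names TaskName, TaskContent, SubjectUserName and SubjectDomainName follow the Security-Auditing schema for these IDs; the triage regex at the end is an illustrative starting point, not a rule from the page.

```powershell
# Added example: unpack the task definition embedded in Security 4698/4702.
# Not part of the original page. Assumes the audit subcategory is enabled and
# the EventData field names noted in the lead-in.
param([int]$Days = 7)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4698, 4702
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$tasks = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [xml]$task = $d['TaskContent']          # the full Task Scheduler XML definition
    $principal = $task.Task.Principals.Principal
    $triggers  = @($task.Task.Triggers.ChildNodes | ForEach-Object { $_.LocalName }) -join ','
    # A task can carry several actions; emit one row per Exec action.
    foreach ($exec in @($task.Task.Actions.Exec | Where-Object { $_ })) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Author   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Task     = $d['TaskName']
            RunAs    = $principal.UserId
            RunLevel = $principal.RunLevel   # HighestAvailable = runs elevated
            Triggers = $triggers             # BootTrigger, LogonTrigger, CalendarTrigger, ...
            Command  = $exec.Command
            Args     = $exec.Arguments
        }
    }
}

$tasks | Format-Table -AutoSize

# Example triage: script hosts and LOLBins launched from a task, or encoded
# PowerShell arguments.
$tasks | Where-Object {
    $_.Command -match '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?"?$' -or
    $_.Args -match '(?i)-e(nc|ncodedcommand)?\s'
} | Format-List
```

Tasks whose only action is a COM handler (ComHandler element) produce no row here because they have no Exec command; if those matter, add a second loop over $task.Task.Actions.ComHandler and report the ClassId.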
PowerShell
Microsoft-Windows-PowerShell/Operational
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
Windows PowerShell
Print Jobs
Microsoft-Windows-PrintService/Operational
Level=4 and EventID=307
Terminal Services
All TSG Admin Events
Microsoft-Windows-TerminalServices-Gateway/Admin
Microsoft-Windows-TerminalServices-Gateway/Operational
All TSG Client USB Device Events
Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
All TSG Client USB Device Events
Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
All TSG Client USB PNP Events
Microsoft-Windows-TerminalServices-PnPDevices/Admin
All TSG Client USB PNP Events
Microsoft-Windows-TerminalServices-PnPDevices/Operational
All TSG Printer Events
Microsoft-Windows-TerminalServices-Printers/Admin
All TSG Printer Events
Microsoft-Windows-TerminalServices-Printers/Operational
All TSG Server USB Device Events
Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
All TSG Server USB Device Events
Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
WMI
Microsoft-Windows-WMI-Activity/Operational
Microsoft-Windows-TPM-WMI
513: TPM Owner Authorization information was backed up successfully to Active Directory Domain Services.
514: Failed to backup TPM Owner Authorization information to Active Directory Domain Services.
Windows Defender
Microsoft-Windows-Windows Defender/Operational
EventID=1006 or EventID=1007 or EventID=1008 or EventID=1009 (legacy IDs: malware detected / action taken / action failed / item restored from quarantine)
EventID=1116 or EventID=1117 or EventID=1118 or EventID=1119 (malware detected / action taken / action failed / critical error while taking action)
Wireless
Security
5632: A request was made to authenticate to a wireless network.
5633: A request was made to authenticate to a wired network.