Windows General Log Recommendations
No. | Category | Event Description | Event ID | Level | Log / Channel | Source (Provider) |
--- | --- | --- | --- | --- | --- | --- |
1 | Boot Events | Shutdown Initiate Failed | 1074 | Warning | User32 | User32 |
2 | Application Crashes | BSOD | 1001 | Error | System | Microsoft-Windows-WER-SystemErrorReporting |
3 | Boot Events | Windows Shutdown | 13 | Information | System | Microsoft-Windows-Kernel-General |
4 | Boot Events | Windows Startup | 12 | Information | System | Microsoft-Windows-Kernel-General |
5 | Clearing Event Logs | Event Log was Cleared | 104 | Information | System | Microsoft-Windows-Eventlog |
6 | Group Policy Errors | Generic Internal Error | 1126 | Error | System | Microsoft-Windows-GroupPolicy |
7 | Group Policy Errors | Group Policy Application Failed due to Connectivity | 1129 | Error | System | Microsoft-Windows-GroupPolicy |
8 | Group Policy Errors | Internal Error | 1125 | Error | System | Microsoft-Windows-GroupPolicy |
9 | Kernel Driver Signing | Failed Kernel Driver Loading | 219 | Warning | System | Microsoft-Windows-Kernel-PnP |
10 | Software and Service Installation | New Kernel Filter Driver | 6 | Information | System | Microsoft-Windows-FilterManager |
11 | Software and Service Installation | New Windows Service | 7045 | Information | System | Microsoft-Windows-FilterManager |
12 | Software and Service Installation | Service Start Failure | 7000 | Error | System | Service Control Manager |
13 | Software and Service Installation | Windows Update Installed | 19 | Information | System | Microsoft-Windows-WindowsUpdateClient |
14 | System Integrity | System Time Changed | 1 | Information | System | Microsoft-Windows-Kernel-General |
15 | System or Service Failures | Windows Service Fails or Crashes | 7022, 7023, 7024, 7026, 7031, 7032, 7034 | Error | System | Service Control Manager |
16 | Software and Service Installation | Update Packages Installed | 2 | Information | Setup | Microsoft-Windows-Servicing |
17 | Windows Update Errors | Hotpatching Failed | 1009 | Information | Setup | Microsoft-Windows-Servicing |
18 | Account Usage | Account Lockouts | 4740 | Information | Security | Microsoft-Windows-Security-Auditing |
19 | Account Usage | Account Login with Explicit Credentials | 4648 | Information | Security | Microsoft-Windows-Security-Auditing |
20 | Account Usage | Account Name Changed | 4781 | Information | Security | Microsoft-Windows-Security-Auditing |
21 | Account Usage | Account removed from Local Sec. Grp. | 4733 | Information | Security | Microsoft-Windows-Security-Auditing |
22 | Account Usage | Credential Authentication | 4776 | Information | Security | Microsoft-Windows-Security-Auditing |
23 | Account Usage | Credentials backed up | 5376 | Information | Security | Microsoft-Windows-Security-Auditing |
24 | Account Usage | Credentials restored | 5377 | Information | Security | Microsoft-Windows-Security-Auditing |
25 | Account Usage | Failed User Account Login | 4625 | Information | Security | Microsoft-Windows-Security-Auditing |
26 | Account Usage | Logoff Event | 4634 | Information | Security | Microsoft-Windows-Security-Auditing |
27 | Account Usage | Logon with Special Privs | 4672 | Information | Security | Microsoft-Windows-Security-Auditing |
28 | Account Usage | New User Account Created | 4720 | Information | Security | Microsoft-Windows-Security-Auditing |
29 | Account Usage | New User Account Enabled | 4722 | Information | Security | Microsoft-Windows-Security-Auditing |
30 | Account Usage | Password Hash Accessed | 4782 | Information | Security | Microsoft-Windows-Security-Auditing |
31 | Account Usage | Password Policy Checking API called | 4793 | Information | Security | Microsoft-Windows-Security-Auditing |
32 | Account Usage | Security-enabled Group Created | 4731 | Information | Security | Microsoft-Windows-Security-Auditing |
33 | Account Usage | Security-Enabled group Modification | 4735 | Information | Security | Microsoft-Windows-Security-Auditing |
34 | Account Usage | SID History add attempted on Account | 4766 | Information | Security | Microsoft-Windows-Security-Auditing |
35 | Account Usage | SID History added to Account | 4765 | Information | Security | Microsoft-Windows-Security-Auditing |
36 | Account Usage | Successful User Account Login | 4624 | Information | Security | Microsoft-Windows-Security-Auditing |
37 | Account Usage | User Account Deleted | 4726 | Information | Security | Microsoft-Windows-Security-Auditing |
38 | Account Usage | User Account Disabled | 4725 | Information | Security | Microsoft-Windows-Security-Auditing |
39 | Account Usage | User Account Unlocked | 4767 | Information | Security | Microsoft-Windows-Security-Auditing |
40 | Account Usage | User Added to Privileged Group | 4728, 4732, 4756 | Information | Security | Microsoft-Windows-Security-Auditing |
41 | Account Usage | User Right Assigned | 4704 | Information | Security | Microsoft-Windows-Security-Auditing |
42 | Application Whitelisting | Process Created | 4688 | Information | Security | Microsoft-Windows-Security-Auditing |
43 | Application Whitelisting | Process Terminated | 4689 | Information | Security | Microsoft-Windows-Security-Auditing |
44 | Certificate Services | CA Services Request | 4886 | Information | Security | Microsoft-Windows-Security-Auditing |
45 | Certificate Services | Certificate Manager Settings Changed | 4890 | Information | Security | Microsoft-Windows-Security-Auditing |
46 | Certificate Services | Certificate Request Attributes Changed | 4874 | Information | Security | Microsoft-Windows-Security-Auditing |
47 | Certificate Services | Certificate Request Extension Changed | 4873 | Information | Security | Microsoft-Windows-Security-Auditing |
48 | Certificate Services | Certificate Revoked | 4870 | Information | Security | Microsoft-Windows-Security-Auditing |
49 | Certificate Services | Certificate Services approved request | 4887 | Information | Security | Microsoft-Windows-Security-Auditing |
50 | Certificate Services | Certificate Services Audit Filter Changed | 4885 | Information | Security | Microsoft-Windows-Security-Auditing |
51 | Certificate Services | Certificate Services Configuration Changed | 4891 | Information | Security | Microsoft-Windows-Security-Auditing |
52 | Certificate Services | Certificate Services denied request | 4888 | Information | Security | Microsoft-Windows-Security-Auditing |
53 | Certificate Services | Certificate Services Loaded Template | 4898 | Information | Security | Microsoft-Windows-Security-Auditing |
54 | Certificate Services | Certificate Services Permissions Changed | 4882 | Information | Security | Microsoft-Windows-Security-Auditing |
55 | Certificate Services | Certificate Services Property Changed | 4892 | Information | Security | Microsoft-Windows-Security-Auditing |
56 | Certificate Services | Certificate Services Started | 4880 | Information | Security | Microsoft-Windows-Security-Auditing |
57 | Certificate Services | Certificate Services Stopped | 4881 | Information | Security | Microsoft-Windows-Security-Auditing |
58 | Certificate Services | Certificate Services Template Security Updated | 4900 | Information | Security | Microsoft-Windows-Security-Auditing |
59 | Certificate Services | Certificate Services Template Updated | 4899 | Information | Security | Microsoft-Windows-Security-Auditing |
60 | Certificate Services | Entries Removed from Certificate Database | 4896 | Information | Security | Microsoft-Windows-Security-Auditing |
61 | Clearing Event Logs | Event Log Service Shutdown | 1100 | Information | Security | Microsoft-Windows-EventLog |
62 | Clearing Event Logs | Event Log was Cleared | 1102 | Information | Security | Microsoft-Windows-Eventlog |
63 | DNS/Directory Services | Directory service created | 5137 | Information | Security | Microsoft-Windows-Security-Auditing |
64 | DNS/Directory Services | Directory service deleted | 5141 | Information | Security | Microsoft-Windows-Security-Auditing |
65 | DNS/Directory Services | Directory service modified | 5136 | Information | Security | Microsoft-Windows-Security-Auditing |
66 | DNS/Directory Services | Directory service moved | 5139 | Information | Security | Microsoft-Windows-Security-Auditing |
67 | DNS/Directory Services | Directory service recovered | 5138 | Information | Security | Microsoft-Windows-Security-Auditing |
68 | Kernel Driver Signing | Detected an invalid image hash of a file | 5038 | Information | Security | Microsoft-Windows-Security-Auditing |
69 | Kernel Driver Signing | Detected an invalid page hash of an image file | 6281 | Information | Security | Microsoft-Windows-Security-Auditing |
70 | Network Policy | Encrypted Data Recovery Policy Changed | 4714 | Information | Security | Microsoft-Windows-Security-Auditing |
71 | Network Policy | Kerberos Policy Changed | 4713 | Information | Security | Microsoft-Windows-Security-Auditing |
72 | Network Policy | Kerberos Service Ticket Req. Failed | 4769 | Information | Security | Microsoft-Windows-Security-Auditing |
73 | Network Policy | Network Policy Server Denied Access | 6273 | Information | Security | Microsoft-Windows-Security-Auditing |
74 | Network Policy | Network Policy Server Discarded Accounting Request | 6275 | Information | Security | Microsoft-Windows-Security-Auditing |
75 | Network Policy | Network Policy Server Discarded Request | 6274 | Information | Security | Microsoft-Windows-Security-Auditing |
76 | Network Policy | Network Policy Server Granted Access | 6272 | Information | Security | Microsoft-Windows-Security-Auditing |
77 | Network Policy | Network Policy Server Granted Full Access | 6278 | Information | Security | Microsoft-Windows-Security-Auditing |
78 | Network Policy | Network Policy Server Granted Probationary Access | 6277 | Information | Security | Microsoft-Windows-Security-Auditing |
79 | Network Policy | Network Policy Server Locked Account | 6279 | Information | Security | Microsoft-Windows-Security-Auditing |
80 | Network Policy | Network Policy Server Quarantined User | 6276 | Information | Security | Microsoft-Windows-Security-Auditing |
81 | Network Policy | Network Policy Server Unlocked Account | 6280 | Information | Security | Microsoft-Windows-Security-Auditing |
82 | Network Policy | Network share accessed | 5140 | Information | Security | Microsoft-Windows-Security-Auditing |
83 | Network Policy | Network Share Checked | 5145 | Information | Security | Microsoft-Windows-Security-Auditing |
84 | Network Policy | Network Share Created | 5142 | Information | Security | Microsoft-Windows-Security-Auditing |
85 | Network Policy | Network Share Deleted | 5144 | Information | Security | Microsoft-Windows-Security-Auditing |
86 | Network Policy | New Trust for Domain | 4706 | Information | Security | Microsoft-Windows-Security-Auditing |
87 | Network Policy | Role Separation Enabled | 4897 | Information | Security | Microsoft-Windows-Security-Auditing |
88 | Network Policy | System Audit Policy Changed | 4719 | Information | Security | Microsoft-Windows-Security-Auditing |
89 | Network Policy | Trusted Domain Information Modified | 4716 | Information | Security | Microsoft-Windows-Security-Auditing |
90 | Network Policy | TS Session Disconnect | 4779 | Information | Security | Microsoft-Windows-Security-Auditing |
91 | Network Policy | TS Session Reconnect | 4778 | Information | Security | Microsoft-Windows-Security-Auditing |
92 | Network Policy | Wireless 802.1X Auth | 5632 | Information | Security | Microsoft-Windows-Security-Auditing |
93 | System Integrity | Registry Modification | 4657 | Information | Security | Microsoft-Windows-Security-Auditing |
94 | Network Policy | RADIUS User assigned IP | 20250 | Success | RemoteAccess | Microsoft-Windows-MPRMSG |
95 | Network Policy | RADIUS User Authenticated | 20274 | Success | RemoteAccess | Microsoft-Windows-MPRMSG |
96 | Network Policy | RADIUS User Disconnected | 20275 | Success | RemoteAccess | Microsoft-Windows-MPRMSG |
97 | PowerShell Activities | Get-MessageTrackingLog cmdlet | 800 | Information | Powershell | Microsoft-Windows-Powershell |
98 | PowerShell Activities | Remote Connection | 169 | Information | Powershell | Microsoft-Windows-Powershell |
99 | Mobile Device Activities | Disconnect from Wireless connection | 8003 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
100 | Mobile Device Activities | Starting a Wireless connection | 8000, 8011 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
101 | Mobile Device Activities | Successfully connected to a Wireless connection | 8001 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
102 | Mobile Device Activities | Wireless Association Status | 11000, 11001 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
103 | Mobile Device Activities | Wireless Association Status | 11002 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
104 | Mobile Device Activities | Wireless Authentication Started and Failed | 12011, 12012 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
105 | Mobile Device Activities | Wireless Authentication Started and Failed | 12013 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
106 | Mobile Device Activities | Wireless Connection Failed | 8002 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
107 | Mobile Device Activities | Wireless Security Started, Stopped, Successful, or Failed | 11004, 11005 | Information | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
108 | Mobile Device Activities | Wireless Security Started, Stopped, Successful, or Failed | 11010, 11006 | Error | Microsoft-Windows-WLAN-AutoConfig/Operational | Microsoft-Windows-WLAN-AutoConfig |
109 | Windows Update Errors | Windows Update Failed | 20, 24, 25, 31, 34, 35 | Error | Microsoft-Windows-WindowsUpdateClient/Operational | Microsoft-Windows-WindowsUpdateClient |
110 | Windows Firewall | Firewall Failed to load Group Policy | 2009 | Error | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security |
111 | Windows Firewall | Firewall Rule Add | 2004 | Information | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security |
112 | Windows Firewall | Firewall Rule Change | 2005 | Information | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security |
113 | Windows Firewall | Firewall Rules Deleted | 2006, 2033 | Information | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security |
114 | Windows Defender Activities | Action on Malware Failed | 1008 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
115 | Windows Defender Activities | Detected Malware | 1006, 1116 | Warning | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
116 | Windows Defender Activities | Failed to remove item from quarantine | 1010 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
117 | Windows Defender Activities | Failed to update engine | 2003 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
118 | Windows Defender Activities | Failed to update signatures | 2001 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
119 | Windows Defender Activities | File Restored from Quarantine | 1009 | Information | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
120 | Windows Defender Activities | Malware Removal Error | 1118 | Information | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
121 | Windows Defender Activities | Malware Removal Fatal Error | 1119 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
122 | Windows Defender Activities | Malware Removed | 1007, 1117 | Information | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
123 | Windows Defender Activities | Real-Time Protection failed | 3002 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
124 | Windows Defender Activities | Reverting to last known good set of signatures | 2004 | Warning | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
125 | Windows Defender Activities | Scan Failed | 1005 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
126 | Windows Defender Activities | Unexpected Error | 5008 | Error | Microsoft-Windows-Windows Defender/Operational | Microsoft-Windows-Windows Defender |
127 | External Media Detection | New Device Information | 43 | Information | Microsoft-Windows-USB-USBHUB3-Analytic | Microsoft-Windows-USB-USBHUB3 |
128 | Network Policy | Outbound TS Connect Attempt | 1024 | Information | Microsoft-Windows-TerminalServices-RDPClient/Operational | Microsoft-Windows-TerminalServices-ClientActiveXCore |
129 | Task Scheduler Activities | New Task Registered | 106 | Information | Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler |
130 | Task Scheduler Activities | Task Deleted | 141 | Information | Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler |
131 | Task Scheduler Activities | Task Disabled | 142 | Information | Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler |
132 | Task Scheduler Activities | Task Launched | 200 | Information | Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler |
133 | Printing Services | Printing Document | 307 | Information | Microsoft-Windows-PrintService/Operational | Microsoft-Windows-PrintService |
134 | PowerShell Activities | Exception Raised | 4103 | Information | Microsoft-Windows-Powershell/Operational | Microsoft-Windows-Powershell |
135 | PowerShell Activities | Exception Raised | 4104 | Information | Microsoft-Windows-Powershell/Operational | Microsoft-Windows-Powershell |
136 | PowerShell Activities | Exception Raised | 4105 | Information | Microsoft-Windows-Powershell/Operational | Microsoft-Windows-Powershell |
137 | PowerShell Activities | Exception Raised | 4106 | Information | Microsoft-Windows-Powershell/Operational | Microsoft-Windows-Powershell |
138 | Mobile Device Activities | Network Connection and Disconnection Status (Wired and Wireless) | 10000, 10001 | Information | Microsoft-Windows-NetworkProfile/Operational | Microsoft-Windows-NetworkProfile |
139 | Account Usage | Group Assigned to new Session | 300 | Information | Microsoft-Windows-LSA/Operational | LsaSrv |
140 | External Media Detection | New Mass Storage Installation | 400, 410 | Information | Microsoft-Windows-Kernel-PnP/Device Configuration | Microsoft-Windows-Kernel-PnP |
141 | DNS/Directory Services | DNS Request/Response | 256, 257 | Information | Microsoft-Windows-DNSServer/Analytical | Microsoft-Windows-DNSServer |
142 | DNS/Directory Services | DNS Query Complete | 3008 | Information | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client |
143 | DNS/Directory Services | DNS Response Complete | 3020 | Information | Microsoft-Windows-DNS-Client/Operational | Microsoft-Windows-DNS-Client |
144 | Kernel Driver Signing | Code Integrity Check | 3001, 3002, 3003, 3004, 3010, 3023 | Warning, Error | Microsoft-Windows-CodeIntegrity/Operational | Microsoft-Windows-CodeIntegrity |
145 | Certificate Services | CA Permissions Corrupted or Missing | 90 | Information | Microsoft-Windows-CertificationAuthority | Microsoft-Windows-CertificationAuthority |
146 | Microsoft Cryptography API | Cert Trust Chain Build Failed | 11 | Information | Microsoft-Windows-CAPI2/Operational | Microsoft-Windows-CAPI2 |
147 | Microsoft Cryptography API | Private Key Accessed | 70 | Information | Microsoft-Windows-CAPI2/Operational | Microsoft-Windows-CAPI2 |
148 | Microsoft Cryptography API | X.509 Object | 90 | Information | Microsoft-Windows-CAPI2/Operational | Microsoft-Windows-CAPI2 |
149 | Application Whitelisting | Application Ran | 8020 | Information | Microsoft-Windows-AppLocker/Packaged app-Execution | Microsoft-Windows-AppLocker |
150 | Application Whitelisting | Application Installed | 8023 | Information | Microsoft-Windows-AppLocker/Packaged app-Deployment | Microsoft-Windows-AppLocker |
151 | Application Whitelisting | AppLocker Warning | 8006 | Error | Microsoft-Windows-AppLocker/MSI and Script | Microsoft-Windows-AppLocker |
152 | Application Whitelisting | AppLocker Warning | 8007 | Warning | Microsoft-Windows-AppLocker/MSI and Script | Microsoft-Windows-AppLocker |
153 | Application Whitelisting | Script or Installer ran | 8005 | Information | Microsoft-Windows-AppLocker/MSI and Script | Microsoft-Windows-AppLocker |
154 | Application Whitelisting | AppLocker Block | 8002 | Information | Microsoft-Windows-AppLocker/EXE and DLL | Microsoft-Windows-AppLocker |
155 | Application Whitelisting | AppLocker Block | 8003 | Error | Microsoft-Windows-AppLocker/EXE and DLL | Microsoft-Windows-AppLocker |
156 | Application Whitelisting | AppLocker Block | 8004 | Warning | Microsoft-Windows-AppLocker/EXE and DLL | Microsoft-Windows-AppLocker |
157 | Software and Service Installation | New Application Installation | 903, 904 | Information | Microsoft-Windows-Application-Experience/Program-Inventory | Microsoft-Windows-Application-Experience |
158 | Software and Service Installation | Removed Application | 907, 908 | Information | Microsoft-Windows-Application-Experience/Program-Inventory | Microsoft-Windows-Application-Experience |
159 | Software and Service Installation | Summary of Software Activities | 800 | Information | Microsoft-Windows-Application-Experience/Program-Inventory | Microsoft-Windows-Application-Experience |
160 | Software and Service Installation | Updated Application | 905, 906 | Information | Microsoft-Windows-Application-Experience/Program-Inventory | Microsoft-Windows-Application-Experience |
161 | Account Usage | Create Profile failed | 1518 | Error | Application | Microsoft-Windows-User Profiles Service |
162 | Account Usage | Temp Profile Logon | 1511 | Error | Application | Microsoft-Windows-User Profiles Service |
163 | Application Crashes | App Crash | 1000 | Error | Application | Application Error |
164 | Application Crashes | App Error | 1000 | Error | Application | Application Error |
165 | Application Crashes | App Hang | 1002 | Error | Application | Application Hang |
166 | Application Crashes | WER | 1001 | Information | Application | Windows Error Reporting |
167 | Application Whitelisting | SRP Block | 865, 866, 867, 868, 882 | Warning | Application | Microsoft-Windows-SoftwareRestrictionPolicies |
168 | Software and Service Installation | New MSI File Installed | 1022, 1033 | Information | Application | MsiInstaller |
What log events should I collect/send to my SIEM?
Account Management
4740: Account Lockouts
4627: Group Membership Information
4703: A user right was adjusted.
4704: A user right (privilege) was assigned.
4705: A user right (privilege) was removed.
4720: A user account was created.
4722: A user account was enabled.
4723: Attempt was made to change account's password.
4724: An attempt was made to reset an account's password.
4725: A user account was disabled.
4726: A user account was deleted.
4727: A security-enabled global group was created.
4728: A member was added to a security-enabled global group.
4729: A member was removed from a security-enabled global group.
4730: A security-enabled global group was deleted.
4731: A security-enabled local group was created.
4732: A member was added to a security-enabled local group.
4733: A member was removed from a security-enabled local group.
4734: A security-enabled local group was deleted.
4735: Modification of Security-enabled groups
4737: A security-enabled global group was changed.
4738: A user account was changed.
4739: Domain Policy was changed.
4741: A computer account was created.
4742: A computer account was changed.
4743: A computer account was deleted.
4744: A security-disabled local group was created.
4745: A security-disabled local group was changed.
4746: A member was added to a security-disabled local group.
4747: A member was removed from a security-disabled local group.
4748: A security-disabled local group was deleted.
4749: A security-disabled global group was created.
4750: A security-disabled global group was changed.
4751: A member was added to a security-disabled global group.
4752: A member was removed from a security-disabled global group.
4753: A security-disabled global group was deleted.
4754: A security-enabled universal group was created.
4755: A security-enabled universal group was changed.
4756: A member was added to a security-enabled universal group.
4757: A member was removed from a security-enabled universal group.
4758: A security-enabled universal group was deleted.
4759: A security-disabled universal group was created.
4760: A security-disabled universal group was changed.
4761: A member was added to a security-disabled universal group.
4762: A member was removed from a security-disabled universal group.
4763: A security-disabled universal group was deleted.
4764: A group's type was changed.
4765: SID History was added to an account.
4766: An attempt to add SID History to an account failed.
4767: A user account was unlocked.
4780: The ACL was set on accounts which are members of administrators group.
4781: The name of an account was changed.
4782: The password hash of an account was accessed.
4793: The Password Policy Checking API was called.
4794: An attempt was made to set the Directory Services Restore Mode administrator password.
4798: A user's local group membership was enumerated.
4799: A security-enabled local group membership was enumerated.
5376: Credential Manager credentials were backed up.
5377: Credential Manager credentials were restored from a backup.
Active Directory
4662: Directory Service Access Operation Performed On An Object
5136: A directory service object was modified.
5137: A directory service object was created.
5138: A directory service object was undeleted.
5139: A directory service object was moved.
5141: A directory service object was deleted.
4713: Kerberos Policy was changed.
4706: A new trust was created to a domain.
4707: A trust to a domain was removed.
4716: Trusted domain information was modified.
4717: System security access was granted to an account.
4718: System security access was removed from an account.
4739: Domain Policy was changed.
4864: A namespace collision was detected.
4865: A trusted forest information entry was added.
4866: A trusted forest information entry was removed.
4867: A trusted forest information entry was modified.
Application Error and Hang
EventID=1000
EventID=1002
WER Application Crashes Reports
EventID=1001
Applocker
Microsoft-Windows-AppLocker/EXE and DLL
Rules that look for Applocker EXE or Script events
Applocker Packaged app execution
Applocker Packaged app installation
Authentication Events
4624: An account was successfully logged on.
4625: An account failed to log on.
4626: User/Device claims information.
4634: An account was successfully logged off.
4647: User initiated logoff.
4649: A replay attack was detected.
4672: Special privileges assigned to a new logon (administrative logins such as -sa and -ada accounts).
4675: SIDs were filtered.
4774: An account was mapped for logon.
4775: An account could not be mapped for logon.
4776: The computer attempted to validate the credentials for an account.
4777: The domain controller failed to validate the credentials for an account.
4778: A session was reconnected to a Window Station.
4779: A session was disconnected from a Window Station.
4800: The workstation was locked.
4801: The workstation was unlocked.
4802: The screen saver was invoked.
4803: The screen saver was dismissed.
4964: Special groups have been assigned a new logon.
5378: The requested credentials delegation was disallowed by policy.
Note: suppress [EventData[Data[1]="S-1-5-18"]] to avoid noise from SECURITY_LOCAL_SYSTEM_RID (the LOCAL SYSTEM account).
BITS
Microsoft-Windows-Bits-Client/Operational
Certificate Authority
Security
4886: Certificate Services received certificate request
4887: Approved and Certificate issued
4888: Denied request
Code Integrity
Windows Code Integrity Checks (Kernel-mode Driver and User-mode Protected Media Validation)
(Level=2 or Level=3) and (EventID=3001 or EventID=3002 or EventID=3003 or EventID=3004 or EventID=3010 or EventID=3023)
Windows Code Integrity Checks (Invalid hashes)
(Level=0 or Level=4) and (EventID=5038 or EventID=6281 or EventID=6410)
DNS Logs
3008: DNS Client event: query completed
Suppress EventData[Data[@Name="QueryOptions"]="140737488355328"]
Suppress EventData[Data[@Name="QueryResults"]=""]
150: DNS Server could not load or initialize the plug-in DLL
770: DNS Server plugin DLL has been loaded
541: The setting serverlevelplugindll on scope . has been set to $dll_path
Drivers Logs
Microsoft-Windows-Kernel-PnP
Level=3 and EventID=219
Microsoft-Windows-DriverFrameworks-UserMode/Operational
Detect User-Mode drivers loaded - for potential BadUSB detection.
EventID=2004
EventLog Diagnostics
1100: The event logging service has shut down.
1104: The security log is now full.
1105: Event log automatic backup.
1108: The event logging service encountered an error while processing an incoming event published from %1
Explicit Login Credentials
Microsoft-Windows-Security-Auditing
(Level=4 or Level=0) and EventID=4648 and ProcessName != 'C:\Windows\System32\taskhost.exe'
Firewall Events
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
4944: The following policy was active when the Windows Firewall started.
4945: A rule was listed when the Windows Firewall started.
4946: A change has been made to Windows Firewall exception list. A rule was added.
4947: A change has been made to Windows Firewall exception list. A rule was modified.
4948: A change has been made to Windows Firewall exception list. A rule was deleted.
4949: Windows Firewall settings were restored to the default values.
4950: A Windows Firewall setting has changed.
4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
4953: A rule has been ignored by Windows Firewall because it could not parse the rule.
4954: Windows Firewall Group Policy settings have changed. The new settings have been applied.
4956: Windows Firewall has changed the active profile.
4957: Windows Firewall did not apply the following rule.
4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
Security Log
5024: The Windows Firewall Service has started successfully.
5025: The Windows Firewall Service has been stopped.
5027: The Windows Firewall Service was unable to retrieve the security policy from local storage. The service will continue enforcing the current policy.
5028: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
5030: The Windows Firewall Service failed to start.
5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033: The Windows Firewall Driver has started successfully.
5034: The Windows Firewall Driver was stopped.
5035: The Windows Firewall Driver failed to start.
5037: The Windows Firewall Driver detected critical runtime error. Terminating.
External Devices Log
Security
6416: A new external device was recognized by the System.
6419: A request was made to disable a device.
6420: A device was disabled.
6421: A request was made to enable a device.
6422: A device was enabled.
6423: The installation of this device is forbidden by system policy.
6424: The installation of this device was allowed after having previously been forbidden by policy.
Microsoft-Windows-USB-USBHUB3-Analytic
Level=4 and EventID=43
EventData[Data[@Name='fid_DeviceDescription']='USB Mass Storage Device']
Microsoft-Windows-Kernel-PnP/Configuration
400, 410: New Mass Storage Device Installation
Level=4 and
(EventID=400 or EventID=410)
and EventData[Data[@Name='DriverName']='usbstor.inf']
GPO logs
Microsoft-Windows-GroupPolicy
Level 2 and
1085: Application of Group Policy failures
1125: Group Policy Service
1127: Group Policy Service
1129: Group Policy Preprocessing Networking
Security
6144: Security policy in the group policy objects has been applied successfully.
6145: One or more errors occurred while processing security policy in the group policy object.
Kerberos
Security
4768: A Kerberos authentication ticket (TGT) was requested.
4769: A Kerberos service ticket was requested.
4770: A Kerberos service ticket was renewed.
4771: Kerberos pre-authentication failed.
4772: A Kerberos authentication ticket request failed.
4773: A Kerberos service ticket request failed.
LOG Deletion
Security
1102: Security Log File Cleared
System
104: Log File Cleared
Object Manipulation
Security
4715: The audit policy (SACL) on an object was changed.
4817: Auditing settings on object were changed.
4656: A handle to an object was requested.
4658: The handle to an object was closed.
4660: An object was deleted.
4663: An attempt was made to access an object.
4670: Permissions on an object were changed.
Operating System
System
41: The system has rebooted without cleanly shutting down first
1001: Application crashes, hangs, and generic reports
4621: Administrator recovered system from CrashOnAuditFail.
6008: The previous system shutdown was unexpected.
1074: Shutdown initiate requests, with user, process and reason (if supplied)
12: System startup (12 - includes OS/SP/Version) and shutdown
16962: A remote call to the SAM database has been denied
16965: Remote calls to the SAM database have been denied in the past 900 seconds throttling window
16968: The following client would normally have been denied access to the SAM database
16969: Remote calls to the SAM database are being restricted using the default security descriptor
16965: is enabled via a registry key
Security
4719: System audit policy was changed.
4817: A trusted logon process has been registered with the Local Security Authority.
4902: The Per-user audit policy table was created.
4906: The CrashOnAuditFail value has changed.
4908: Special Groups Logon table modified.
4912: Per User Audit Policy was changed.
4904: An attempt was made to register a security event source.
4905: An attempt was made to unregister a security event source.
4610: An authentication package has been loaded by the Local Security Authority.
4611: A trusted logon process has been registered with the Local Security Authority.
4614: A notification package has been loaded by the Security Account Manager.
4622: A security package has been loaded by the Local Security Authority.
4697: A service was installed in the system.
4817: Auditing settings on object were changed.
4826: Boot Configuration Data loaded.
4608: Windows is starting up
Microsoft-Windows-SMBServer/Audit
3000: Client attempted to use SMBv1
Privilege Use
Security
4673: A privileged service was called.
4674: An operation was attempted on a privileged object.
4985: The state of a transaction has changed.
Process execution
Security
4688: Process Created
4699: Process Terminated
Registry
Security
4657: Registry modified events for Operations
and EventData[Data[@Name='OperationType']] =
1904: New Registry Value created OR
1905: Existing Registry Value modified OR
1906: Registry Value Deleted
Services
System
Level 0 OR 1 OR 2 OR 3 OR 4
7022: The service hung on starting
7023: The service terminated with the following error
7024: The service terminated with service-specific error
7026: The following boot-start or system-start driver(s) failed to load
7031: The service terminated unexpectedly. It has done this x time(s).
7040: Service Start Type Changed
7045: Service Installed
Network Shares
Security
5140: Network share object access
5142: Network Share create
5144: Network Share Delete
5145: A network share object was checked to see whether client can be granted desired access
5168: SPN check for SMB/SMB2 failed.
Microsoft-Windows-SMBClient/Operational
Event ID: 30622 OR
Event ID: 30624
Microsoft-Windows-SMBClient/Security
Microsoft-Windows-SMBServer/Security
System Time Modification
Security
4616: System Time Changed
Task Scheduler
Microsoft-Windows-TaskScheduler/Operational
EventID=106 or
EventID=129 or
EventID=141 or
EventID=142 or
EventID=200 or
EventID=201
Security
4698: A scheduled task was created
4699: A scheduled task was deleted
4700: A scheduled task was enabled
4701: A scheduled task was disabled
4702: A scheduled task was updated
PowerShell
Microsoft-Windows-PowerShell/Operational
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
Windows PowerShell
Print Jobs
Microsoft-Windows-PrintService/Operational
Level=4 and EventID=307
Terminal Services
All TSG Admin Events
Microsoft-Windows-TerminalServices-Gateway/Admin
Microsoft-Windows-TerminalServices-Gateway/Operational
All TSG Client USB Device Events
Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
All TSG Client USB Device Events
Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
All TSG Client USB PNP Events
Microsoft-Windows-TerminalServices-PnPDevices/Admin
All TSG Client USB PNP Events
Microsoft-Windows-TerminalServices-PnPDevices/Operational
All TSG Printer Events
Microsoft-Windows-TerminalServices-Printers/Admin
All TSG Printer Events
Microsoft-Windows-TerminalServices-Printers/Operational
All TSG Server USB Device Events
Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
All TSG Server USB Device Events
Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
WMI
Microsoft-Windows-WMI-Activity/Operational
Microsoft-Windows-TPM-WMI
513: TPM Owner Authorization information was backed up successfully to Active Directory Domain Services.
514: Failed to backup TPM Owner Authorization information to Active Directory Domain Services.
Windows Defender
Microsoft-Windows-Windows Defender/Operational
Event ID: 1006 OR 1007 OR 1008 OR 1009
Event ID: 1116 OR 1117 OR 1118 OR 1119
Wireless
Security
5632: Request made to authenticate to Wireless network.
5633: A request was made to authenticate to a wired network.