# Windows General Log Recommendations

	Category	Name	ID	Level	Event Log	Event Source
1	Boot Events	Shutdown Initiate Failed	1074	Warning	User32	User32
2	Application Crashes	BSOD	1001	Error	System	Microsoft-Windows-WER-SystemErrorReporting
3	Boot Events	Windows Shutdown	13	Information	System	Microsoft-Windows-Kernel-General
4	Boot Events	Windows Startup	12	Information	System	Microsoft-Windows-Kernel-General
5	Clearing Event Logs	Event Log was Cleared	104	Information	System	Microsoft-Windows-Eventlog
6	Group Policy Errors	Generic Internal Error	1126	Error	System	Microsoft-Windows-GroupPolicy
7	Group Policy Errors	Group Policy Application Failed due to Connectivity	1129	Error	System	Microsoft-Windows-GroupPolicy
8	Group Policy Errors	Internal Error	1125	Error	System	Microsoft-Windows-GroupPolicy
9	Kernel Driver Signing	Failed Kernel Driver Loading	219	Warning	System	Microsoft-Windows-Kernel-PnP
10	Software and Service Installation	New Kernel Filter Driver	6	Information	System	Microsoft-Windows-FilterManager
11	Software and Service Installation	New Windows Service	7045	Information	System	Microsoft-Windows-FilterManager
12	Software and Service Installation	Service Start Failure	7000	Error	System	Service Control Manager
13	Software and Service Installation	Windows Update Installed	19	Information	System	Microsoft-Windows-WindowsUpdateClient
14	System Integrity	System Time Changed	1	Information	System	Microsoft-Windows-Kernel-General
15	System or Service Failures	Windows Service Fails or Crashes	7022, 7023, 7024, 7026, 7031, 7032, 7034	Error	System	Service Control Manager
16	Software and Service Installation	Update Packages Installed	2	Information	Setup	Microsoft-Windows-Servicing
17	Windows Update Errors	Hotpatching Failed	1009	Information	Setup	Microsoft-Windows-Servicing
18	Account Usage	Account Lockouts	4740	Information	Security	Microsoft-Windows-Security-Auditing
19	Account Usage	Account Login with Explicit Credentials	4648	Information	Security	Microsoft-Windows-Security-Auditing
20	Account Usage	Account Name Changed	4781	Information	Security	Microsoft-Windows-Security-Auditing
21	Account Usage	Account removed from Local Sec. Grp.	4733	Information	Security	Microsoft-Windows-Security-Auditing
22	Account Usage	Credential Authentication	4776	Information	Security	Microsoft-Windows-Security-Auditing
23	Account Usage	Credentials backed up	5376	Information	Security	Microsoft-Windows-Security-Auditing
24	Account Usage	Credentials restored	5377	Information	Security	Microsoft-Windows-Security-Auditing
25	Account Usage	Failed User Account Login	4625	Information	Security	Microsoft-Windows-Security-Auditing
26	Account Usage	Logoff Event	4634	Information	Security	Microsoft-Windows-Security-Auditing
27	Account Usage	Logon with Special Privs	4672	Information	Security	Microsoft-Windows-Security-Auditing
28	Account Usage	New User Account Created	4720	Information	Security	Microsoft-Windows-Security-Auditing
29	Account Usage	New User Account Enabled	4722	Information	Security	Microsoft-Windows-Security-Auditing
30	Account Usage	Password Hash Accessed	4782	Information	Security	Microsoft-Windows-Security-Auditing
31	Account Usage	Password Policy Checking API called	4793	Information	Security	Microsoft-Windows-Security-Auditing
32	Account Usage	Security-enabled Group Created	4731	Information	Security	Microsoft-Windows-Security-Auditing
33	Account Usage	Security-Enabled group Modification	4735	Information	Security	Microsoft-Windows-Security-Auditing
34	Account Usage	SID History add attempted on Account	4766	Information	Security	Microsoft-Windows-Security-Auditing
35	Account Usage	SID History added to Account	4765	Information	Security	Microsoft-Windows-Security-Auditing
36	Account Usage	Successful User Account Login	4624	Information	Security	Microsoft-Windows-Security-Auditing
37	Account Usage	User Account Deleted	4726	Information	Security	Microsoft-Windows-Security-Auditing
38	Account Usage	User Account Disabled	4725	Information	Security	Microsoft-Windows-Security-Auditing
39	Account Usage	User Account Unlocked	4767	Information	Security	Microsoft-Windows-Security-Auditing
40	Account Usage	User Added to Privileged Group	4728, 4732, 4756	Information	Security	Microsoft-Windows-Security-Auditing
41	Account Usage	User Right Assigned	4704	Information	Security	Microsoft-Windows-Security-Auditing
42	Application Whitelisting	Process Created	4688	Information	Security	Microsoft-Windows-Security-Auditing
43	Application Whitelisting	Process Terminated	4689	Information	Security	Microsoft-Windows-Security-Auditing
44	Certificate Services	CA Services Request	4886	Information	Security	Microsoft-Windows-Security-Auditing
45	Certificate Services	Certificate Manager Settings Changed	4890	Information	Security	Microsoft-Windows-Security-Auditing
46	Certificate Services	Certificate Request Attributes Changed	4874	Information	Security	Microsoft-Windows-Security-Auditing
47	Certificate Services	Certificate Request Extension Changed	4873	Information	Security	Microsoft-Windows-Security-Auditing
48	Certificate Services	Certificate Revoked	4870	Information	Security	Microsoft-Windows-Security-Auditing
49	Certificate Services	Certificate Services approved request	4887	Information	Security	Microsoft-Windows-Security-Auditing
50	Certificate Services	Certificate Services Audit Filter Changed	4885	Information	Security	Microsoft-Windows-Security-Auditing
51	Certificate Services	Certificate Services Configuration Changed	4891	Information	Security	Microsoft-Windows-Security-Auditing
52	Certificate Services	Certificate Services denied request	4888	Information	Security	Microsoft-Windows-Security-Auditing
53	Certificate Services	Certificate Services Loaded Template	4898	Information	Security	Microsoft-Windows-Security-Auditing
54	Certificate Services	Certificate Services Permissions Changed	4882	Information	Security	Microsoft-Windows-Security-Auditing
55	Certificate Services	Certificate Services Property Changed	4892	Information	Security	Microsoft-Windows-Security-Auditing
56	Certificate Services	Certificate Services Started	4880	Information	Security	Microsoft-Windows-Security-Auditing
57	Certificate Services	Certificate Services Stopped	4881	Information	Security	Microsoft-Windows-Security-Auditing
58	Certificate Services	Certificate Services Template Security Updated	4900	Information	Security	Microsoft-Windows-Security-Auditing
59	Certificate Services	Certificate Services Template Updated	4899	Information	Security	Microsoft-Windows-Security-Auditing
60	Certificate Services	Entries Removed from Certificate Database	4896	Information	Security	Microsoft-Windows-Security-Auditing
61	Clearing Event Logs	Event Log Service Shutdown	1100	Information	Security	Microsoft-Windows-EventLog
62	Clearing Event Logs	Event Log was Cleared	1102	Information	Security	Microsoft-Windows-Eventlog
63	DNS/Directory Services	Directory service created	5137	Information	Security	Microsoft-Windows-Security-Auditing
64	DNS/Directory Services	Directory service deleted	5141	Information	Security	Microsoft-Windows-Security-Auditing
65	DNS/Directory Services	Directory service modified	5136	Information	Security	Microsoft-Windows-Security-Auditing
66	DNS/Directory Services	Directory service moved	5139	Information	Security	Microsoft-Windows-Security-Auditing
67	DNS/Directory Services	Directory service recovered	5138	Information	Security	Microsoft-Windows-Security-Auditing
68	Kernel Driver Signing	Detected an invalid image hash of a file	5038	Information	Security	Microsoft-Windows-Security-Auditing
69	Kernel Driver Signing	Detected an invalid page hash of an image file	6281	Information	Security	Microsoft-Windows-Security-Auditing
70	Network Policy	Encrypted Data Recovery Policy Changed	4714	Information	Security	Microsoft-Windows-Security-Auditing
71	Network Policy	Kerberos Policy Changed	4713	Information	Security	Microsoft-Windows-Security-Auditing
72	Network Policy	Kerberos Service Ticket Req. Failed	4769	Information	Security	Microsoft-Windows-Security-Auditing
73	Network Policy	Network Policy Server Denied Access	6273	Information	Security	Microsoft-Windows-Security-Auditing
74	Network Policy	Network Policy Server Discarded Accounting Request	6275	Information	Security	Microsoft-Windows-Security-Auditing
75	Network Policy	Network Policy Server Discarded Request	6274	Information	Security	Microsoft-Windows-Security-Auditing
76	Network Policy	Network Policy Server Granted Access	6272	Information	Security	Microsoft-Windows-Security-Auditing
77	Network Policy	Network Policy Server Granted Full Access	6278	Information	Security	Microsoft-Windows-Security-Auditing
78	Network Policy	Network Policy Server Granted Probationary Access	6277	Information	Security	Microsoft-Windows-Security-Auditing
79	Network Policy	Network Policy Server Locked Account	6279	Information	Security	Microsoft-Windows-Security-Auditing
80	Network Policy	Network Policy Server Quarantined User	6276	Information	Security	Microsoft-Windows-Security-Auditing
81	Network Policy	Network Policy Server Unlocked Account	6280	Information	Security	Microsoft-Windows-Security-Auditing
82	Network Policy	Network share accessed	5140	Information	Security	Microsoft-Windows-Security-Auditing
83	Network Policy	Network Share Checked	5145	Information	Security	Microsoft-Windows-Security-Auditing
84	Network Policy	Network Share Created	5142	Information	Security	Microsoft-Windows-Security-Auditing
85	Network Policy	Network Share Deleted	5144	Information	Security	Microsoft-Windows-Security-Auditing
86	Network Policy	New Trust for Domain	4706	Information	Security	Microsoft-Windows-Security-Auditing
87	Network Policy	Role Separation Enabled	4897	Information	Security	Microsoft-Windows-Security-Auditing
88	Network Policy	System Audit Policy Changed	4719	Information	Security	Microsoft-Windows-Security-Auditing
89	Network Policy	Trusted Domain Information Modified	4716	Information	Security	Microsoft-Windows-Security-Auditing
90	Network Policy	TS Session Disconnect	4779	Information	Security	Microsoft-Windows-Security-Auditing
91	Network Policy	TS Session Reconnect	4778	Information	Security	Microsoft-Windows-Security-Auditing
92	Network Policy	Wireless 802.1X Auth	5632	Information	Security	Microsoft-Windows-Security-Auditing
93	System Integrity	Registry Modification	4657	Information	Security	Microsoft-Windows-Security-Auditing
94	Network Policy	RADIUS User assigned IP	20250	Success	RemoteAccess	Microsoft-Windows-MPRMSG
95	Network Policy	RADIUS User Authenticated	20274	Success	RemoteAccess	Microsoft-Windows-MPRMSG
96	Network Policy	RADIUS User Disconnected	20275	Success	RemoteAccess	Microsoft-Windows-MPRMSG
97	PowerShell Activities	Get-MessageTrackingLog cmdlet	800	Information	Powershell	Microsoft-Windows-Powershell
98	PowerShell Activities	Remote Connection	169	Information	Powershell	Microsoft-Windows-Powershell
99	Mobile Device Activities	Disconnect from Wireless connection	8003	Information	Microsoft-Windows-WLAN-AutoConfig/Operational	Microsoft-Windows-WLAN-AutoConfig
100	Mobile Device Activities	Starting a Wireless connection	8000, 8011	Information	Microsoft-Windows-WLAN-AutoConfig/Operational	Microsoft-Windows-WLAN-AutoConfig
101	Mobile Device Activities	Successfully connected to a Wireless connection	8001	Information	Microsoft-Windows-WLAN-AutoConfig/Operational	Microsoft-Windows-WLAN-AutoConfig
102	Mobile Device Activities	Wireless Association Status	11000, 11001	Information	Microsoft-Windows-WLAN-AutoConfig/Operational	Microsoft-Windows-WLAN-AutoConfig
103	Mobile Device Activities	Wireless Association Status	11002	Error	Microsoft-Windows-WLAN-AutoConfig/Operational	Microsoft-Windows-WLAN-AutoConfig
104	Mobile Device Activities	Wireless Authentication Started and Failed	12011, 12012	Information	Microsoft-Windows-WLAN-AutoConfig/Operational	Microsoft-Windows-WLAN-AutoConfig
105	Mobile Device Activities	Wireless Authentication Started and Failed	12013	Error	Microsoft-Windows-WLAN-AutoConfig/Operational	Microsoft-Windows-WLAN-AutoConfig
106	Mobile Device Activities	Wireless Connection Failed	8002	Error	Microsoft-Windows-WLAN-AutoConfig/Operational	Microsoft-Windows-WLAN-AutoConfig
107	Mobile Device Activities	Wireless Security Started, Stopped, Successful, or Failed	11004, 11005	Information	Microsoft-Windows-WLAN-AutoConfig/Operational	Microsoft-Windows-WLAN-AutoConfig
108	Mobile Device Activities	Wireless Security Started, Stopped, Successful, or Failed	11010, 11006	Error	Microsoft-Windows-WLAN-AutoConfig/Operational	Microsoft-Windows-WLAN-AutoConfig
109	Windows Update Errors	Windows Update Failed	20, 24, 25, 31, 34, 35	Error	Microsoft-Windows-WindowsUpdateClient/Operational	Microsoft-Windows-WindowsUpdateClient
110	Windows Firewall	Firewall Failed to load Group Policy	2009	Error	Microsoft-Windows-Windows Firewall With Advanced Security/Firewall	Microsoft-Windows-Windows Firewall With Advanced Security
111	Windows Firewall	Firewall Rule Add	2004	Information	Microsoft-Windows-Windows Firewall With Advanced Security/Firewall	Microsoft-Windows-Windows Firewall With Advanced Security
112	Windows Firewall	Firewall Rule Change	2005	Information	Microsoft-Windows-Windows Firewall With Advanced Security/Firewall	Microsoft-Windows-Windows Firewall With Advanced Security
113	Windows Firewall	Firewall Rules Deleted	2006, 2033	Information	Microsoft-Windows-Windows Firewall With Advanced Security/Firewall	Microsoft-Windows-Windows Firewall With Advanced Security
114	Windows Defender Activities	Action on Malware Failed	1008	Error	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
115	Windows Defender Activities	Detected Malware	1006, 1116	Warning	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
116	Windows Defender Activities	Failed to remove item from quarantine	1010	Error	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
117	Windows Defender Activities	Failed to update engine	2003	Error	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
118	Windows Defender Activities	Failed to update signatures	2001	Error	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
119	Windows Defender Activities	File Restored from Quarantine	1009	Information	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
120	Windows Defender Activities	Malware Removal Error	1118	Information	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
121	Windows Defender Activities	Malware Removal Fatal Error	1119	Error	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
122	Windows Defender Activities	Malware Removed	1007, 1117	Information	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
123	Windows Defender Activities	Real-Time Protection failed	3002	Error	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
124	Windows Defender Activities	Reverting to last known good set of signatures	2004	Warning	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
125	Windows Defender Activities	Scan Failed	1005	Error	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
126	Windows Defender Activities	Unexpected Error	5008	Error	Microsoft-Windows-Windows Defender/Operational	Microsoft-Windows-Windows Defender
127	External Media Detection	New Device Information	43	Information	Microsoft-Windows-USB-USBHUB3-Analytic	Microsoft-Windows-USB-USBHUB3
128	Network Policy	Outbound TS Connect Attempt	1024	Information	Microsoft-Windows-TerminalServices-RDPClient/Operational	Microsoft-Windows-TerminalServices-ClientActiveXCore
129	Task Scheduler Activities	New Task Registered	106	Information	Microsoft-Windows-TaskScheduler/Operational	Microsoft-Windows-TaskScheduler
130	Task Scheduler Activities	Task Deleted	141	Information	Microsoft-Windows-TaskScheduler/Operational	Microsoft-Windows-TaskScheduler
131	Task Scheduler Activities	Task Disabled	142	Information	Microsoft-Windows-TaskScheduler/Operational	Microsoft-Windows-TaskScheduler
132	Task Scheduler Activities	Task Launched	200	Information	Microsoft-Windows-TaskScheduler/Operational	Microsoft-Windows-TaskScheduler
133	Printing Services	Printing Document	307	Information	Microsoft-Windows-PrintService/Operational	Microsoft-Windows-PrintService
134	PowerShell Activities	Exception Raised	4103	Information	Microsoft-Windows-Powershell/Operational	Microsoft-Windows-Powershell
135	PowerShell Activities	Exception Raised	4104	Information	Microsoft-Windows-Powershell/Operational	Microsoft-Windows-Powershell
136	PowerShell Activities	Exception Raised	4105	Information	Microsoft-Windows-Powershell/Operational	Microsoft-Windows-Powershell
137	PowerShell Activities	Exception Raised	4106	Information	Microsoft-Windows-Powershell/Operational	Microsoft-Windows-Powershell
138	Mobile Device Activities	Network Connection and Disconnection Status (Wired and Wireless)	10000, 10001	Information	Microsoft-Windows-NetworkProfile/Operational	Microsoft-Windows-NetworkProfile
139	Account Usage	Group Assigned to new Session	300	Information	Microsoft-Windows-LSA/Operational	LsaSrv
140	External Media Detection	New Mass Storage Installation	400, 410	Information	Microsoft-Windows-Kernel-PnP/Device Configuration	Microsoft-Windows-Kernel-PnP
141	DNS/Directory Services	DNS Request/Response	256, 257	Information	Microsoft-Windows-DNSServer/Analytical	Microsoft-Windows-DNSServer
142	DNS/Directory Services	DNS Query Complete	3008	Information	Microsoft-Windows-DNS-Client/Operational	Microsoft-Windows-DNS-Client
143	DNS/Directory Services	DNS Response Complete	3020	Information	Microsoft-Windows-DNS-Client/Operational	Microsoft-Windows-DNS-Client
144	Kernel Driver Signing	Code Integrity Check	3001, 3002, 3003, 3004, 3010, 3023	Warning, Error	Microsoft-Windows-CodeIntegrity/Operational	Microsoft-Windows-CodeIntegrity
145	Certificate Services	CA Permissions Corrupted or Missing	90	Information	Microsoft-Windows-CertificationAuthority	Microsoft-Windows-CertificationAuthority
146	Microsoft Cryptography API	Cert Trust Chain Build Failed	11	Information	Microsoft-Windows-CAPI2/Operational	Microsoft-Windows-CAPI2
147	Microsoft Cryptography API	Private Key Accessed	70	Information	Microsoft-Windows-CAPI2/Operational	Microsoft-Windows-CAPI2
148	Microsoft Cryptography API	X.509 Object	90	Information	Microsoft-Windows-CAPI2/Operational	Microsoft-Windows-CAPI2
149	Application Whitelisting	Application Ran	8020	Information	Microsoft-Windows-AppLocker/Packaged app-Execution	Microsoft-Windows-AppLocker
150	Application Whitelisting	Application Installed	8023	Information	Microsoft-Windows-AppLocker/Packaged app-Deployment	Microsoft-Windows-AppLocker
151	Application Whitelisting	AppLocker Warning	8006	Error	Microsoft-Windows-AppLocker/MSI and Script	Microsoft-Windows-AppLocker
152	Application Whitelisting	AppLocker Warning	8007	Warning	Microsoft-Windows-AppLocker/MSI and Script	Microsoft-Windows-AppLocker
153	Application Whitelisting	Script or Installer ran	8005	Information	Microsoft-Windows-AppLocker/MSI and Script	Microsoft-Windows-AppLocker
154	Application Whitelisting	AppLocker Block	8002	Information	Microsoft-Windows-AppLocker/EXE and DLL	Microsoft-Windows-AppLocker
155	Application Whitelisting	AppLocker Block	8003	Error	Microsoft-Windows-AppLocker/EXE and DLL	Microsoft-Windows-AppLocker
156	Application Whitelisting	AppLocker Block	8004	Warning	Microsoft-Windows-AppLocker/EXE and DLL	Microsoft-Windows-AppLocker
157	Software and Service Installation	New Application Installation	903, 904	Information	Microsoft-Windows-Application-Experience/Program-Inventory	Microsoft-Windows-Application-Experience
158	Software and Service Installation	Removed Application	907, 908	Information	Microsoft-Windows-Application-Experience/Program-Inventory	Microsoft-Windows-Application-Experience
159	Software and Service Installation	Summary of Software Activities	800	Information	Microsoft-Windows-Application-Experience/Program-Inventory	Microsoft-Windows-Application-Experience
160	Software and Service Installation	Updated Application	905, 906	Information	Microsoft-Windows-Application-Experience/Program-Inventory	Microsoft-Windows-Application-Experience
161	Account Usage	Create Profile failed	1518	Error	Application	Microsoft-Windows-User Profiles Service
162	Account Usage	Temp Profile Logon	1511	Error	Application	Microsoft-Windows-User Profiles Service
163	Application Crashes	App Crash	1000	Error	Application	Application Error
164	Application Crashes	App Error	1000	Error	Application	Application Error
165	Application Crashes	App Hang	1002	Error	Application	Application Hang
166	Application Crashes	WER	1001	Information	Application	Windows Error Reporting
167	Application Whitelisting	SRP Block	865, 866, 867, 868, 882	Warning	Application	Microsoft-Windows-SoftwareRestrictionPolicies
168	Software and Service Installation	New MSI File Installed	1022, 1033	Information	Application	MsiInstaller

## What log events should I collect/send to my SIEM? ### Account Management 4740: Account Lockouts 4627: Group Membership Information 4703: A user right was adjusted. 4704: A user right (privilege) was assigned. 4704: A user right (privilege) was removed. 4720: A user account was created. 4722: A user account was enabled. 4723: Attempt was made to change account's password. 4724: An attempt was made to reset an account's password. 4725: A user account was disabled. 4726: A user account was deleted. 4727: A security-enabled global group was created. 4728: A member was added to a security-enabled global group. 4729: A member was removed to a security-enabled global group. 4730: A security-enabled global group was deleted. 4731: A security-enabled local group was created. 4732: A member was added to a security-enabled local group. 4733: A member was removed from a security-enabled local group. 4734: A security-enabled local group was deleted. 4735: Modification of Security-enabled groups 4737: A security-enabled global group was changed. 4738: A user account was changed. 4739: Domain Policy was changed. 4741: A computer account was created. 4742: A computer account was changed. 4743: A computer account was deleted. 4744: A security-disabled local group was created. 4745: A security-disabled local group was changed. 4746: A member was added to a security-disabled local group. 4747: A member was removed from a security-disabled local group. 4748: A security-disabled local group was deleted. 4749: A security-disabled global group was created. 4750: A security-disabled global group was changed. 4751: A member was added to a security-disabled global group. 4752: A member was removed from a security-disabled global group. 4753: A security-disabled global group was deleted. 4754: A security-enabled universal group was created. 4755: A security-enabled universal group was changed. 4756: A security-enabled universal group was changed. 4757: A security-enabled universal group was changed. 4758: A security-enabled universal group was created. 4759: A security-disabled universal group was created. 4760: A security-disabled universal group was changed. 4761: A member was added to a security-disabled universal group. 4762: A member was removed from a security-disabled universal group. 4763: A security-disabled universal group was deleted. 4764: A group's type was changed. 4765: SID History was added to an account. 4766: An attempt to add SID History to an account failed. 4767: A user account was unlocked. 4780: The ACL was set on accounts which are members of administrators group. 4781: The name of an account was changed. 4782: The password hash an account was accessed. 4793: The Password Policy Checking API was called. 4794: An attempt was made to set the Directory Services Restore Mode administrator password. 4798: A user's local group membership was enumerated. 4799: A security-enabled local group membership was enumerated. 5376: Credential Manager credentials were backed up. 5377: Credential Manager credentials were restored from a backup. ### Active Directory 4662: Directory Service Access Operation Performed On An Object 5136: A directory service object was modified. 5137: A directory service object was created. 5138: A directory service object was undeleted. 5139: A directory service object was moved. 5141: A directory service object was deleted. 4713: Kerberos Policy was changed. 4706: A new trust was created to a domain. 4707: A trust to a domain was removed. 4716: Trusted domain information was modified. 4717: System security access was granted to an account. 4718: System security access was removed from an account. 4739: Domain Policy was changed. 4864: A namespace collision was detected. 4865: A trusted forest information entry was added. 4866: A trusted forest information entry was removed. 4867: A trusted forest information entry was modified. ### Application Error and Hang EventID=1000 EventID=1002 WER Application Crashes Reports EventID=1001 ### Applocker Microsoft-Windows-AppLocker/EXE and DLL Rules that look for Applocker EXE or Script events Applocker Packaged app execution Applocker Packaged app installation ### Authentication Events 4624: An account was successfully logged on. 4625: An account failed to log on. 4626: User/Device claims information. 4634: An account was successfully logged off. 4647: User initiated logoff. 4649: A replay attack was detected. 4672: Special privileges assigned to a new logon, administrative logins -sa, -ada, etc. 4675: SIDs were filtered. 4774: An account was mapped for logon. 4775: An account could not be mapped for logon. 4776: The computer attempted to validate the credentials for an account. 4777: The domain controller failed to validate the credentials for an account. 4778: A session was reconnected to a Window Station. 4779: A session was disconnected from a Window Station. 4800 The workstation was locked. 4801 The workstation was unlocked. 4802 The screen saver was invoked. 4803 The screen saver was dismissed. 4964: Special groups have been assigned a new logon. 5378 The requested credentials delegation was disallowed by policy. \*\*\*\* Suppress \[EventData\[Data\[1]="S-1-5-18"]] to avoid SECURITY\_LOCAL\_SYSTEM\_RID\*\*\*\*\*\*\* ### BITS Microsoft-Windows-Bits-Client/Operational ### Certificate Authority Security 4886: Certificate Services received certificate request 4887: Approved and Certificate issued 4888: Denied request ### Code Integrity Windows Code Integrity Checks (Kernel-mode Driver and User-mode Protected Media Validation) Level = 2 or 3 and Event ID is EventID=3001 or EventID=3002 or EventID=3003 or EventID=3004 or EventID=3010 or EventID=3023) Windows Code Integrity Checks (Invalid hashes) Level=0 or Level=4 and EventID=5038 or EventID=6281 or EventID=6410 ### DNS Logs 3008: DNS Client events Query Completed Suppress EventData\[Data\[@Name="QueryOptions"]="140737488355328" Suppress EventData\[Data\[@Name="QueryResults"]="" 150: DNS Server could not load or initialize the plug-in DLL 770: DNS Server plugin DLL has been loaded 541: The setting serverlevelplugindll on scope . has been set to $dll\_path ### Drivers Logs Microsoft-Windows-Kernel-PnP Level=3 and EventID=219 Microsoft-Windows-DriverFrameworks-UserMode/Operational Detect User-Mode drivers loaded - for potential BadUSB detection. EventID=2004 ### EventLog Diagnostics 1100: The event logging service has shut down. 1104: The security log is now full. 1105: Event log automatic backup. 1108: The event logging service encountered an error while processing an incoming event published from %1 ### Explicit Login Credentials Microsoft-Windows-Security-Auditing Level=4 or Level=0 and EventID=4648 and ProcessName != 'C:\Windows\System32\taskhost.exe' ### Firewall Events ### Microsoft-Windows-Windows Firewall With Advanced Security/Firewall 4944: The following policy was active when the Windows Firewall started. 4945: A rule was listed when the Windows Firewall started. 4946: A change has been made to Windows Firewall exception list. A rule was added. 4947: A change has been made to Windows Firewall exception list. A rule was modified. 4948: A change has been made to Windows Firewall exception list. A rule was deleted. 4949: Windows Firewall settings were restored to the default values. 4950: A Windows Firewall setting has changed. 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. 4953: A rule has been ignored by Windows Firewall because it could not parse the rule. 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied. 4956: Windows Firewall has changed the active profile. 4957: Windows Firewall did not apply the following rule 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer Security Log 5024: The Windows Firewall Service has started successfully. 5025: The Windows Firewall Service has been stopped. 5027: The Windows Firewall Service was unable to retrieve the security policy from local storage. The service will continue enforcing the current policy. 5028: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. 5030: The Windows Firewall Service failed to start. 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. 5033: The Windows Firewall Driver has started successfully. 5034: The Windows Firewall Driver was stopped. 5035: The Windows Firewall Driver failed to start. 5037: The Windows Firewall Driver detected critical runtime error. Terminating. ### External Devices Log Security 6416: A new external device was recognized by the System. 6419: A request was made to disable a device. 6420: A device was disabled. 6421: A request was made to enable a device. 6422: A device was enabled.. 6423: The installation of this device is forbidden by system policy. 6424: The installation of this device was allowed after having previously been forbidden by policy. Microsoft-Windows-USB-USBHUB3-Analytic Level=4 and EventID=43 EventData\[Data\[@Name='fid\_DeviceDescription']="USB Mass Storage Device Microsoft-Windows-Kernel-PnP/Configuration 400, 410: New Mass Storage Device Installation Level=4 and EventID=400 or EventID=410 and EventData\[Data\[@Name='DriverName']=usbstor.inf ### GPO logs Microsoft-Windows-GroupPolicy Level 2 and 1085: Application of Group Policy failures 1125: Group Policy Service 1127: Group Policy Service 1129: Group Policy Preprocessing Networking Security 6144: Security policy in the group policy objects has been applied successfully. 6145: One or more errors occurred while processing security policy in the group policy object. ### Kerberos Security 4768 - A Kerberos authentication ticket (TGT) was requested 4769 - A Kerberos service ticket was requested 4770 - A Kerberos service ticket was renewed 4771 - A Kerberos pre-authentication failed. 4772 - A Kerberos authentication ticket request failed. 4773 - A Kerberos service ticket request failed. ### LOG Deletion Security 1102: Security Log File Cleared System 104: Log File Cleared ### Object Manipulation Security 4715: The audit policy (SACL) on an object was changed. 4817: Auditing settings on object were changed. 4656: A handle to an object was requested. 4658: The handle to an object was closed. 4660: An object was deleted. 4663: An attempt was made to access an object. 4670: Permissions on an object were changed. ### Operating System System 41: The system has rebooted without cleanly shutting down first 1001: Application crashes, hangs, and generic reports 4621: Administrator recovered system from CrashOnAuditFail. 6008: The previous system shutdown was unexpected. 1074: Shutdown initiate requests, with user, process and reason (if supplied) 12: System startup (12 - includes OS/SP/Version) and shutdown 16962: A remote call to the SAM database has been denied 16965: Remote calls to the SAM database have been denied in the past 900 seconds throttling window 16968: The following client would have been normally been denied access to the SAM database 16969: Remote calls to the SAM database are being restricted using the default security descriptor 16965: is enabled via a registry key ### Security 4719: System audit policy was changed. 4817: A trusted logon process has been registered with the Local Security Authority. 4902: The Per-user audit policy table was created. 4906: The CrashOnAuditFail value has changed. 4908: Special Groups Logon table modified. 4912: Per User Audit Policy was changed. 4904: An attempt was made to register a security event source.. 4905: An attempt was made to unregister a security event source. 4610: An authentication package has been loaded by the Local Security Authority. 4611: A trusted logon process has been registered with the Local Security Authority. 4614: A notification package has been loaded by the Security Account Manager. 4622: A security package has been loaded by the Local Security Authority. 4697: A service was installed in the system. 4817: Auditing settings on object were changed. 4826 Boot Configuration Data loaded. 4608: Windows is starting up Microsoft-Windows-SMBServer/Audit 3000: Client attempted to use SMBv1 ### Privilege Use Security 4673: A privileged service was called.. 4674: An operation was attempted on a privileged object.. 4985: The state of a transaction has changed. ### Process execution Security 4688: Process Created 4699: Process Terminated ### Registry Security 4657: Registry modified events for Operations and EventData\[Data\[@Name=OperationType]] = 1904: New Registry Value created OR 1905: Existing Registry Value modified OR 1906: Registry Value Deleted ### Services System Level 0 OR 1 OR 2 OR 3 OR 4 7022: The service hung on starting 7023: The service terminated with the following error 7023: The service terminated with the following error 7024: The service terminated with service-specific error 7026: The following boot-start or system-start driver(s) failed to load 7031: The service terminated unexpectedly. It has done this x time(s). 7040: Service Start Type Changed 7045: Service Installed ### Network Shares Security 5140: Network share object access 5142: Network Share create 5144: Network Share Delete 5145: A network share object was checked to see whether client can be granted desired access 5168: SPN check for SMB/SMB2 failed. Microsoft-Windows-SMBClient/Operational Event ID: 30622 OR Event ID: 30624 Microsoft-Windows-SMBClient/Security Microsoft-Windows-SMBServer/Security ### System Time Modification Security 4616: System Time Changed ### Task Scheduler Microsoft-Windows-TaskScheduler/Operational EventID=106 or EventID=129 or EventID=141 or EventID=142 or EventID=200 or EventID=201 Security 4698: A scheduled task was created 4699: A scheduled task was deleted 4700: A scheduled task was enabled 4701: A scheduled task was disabled 4702: A scheduled task was updated ### PowerShell Microsoft-Windows-PowerShell/Operational Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational Windows PowerShell ### Print Jobs Microsoft-Windows-PrintService/Operational Level=4 and EventID=307 ### Terminal Services All TSG Admin Events Microsoft-Windows-TerminalServices-Gateway/Admin Microsoft-Windows-TerminalServices-Gateway/Operational All TSG Client USB Device Events Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin All TSG Client USB Device Events Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational All TSG Client USB PNP Events Microsoft-Windows-TerminalServices-PnPDevices/Admin All TSG Client USB PNP Events Microsoft-Windows-TerminalServices-PnPDevices/Operational All TSG Printer Events Microsoft-Windows-TerminalServices-Printers/Admin All TSG Printer Events Microsoft-Windows-TerminalServices-Printers/Operational All TSG Server USB Device Events Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin All TSG Server USB Device Events Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational ### WMI Microsoft-Windows-WMI-Activity/Operational Microsoft-Windows-TPM-WMI 513: TPM Owner Authorization information was backed up successfully to Active Directory Domain Services. 514: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. ### Windows Defender Microsoft-Windows-Windows Defender/Operational Event ID: 1006 OR 1007 OR 1008 OR 1009 Event ID: 1116 OR 1117 OR 1118 OR 1119 ### Wireless Security 5632: Request made to authenticate to Wireless network. 5633: A request was made to authenticate to a wired network. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.blusapphire.io/16_best-practices/windows-logging-recommendations/windows-general-log-recommendations.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.