BluSapphire
Windows Logging Recommendations
Windows Event Log Recommendations By Log Source
| # | Category | Name | ID | Level | Event Log | Event Source |
|---|---|---|---|---|---|---|
| 1 | Boot Events | Shutdown Initiate Failed | 1074 | Warning | User32 | User32 |
| 2 | Application Crashes | BSOD | 1001 | Error | System | Microsoft-Windows-WER-SystemErrorReporting |
| 3 | Boot Events | Windows Shutdown | 13 | Information | System | Microsoft-Windows-Kernel-General |
| 4 | Boot Events | Windows Startup | 12 | Information | System | Microsoft-Windows-Kernel-General |
| 5 | Clearing Event Logs | Event Log was Cleared | 104 | Information | System | Microsoft-Windows-Eventlog |
| 6 | Group Policy Errors | Generic Internal Error | 1126 | Error | System | Microsoft-Windows-GroupPolicy |
| 7 | Group Policy Errors | Group Policy Application Failed due to Connectivity | 1129 | Error | System | Microsoft-Windows-GroupPolicy |
| 8 | Group Policy Errors | Internal Error | 1125 | Error | System | Microsoft-Windows-GroupPolicy |
| 9 | Kernel Driver Signing | Failed Kernel Driver Loading | 219 | Warning | System | Microsoft-Windows-Kernel-PnP |
| 10 | Software and Service Installation | New Kernel Filter Driver | 6 | Information | System | Microsoft-Windows-FilterManager |
| 11 | Software and Service Installation | New Windows Service | 7045 | Information | System | Microsoft-Windows-FilterManager |
| 12 | Software and Service Installation | Service Start Failure | 7000 | Error | System | Service Control Manager |
| 13 | Software and Service Installation | Windows Update Installed | 19 | Information | System | Microsoft-Windows-WindowsUpdateClient |
| 14 | System Integrity | System Time Changed | 1 | Information | System | Microsoft-Windows-Kernel-General |
| 15 | System or Service Failures | Windows Service Fails or Crashes | 7022, 7023, 7024, 7026, 7031, 7032, 7034 | Error | System | Service Control Manager |
| 16 | Software and Service Installation | Update Packages Installed | 2 | Information | Setup | Microsoft-Windows-Servicing |
| 17 | Windows Update Errors | Hotpatching Failed | 1009 | Information | Setup | Microsoft-Windows-Servicing |
| 18 | Account Usage | Account Lockouts | 4740 | Information | Security | Microsoft-Windows-Security-Auditing |
| 19 | Account Usage | Account Login with Explicit Credentials | 4648 | Information | Security | Microsoft-Windows-Security-Auditing |

What log events should I collect/send to my SIEM?

Account Management

4740: Account Lockouts
4627: Group Membership Information
4703: A user right was adjusted.
4704: A user right (privilege) was assigned.
4704: A user right (privilege) was removed.
4720: A user account was created.
4722: A user account was enabled.
4723: Attempt was made to change account's password.
4724: An attempt was made to reset an account's password.
4725: A user account was disabled.
4726: A user account was deleted.
4727: A security-enabled global group was created.
4728: A member was added to a security-enabled global group.
4729: A member was removed from a security-enabled global group.
4730: A security-enabled global group was deleted.
4731: A security-enabled local group was created.
4732: A member was added to a security-enabled local group.
4733: A member was removed from a security-enabled local group.
4734: A security-enabled local group was deleted.
4735: Modification of Security-enabled groups
4737: A security-enabled global group was changed.
4738: A user account was changed.
4739: Domain Policy was changed.
4741: A computer account was created.
4742: A computer account was changed.
4743: A computer account was deleted.
4744: A security-disabled local group was created.
4745: A security-disabled local group was changed.
4746: A member was added to a security-disabled local group.
4747: A member was removed from a security-disabled local group.
4748: A security-disabled local group was deleted.
4749: A security-disabled global group was created.
4750: A security-disabled global group was changed.
4751: A member was added to a security-disabled global group.
4752: A member was removed from a security-disabled global group.
4753: A security-disabled global group was deleted.
4754: A security-enabled universal group was created.
4755: A security-enabled universal group was changed.
4756: A security-enabled universal group was changed.
4757: A security-enabled universal group was changed.
4758: A security-enabled universal group was created.
4759: A security-disabled universal group was created.
4760: A security-disabled universal group was changed.
4761: A member was added to a security-disabled universal group.
4762: A member was removed from a security-disabled universal group.
4763: A security-disabled universal group was deleted.
4764: A group's type was changed.
4765: SID History was added to an account.
4766: An attempt to add SID History to an account failed.
4767: A user account was unlocked.
4780: The ACL was set on accounts which are members of administrators group.
4781: The name of an account was changed.
4782: The password hash of an account was accessed.
4793: The Password Policy Checking API was called.
4794: An attempt was made to set the Directory Services Restore Mode administrator password.
4798: A user's local group membership was enumerated.
4799: A security-enabled local group membership was enumerated.
5376: Credential Manager credentials were backed up.
5377: Credential Manager credentials were restored from a backup.

Active Directory

4662: Directory Service Access Operation Performed On An Object
5136: A directory service object was modified.
5137: A directory service object was created.
5138: A directory service object was undeleted.
5139: A directory service object was moved.
5141: A directory service object was deleted.
4713: Kerberos Policy was changed.
4706: A new trust was created to a domain.
4707: A trust to a domain was removed.
4716: Trusted domain information was modified.
4717: System security access was granted to an account.
4718: System security access was removed from an account.
4739: Domain Policy was changed.
4864: A namespace collision was detected.
4865: A trusted forest information entry was added.
4866: A trusted forest information entry was removed.
4867: A trusted forest information entry was modified.

Application Error and Hang

EventID=1000
EventID=1002
WER Application Crashes Reports
EventID=1001

Applocker

Microsoft-Windows-AppLocker/EXE and DLL
Rules that look for Applocker EXE or Script events
Applocker Packaged app execution
Applocker Packaged app installation

Authentication Events

4624: An account was successfully logged on.
4625: An account failed to log on.
4626: User/Device claims information.
4634: An account was successfully logged off.
4647: User initiated logoff.
4649: A replay attack was detected.
4672: Special privileges assigned to a new logon, administrative logins -sa, -ada, etc.
4675: SIDs were filtered.
4774: An account was mapped for logon.
4775: An account could not be mapped for logon.
4776: The computer attempted to validate the credentials for an account.
4777: The domain controller failed to validate the credentials for an account.
4778: A session was reconnected to a Window Station.
4779: A session was disconnected from a Window Station.
4800: The workstation was locked.
4801: The workstation was unlocked.
4802: The screen saver was invoked.
4803: The screen saver was dismissed.
4964: Special groups have been assigned a new logon.
5378: The requested credentials delegation was disallowed by policy.
Suppress [EventData[Data[1]="S-1-5-18"]] to exclude logons by LOCAL SYSTEM (SECURITY_LOCAL_SYSTEM_RID).

BITS

Microsoft-Windows-Bits-Client/Operational

Certificate Authority

Security
4886: Certificate Services received certificate request
4887: Approved and Certificate issued
4888: Denied request

Code Integrity

Windows Code Integrity Checks (Kernel-mode Driver and User-mode Protected Media Validation)
Level = 2 or 3
and Event ID is
EventID=3001 or
EventID=3002 or
EventID=3003 or
EventID=3004 or
EventID=3010 or
EventID=3023
Windows Code Integrity Checks (Invalid hashes)
Level=0 or Level=4 and
EventID=5038 or
EventID=6281 or
EventID=6410

DNS Logs

3008: DNS Client events Query Completed
Suppress EventData[Data[@Name="QueryOptions"]="140737488355328"]
Suppress EventData[Data[@Name="QueryResults"]=""]
150: DNS Server could not load or initialize the plug-in DLL
770: DNS Server plugin DLL has been loaded
541: The setting serverlevelplugindll on scope . has been set to $dll_path

Drivers Logs

Microsoft-Windows-Kernel-PnP
Level=3 and EventID=219
Microsoft-Windows-DriverFrameworks-UserMode/Operational
Detect User-Mode drivers loaded - for potential BadUSB detection.
EventID=2004

EventLog Diagnostics

1100: The event logging service has shut down.
1104: The security log is now full.
1105: Event log automatic backup.
1108: The event logging service encountered an error while processing an incoming event published from %1

Explicit Login Credentials

Microsoft-Windows-Security-Auditing
Level=4 or Level=0 and EventID=4648 and ProcessName != 'C:\Windows\System32\taskhost.exe'
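
The Authentication Events, DNS Logs and Explicit Login Credentials entries above give their filters in shorthand ("Suppress …", "Level=4 or Level=0 and EventID=4648 and ProcessName != …"). The block below is an added example, not part of the BluSapphire page, that writes those three filters as one structured Windows event query of the kind Get-WinEvent -FilterXml, wevtutil and Windows Event Forwarding subscriptions all accept; the Suppress element is the native way to express the page's "Suppress" lines. The Data names, the S-1-5-18 suppression and the taskhost.exe exclusion come from the page; the authentication query selects a subset of the page's IDs, the parenthesisation of the Level/EventID condition is my reading of the shorthand, and the DNS Client channel name Microsoft-Windows-DNS-Client/Operational is not on the page.

```powershell
# Added example (not from the BluSapphire page): structured query implementing the
# page's Authentication Events, Explicit Login Credentials and DNS Logs filters.
$query = @'
<QueryList>
  <!-- Authentication Events: a subset of the page's logon IDs, dropping events
       whose first EventData field (SubjectUserSid) is LOCAL SYSTEM, S-1-5-18 -->
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4647
                or EventID=4672 or EventID=4964)]]
    </Select>
    <Suppress Path="Security">*[EventData[Data[1]="S-1-5-18"]]</Suppress>
  </Query>

  <!-- Explicit Login Credentials: 4648, excluding taskhost.exe as the caller.
       The Level clause is parenthesised so it does not bind to EventID alone. -->
  <Query Id="1" Path="Security">
    <Select Path="Security">
      *[System[(Level=4 or Level=0) and EventID=4648]]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='ProcessName']='C:\Windows\System32\taskhost.exe']]
    </Suppress>
  </Query>

  <!-- DNS Logs: DNS Client "query completed" events (ID 3008) minus the two noisy
       cases the page suppresses. Channel name assumed; not stated on the page. -->
  <Query Id="2" Path="Microsoft-Windows-DNS-Client/Operational">
    <Select Path="Microsoft-Windows-DNS-Client/Operational">
      *[System[EventID=3008]]
    </Select>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">
      *[EventData[Data[@Name='QueryOptions']='140737488355328'
                  or Data[@Name='QueryResults']='']]
    </Suppress>
  </Query>
</QueryList>
'@

# Run the query locally; the same <QueryList> can be pasted into a WEF
# subscription's query body so collectors apply the suppression at the source.
Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -AutoSize
```

Two caveats when running it: Security-log audit events carry Level 0, so the "Level=4 or Level=0" clause is permissive rather than restrictive, and the Microsoft-Windows-DNS-Client/Operational channel is disabled by default, so the third query returns nothing until that channel is enabled.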

Firewall Events

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
4944: The following policy was active when the Windows Firewall started.
4945: A rule was listed when the Windows Firewall started.
4946: A change has been made to Windows Firewall exception list. A rule was added.
4947: A change has been made to Windows Firewall exception list. A rule was modified.
4948: A change has been made to Windows Firewall exception list. A rule was deleted.
4949: Windows Firewall settings were restored to the default values.
4950: A Windows Firewall setting has changed.
4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
4953: A rule has been ignored by Windows Firewall because it could not parse the rule.
4954: Windows Firewall Group Policy settings have changed. The new settings have been applied.
4956: Windows Firewall has changed the active profile.
4957: Windows Firewall did not apply the following rule
4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Security Log
5024: The Windows Firewall Service has started successfully.
5025: The Windows Firewall Service has been stopped.
5027: The Windows Firewall Service was unable to retrieve the security policy from local storage. The service will continue enforcing the current policy.
5028: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
5030: The Windows Firewall Service failed to start.
5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033: The Windows Firewall Driver has started successfully.
5034: The Windows Firewall Driver was stopped.
5035: The Windows Firewall Driver failed to start.
5037: The Windows Firewall Driver detected critical runtime error. Terminating.

External Devices Log

Security
6416: A new external device was recognized by the System.
6419: A request was made to disable a device.
6420: A device was disabled.
6421: A request was made to enable a device.
6422: A device was enabled.
6423: The installation of this device is forbidden by system policy.
6424: The installation of this device was allowed after having previously been forbidden by policy.
Microsoft-Windows-USB-USBHUB3-Analytic
Level=4 and EventID=43
EventData[Data[@Name='fid_DeviceDescription']="USB Mass Storage Device"]
Microsoft-Windows-Kernel-PnP/Configuration
400, 410: New Mass Storage Device Installation
Level=4 and
EventID=400 or EventID=410
and EventData[Data[@Name='DriverName']='usbstor.inf']

GPO logs

Microsoft-Windows-GroupPolicy
Level 2 and
1085: Application of Group Policy failures
1125: Group Policy Service
1127: Group Policy Service
1129: Group Policy Preprocessing Networking
Security
6144: Security policy in the group policy objects has been applied successfully.
6145: One or more errors occurred while processing security policy in the group policy object.

Kerberos

Security
4768: A Kerberos authentication ticket (TGT) was requested.
4769: A Kerberos service ticket was requested.
4770: A Kerberos service ticket was renewed.
4771: Kerberos pre-authentication failed.
4772: A Kerberos authentication ticket request failed.
4773: A Kerberos service ticket request failed.

LOG Deletion

Security
1102: Security Log File Cleared
System
104: Log File Cleared

Object Manipulation

Security
4715: The audit policy (SACL) on an object was changed.
4817: Auditing settings on object were changed.
4656: A handle to an object was requested.
4658: The handle to an object was closed.
4660: An object was deleted.
4663: An attempt was made to access an object.
4670: Permissions on an object were changed.

Operating System

System
41: The system has rebooted without cleanly shutting down first
1001: Application crashes, hangs, and generic reports
4621: Administrator recovered system from CrashOnAuditFail.
6008: The previous system shutdown was unexpected.
1074: Shutdown initiate requests, with user, process and reason (if supplied)
12: System startup (12 - includes OS/SP/Version) and shutdown
16962: A remote call to the SAM database has been denied
16965: Remote calls to the SAM database have been denied in the past 900 seconds throttling window
16968: The following client would normally have been denied access to the SAM database
16969: Remote calls to the SAM database are being restricted using the default security descriptor
16965: is enabled via a registry key

Security

4719: System audit policy was changed.
4817: A trusted logon process has been registered with the Local Security Authority.
4902: The Per-user audit policy table was created.
4906: The CrashOnAuditFail value has changed.
4908: Special Groups Logon table modified.
4912: Per User Audit Policy was changed.
4904: An attempt was made to register a security event source.
4905: An attempt was made to unregister a security event source.
4610: An authentication package has been loaded by the Local Security Authority.
4611: A trusted logon process has been registered with the Local Security Authority.
4614: A notification package has been loaded by the Security Account Manager.
4622: A security package has been loaded by the Local Security Authority.
4697: A service was installed in the system.
4817: Auditing settings on object were changed.
4826: Boot Configuration Data loaded.
4608: Windows is starting up
Microsoft-Windows-SMBServer/Audit
3000: Client attempted to use SMBv1

Privilege Use

Security
4673: A privileged service was called.
4674: An operation was attempted on a privileged object.
4985: The state of a transaction has changed.

Process execution

Security
4688: Process Created
4699: Process Terminated

Registry

Security
4657: Registry modified events for Operations
and EventData[Data[@Name='OperationType']] =
1904: New Registry Value created OR
1905: Existing Registry Value modified OR
1906: Registry Value Deleted

Services

System
Level 0 OR 1 OR 2 OR 3 OR 4
7022: The service hung on starting
7023: The service terminated with the following error
7024: The service terminated with service-specific error
7026: The following boot-start or system-start driver(s) failed to load
7031: The service terminated unexpectedly. It has done this x time(s).
7040: Service Start Type Changed
7045: Service Installed

Network Shares

Security
5140: Network share object access
5142: Network Share create
5144: Network Share Delete
5145: A network share object was checked to see whether client can be granted desired access
5168: SPN check for SMB/SMB2 failed.
Microsoft-Windows-SMBClient/Operational
Event ID: 30622 OR
Event ID: 30624
Microsoft-Windows-SMBClient/Security
Microsoft-Windows-SMBServer/Security

System Time Modification

Security
4616: System Time Changed

Task Scheduler

Microsoft-Windows-TaskScheduler/Operational
EventID=106 or
EventID=129 or
EventID=141 or
EventID=142 or
EventID=200 or
EventID=201
Security
4698: A scheduled task was created
4699: A scheduled task was deleted
4700: A scheduled task was enabled
4701: A scheduled task was disabled
4702: A scheduled task was updated
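
The Security-log IDs recommended in the Account Management, Authentication Events, Kerberos, Process execution, Registry and Task Scheduler sections are only written when the matching advanced audit subcategory is enabled; forwarding a log that is never populated is a common gap. The following is an added example, not part of the BluSapphire page, that checks the local audit policy for the subcategories behind those IDs with auditpol. The section labels are the page's headings; the ID-to-subcategory pairs and the minimum setting per group are my assumptions about which subcategory emits each ID, and the CSV column name Inclusion Setting is what auditpol /r prints. Run it from an elevated prompt.

```powershell
# Added example (not from the BluSapphire page): verify that the audit policy will
# actually produce the Security-log IDs the sections above ask to collect.

# Which advanced audit subcategory emits each group of recommended IDs, and the
# minimum setting that group needs. Failure auditing is required where the
# failure is the signal (bad logons, failed Kerberos pre-auth, failed validation).
$auditMap = @(
    @{ Section = 'Account Management';    Ids = '4720-4726, 4738, 4740, 4767, 5376, 5377'; Subcategory = 'User Account Management';             Required = 'Success' }
    @{ Section = 'Account Management';    Ids = '4727-4737, 4754-4758, 4764, 4799';        Subcategory = 'Security Group Management';           Required = 'Success' }
    @{ Section = 'Account Management';    Ids = '4744-4753, 4759-4763';                    Subcategory = 'Distribution Group Management';       Required = 'Success' }
    @{ Section = 'Account Management';    Ids = '4741-4743';                               Subcategory = 'Computer Account Management';         Required = 'Success' }
    @{ Section = 'Authentication Events'; Ids = '4624, 4625, 4648';                        Subcategory = 'Logon';                               Required = 'Success and Failure' }
    @{ Section = 'Authentication Events'; Ids = '4634, 4647';                              Subcategory = 'Logoff';                              Required = 'Success' }
    @{ Section = 'Authentication Events'; Ids = '4672, 4964';                              Subcategory = 'Special Logon';                       Required = 'Success' }
    @{ Section = 'Authentication Events'; Ids = '4776, 4777';                              Subcategory = 'Credential Validation';               Required = 'Success and Failure' }
    @{ Section = 'Kerberos';              Ids = '4768, 4771, 4772';                        Subcategory = 'Kerberos Authentication Service';     Required = 'Success and Failure' }
    @{ Section = 'Kerberos';              Ids = '4769, 4770, 4773';                        Subcategory = 'Kerberos Service Ticket Operations';  Required = 'Success and Failure' }
    @{ Section = 'Process execution';     Ids = '4688';                                    Subcategory = 'Process Creation';                    Required = 'Success' }
    @{ Section = 'Registry';              Ids = '4657';                                    Subcategory = 'Registry';                            Required = 'Success' }
    @{ Section = 'Task Scheduler';        Ids = '4698-4702';                               Subcategory = 'Other Object Access Events';          Required = 'Success' }
)

function Test-AuditSetting {
    # $true when the configured inclusion setting covers what the ID group needs.
    param([string]$Configured, [string]$Required)
    if ($Configured -eq 'Success and Failure') { return $true }
    return $Configured -eq $Required
}

$findings = foreach ($entry in $auditMap) {
    # auditpol /r prints CSV; drop blank lines before parsing so the header is first.
    $row = auditpol /get "/subcategory:$($entry.Subcategory)" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $configured = if ($row) { $row.'Inclusion Setting' } else { 'Unknown' }
    [pscustomobject]@{
        Section     = $entry.Section
        EventIds    = $entry.Ids
        Subcategory = $entry.Subcategory
        Configured  = $configured
        Required    = $entry.Required
        Ok          = Test-AuditSetting -Configured $configured -Required $entry.Required
    }
}

$findings | Format-Table Section, EventIds, Subcategory, Configured, Required, Ok -AutoSize

# Call out every group whose IDs will not reach the log with the current policy.
$findings | Where-Object { -not $_.Ok } | ForEach-Object {
    Write-Warning ("{0}: IDs {1} will not be logged; set '{2}' to at least {3}" -f
        $_.Section, $_.EventIds, $_.Subcategory, $_.Required)
}
```

The Kerberos and Credential Validation rows are only meaningful on domain controllers (or, for Credential Validation, on whichever host authenticates the account); on a member workstation a warning for those rows is expected. Where the policy is set by Group Policy, auditpol reports the effective result, so the same check works for centrally managed hosts.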

PowerShell

Microsoft-Windows-PowerShell/Operational
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
Windows PowerShell
Microsoft-Windows-PrintService/Operational
Level=4 and EventID=307

Terminal Services

All TSG Admin Events
Microsoft-Windows-TerminalServices-Gateway/Admin
Microsoft-Windows-TerminalServices-Gateway/Operational
All TSG Client USB Device Events
Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
All TSG Client USB Device Events
Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
All TSG Client USB PNP Events
Microsoft-Windows-TerminalServices-PnPDevices/Admin
All TSG Client USB PNP Events
Microsoft-Windows-TerminalServices-PnPDevices/Operational
All TSG Printer Events
Microsoft-Windows-TerminalServices-Printers/Admin
All TSG Printer Events
Microsoft-Windows-TerminalServices-Printers/Operational
All TSG Server USB Device Events
Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
All TSG Server USB Device Events
Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational

WMI

Microsoft-Windows-WMI-Activity/Operational
Microsoft-Windows-TPM-WMI
513: TPM Owner Authorization information was backed up successfully to Active Directory Domain Services.
514: Failed to backup TPM Owner Authorization information to Active Directory Domain Services.

Windows Defender

Microsoft-Windows-Windows Defender/Operational
Event ID: 1006 OR 1007 OR 1008 OR 1009
Event ID: 1116 OR 1117 OR 1118 OR 1119

Wireless

Security
5632: Request made to authenticate to Wireless network.
5633: A request was made to authenticate to a wired network.