Windows Logging Recommendations

Search…
Windows Event Log Recommendations By Log Source
 
​
Category 
Name 
ID 
Level 
Event Log 
Event Source 
1 
Boot Events 
Shutdown Initiate Failed 
1074 
Warning 
User32 
User32 
2 
Application Crashes 
BSOD 
1001 
Error 
System 
Microsoft-Windows-WER-SystemErrorReporting 
3 
Boot Events 
Windows Shutdown 
13 
Information 
System 
Microsoft-Windows-Kernel-General 
4 
Boot Events 
Windows Startup 
12 
Information 
System 
Microsoft-Windows-Kernel-General 
5 
Clearing Event Logs 
Event Log was Cleared 
104 
Information 
System 
Microsoft-Windows-Eventlog 
6 
Group Policy Errors 
Generic Internal Error 
1126 
Error 
System 
Microsoft-Windows-GroupPolicy 
7 
Group Policy Errors 
Group Policy Application Failed due to Connectivity 
1129 
Error 
System 
Microsoft-Windows-GroupPolicy 
8 
Group Policy Errors 
Internal Error 
1125 
Error 
System 
Microsoft-Windows-GroupPolicy 
9 
Kernel Driver Signing 
Failed Kernel Driver Loading 
219 
Warning 
System 
Microsoft-Windows-Kernel-PnP 
10 
Software and Service Installation 
New Kernel Filter Driver 
6 
Information 
System 
Microsoft-Windows-FilterManager 
11 
Software and Service Installation 
New Windows Service 
7045 
Information 
System 
Microsoft-Windows-FilterManager 
12 
Software and Service Installation 
Service Start Failure 
7000 
Error 
System 
Service Control Manager 
13 
Software and Service Installation 
Windows Update Installed 
19 
Information 
System 
Microsoft-Windows-WindowsUpdateClient 
14 
System Integrity 
System Time Changed 
1 
Information 
System 
Microsoft-Windows-Kernel-General 
15 
System or Service Failures 
Windows Service Fails or Crashes 
7022, 7023, 7024, 7026, 7031, 7032, 7034 
Error 
System 
Service Control Manager 
16 
Software and Service Installation 
Update Packages Installed 
2 
Information 
Setup 
Microsoft-Windows-Servicing 
17 
Windows Update Errors 
Hotpatching Failed 
1009 
Information 
Setup 
Microsoft-Windows-Servicing 
18 
Account Usage 
Account Lockouts 
4740 
Information 
Security 
Microsoft-Windows-Security-Auditing 
19 
Account Usage 
Account Login with Explicit Credentials 
4648 
Information 
Security 
Microsoft-Windows-Security-Auditing 
What log events should I collect/send to my SIEM?
​
Account Management
            4740: Account Lockouts
            4627: Group Membership Information
            4703: A user right was adjusted.
            4704: A user right (privilege) was assigned.
            4704: A user right (privilege) was removed.
            4720: A user account was created.
            4722: A user account was enabled.
            4723: Attempt was made to change account's password.
            4724: An attempt was made to reset an account's password.
            4725: A user account was disabled.
            4726: A user account was deleted.
            4727: A security-enabled global group was created.
            4728: A member was added to a security-enabled global group.
            4729: A member was removed to a security-enabled global group.
            4730: A security-enabled global group was deleted.
            4731: A security-enabled local group was created.
            4732: A member was added to a security-enabled local group.
            4733: A member was removed from a security-enabled local group.
            4734: A security-enabled local group was deleted.
            4735: Modification of Security-enabled groups
            4737: A security-enabled global group was changed.
            4738: A user account was changed.
            4739: Domain Policy was changed.
            4741: A computer account was created.
            4742: A computer account was changed.
            4743: A computer account was deleted.
            4744: A security-disabled local group was created.
            4745: A security-disabled local group was changed.
            4746: A member was added to a security-disabled local group.
            4747: A member was removed from a security-disabled local group.
            4748: A security-disabled local group was deleted.
            4749: A security-disabled global group was created.
            4750: A security-disabled global group was changed.
            4751: A member was added to a security-disabled global group.
            4752: A member was removed from a security-disabled global group.
            4753: A security-disabled global group was deleted.
            4754: A security-enabled universal group was created.
            4755: A security-enabled universal group was changed.
            4756: A security-enabled universal group was changed.
            4757: A security-enabled universal group was changed.
            4758: A security-enabled universal group was created.
            4759: A security-disabled universal group was created.
            4760: A security-disabled universal group was changed.
            4761: A member was added to a security-disabled universal group.
            4762: A member was removed from a security-disabled universal group.
            4763: A security-disabled universal group was deleted.
            4764: A group's type was changed.
            4765: SID History was added to an account.
            4766: An attempt to add SID History to an account failed.
            4767: A user account was unlocked.
            4780: The ACL was set on accounts which are members of administrators group.
            4781: The name of an account was changed.
            4782: The password hash an account was accessed.
            4793: The Password Policy Checking API was called.
            4794: An attempt was made to set the Directory Services Restore Mode administrator password.
            4798: A user's local group membership was enumerated.
            4799: A security-enabled local group membership was enumerated.
            5376: Credential Manager credentials were backed up.
            5377: Credential Manager credentials were restored from a backup.
Active Directory
            4662: Directory Service Access Operation Performed On An Object
            5136: A directory service object was modified.
            5137: A directory service object was created.
            5138: A directory service object was undeleted.
            5139: A directory service object was moved.
            5141: A directory service object was deleted.
            4713: Kerberos Policy was changed.
            4706: A new trust was created to a domain.
            4707: A trust to a domain was removed.
            4716: Trusted domain information was modified.
            4717: System security access was granted to an account.
            4718: System security access was removed from an account.
            4739: Domain Policy was changed.
            4864: A namespace collision was detected.
            4865: A trusted forest information entry was added.
            4866: A trusted forest information entry was removed.
            4867: A trusted forest information entry was modified.
Application Error and Hang
            EventID=1000
            EventID=1002
            WER Application Crashes Reports
            EventID=1001
Applocker
            Microsoft-Windows-AppLocker/EXE and DLL
            Rules that look for Applocker EXE or Script events
            Applocker Packaged app execution
            Applocker Packaged app installation
Authentication Events
  4624: An account was successfully logged on.
  4625: An account failed to log on.
  4626: User/Device claims information.
  4634: An account was successfully logged off.
  4647: User initiated logoff.
  4649: A replay attack was detected.
  4672: Special privileges assigned to a new logon, administrative logins -sa, -ada, etc.
  4675: SIDs were filtered.
  4774: An account was mapped for logon.
  4775: An account could not be mapped for logon.
  4776: The computer attempted to validate the credentials for an account.
  4777: The domain controller failed to validate the credentials for an account.
  4778: A session was reconnected to a Window Station.
  4779: A session was disconnected from a Window Station.
  4800 The workstation was locked.
  4801 The workstation was unlocked.
  4802 The screen saver was invoked.
  4803 The screen saver was dismissed.
  4964: Special groups have been assigned a new logon.
  5378 The requested credentials delegation was disallowed by policy.
  **** Suppress [EventData[Data[1]="S-1-5-18"]] to avoid SECURITY_LOCAL_SYSTEM_RID*******
BITS
  Microsoft-Windows-Bits-Client/Operational
Certificate Authority
            Security
            4886: Certificate Services received certificate request
            4887: Approved and Certificate issued
            4888: Denied request
Code Integrity
  Windows Code Integrity Checks (Kernel-mode Driver and User-mode Protected Media Validation)
  Level = 2 or 3
  and Event ID is
  EventID=3001 or
  EventID=3002 or
  EventID=3003 or
  EventID=3004 or
  EventID=3010 or
  EventID=3023)
  Windows Code Integrity Checks (Invalid hashes)
  Level=0 or Level=4 and
  EventID=5038 or
  EventID=6281 or
  EventID=6410
DNS Logs
  3008: DNS Client events Query Completed
  Suppress EventData[Data[@Name="QueryOptions"]="140737488355328"
  Suppress EventData[Data[@Name="QueryResults"]=""
  150: DNS Server could not load or initialize the plug-in DLL
  770: DNS Server plugin DLL has been loaded
  541: The setting serverlevelplugindll on scope . has been set to $dll_path
Drivers Logs
  Microsoft-Windows-Kernel-PnP
  Level=3 and EventID=219
  Microsoft-Windows-DriverFrameworks-UserMode/Operational
  Detect User-Mode drivers loaded - for potential BadUSB detection.
  EventID=2004
EventLog Diagnostics
  1100: The event logging service has shut down.
  1104: The security log is now full.
  1105: Event log automatic backup.
  1108: The event logging service encountered an error while processing an incoming event published from %1
Explicit Login Credentials
  Microsoft-Windows-Security-Auditing
  Level=4 or Level=0 and EventID=4648 and ProcessName != 'C:\Windows\System32\taskhost.exe'
Firewall Events
 
  Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  4944: The following policy was active when the Windows Firewall started.
  4945: A rule was listed when the Windows Firewall started.
  4946: A change has been made to Windows Firewall exception list. A rule was added.
  4947: A change has been made to Windows Firewall exception list. A rule was modified.
  4948: A change has been made to Windows Firewall exception list. A rule was deleted.
  4949: Windows Firewall settings were restored to the default values.
  4950: A Windows Firewall setting has changed.
  4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.
  4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
  4953: A rule has been ignored by Windows Firewall because it could not parse the rule.
  4954: Windows Firewall Group Policy settings have changed. The new settings have been applied.
  4956: Windows Firewall has changed the active profile.
  4957: Windows Firewall did not apply the following rule
  4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
  Security Log
  5024: The Windows Firewall Service has started successfully.
  5025:  The Windows Firewall Service has been stopped.
  5027:  The Windows Firewall Service was unable to retrieve the security policy from local storage. The service will continue enforcing the current policy.
  5028:  The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
  5029:  The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
  5030:  The Windows Firewall Service failed to start.
  5032:  Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
  5033:  The Windows Firewall Driver has started successfully.
  5034:  The Windows Firewall Driver was stopped.
  5035:  The Windows Firewall Driver failed to start.
  5037:  The Windows Firewall Driver detected critical runtime error. Terminating.
External Devices Log
  Security
  6416: A new external device was recognized by the System.
  6419: A request was made to disable a device.
  6420: A device was disabled.
  6421: A request was made to enable a device.
  6422: A device was enabled..
  6423: The installation of this device is forbidden by system policy.
  6424: The installation of this device was allowed after having previously been forbidden by policy.
  Microsoft-Windows-USB-USBHUB3-Analytic
  Level=4 and EventID=43
  EventData[Data[@Name='fid_DeviceDescription']="USB Mass Storage Device
  Microsoft-Windows-Kernel-PnP/Configuration
  400, 410: New Mass Storage Device Installation
  Level=4 and
  EventID=400 or EventID=410
  and EventData[Data[@Name='DriverName']=usbstor.inf
GPO logs
  Microsoft-Windows-GroupPolicy
  Level 2 and
  1085: Application of Group Policy failures
  1125: Group Policy Service
  1127: Group Policy Service
  1129: Group Policy Preprocessing Networking
  Security
  6144: Security policy in the group policy objects has been applied successfully.
  6145: One or more errors occurred while processing security policy in the group policy object.
Kerberos
  Security
  4768 - A Kerberos authentication ticket (TGT) was requested
  4769 - A Kerberos service ticket was requested
  4770 - A Kerberos service ticket was renewed
  4771 - A Kerberos pre-authentication failed.
  4772 - A Kerberos authentication ticket request failed.
  4773 - A Kerberos service ticket request failed.
LOG Deletion
  Security
  1102: Security Log File Cleared
  System
  104: Log File Cleared
Object Manipulation
  Security
  4715: The audit policy (SACL) on an object was changed.
  4817: Auditing settings on object were changed.
  4656: A handle to an object was requested.
  4658: The handle to an object was closed.
  4660: An object was deleted.
  4663: An attempt was made to access an object.
  4670: Permissions on an object were changed.
Operating System
  System
  41: The system has rebooted without cleanly shutting down first
  1001: Application crashes, hangs, and generic reports
  4621: Administrator recovered system from CrashOnAuditFail.
  6008: The previous system shutdown was unexpected.
  1074: Shutdown initiate requests, with user, process and reason (if supplied)
  12: System startup (12 - includes OS/SP/Version) and shutdown
  16962: A remote call to the SAM database has been denied
  16965: Remote calls to the SAM database have been denied in the past 900 seconds throttling window
  16968: The following client would have been normally been denied access to the SAM database
  16969: Remote calls to the SAM database are being restricted using the default security descriptor
  16965: is enabled via a registry key
  Security
  4719: System audit policy was changed.
  4817: A trusted logon process has been registered with the Local Security Authority.
  4902: The Per-user audit policy table was created.
  4906: The CrashOnAuditFail value has changed.
  4908: Special Groups Logon table modified.
  4912: Per User Audit Policy was changed.
  4904: An attempt was made to register a security event source..
  4905: An attempt was made to unregister a security event source.
  4610: An authentication package has been loaded by the Local Security Authority.
  4611: A trusted logon process has been registered with the Local Security Authority.
  4614: A notification package has been loaded by the Security Account Manager.
  4622: A security package has been loaded by the Local Security Authority.
  4697: A service was installed in the system.
  4817: Auditing settings on object were changed.
  4826 Boot Configuration Data loaded.
  4608: Windows is starting up
  Microsoft-Windows-SMBServer/Audit
  3000: Client attempted to use SMBv1
Privilege Use
  Security
  4673: A privileged service was called..
  4674: An operation was attempted on a privileged object..
  4985: The state of a transaction has changed.
Process execution
  Security
  4688: Process Created
  4699: Process Terminated
Registry
  Security
  4657: Registry modified events for Operations
  and EventData[Data[@Name=OperationType]] =
  1904: New Registry Value created OR
  1905: Existing Registry Value modified OR
  1906: Registry Value Deleted
Services
  System
  Level 0 OR 1 OR 2 OR 3 OR 4
  7022: The service hung on starting
  7023: The service terminated with the following error
  7023: The service terminated with the following error
  7024: The service terminated with service-specific error
  7026: The following boot-start or system-start driver(s) failed to load
  7031: The service terminated unexpectedly. It has done this x time(s).
  7040: Service Start Type Changed
  7045: Service Installed
Network Shares
  Security
  5140: Network share object access
  5142: Network Share create
  5144: Network Share Delete
  5145: A network share object was checked to see whether client can be granted desired access
  5168: SPN check for SMB/SMB2 failed.
  Microsoft-Windows-SMBClient/Operational
  Event ID: 30622 OR
  Event ID: 30624
  Microsoft-Windows-SMBClient/Security
  Microsoft-Windows-SMBServer/Security
System Time Modification
  Security
  4616: System Time Changed
Task Scheduler
  Microsoft-Windows-TaskScheduler/Operational
  EventID=106 or
  EventID=129 or
  EventID=141 or
  EventID=142 or
  EventID=200 or
  EventID=201
  Security
  4698: A scheduled task was created
  4699: A scheduled task was deleted
  4700: A scheduled task was enabled
  4701: A scheduled task was disabled
  4702: A scheduled task was updated
PowerShell
  Microsoft-Windows-PowerShell/Operational
  Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
  Windows PowerShell
Print Jobs
  Microsoft-Windows-PrintService/Operational
  Level=4 and EventID=307
Terminal Services
  All TSG Admin Events
  Microsoft-Windows-TerminalServices-Gateway/Admin
  Microsoft-Windows-TerminalServices-Gateway/Operational
  All TSG Client USB Device Events
  Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
  All TSG Client USB Device Events
  Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
  All TSG Client USB PNP Events
  Microsoft-Windows-TerminalServices-PnPDevices/Admin
  All TSG Client USB PNP Events
  Microsoft-Windows-TerminalServices-PnPDevices/Operational
  All TSG Printer Events
  Microsoft-Windows-TerminalServices-Printers/Admin
  All TSG Printer Events
  Microsoft-Windows-TerminalServices-Printers/Operational
  All TSG Server USB Device Events
  Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
  All TSG Server USB Device Events
  Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
WMI
  Microsoft-Windows-WMI-Activity/Operational
  Microsoft-Windows-TPM-WMI
  513: TPM Owner Authorization information was backed up successfully to Active Directory Domain Services.
  514: Failed to backup TPM Owner Authorization information to Active Directory Domain Services.
Windows Defender
  Microsoft-Windows-Windows Defender/Operational
  Event ID: 1006 OR 1007 OR 1008 OR 1009
  Event ID: 1116 OR 1117 OR 1118 OR 1119
Wireless
  Security
  5632: Request made to authenticate to Wireless network.
  5633: A request was made to authenticate to a wired network.
Threat Intel Sources
Lateral Movement Logging Recommendations
Last modified 1yr ago