Every Windows administrator should focus on these critical event IDs for security monitoring and troubleshooting. This list is organized by category based on Microsoft’s official documentation and real-world incident response experience.
Authentication and Logon Events (High Priority)
These events should be your first alerting priority as they directly indicate authentication issues or potential attacks.
| Event ID | Category | What It Means |
|---|---|---|
| 4624 | Successful Logon | An account successfully logged on. Check the logon type (2 = interactive, 3 = network, 10 = RDP). |
| 4625 | Failed Logon | Failed logon attempt. High volume = brute force attack. |
| 4648 | Explicit Credentials | Logon using explicit credentials (runas, net use). Rare in legitimate use, so high signal value. |
| 4672 | Admin Logon | Special privileges assigned (admin logon). Alert when unexpected accounts appear. |
| 4740 | Account Lockout | User account was locked out. Investigate if frequent. |
| 4768 | Kerberos TGT Request | Kerberos authentication ticket request. Failures indicate credential issues. |
| 4769 | Kerberos Service Ticket | Service ticket requested. Monitor for unusual service access patterns. |
| 4649 | Replay Attack | Replay attack detected. Critical security event requiring investigation. |
Account and Group Changes
| Event ID | Category | What It Means |
|---|---|---|
| 4720 | User Created | New user account created. Often precedes privilege escalation. |
| 4724 | Password Reset | Attempt to reset an account password. |
| 4728 | Global Group Member | Member added to a security-enabled global group. |
| 4732 | Local Group Member | Member added to a local security group. Watch the Administrators group! |
| 4765 | SID History Added | SID History added to an account; potential privilege escalation attack. |
| 4780 | Admin ACL Set | ACL set on admin group member accounts. |
Persistence Mechanisms (Critical for Security)
Attackers leave these traces when establishing backdoors:
| Event ID | Channel | What It Means |
|---|---|---|
| 7045 | System | New service installed. Common for malware and persistence. |
| 4697 | Security | Service installed, as recorded by the Security subsystem (alternate channel). |
| 4698 | Security | Scheduled task created. Monitor the XML payload for actions. |
| 4702 | Security | Scheduled task updated. Attackers reuse legitimate task names. |
| 5861 | WMI-Activity | Permanent WMI consumer registered; stealthy persistence that survives reboot. |
Process Execution (Understanding What Ran)
| Event ID | Channel | What It Means |
|---|---|---|
| 4688 | Security | Process created. Requires the "Include command line" policy to be enabled. |
| 4104 | PowerShell | PowerShell script block executed. Captures deobfuscated content; invaluable for detecting encoded attacks. |
| 1 | Sysmon | Process create with hashes and signatures (requires Sysmon installed). |
Lateral Movement (Detecting Spread)
| Event ID | Channel | What It Means |
|---|---|---|
| 4624 (Type 3) | Security | Network logon. A burst across hosts is a lateral movement indicator. |
| 4624 (Type 10) | Security | RDP logon. Unusual source IPs warrant investigation. |
| 5140 | Security | Network share accessed. |
| 3 | Sysmon | Network connection from a process; pairs with 4624 type 3 for attribution. |
Defense Evasion (Critical Alerts)
| Event ID | Channel | What It Means |
|---|---|---|
| 1102 | Security | Audit log cleared. NO legitimate reason: ALERT IMMEDIATELY. |
| 104 | System | Event log cleared (non-Security logs). |
| 4719 | Security | System audit policy changed. Attackers disable auditing before malicious actions. |
| 4907 | Security | Auditing settings on an object changed. |
| 4616 | Security | System time changed. Can be used to hide activity or break Kerberos. |
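The rules in the authentication, lateral movement and defense evasion tables above, turned into a small triage routine over constructed sample records (an added example, not part of the original page; the record fields, the thresholds and the host/user names are assumptions chosen for illustration):

```python
from collections import Counter, defaultdict

# Logon types called out in the authentication table.
LOGON_TYPES = {2: "interactive", 3: "network", 10: "RDP"}

# Constructed sample records (not real telemetry): the few Security log
# fields these rules need. "ltype" is the LogonType field of 4624/4625.
EVENTS = [
    {"id": 4625, "host": "WS01", "user": "jsmith", "src": "10.0.0.5", "ltype": 3},
    {"id": 4625, "host": "WS01", "user": "jsmith", "src": "10.0.0.5", "ltype": 3},
    {"id": 4625, "host": "WS01", "user": "jsmith", "src": "10.0.0.5", "ltype": 3},
    {"id": 4625, "host": "WS01", "user": "jsmith", "src": "10.0.0.5", "ltype": 3},
    {"id": 4625, "host": "WS01", "user": "jsmith", "src": "10.0.0.5", "ltype": 3},
    {"id": 4625, "host": "WS02", "user": "bob", "src": "10.0.0.6", "ltype": 2},
    {"id": 4624, "host": "WS02", "user": "svc_bk", "src": "10.0.0.9", "ltype": 3},
    {"id": 4624, "host": "WS03", "user": "svc_bk", "src": "10.0.0.9", "ltype": 3},
    {"id": 4624, "host": "WS04", "user": "svc_bk", "src": "10.0.0.9", "ltype": 3},
    {"id": 4624, "host": "DC01", "user": "admin", "src": "10.0.0.7", "ltype": 10},
    {"id": 1102, "host": "DC01", "user": "admin", "src": "", "ltype": None},
]

def triage(events, fail_threshold=5, spread_threshold=3):
    """Return (severity, event_id, message) alerts for the table rules:
    1102 always alerts; many 4625 from one source for one user suggests
    brute force; 4624 type 3 by one account across many hosts suggests
    lateral movement; 4624 type 10 is surfaced so the RDP source gets reviewed."""
    alerts = []
    failures = Counter()           # (src, user) -> number of 4625 events
    net_hosts = defaultdict(set)   # user -> hosts that saw a 4624 type 3
    for e in events:
        if e["id"] == 1102:
            alerts.append(("critical", 1102, f"audit log cleared on {e['host']} by {e['user']}"))
        elif e["id"] == 4625:
            failures[(e["src"], e["user"])] += 1
        elif e["id"] == 4624 and e["ltype"] == 3:
            net_hosts[e["user"]].add(e["host"])
        elif e["id"] == 4624 and e["ltype"] == 10:
            alerts.append(("medium", 4624, f"{LOGON_TYPES[10]} logon by {e['user']} from {e['src']} on {e['host']}"))
    for (src, user), n in failures.items():
        if n >= fail_threshold:
            alerts.append(("high", 4625, f"{n} failed logons for {user} from {src}: possible brute force"))
    for user, hosts in net_hosts.items():
        if len(hosts) >= spread_threshold:
            alerts.append(("high", 4624, f"{LOGON_TYPES[3]} logons by {user} on {len(hosts)} hosts: possible lateral movement"))
    return alerts

if __name__ == "__main__":
    for sev, eid, msg in triage(EVENTS):
        print(f"[{sev}] {eid}: {msg}")
```

Thresholds are deliberately low for the sample; in production, tune them per environment and add a time window so that counts are measured over minutes rather than over the whole input.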
Object Access and Privilege Use
| Event ID | Category | What It Means |
|---|---|---|
| 4660 | Object Access | Object deleted. |
| 4673 | Privilege Use | Privileged service called. Noisy; filter for specific privileges. |
| 4674 | Privilege Use | Operation attempted on a privileged object. |
Additional High-Severity Events
From Microsoft’s official monitoring guidance:
| Event ID | What It Means |
|---|---|
| 4618 | Monitored security event pattern detected. |
| 4794 | Directory Services Restore Mode attempted. |
| 4964 | Special groups assigned to a new logon. |
| 4897 | Role separation enabled. |
Important Note on Logging Configuration
Many critical events aren't enabled by default. Microsoft recommends configuring:
- Advanced Audit Policy Configuration at: Computer Configuration\Security Settings\Advanced Audit Policy Configuration
- Process creation auditing that includes command lines in Event 4688
- PowerShell logging (ScriptBlock logging for Event 4104), which is essential for detecting obfuscated attacks
For comprehensive coverage, consider deploying Sysmon (System Monitor) from Microsoft Sysinternals, which provides Event IDs 1, 3, and others that fill critical gaps in native Windows logging.
MITRE ATT&CK Mapping Quick Reference
| Technique | Primary Event IDs |
|---|---|
| Command Execution (T1059) | 4688, 4104 |
| Service Persistence (T1543.003) | 7045, 4697 |
| Scheduled Task (T1053.005) | 4698, 4702 |
| Account Creation (T1136) | 4720, 4732, 4728 |
| Remote Services (T1021) | 4624 (Type 3), 5140 |
| Log Clearing (T1070.001) | 1102, 104, 4719 |
Focus your monitoring on this core set first, then expand based on your environment’s specific risks and compliance requirements.