
The 8 most critical Windows security event IDs

Table of Contents

The Windows Security Log
What makes a Windows security event critical?
The eight most critical Windows security event IDs
Securing Active Directory
www.adauditplus.com 1
The Windows Security Log

The Windows Security Log, which you can find under Event Viewer (Windows Logs > Security), records critical user actions such as logons and logoffs, account management, object access, and more. Microsoft describes the Windows Security Log as "your best and last defense," and rightly so. The Security Log helps detect potential security problems, ensures user accountability, and serves as evidence during security breaches.

What makes a Windows security event critical?

Among the multitude of Windows security events, the few that can be deemed critical can be broadly classified into two groups:

1. Events whose single occurrence indicates malicious activity. For example, a normal end-user account getting unexpectedly added to a sensitive security group.

2. Events whose successive occurrence above an accepted baseline indicates malicious activity. For example, an abnormally large number of failed logons.

The eight most critical Windows security event IDs

Each entry below gives the serial number, the category, the event ID with its description, and reasons to monitor it (by no means exhaustive).

(1) and (2)  Category: Logon and logoff

    4624 (Successful logon)
      - To detect abnormal and possibly unauthorized insider activity, such as a logon from an inactive or restricted account, users logging on outside of normal working hours, or concurrent logons to many resources.
      - To get information on user behavior, such as attendance and working hours.

    4625 (Failed logon)
      - To detect possible brute-force, dictionary, and other password-guessing attacks, which are characterized by a sudden spike in failed logons.
      - To arrive at a benchmark for the account lockout threshold policy setting.
      Caveat: 4625 is written on the machine where the logon was attempted. For domain accounts, failures seen by a domain controller appear there as 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation with a non-zero error code), so collect those from the domain controllers as well.

(3), (4), and (5)  Category: Account management

    4728 (Member added to security-enabled global group)
    4732 (Member added to security-enabled local group)
    4756 (Member added to security-enabled universal group)
      - To ensure group membership for privileged users, who hold the "keys to the kingdom," is scrutinized regularly. This is especially true for security group membership additions.
      - To detect privilege abuse by users who are responsible for unauthorized additions.
      - To detect accidental additions.
      Caveat: these events belong to the Security Group Management audit subcategory and are recorded on the domain controller that processed the change (or on the member server itself for its local groups, via 4732).

(6)  Category: Event log

    1102 (The audit log was cleared)
      - To spot users with malicious intent, such as those responsible for tampering with event logs.
      Note: an attacker can also stop events from being recorded without clearing anything, by turning auditing off in the system audit policy. That change is itself recorded as event 4719 (System audit policy was changed), so 4719 deserves the same single-occurrence alert as 1102.

(7)  Category: Account management

    4740 (User account locked out)
      - To detect possible brute-force, dictionary, and other password-guessing attacks, which show up as a sudden spike in lockouts following a spike in failed logons.
      - To mitigate the impact of legitimate users getting locked out and being unable to carry out their work.
      Caveat: for domain accounts, 4740 is logged on the domain controller holding the PDC emulator role, and its Caller Computer Name field identifies the machine the bad passwords came from.

(8)  Category: Object access

    4663 (An attempt was made to access an object)
      - To detect unauthorized attempts to access files and folders.
      Caveat: 4663 is only generated when the Audit File System subcategory is enabled and the file or folder carries a SACL (audit entry) that matches the access and the requesting principal. With no SACL on the object, nothing is logged no matter what the audit policy says.
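The two-group classification above and the eight IDs in the table, applied to a constructed batch of events, as an added PowerShell example (this is not code from the ADAudit Plus document; the sensitive-group list, the failed-logon threshold of five and the ten-minute window are assumptions chosen for the demo, and the sample events are constructed, not real log data):

```powershell
# Added example: classify Security-log events into the two groups the paper describes.
# Group 1: a single occurrence is enough to alert on.
# Group 2: alert only when the count per account inside a window exceeds a baseline.
# $SensitiveGroups, $FailedLogonThreshold and $WindowMinutes are assumed values.

$SensitiveGroups      = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$FailedLogonThreshold = 5        # 4625 events per target account per window
$WindowMinutes        = 10

# 1102: audit log cleared. 4719: system audit policy changed. Always group 1.
$SingleOccurrenceIds = @(1102, 4719)
# 4728/4732/4756: member added to a global/local/universal security group.
# Group 1 only when the target group is in $SensitiveGroups.
$GroupAddIds = @(4728, 4732, 4756)

function Find-CriticalEvents {
    param([Parameter(Mandatory)][object[]]$Events)

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($e in $Events) {
        if ($SingleOccurrenceIds -contains $e.Id) {
            $findings.Add([pscustomobject]@{
                Group = 1; Id = $e.Id; Account = $e.Subject
                Reason = "event $($e.Id) logged once by $($e.Subject)"
            })
        }
        elseif ($GroupAddIds -contains $e.Id -and $SensitiveGroups -contains $e.Target) {
            $findings.Add([pscustomobject]@{
                Group = 1; Id = $e.Id; Account = $e.Subject
                Reason = "$($e.Member) added to sensitive group '$($e.Target)' by $($e.Subject)"
            })
        }
    }

    # Group 2: count 4625 per target account in a sliding window over the sorted timestamps.
    $failed = $Events | Where-Object Id -eq 4625 | Sort-Object TimeCreated
    foreach ($grp in ($failed | Group-Object Target)) {
        $times = @($grp.Group | ForEach-Object TimeCreated)
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end      = $times[$i].AddMinutes($WindowMinutes)
            $inWindow = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end }).Count
            if ($inWindow -ge $FailedLogonThreshold) {
                $findings.Add([pscustomobject]@{
                    Group = 2; Id = 4625; Account = $grp.Name
                    Reason = "$inWindow failed logons for $($grp.Name) within $WindowMinutes min from $($times[$i])"
                })
                break   # one finding per account is enough for an alert
            }
        }
    }
    return $findings
}

# Constructed sample events (not real log data). Subject = who did it, Target = affected object.
$t0 = [datetime]'2024-01-15T02:00:00'
$sample = @(
    [pscustomobject]@{ Id = 4624; TimeCreated = $t0;               Subject = 'CORP\alice'; Target = 'FS01';          Member = $null }
    [pscustomobject]@{ Id = 4728; TimeCreated = $t0.AddMinutes(1); Subject = 'CORP\bob';   Target = 'Domain Admins'; Member = 'CORP\svc-backup' }
    [pscustomobject]@{ Id = 4728; TimeCreated = $t0.AddMinutes(2); Subject = 'CORP\bob';   Target = 'Sales';         Member = 'CORP\carol' }
    [pscustomobject]@{ Id = 1102; TimeCreated = $t0.AddMinutes(3); Subject = 'CORP\bob';   Target = $null;           Member = $null }
)
# Six failed logons for one account inside three minutes (password guessing) ...
foreach ($n in 1..6) {
    $sample += [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddMinutes(10 + $n * 0.5); Subject = 'WS07$'; Target = 'CORP\dave'; Member = $null }
}
# ... and three spread over a day for another (normal typos, stays under baseline).
foreach ($n in 1..3) {
    $sample += [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddHours($n * 6); Subject = 'WS08$'; Target = 'CORP\erin'; Member = $null }
}

Find-CriticalEvents -Events $sample | Format-Table Group, Id, Account, Reason -AutoSize
```

Run as written, the function returns three findings: the 4728 into Domain Admins and the 1102 as group 1, and the six 4625s for CORP\dave as group 2. The 4728 into Sales and the three scattered failures for CORP\erin produce nothing, which is the point of the baseline. To run it against live data, build the objects from Get-WinEvent output (the subject and target names sit in each event's Properties collection, at positions that differ per event ID).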

Securing Active Directory
First and foremost, you need to configure your audit policy so that Windows can record the
relevant events in the Security Log. Next, you need to aggregate and analyze the collected
logs, then translate those findings into actionable information, like reports and alerts. Using
native tools and PowerShell scripts to complete these tasks demands expertise and a lot of
time. To get the job done quickly and efficiently, a third-party tool is truly indispensable.
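An added example of the first two steps with native tools, enabling the audit subcategories the eight IDs depend on and pulling those IDs back out of the Security log (this is not code from the document or from ADAudit Plus; the folder path C:\Shares\Finance and the 24-hour lookback are assumptions):

```powershell
# Added example: configure the audit policy for the eight critical IDs, then collect them.
# Run from an elevated PowerShell on the machine being audited. The group-management and
# lockout events for domain accounts are written on domain controllers, so run it there too.

# auditpol subcategory -> event IDs it produces (for the reader; only the keys are used).
$subcategories = @{
    'Logon'                     = 4624, 4625
    'Security Group Management' = 4728, 4732, 4756
    'User Account Management'   = 4740
    'Audit Policy Change'       = 4719
    'File System'               = 4663     # also needs a SACL on the object, set below
}
foreach ($name in $subcategories.Keys) {
    auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
}
# 1102 (audit log cleared) is written regardless of these switches.

# 4663 only fires for objects with a matching SACL: audit successful delete/write by anyone
# on one folder (assumed path), inherited by its files and subfolders.
$folder = 'C:\Shares\Finance'
if (Test-Path $folder) {
    $acl  = Get-Acl -Path $folder
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'Delete, WriteData', 'ContainerInherit, ObjectInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $folder -AclObject $acl
}

# Collect the eight IDs (plus 4719) from the last 24 hours.
$criticalIds = 4624, 4625, 4728, 4732, 4756, 1102, 4719, 4740, 4663
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $criticalIds
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# Volume per ID (the baseline input for group 2) ...
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'Id'; e = { $_.Name } }, Count | Format-Table -AutoSize

# ... and every event that should alert on sight (group 1): log cleared, audit policy changed.
$events | Where-Object { $_.Id -in 1102, 4719 } |
    Select-Object TimeCreated, Id, MachineName,
                  @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

The auditpol subcategory names are the display names shown by auditpol /get /category:*, and the loop leaves every other subcategory untouched. Note that the File System subcategory on its own produces nothing: the SACL written by Set-Acl is what makes 4663 appear for that folder, which is why the table entry for 4663 carries that caveat.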

With in-depth reports, real-time alerts, and graphical displays, ADAudit Plus simplifies the continuous monitoring of logons and logoffs, group membership changes, event log clearance, account lockouts, file servers, and much more across your Active Directory, member servers, and workstations.

Note

While much care has been taken to prepare this document, we give no warranties
whatsoever with respect to this document, including but not limited to the accuracy of any
information contained therein.

ManageEngine ADAudit Plus is a real-time change auditing and user behavior analytics
solution that helps keep your Active Directory, Azure AD, Windows servers, and
workstations secure and compliant.
