Notable Event IDs to record that will help in forensics, if not explicitly in detection. Excludes those already included in existing Sigma rules.
| EventID | Description | Filter |
|---|---|---|
| 4647 | User initiated logoff. | |
| 4670 | Permissions on an object were changed. | |
| 4696 | A primary token was assigned to process | |
| 4700 | A scheduled task was enabled. | |
| 4703 | A user right was adjusted. | |
| 4705 | A user right was removed | |
| 4715 | The audit policy (SACL) on an object was changed. | |
| 4778 | A session was reconnected to a Window Station. | |
| 4779 | A session was disconnected from a Window Station. | |
| 4780 | The ACL was set on accounts which are members of administrators groups. | |
| 4793 | The Password Policy Checking API was called. | |
| 4801 | The workstation was unlocked. | |
| 4802 | The screen saver was invoked | |
| 4803 | The screen saver was dismissed. | |
| 4817 | Auditing settings on object were changed. | |
| 4885 | The audit filter for Certificate Services changed. | |
| 4890 | The certificate manager settings for Certificate Services changed. | |
| 4906 | The CrashOnAuditFail value has changed. | |
| 4907 | Auditing settings on object changed | |
| 4908 | Special Groups Logon table modified | |
| 4912 | Per-User Audit Policy changed | |
| 4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall. | |
| 4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. | |
| 4953 | Windows Firewall ignored a rule because it could not be parsed. | |
| 4956 | Windows Firewall has changed the active profile. | |
| 4957 | Windows Firewall did not apply the following rule. | |
| 4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. | |
| 4964 | Special groups assigned to a new logon | |
| 5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. | |
| 5028 | The Windows Firewall Service was unable to parse the new security policy. The service will continue with the currently enforced policy. | |
| 5029 | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. | |
| 5146 | The Windows Filtering Platform has blocked a packet. | |
| 5158 | The Windows Filtering Platform has permitted a bind to a local port. | |
| 6145 | One or more errors occurred while processing security policy in the group policy objects. | |
| 6272 | Network Policy Server granted access to a user | |
| 6274 | Network Policy Server discarded the request for a user | |
| 6275 | Network Policy Server discarded the accounting request for a user | |

| EventID | Description | Filter |
|---|---|---|
| 4770 | A Kerberos service ticket was renewed. | |
| 4820 | A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions. | |

| EventID | Description | Filter |
|---|---|---|
| 12 | The operating system started at system time xxxx | |
| 13 | The operating system is shutting down at system time xxxx | |
| 27 | Network link is disconnected | !source=Kernel-Boot |
| 33 | Network link has been established | !source=Kernel-Boot |
| 105 | Power source change | |
| 107 | The system has resumed from sleep | |

| EventID | Description | Filter |
|---|---|---|
| 541 | The setting serverlevelplugindll on scope . has been set to $dll_path | |

(All)

| EventID | Description | Filter |
|---|---|---|
| 307 | Print Job | Level 4 |

(All)

| EventID | Description |
|---|---|
| 32867 | PowerShell input object |
| 32868 | PowerShell output object |

| EventID | Description | Filter |
|---|---|---|
| 40961 | PowerShell Console Starting | |
| 40962 | PowerShell Console Started | |
| 24577 | PowerShell script ran | |
| 8193, 8194 | Session created | |
| 8197 | Session Closed | |
| 53504 | Records the authenticating user | |

| EventID | Description | Filter |
|---|---|---|
| 9707 | Detects the start of the execution of a process from both the “Software\Microsoft\Windows\CurrentVersion\Run” and “Software\Microsoft\Windows\CurrentVersion\RunOnce” registry keys with the full command line. | |
| 9708 | Detects when the aforementioned process finishes execution with the corresponding PID (useful when the process is still running on the system). | |

(All)

| EventID | Description |
|---|---|
| 31001 | Failed login to destination |

| EventID | Description |
|---|---|
| 15 | FileCreateStreamHash |
| 18 | PipeEvent (Pipe Connected) |

| EventID | Description |
|---|---|
| 200 | Task Executed |
| 201 | Task Completed |

| EventID | Description |
|---|---|
| 1149 | User authentication succeeded |

| EventID | Description |
|---|---|
| 22 | Shell start notification received |
| 23 | Session logoff succeeded |
| 24 | Session has been disconnected |
| 25 | Session reconnection succeeded |
| 39 | Session |
| 40 | Session |

| EventID | Description |
|---|---|
| 513 | TPM Owner Authorization information was backed up successfully to Active Directory Domain Services. |
| 514 | Failed to back up TPM Owner Authorization information to Active Directory Domain Services. Errorcode: %1 |

| EventID | Description |
|---|---|
| 55 | Indicates whether the computer has Internet access or not. |

| EventID | Description |
|---|---|
| 1 | Triggers when you mount a VHD (Virtual Hard Disk). |
| 2 | Triggers when you unmount a VHD (Virtual Hard Disk). |
| 12 | Contains information about the type, path and handle count of the mounted device. |

| EventID | Description |
|---|---|
| 811 | Triggers when a user logs on to a machine. You can check for the “ |

| EventID | Description |
|---|---|
| 8001 | WLAN AutoConfig service has successfully connected to a wireless network. |
| 8003 | WLAN AutoConfig service has successfully disconnected from a wireless network. |

| EventID | Description |
|---|---|
| 5857 | Provider started |
| 5858 | Provider error |

| EventID | Description |
|---|---|
| 6 | WSMan Session created |
| 8, 15, 16, 33 | WSMan Session deinitialization |
| 81 | Processing Client Request |
| 82 | Entering the plugin |
| 134 | Sending response |
| 91 | Session Created |
| 168 | Authenticating attempt |
| 169 | Authentication success |

| EventID | Description | Filter |
|---|---|---|
| 770 | DNS Server plugin DLL has been loaded | |

| EventID | Description |
|---|---|
| 400 | Engine started |
| 403 | Engine stopped |
| 800 | Includes partial script code |