Notable Event Log EventID’s for Incident Response, Threat Hunting, Forensics, etc
Quick-use filter string
1100,1102,4609,4611,4616,4618,4624,4625,4634,4647,4648,4656,4657,4662,4663,4664,4670,4672,4688,4689,4692,4693,4695,4696,4697,4698,4699,4700,4701,4702,4703,4704,4705,4715,4717,4718,4719,4720,4722,4723,4724,4725,4726,4731,4732,4733,4734,4735,4738,4739,4740,4767,4776,4778,4779,4780,4781,4782,4793,4798,4800,4801,4802,4803,4816,4817,4882,4885,4890,4898,4899,4906,4907,4908,4912,4946,4947,4948,4950,4951,4952,4953,4956,4957,4958,4964,5025,5027,5028,5029,5030,5031,5034,5035,5037,5038,5142,5143,5144,5146,5158,5376,5377,5378,5441,6145,6272,6273,6274,6275,6276,6277,6278,6279,6280,6281,6410,6416,6419,6420,6421,6422,6423,6424
NOTE: The following IDs are worth the effort, but they are high-volume and will likely need additional filtering to keep the results manageable
4662,4673,5145,5379
EventID | Description | Filter |
---|---|---|
1100 | The event logging service has shut down. | |
1102 | The audit log was cleared. | |
4609 | Windows is shutting down | |
4611 | A trusted logon process has been registered with the Local Security Authority. | |
4616 | The system time was changed. | |
4618 | A monitored security event pattern has occurred. | |
4624 | An account was successfully logged on. | |
4625 | An account failed to log on. | |
4634 | An account was logged off. | |
4647 | User initiated logoff. | |
4648 | A logon was attempted using explicit credentials. | |
4656 | A handle to an object was requested | |
4657 | A registry value was modified. | OperationType %%1904, %%1905, %%1906 |
4662 | An operation was performed on an object | |
4663 | An attempt was made to access an object | |
4664 | An attempt was made to create a hard link | |
4670 | Permissions on an object were changed. | |
4672 | Special privileges assigned to new logon. | |
4688 | A new process has been created. | |
4689 | A process has exited. | |
4692 | Backup of data protection master key was attempted. | |
4693 | Recovery of data protection master key was attempted. | |
4695 | Unprotection of auditable protected data was attempted. | |
4696 | A primary token was assigned to process | |
4697 | A service was installed in the system. | |
4698 | A scheduled task was created. | |
4699 | A scheduled task was deleted. | |
4700 | A scheduled task was enabled. | |
4701 | A scheduled task was disabled | |
4702 | A scheduled task was updated. | |
4703 | A user right was adjusted. | |
4704 | A user right was assigned. | |
4705 | A user right was removed | |
4715 | The audit policy (SACL) on an object was changed. | |
4717 | System security access was granted to an account. | |
4718 | System security access was removed from an account. | |
4719 | System audit policy was changed. | |
4720 | A user account was created. | |
4722 | A user account was enabled. | |
4723 | An attempt was made to change an account’s password. | |
4724 | An attempt was made to reset an account’s password. | |
4725 | A user account was disabled. | |
4726 | A user account was deleted. | |
4731 | A security-enabled local group was created. | |
4732 | A member was added to a security-enabled local group. | |
4733 | A member was removed from a security-enabled local group. | |
4734 | A security-enabled local group was deleted. | |
4735 | A security-enabled local group was changed. | |
4738 | A user account was changed. | |
4739 | Domain Policy was changed. | |
4740 | A user account was locked out. | |
4767 | A user account was unlocked. | |
4776 | The domain controller attempted to validate the credentials for an account. | |
4778 | A session was reconnected to a Window Station. | |
4779 | A session was disconnected from a Window Station. | |
4780 | The ACL was set on accounts which are members of administrators groups. | |
4781 | The name of an account was changed. | |
4782 | The password hash of an account was accessed. | |
4793 | The Password Policy Checking API was called. | |
4798 | A user’s local group membership was enumerated. | |
4800 | The workstation was locked. | |
4801 | The workstation was unlocked. | |
4802 | The screen saver was invoked | |
4803 | The screen saver was dismissed. | |
4816 | RPC detected an integrity violation while decrypting an incoming message. | |
4817 | Auditing settings on object were changed. | |
4882 | The security permissions for Certificate Services changed. | |
4885 | The audit filter for Certificate Services changed. | |
4890 | The certificate manager settings for Certificate Services changed. | |
4898 | Certificate Services loaded a template | |
4899 | A Certificate Services template was updated | |
4906 | The CrashOnAuditFail value has changed. | |
4907 | Auditing settings on object changed | |
4908 | Special Groups Logon table modified | |
4912 | Per-User Audit Policy changed | |
4946 | A change has been made to Windows Firewall exception list. A rule was added. | |
4947 | A change has been made to Windows Firewall exception list. A rule was modified. | |
4948 | A change has been made to Windows Firewall exception list. A rule was deleted. | |
4950 | A Windows Firewall setting has changed (local only) | |
4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall. | |
4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. | |
4953 | Windows Firewall ignored a rule because it could not be parsed. | |
4956 | Windows Firewall has changed the active profile. | |
4957 | Windows Firewall did not apply the following rule. | |
4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. | |
4964 | Special groups assigned to a new logon | |
5025 | Windows Firewall Service has been stopped | |
5027 | Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. | |
5028 | Windows Firewall Service was unable to parse the new security policy. The service will continue with the currently enforced policy. | |
5029 | Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. | |
5030 | Windows Firewall Service failed to start | |
5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. | |
5034 | The Windows Firewall Driver was stopped | |
5035 | Windows Firewall Driver failed to start | |
5037 | Windows Firewall Driver detected a critical runtime error. Terminating. | |
5038 | Code integrity determined that the image hash of a file is not valid | Level 0 or 4 |
5142 | Network share object added | |
5143 | Network share object changed | |
5144 | Network share object deleted | |
5146 | The Windows Filtering Platform has blocked a packet. | |
5158 | The Windows Filtering Platform has permitted a bind to a local port. | |
5376 | Credential Manager credentials were backed up | |
5377 | Credential Manager credentials were restored from a backup. | |
5378 | The requested credentials delegation was disallowed by policy. | |
5441 | The following filter was present when the Windows Filtering Platform Base Filtering Engine started | |
6145 | One or more errors occurred while processing security policy in the group policy objects. | |
6272 | Network Policy Server granted access to a user | |
6273 | Network Policy Server denied access to a user | |
6274 | Network Policy Server discarded the request for a user | |
6275 | Network Policy Server discarded the accounting request for a user | |
6276 | Network Policy Server quarantined a user | |
6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy | |
6278 | Network Policy Server granted full access to a user because the host met the defined health policy | |
6279 | Network Policy Server locked the user account due to repeated failed authentication attempts | |
6280 | Network Policy Server unlocked the user account | |
6281 | Code Integrity determined that the page hashes of an image file are not valid. | Level 0 or 4 |
6410 | Code integrity determined that a file does not meet the security requirements to load into a process. | Level 0 or 4 |
6416 | A new external device was recognized by the system | |
6419 | A request was made to disable a device. | |
6420 | A device was disabled. | |
6421 | A request was made to enable a device. | |
6422 | A device was enabled. | |
6423 | The installation of this device is forbidden by system policy. | |
6424 | The installation of this device was allowed after having previously been forbidden by policy. | |

Quick-use filter string
4649,4706,4707,4713,4714,4716,4727,4728,4729,4730,4737,4741,4742,4743,4744,4745,4746,4747,4748,4749,4750,4751,4752,4753,4754,4755,4756,4757,4759,4760,4761,4762,4763,4764,4765,4766,4768,4769,4770,4771,4794,4799,4820,4865,4866,4867,5136,5137,5138,5139,5140,5141
EventID | Description | Filter |
---|---|---|
4649 | A replay attack was detected. | |
4706 | A new trust was created to a domain. | |
4707 | A trust to a domain was removed. | |
4713 | Kerberos policy was changed. | |
4714 | Encrypted data recovery policy was changed | |
4716 | Trusted domain information was modified. | |
4727 | A security-enabled global group was created. | |
4728 | A member was added to a security-enabled global group. | |
4729 | A member was removed from a security-enabled global group. | |
4730 | A security-enabled global group was deleted. | |
4737 | A security-enabled global group was changed. | |
4741 | A computer account was created. | |
4742 | A computer account was changed. | |
4743 | A computer account was deleted. | |
4744 | A security-disabled local group was created | |
4745 | A security-disabled local group was changed | |
4746 | A member was added to a security-disabled local group | |
4747 | A member was removed from a security-disabled local group | |
4748 | A security-disabled local group was deleted | |
4749 | A security-disabled global group was created | |
4750 | A security-disabled global group was changed | |
4751 | A member was added to a security-disabled global group | |
4752 | A member was removed from a security-disabled global group | |
4753 | A security-disabled global group was deleted | |
4754 | A security-enabled universal group was created. | |
4755 | A security-enabled universal group was changed. | |
4756 | A member was added to a security-enabled universal group. | |
4757 | A member was removed from a security-enabled universal group. | |
4759 | A security-disabled universal group was created | |
4760 | A security-disabled universal group was changed | |
4761 | A member was added to a security-disabled universal group | |
4762 | A member was removed from a security-disabled universal group | |
4763 | A security-disabled universal group was deleted | |
4764 | A group’s type was changed. | |
4765 | SID History was added to an account. | |
4766 | An attempt to add SID History to an account failed. | |
4768 | A Kerberos authentication ticket (TGT) was requested. | |
4769 | A Kerberos service ticket was requested. | |
4770 | A Kerberos service ticket was renewed. | |
4771 | Kerberos pre-authentication failed. | |
4794 | An attempt was made to set the Directory Services Restore Mode administrator password. | |
4799 | A security-enabled local group membership was enumerated. | |
4820 | A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions | |
4865 | A trusted forest information entry was added. | |
4866 | A trusted forest information entry was removed. | |
4867 | A trusted forest information entry was added. | |
5136 | A directory service object was modified. [1] | |
5137 | A directory service object was created. | |
5138 | A directory service object was undeleted | |
5139 | A directory service object was moved. | |
5140 | (NOISY!) Network share object accessed | |
5141 | A directory service object was deleted | |

| EventID | Description | Filter |
| :-----: | :---------- | ------ |
| 12 | The operating system started at system time xxxx | |
| 13 | The operating system is shutting down at system time xxxx | |
| 27 | Network link is disconnected | !source=Kernel-Boot |
| 33 | Network link has been established | !source=Kernel-Boot |
| 41 | The system has rebooted without cleanly shutting down first | |
| 42 | The system is entering sleep | |
| 104 | Event Log was Cleared | |
| 105 | Power source change | |
| 107 | The system has resumed from sleep | |
| 219 | Failed Kernel Driver Loading | Level 3 |
| 1001 | System Crash | |
| 7022 | Service hung on starting | Level 0, 1, 2, 3, or 4 |
| 7023 | Service terminated with error | Level 0, 1, 2, 3, or 4 |
| 7024 | Service terminated with the following service-specific error | Level 0, 1, 2, 3, or 4 |
| 7026 | The boot-start or system-start driver(s) [did not/failed to] load | Level 0, 1, 2, 3, or 4 |
| 7030 | Service Creation Errors | |
| 7031 | Service terminated unexpectedly | Level 0, 1, 2, 3, or 4 |
| 7032 | Service tried to take a corrective action (1) after the unexpected termination of the % service | Level 0, 1, 2, 3, or 4 |
| 7034 | Service terminated unexpectedly | Level 0, 1, 2, 3, or 4 |
| 7035 | The [Service Name] service was successfully sent a [start/stop] control | |
| 7036 | The [Service Name] service entered the [Status] state | |
| 7040 | The service state has changed | Level 0, 1, 2, 3, or 4 |
| 7045 | A service was installed in the system | Level 0, 1, 2, 3, or 4 |

| EventID | Description |
| :-----: | :---------- |
| 1001 | Application Crash |
| 1002 | Application Hang |
| 1003 | Application Error |
| 11707 | Product: [1] – Installation operation completed successfully. |
| 11724 | Product: [1] – Removal completed successfully. |

Note: Some installable applications are known to write to this log. Review your own logs to determine whether any further event IDs are needed for proper visibility.
| EventID | Description |
| :-----: | ----------- |
| 8003 | … would have been prevented from running. |
| 8004 | … was prevented from running. |

| EventID | Description |
| :-----: | ----------- |
| 8006 | … would have been prevented from running. |
| 8007 | … was prevented from running. |

| EventID | Description |
| :-----: | ----------- |
| 8022 | … was prevented from running. |

| EventID | Description |
| :-----: | ----------- |
| 8025 | … was prevented from running. |

| EventID | Description |
| :-----: | ----------- |
| 101 | NTLM usage attempted. |
| 105 | Kerberos authentication from a particular device was not permitted. |
| 106 | The user or device was not allowed to authenticate to the server. |
| 305 | Kerberos TGT request did not meet access control restrictions. |
| 306 | User, device or both do not meet the access control restrictions. |

| EventID | Description |
| :-----: | ----------- |
| 100 | An NTLM sign-in failure occurs for an account that is in the Protected Users security group. |
| 104 | The security package on the client does not contain the credentials. |
| 303 | A Kerberos ticket-granting-ticket (TGT) was successfully issued for a member of the Protected User group. |

(All)
| EventID | Description | Filter |
| :-----: | ----------- | ------ |
| 3001 | Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available. | Level 2 or 3 |
| 3002 | Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system. | Level 2 or 3 |
| 3003 | Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system. The image is allowed to load because kernel mode debugger is attached. | Level 2 or 3 |
| 3004 | Windows is unable to verify the image integrity of the file %2 because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. | Level 2 or 3 |
| 3010 | Code Integrity was unable to load the %2 catalog. | Level 2 or 3 |
| 3023 | Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked. Check with the publisher to see if a new signed version of the kernel module is available. | Level 2 or 3 |

| EventID | Description | Filter |
| :-----: | ----------- | ------ |
| 541 | The setting serverlevelplugindll on scope . has been set to $dll_path | |

| EventID | Description | Filter |
| :-----: | ----------- | ------ |
| 3008 | DNS Client events Query Completed | |

| EventID | Description |
| :-----: | :---------- |
| 2004 | User-Mode drivers loaded |

(All)
| EventID | Description | Filter |
| :-----: | ----------- | ------ |
| 1085 | Windows failed to apply the … settings | Level 2 |
| 1125 | The processing of Group Policy failed because of an internal system error. | Level 2 |
| 1127 | The processing of Group Policy failed due to an internal error. | Level 2 |
| 1129 | The processing of Group Policy failed because of lack of network connectivity to a domain controller. | Level 2 |

| EventID | Description |
| :-----: | :---------- |
| 400 | New Mass Storage Installation |
| 410 | New Mass Storage Installation |

| EventID | Description |
| :-----: | :---------- |
| 8001 | NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked. |
| 8002 | NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked. |
| 8003 | NTLM server blocked in the domain audit: Audit NTLM authentication in this domain. |
| 8004 | Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. |

| EventID | Description | Filter |
| :-----: | :---------- | ------ |
| 307 | Print Job | Level 4 |

EventID | Description |
---|---|
32850 | Creating a server remote session |
32867 | PowerShell input object |
32868 | PowerShell output object |
(All)
| EventID | Description |
| :--------: | :---------- |
| 4103 | Pipeline executed |
| 4104 | Scriptblock executed |
| 40961 | PowerShell Console Starting |
| 40962 | PowerShell Console Started |
| 24577 | Powershell script ran |
| 8193, 8194 | Session created |
| 8197 | Session Closed |
| 53504 | Records the authenticating user |

| EventID | Description |
| :-----: | ----------- |
| 131 | Accepted new TCP connection |
| 140 | Connection failed; bad username or password |

| EventID | Description |
| :-----: | ----------- |
| * | This event log contains log about the “Exploit Protection” feature. |

| EventID | Description |
| :-----: | ----------- |
| 9707 | Detects the start of the execution of a process from both the “Software\Microsoft\Windows\CurrentVersion\Run” and “Software\Microsoft\Windows\CurrentVersion\RunOnce” registry keys with the full command line. |
| 9708 | Detects when the aforementioned process finishes execution with the corresponding PID (Useful when the process is still running on the system). |
| 28115 | Triggered when a shortcut is added to the “App Resolver Cache”. Indicates when an application is installed. |

(All)
| EventID | Description |
| :-----: | ----------- |
| 31001 | Failed login to destination |

| EventID | Description |
| :-----: | ----------- |
| 1 | Process creation |
| 2 | A process changed a file creation time |
| 3 | Network connection |
| 4 | Sysmon service state changed |
| 5 | Process terminated |
| 6 | Driver loaded |
| 7 | Image loaded |
| 8 | CreateRemoteThread |
| 9 | RawAccessRead |
| 10 | ProcessAccess |
| 11 | FileCreate |
| 12 | RegistryEvent (Object create and delete) |
| 13 | RegistryEvent (Value Set) |
| 14 | RegistryEvent (Key and Value Rename) |
| 15 | FileCreateStreamHash |
| 17 | PipeEvent (Pipe Created) |
| 18 | PipeEvent (Pipe Connected) |
| 19 | WmiEvent (WmiEventFilter activity detected) |
| 20 | WmiEvent (WmiEventConsumer activity detected) |
| 21 | WmiEvent (WmiEventConsumerToFilter activity detected) |
| 22 | DNSEvent (DNS query) |
| 255 | Error |

| EventID | Description |
| :-----: | :---------- |
| 106 | Task Scheduled |
| 129 | Task Scheduler successfully completed task … |
| 140 | Task Updated |
| 141 | Task Removed |
| 200 | Task Executed |
| 201 | Task Completed |

| EventID | Description |
| :-----: | ----------- |
| 1024 | RDP connection attempt |
| 1025 | RDP connection made |
| 1102 | multi-transport connection attempt |
| 1103 | multi-transport connection made |

| EventID | Description |
| :-----: | ----------- |
| 1149 | User authentication succeeded |

| EventID | Description |
| :-----: | ----------- |
| 21 | Session logon succeeded |
| 22 | Shell start notification received |
| 23 | Session logoff succeeded |
| 24 | Session has been disconnected |
| 25 | Session reconnection succeeded |
| 39 | Session
| EventID | Description |
| :-----: | ----------- |
| 513 | TPM Owner Authorization information was backed up successfully to Active Directory Domain Services. |
| 514 | Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: %1 |

| EventID | Description |
| :-----: | ----------- |
| 55 | Indicates whether the computer has Internet or Not. |

| EventID | Description |
| :-----: | ----------- |
| 1 | Triggers when you mount a VHD (Virtual Hard Disk). |
| 2 | Triggers when you unmount a VHD (Virtual Hard Disk). |
| 12 | Contains information about the type, path, handle count of the mounted device. |

| EventID | Description | Filter |
| :-----: | ----------- | ------ |
| 1002 | An antimalware scan was stopped before it finished. | Level 2 |
| 1005 | An antimalware scan failed. | |
| 1006 | The antimalware engine found malware or other potentially unwanted software. | |
| 1007 | The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. | |
| 1008 | The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. | |
| 1009 | The antimalware platform restored an item from quarantine. | |
| 1013 | The antimalware platform deleted history of malware and other potentially unwanted software. | |
| 1014 | The antimalware platform could not delete history of malware and other potentially unwanted software. | |
| 1015 | The antimalware platform detected suspicious behavior. | |
| 1116 | The antimalware platform detected malware or other potentially unwanted software. | |
| 1117 | The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. | |
| 1118 | The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. | |
| 1119 | The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message. | |
| 2001 | The antimalware definition update failed. | |
| 2003 | The antimalware engine update failed. | |
| 2006 | The platform update failed. | |
| 2042 | The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. | |
| 3002 | Real-time protection encountered an error and failed. | |
| 5001 | Real-time protection is disabled. | |
| 5008 | The antimalware engine encountered an error and failed. | |
| 5010 | Scanning for malware and other potentially unwanted software is disabled. | |
| 5012 | Scanning for viruses is disabled. | |
| 5101 | The antimalware platform is expired. | |

| EventID | Description |
| :-----: | ----------- |
| 2002 | Windows Defender Firewall setting changed |
| 2004 | Firewall Rule Added |
| 2005 | Firewall Rule Changed |
| 2006 | Firewall Rule Deleted |
| 2033 | Firewall Rule Deleted |
| 2009 | Firewall Failed to load group policy |

| EventID | Description |
| :-----: | ----------- |
| 811 | Triggers when a user logs on to a machine. You can check for the “
| EventID | Description |
| :-----: | ----------- |
| 5600 | Indicates a change in the proxy configuration. For example, if the proxy configuration is changed from the “Internet Options” menu, this event is generated. |

| EventID | Description |
| :-----: | ----------- |
| 8001 | WLAN AutoConfig service has successfully connected to a wireless network. |
| 8003 | WLAN AutoConfig service has successfully disconnected from a wireless network. |

| EventID | Description |
| :-----: | ----------- |
| 5857 | Provider started |
| 5858 | Provider error |
| 5860 | Registration of Temporary Event Consumer |
| 5861 | Registration of Permanent Event Consumer |

| EventID | Description |
| :----------: | ----------- |
| 6 | WSMan Session created |
| 8, 15, 16, 33 | WSMan Session deinitialization |
| 81 | Processing Client Request |
| 82 | Entering the plugin |
| 134 | Sending response |
| 91 | Session Created |
| 168 | Authenticating attempt |
| 169 | Authentication success |

Legacy. Final release was 2016.

| EventID | Description | Filter |
| :-----: | ----------- | ------ |
| 1 | | with Level 2 or 3 |
| 2 | | with Level 2 or 3 |

| EventID | Description | Filter |
| :-----: | ----------- | ------ |
| 150 | DNS Server could not load or initialize the plug-in DLL | |
| 770 | DNS Server plugin DLL has been loaded | |

| EventID | Description |
| :-----: | ----------- |
| 400 | Engine started |
| 403 | Engine stopped |
| 800 | Includes partial script code |

Sources