Windows Event Log Monitoring: Key Events Every Security Team Should Track
Ryan O.
Windows Logs Are a Goldmine
Windows Event Logs record a wealth of security-relevant information, but their volume can be overwhelming. Knowing which events matter most allows you to focus monitoring on the activities most likely to indicate an attack. This guide identifies the key event IDs that every security team should be tracking.
Authentication Events
Event 4624 records successful logons; track logon type 10 (Remote Desktop) and type 3 (network) for unexpected access. Event 4625 records failed logons; repeated failures from a single source indicate a brute-force attack. Event 4648 records explicit credential use, which may indicate pass-the-hash attacks. Event 4672 records when a user with administrative privileges logs on, helping you monitor privileged access.
Process and Service Events
Event 4688 records new process creation; enable command-line logging to see the arguments each process was invoked with. Event 7045 records new service installations, a common persistence mechanism. Event 4697 records the same service installations in the Security log. PowerShell events 4103, 4104, and 4105 record module loading, script block execution, and transcription, revealing malicious PowerShell activity.
Configuration and Policy Changes
Event 4719 records changes to audit policy; attackers often disable logging to cover their tracks. Event 1102 records audit log clearing, another sign of attacker activity. Event 4670 records permission changes on objects. Events 4732 and 4733 record when users are added to or removed from security groups. Forward these events to your SIEM and create alerts for unexpected occurrences. True Protection enriches Windows event data with process context and threat intelligence to surface the most relevant events.
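As an added example (not part of the original post or any product's code), the following Python detector applies the rules from the authentication and configuration sections above to constructed sample records shaped like SIEM-forwarded events: a sliding-window brute-force check on 4625, a successful 4624 from a source that just crossed that threshold, logon types 3 and 10 from sources outside an allowlist, unconditional alerts for 1102/4719/7045/4697, and additions to privileged groups via 4732. The field names, thresholds, group list and allowlist are assumptions to tune for your environment.

```python
from collections import defaultdict, deque

# Constructed sample records (not real logs); fields mirror what a SIEM or
# log shipper would carry for the event IDs discussed in the article.
SAMPLE_EVENTS = [
    *({"ts": 100 + i * 5, "id": 4625, "src_ip": "10.0.0.5", "user": "alice"} for i in range(6)),
    {"ts": 140, "id": 4624, "logon_type": 10, "src_ip": "10.0.0.5", "user": "alice"},
    {"ts": 141, "id": 4672, "user": "alice"},
    {"ts": 300, "id": 1102, "user": "alice"},
    {"ts": 400, "id": 4732, "user": "alice", "group": "Administrators", "member": "bob"},
    {"ts": 500, "id": 4624, "logon_type": 3, "src_ip": "10.0.0.9", "user": "svc_backup"},
]

# Events that warrant an alert on every occurrence (see the article's sections).
ALWAYS_ALERT = {1102: "audit log cleared", 4719: "audit policy changed",
                7045: "new service installed", 4697: "new service installed"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}  # assumption: tune per environment


def detect(events, fail_threshold=5, window=60, known_sources=frozenset()):
    """Return (rule, detail) alerts for a time-ordered list of event dicts."""
    alerts = []
    failures = defaultdict(deque)  # src_ip -> timestamps of recent 4625s
    bursting = set()               # sources that crossed the brute-force threshold
    for e in events:
        eid = e["id"]
        if eid in ALWAYS_ALERT:
            alerts.append((ALWAYS_ALERT[eid], f"id={eid} by {e.get('user')}"))
        elif eid == 4625:
            q = failures[e["src_ip"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # keep only the sliding window
                q.popleft()
            if len(q) >= fail_threshold and e["src_ip"] not in bursting:
                bursting.add(e["src_ip"])
                alerts.append(("brute force", f"{len(q)} failures from {e['src_ip']} in {window}s"))
        elif eid == 4624:
            src, lt = e.get("src_ip"), e.get("logon_type")
            if src in bursting:  # a success right after a failure burst is the key signal
                alerts.append(("success after brute force", f"{e['user']} from {src}"))
            if lt in (3, 10) and src not in known_sources:
                alerts.append((f"unexpected logon type {lt}", f"{e['user']} from {src}"))
        elif eid == 4732 and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged group change", f"{e['member']} added to {e['group']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS, known_sources={"10.0.0.9"}):
        print(f"{rule}: {detail}")
```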