Top Windows Security Events Logs You Must Monitor

0

Windows events logs are rich source of information on the occurrence of any incidents , proactive motioning of specific events will provide you more information on the clients environment. Investigate such events to stop threats before it reaches your network and keep monitoring a important events of active directory and improve insights on specific event actions apart from correlated rules.


Event ID List Threat Actor Behavior
5447Windows Filtering Platform Policy was Changed
5147Suspicious activity detected for which Windows Filtering Platform Blocked a packet
5155Suspicious incoming connection for specific application or service listening on a port ,Windows Filtering Platform has blocked
5153Attacker tried to access a network,user, a group, a computer, an application, a printer, or a shared folder for which Windows Filtering Platform has dropped a packet and blocked
5152Suspicious incoming connection for specific application or service listening on a port ,Windows Filtering Platform has blocked
5031Specific application or service on windows trying to get suspicious packets as inbound packets to the system for which Windows Filtering Platform has blocked
5025Windows firewall service has been stopped
4954Windows Firewall Group Policy settings has been changed. The new settings have been applied
4950Windows firewall settings has been changed
4947Windows Firewall Exception list was updated successfully which may allow a new connection which will bypass the windows firewall policies
4946Windows Firewall Exception list was updated successfully which may allow a new connection which will bypass the windows firewall policies
4698Scheduled task has been created to run specific jobs
4699Previously Scheduled task was deleted successfully
4700Scheduled task was enabled successfully
4701Previously Scheduled task was deleted successfully
4702Scheduled task was updated successfully
4697Suspicious service was installed by Threat actor or Legitimate service installed by windows admin
4657Possible changes made in registry to be persistence on system
4616System time was changed
4782Suspicious access of the password hash of an account
4777The domain controller failed to validate the credentials for an account
4772A Kerberos authentication ticket request failed
4755Access granted under universal group to trust domain
4737Access granted under global to access in any trusting domain but it should have members from its own domain.
4735Access granted under domain local group means the group can only be granted access to objects within its domain but can have members from any trusted domain.
4767A user account was unlocked
4740A user account was locked out
4738User account ACL ( Access Control List ) changed
4725A user account was disabled
4723An attempt was made to change the password of an account
4722A user account was enabled
4720A user account was created
1102 Audit logs was cleared
4648User account logged in with domain credentials and another programs was accessed using different credentials., Example : Sharepoint
4625Failed account log on

Conclusion

Monitor such events with high priority as this may be the critical indicator of attacks which may compromise your organization in next few minutes !


Next articleInvestigation of the .CAB files in Windows
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here