E-book

Strengthen your security posture: 10 critical Windows Event IDs to monitor


Every login. Every change. Every clue.

Your Windows Event Logs are full of signals—if you know where to look.

Even with antivirus, firewalls, and access controls in place, attackers can slip through the cracks. Their movements often go unnoticed, quietly hidden inside your Event Logs. But there’s good news: The right eyes—and the right alerts—can expose threats hiding in plain sight.

In this free eBook, we break down:

  • The 10 most critical Windows Event IDs that deserve your attention.
  • How to spot early signs of compromise, privilege misuse, and suspicious access.
  • What each Event ID means, how attackers exploit it, and what to do about it.
  • The limits of native tools like Event Viewer—and how AD360 can help you go beyond them.

Whether you're triaging incidents or building a proactive threat detection strategy, this guide gives you a sharper edge.

Table of contents
  • I. Introduction
  • II. Exploring Windows Security Event logs: An essential data source
  • III. Identifying critical Windows Event IDs for security monitoring
  • IV. Windows Event Viewer: A critical tool with its own set of challenges
  • V. Strengthen your security posture: An introduction to ManageEngine AD360
  • VI. 10 critical Windows Event IDs and how AD360 enhances monitoring
  • VII. Conclusion: Transforming raw data into security intelligence: A path forward

I. Introduction

Decoding the digital footprint by leveraging Windows Event logs for proactive threat detection

Consider your network as a well-defended fortress. You’ve implemented robust firewalls, deployed vigilant antivirus software, and enforced strict access controls. But what if the threat actor has already breached your defenses, silently navigating your systems and issuing covert commands? These subtle activities often manifest in your Windows Event Logs—a rich source of intelligence that, if properly understood and monitored, can serve as an invaluable early warning system against cyberthreats.

Each login, file access, and system modification generates a digital trace within these logs. However, with thousands of events logged daily, identifying the critical signs of an attack can be a daunting task. Relying solely on native Windows tools can make this process akin to searching for a needle in a haystack, leaving security teams potentially overwhelmed and at risk of missing key indicators of malicious activity.

This e-book aims to guide you in strengthening your security posture by focusing on the most crucial Windows Event IDs—those vital signals that demand your attention. We'll explore the significance of these events, the malicious behaviors they can uncover, and, most importantly, how ManageEngine AD360 can enhance your ability to detect and respond to threats efficiently and effectively. By transforming these hidden signals into actionable intelligence, you can proactively defend your network against evolving cyberthreats.

II. Exploring Windows Security Event logs: An essential data source

To effectively leverage Windows Event Logs for security monitoring, it is crucial to understand the different categories of logs and the structure of the individual event entries. Windows organizes events into several main categories, including Application, Security, and System logs. The Security log is of primary importance for cybersecurity professionals, as it records authentication events, such as logon and logoff attempts, changes to user accounts and group memberships, modifications to file and registry permissions, and other security-related activities. Application logs contain events logged by applications and services running on the system, which can sometimes provide indicators of malicious activity or system anomalies. Finally, System logs capture events related to the Windows operating system itself, such as driver failures, system errors, and hardware issues.

Each entry within these event logs follows a structured format, containing key components that provide essential information about the event. The Event ID is a unique numerical identifier that distinguishes a specific type of event from others. The Timestamp indicates the exact date and time when the event occurred. The Source identifies the component or application that generated the event, while the User field specifies the user account associated with the event. The Computer field indicates the system on which the event was logged. The Description provides a textual explanation of what happened. Lastly, the Level of the event signifies its severity or category, such as Information (successful action), Warning (potential future problem), Error (significant problem), Critical (severe problem), Success Audit (successful security access attempt), or Failure Audit (failed security access attempt).

Before any effective monitoring can take place, it's essential to ensure that the necessary security event logs are enabled and properly configured. This involves defining appropriate audit policies through the Group Policy Management Console to dictate which security-related events should be recorded. As a fundamental security audit policy best practice, organizations should define auditing for both successful and failed account and general logon events to gain visibility into user authentication activities.

To begin examining these logs, users can access the Event Viewer console, the native Windows tool for viewing and managing event logs. This can be done by searching for "Event Viewer" in the Start Menu or by navigating through Administrative Tools.

III. Identifying critical Windows Event IDs for security monitoring

Given the vast number of Event IDs that Windows can generate, it's crucial to focus on those that are most indicative of potential security threats, unauthorized access, or system anomalies. These critical Event IDs can be broadly categorized to facilitate understanding and monitoring efforts.

Here is a list of some common Windows security Event IDs that every IT professional should be familiar with:

Category / Event ID / Description

Logon/Logoff
  4624  An account was successfully logged on. This event documents every successful attempt to log on to a local computer, regardless of the logon type, user location, or account type.
  4625  An account failed to log on. This event is recorded for every failed attempt to log on to the local computer.
  4634  An account was logged off. This event signals the completion of a logoff process for a user.
  4647  User initiated logoff. This event specifically indicates a user-initiated logoff.
  4648  A logon was attempted using explicit credentials. This event is logged when a user successfully logs on using explicit credentials (like RunAs) while already logged on as a different user.
  4779  User disconnected terminal server or virtual host session without logging off. This event can indicate a potential risk if sessions are not properly terminated.
  4798  A user's local group membership was enumerated.
  4799  A security-enabled local group membership was enumerated. These events (4798 and 4799) might precede malicious activity targeting local groups.

Account Management
  4720  A user account was created. Monitoring account creation is essential for identifying potentially rogue accounts.
  4722  A user account was enabled. Unexpected enabling of disabled accounts warrants investigation.
  4723  An attempt was made to change the password of an account. Password changes, especially for administrative accounts, should be closely monitored.
  4725  A user account was disabled. Similar to enabling, unexpected account disabling should be reviewed.
  4728  A member was added to a security-enabled global group.
  4732  A member was added to a security-enabled local group.
  4756  A member was added to a security-enabled universal group. These events (4728, 4732 and 4756) are critical for tracking changes to privileged group memberships.
  4738  A user account was changed. Monitoring account modifications can reveal unauthorized changes to user attributes.
  4740  A user account was locked out. Frequent account lockouts can indicate brute-force attacks.
  4767  A user account was unlocked. Monitoring account unlocks can be useful in conjunction with lockout events.

Privilege Use
  4672  Special privileges assigned to new logon. This event logs when a user is granted special privileges upon logon, which is crucial for spotting potential privilege escalation.
  4673  A privileged service was called. Monitoring the invocation of privileged services can reveal unauthorized actions.
  4674  An attempted operation on a privileged object was made. Attempts to manipulate privileged objects should be closely monitored.
  4964  Special groups are assigned to new logons. Similar to 4672, but focuses on group assignments.

Object Access
  4656  A handle to an object was requested.
  4658  The handle to an object was closed.
  4659  A handle to an object was requested with the intent to delete.
  4660  An object was deleted.
  4663  An attempt was made to access an object. These events (4656 through 4663), when properly audited, can track access to sensitive files, folders, and registry keys.
  4670  Permissions on an object were changed. Changes to object permissions can grant unauthorized access.
  4691  Indirect access to an object was requested. This event can indicate unusual access patterns.

System Events/Audit Policy Changes
  1100  The event logging service has shut down.
  1102  The audit log was cleared.
  1104  The security log is now full. These events (1100, 1102 and 1104) can indicate attempts to tamper with or disable security logging.
  4719  The system audit policy was changed. Modifications to the audit policy itself should be monitored for potential tampering.

Malware Detection (Microsoft Defender Antivirus)
  1116/1006  Malware or unwanted software was detected.
  1007/1117  An action to protect the system was performed.
  1008/1118  An action to protect the system failed.
  1015       Suspicious behavior was detected. These events from Microsoft Defender Antivirus are crucial for identifying potential malware infections.

Scheduled Tasks
  4698  A scheduled task was created.
  4699  A scheduled task was deleted.
  4700  A scheduled task was enabled.
  4701  A scheduled task was disabled.
  4702  A scheduled task was updated. Monitoring changes to scheduled tasks can reveal malicious persistence mechanisms.

IV. Windows Event Viewer: A critical tool with its own set of challenges

The Windows Event Viewer provides the fundamental capabilities for monitoring the Security Log and the critical Event IDs identified earlier. To access the Security Log, open Event Viewer and navigate to Windows Logs > Security. The Event Viewer interface is typically divided into three main panes: the Navigation pane on the left, which allows you to select different log categories; the Details pane in the center, which displays a list of events within the selected log; and the Actions pane on the right, offering options for filtering and managing logs.

To focus on specific Event IDs, you can utilize the Filter Current Log option found in the Actions pane. This feature allows you to specify criteria for the events you want to view, including entering specific Event IDs or a range of IDs. For instance, to monitor failed logon attempts, you would filter for Event ID 4625.

For more focused and recurring monitoring, you can create Custom Views. This allows you to define a set of filter criteria, including multiple Event IDs, and save it for easy access in the future. This is particularly useful for creating a view that displays all the critical Event IDs relevant to your organization's security monitoring strategy.

Selecting a specific event in the Details pane will display detailed information about that event in the lower section of the window or in a separate pop-up window if you double-click the event. This detailed information includes the Event ID, timestamp, source, user, computer, and a description of the event, as well as specific fields relevant to the event type, such as the logon type for Event ID 4624 or the failure reason for Event ID 4625.

While the Event Viewer provides essential functionalities for examining Windows Event Logs, it has several limitations when it comes to comprehensive security monitoring. The interface can be complex and less user-friendly, especially for those not deeply familiar with event logs. The filtering capabilities, while functional, can be limited for more intricate queries involving correlations across different event types or timeframes. Searching through large volumes of logs can be slow, hindering timely analysis, particularly during incident response. Logs stored locally on individual machines are susceptible to tampering if a system is compromised, as an attacker could potentially clear the logs to erase their tracks. Native tools lack consistent data retention options beyond setting a maximum log size, which can lead to important older events being overwritten without consideration for their age. Correlating events across multiple systems to gain a holistic view of a security incident is a manual and challenging process with Event Viewer alone.

Furthermore, there are no built-in alerting mechanisms to notify administrators in real time when critical security events occur. The absence of prebuilt security reports and compliance auditing features makes it difficult to rely solely on Event Viewer for meeting regulatory requirements.

Event logs often lack detailed information, such as the source of a change or the before and after values of modified attributes. The sheer volume of legitimate events can create significant noise, making it difficult to identify truly suspicious activities. Monitoring specific activities like LDAP queries or protocol-specific details in authentication events is not easily achievable with native tools. Obtaining a consolidated view of user activity across various machines and domain controllers requires significant manual effort in collecting and analyzing logs from disparate sources. Finally, the maximum size limitations of event logs can result in the overwriting of older, potentially critical security information.

V. Strengthen your security posture: An introduction to ManageEngine AD360

To overcome the inherent limitations of native Windows Event Logging, organizations are increasingly turning to security solutions like ManageEngine AD360. AD360 is specifically designed to provide real-time Active Directory auditing and comprehensive Windows Server security event log monitoring, offering a significant leap forward in threat detection and response.

AD360 addresses the challenge of log volume and distributed data by providing a centralized platform for collecting, analyzing, and archiving security event logs from all your Windows systems. This unified view eliminates the need for manual, system-by-system log reviews, offering a holistic perspective of your security landscape.

One of the most significant advantages of AD360 is its advanced real-time alerting system. You can configure immediate alerts for critical security events, ensuring that you are notified the moment suspicious activity occurs. These alerts can be customized based on specific Event IDs, users, source IPs, and more, allowing you to focus on the events that truly matter.

AD360 comes with a rich set of prebuilt, event-specific reports and intuitive dashboards. These reports provide instant visibility into various aspects of your Windows security, including user logon activity, account management changes, and file access attempts, eliminating the need for complex manual report generation.

The solution also excels at correlating events and identifying patterns of suspicious behavior that might go unnoticed with native tools. By analyzing sequences of events, AD360 can detect potential brute-force attacks, lateral movement, and other malicious activities.

Furthermore, AD360 leverages its built-in user behavior analytics (UBA) to establish baselines of normal user activity and detect anomalies that could indicate compromised accounts or insider threats. This proactive approach to threat detection adds another layer of security beyond simple rule-based alerting.

Finally, AD360 simplifies compliance efforts by providing audit-ready reports that meet the requirements of various regulatory standards like HIPAA, the PCI DSS, and the GDPR. This helps organizations demonstrate due diligence and maintain a strong security posture.

VI. 10 critical Windows Event IDs and how AD360 enhances monitoring

While numerous Windows Event IDs provide valuable information, focusing on the most critical ones can significantly improve your security monitoring efficiency. Here are 10 critical Event IDs that AD360 can help you monitor more effectively than native tools:

Event ID / Description / Why it's critical / How AD360 enhances monitoring

4624: Successful Account Logon
  Why it's critical: This event records every successful user logon, providing essential information about who accessed the system and when. Monitoring this can help detect unusual login times, sources, or concurrent logons, which could indicate compromised accounts.
  How AD360 enhances monitoring: AD360 provides real-time alerts for logons from unusual locations or outside business hours, offers predefined reports on logon activity, and helps correlate successful logons with subsequent user behavior to identify anomalies. It also provides a centralized view of all successful logons across your network.

4625: Failed Account Logon
  Why it's critical: This event logs every failed logon attempt, which can be a strong indicator of brute-force attacks or attempts to use compromised credentials.
  How AD360 enhances monitoring: AD360 can detect and alert on a sudden surge in failed logon attempts, provides detailed reports on the reasons and sources of failures, and can correlate failed attempts with subsequent successful logons from the same source, potentially indicating a successful brute-force attack.

4728: A Member was Added to a Security-Enabled Global Group
  Why it's critical: This event signifies the addition of a member to a security-enabled global group in Active Directory. Monitoring this is crucial for detecting unauthorized privilege escalation, as adding a user to a highly privileged group, like Domain Admins, can grant them excessive control.
  How AD360 enhances monitoring: AD360 provides real-time alerts when members are added to critical security groups, offers reports on group membership changes, and allows you to set up real-time alerts for specific privileged groups to ensure immediate notification of any modifications.

4732: A Member was Added to a Security-Enabled Local Group
  Why it's critical: This event indicates the addition of a member to a security-enabled local group on a specific machine. Monitoring additions to the local Administrators group is vital, as it grants administrative rights on that particular system, potentially bypassing domain-level controls.
  How AD360 enhances monitoring: AD360 provides alerts when users are added to sensitive local groups like Administrators, offers centralized reports on local group membership changes across your network, and helps identify inconsistencies in local administrator group memberships.

4756: A Member was Added to a Security-Enabled Universal Group
  Why it's critical: Similar to global groups, monitoring additions to security-enabled universal groups is important, as it can grant access to resources across the entire Active Directory forest, making unauthorized changes a significant security risk.
  How AD360 enhances monitoring: AD360 provides real-time alerts for additions to critical universal security groups, offers detailed reports on these membership changes, and allows you to create alerts for privileged universal groups.

1102: The Audit Log was Cleared
  Why it's critical: This event is logged when the Windows Security Audit Log is cleared. Attackers often clear logs to hide their malicious activities, making this a critical event to monitor.
  How AD360 enhances monitoring: AD360 provides immediate real-time alerts when the Security Log is cleared and offers the capability to automatically archive security logs to a secure location before they can be tampered with, ensuring log data is retained for forensic analysis.

4740: User Account Locked Out
  Why it's critical: While account lockouts can be normal, a high frequency of lockouts, especially for critical accounts, can indicate a brute-force attack in progress.
  How AD360 enhances monitoring: AD360 provides real-time alerts for account lockouts, helps identify the source of the lockout, and offers reports on frequently locked-out users, aiding in the detection of potential attacks or account issues.

4663: An Attempt was Made to Access an Object
  Why it's critical: This event logs attempts to access files, folders, and other objects. Monitoring access attempts to sensitive data can help detect unauthorized access or potential data breaches.
  How AD360 enhances monitoring: AD360 provides detailed audit trails of file and folder accesses, allows you to set up alerts for access attempts to specific critical objects, and offers file integrity monitoring to detect unauthorized modifications or deletions.

4672: Special Privileges Assigned to New Logon
  Why it's critical: This event is generated when special privileges are assigned to a new logon session. Monitoring the assignment of sensitive privileges like SeDebugPrivilege or SeBackupPrivilege can help detect potential privilege escalation.
  How AD360 enhances monitoring: AD360 provides real-time alerts when sensitive privileges are assigned, especially to non-administrative accounts, and offers reports detailing users with special privileges and changes to their assignments.

4724: An Attempt was Made to Reset an Account's Password
  Why it's critical: This event is generated every time an account attempts to reset the password for another account (both user and computer accounts).
  How AD360 enhances monitoring: AD360 can keep a close eye on the most recent password changes and resets made by users, and can gain instant insight into users who frequently change their passwords.
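As an added example (not code from this e-book or from AD360), the correlation rules described above expressed in Python over a handful of constructed Security-log records: a surge of 4625 failures from one source followed by a 4624 from the same source, additions to sensitive groups via 4728/4732/4756, and a 1102 log clear. The record field names, the 5-failures-in-5-minutes threshold and the sensitive-group list are assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values (not from the e-book): how many 4625s within the
# window count as a surge, and which groups are treated as privileged.
THRESHOLD = 5
WINDOW = timedelta(minutes=5)
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_IDS = {4728: "global", 4732: "local", 4756: "universal"}

# Constructed sample records resembling exported Security-log entries.
SAMPLE_EVENTS = [
    {"id": 4625, "time": "2024-05-01T02:00:05", "account": "jsmith", "src": "10.0.0.25"},
    {"id": 4625, "time": "2024-05-01T02:00:09", "account": "jsmith", "src": "10.0.0.25"},
    {"id": 4625, "time": "2024-05-01T02:00:14", "account": "jsmith", "src": "10.0.0.25"},
    {"id": 4625, "time": "2024-05-01T02:00:20", "account": "jsmith", "src": "10.0.0.25"},
    {"id": 4625, "time": "2024-05-01T02:00:26", "account": "jsmith", "src": "10.0.0.25"},
    {"id": 4624, "time": "2024-05-01T02:00:40", "account": "jsmith", "src": "10.0.0.25"},
    {"id": 4728, "time": "2024-05-01T02:01:30", "account": "jsmith", "src": "10.0.0.25",
     "group": "Domain Admins", "member": "svc-backup"},
    {"id": 1102, "time": "2024-05-01T02:02:00", "account": "jsmith", "src": "10.0.0.25"},
    # A single mistyped password followed by a normal logon: benign, no alert.
    {"id": 4625, "time": "2024-05-01T09:15:00", "account": "amy", "src": "10.0.0.7"},
    {"id": 4624, "time": "2024-05-01T09:15:10", "account": "amy", "src": "10.0.0.7"},
    # Local group change to a non-sensitive group: no alert.
    {"id": 4732, "time": "2024-05-01T10:00:00", "account": "helpdesk", "src": "10.0.0.9",
     "group": "Remote Desktop Users", "member": "amy"},
]


def detect(events):
    """Return (rule, source, detail) alerts, processing events in time order."""
    evs = sorted(({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
                 key=lambda e: e["time"])
    alerts = []
    failures = defaultdict(list)  # source -> 4625 timestamps still inside WINDOW
    surged = set()                # sources already reported for a surge
    for e in evs:
        src, t = e["src"], e["time"]
        if e["id"] == 4625:
            recent = [x for x in failures[src] if t - x <= WINDOW] + [t]
            failures[src] = recent
            if len(recent) >= THRESHOLD and src not in surged:
                surged.add(src)
                alerts.append(("BRUTE_FORCE_SURGE", src,
                               f"{len(recent)} failed logons within {WINDOW}"))
        elif e["id"] == 4624:
            recent = failures.get(src, [])
            # A success shortly after a surge from the same source is the
            # "failed attempts then success" pattern the e-book describes.
            if src in surged and recent and t - recent[-1] <= WINDOW:
                alerts.append(("BRUTE_FORCE_SUCCESS", src,
                               f"4624 for {e['account']} after {len(recent)} failures"))
                surged.discard(src)
                failures[src] = []
        elif e["id"] in GROUP_ADD_IDS and e.get("group") in SENSITIVE_GROUPS:
            alerts.append(("PRIVILEGED_GROUP_ADD", src,
                           f"{e['member']} added to {GROUP_ADD_IDS[e['id']]} group "
                           f"{e['group']} by {e['account']}"))
        elif e["id"] == 1102:
            alerts.append(("AUDIT_LOG_CLEARED", src, f"security log cleared by {e['account']}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {src:12} {detail}")
```

A 4624 that arrives after the window has expired is not reported as a successful brute force, so the threshold and window should be tuned to the authentication volume of the environment.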

VII. Conclusion: Transforming raw data into security intelligence: A path forward

In the ongoing battle against cyberthreats, knowledge is your most potent weapon. Windows Event Logs hold a wealth of information about the activities within your environment, but effectively harnessing this data requires more than just the native tools. ManageEngine AD360 provides the enhanced capabilities needed to transform these raw logs into actionable security intelligence.

By focusing your monitoring efforts on the critical Windows Event IDs highlighted in this e-book and leveraging the advanced features of AD360, you can gain unprecedented visibility into your Windows environment, detect threats earlier in the attack life cycle, and respond more effectively to security incidents. Don't let the unseen whispers of cyber intrusion go unheard. Embrace the power of intelligent log monitoring and fortify your security posture today.

About AD360

ManageEngine AD360 is a unified identity platform that seamlessly connects people, technology and experiences while giving enterprises full visibility and control over their identity infrastructure. It offers automated life cycle management; secure SSO; adaptive MFA; and risk-based governance, auditing, compliance and identity analytics—all from a single, intuitive console. With extensive out-of-the-box integrations and support for custom connectors, AD360 easily integrates into existing IT ecosystems to enhance security and streamline identity operations. Trusted by leading enterprises across healthcare, finance, education, and government, AD360 simplifies identity management, fortifies security, and ensures compliance with evolving regulatory standards. For more information, please visit https://www.manageengine.com/active-directory-360/.