42 Windows Server Security Events You Should Monitor for Suspicious Activities

Copy of design2 (4)

42 Windows Server Security Events You Should Monitor for Suspicious Activities

SOC Analyst must know this 42 Event ID’s for suspicious activities and it helps to investigate security incidents in Windows.

As a part of windows server monitoring, investigations and soc windows based investigations use windows event ID’s. you can use this event ID’s in this list to search for suspicious activities and health monitoring on admin side also use this event ID’s to detect several windows based incidents.

42 Windows Event ID’s

Event IDWhat it means
4624Successful account log on
4625Failed account log on
4634An account logged off
4648A logon attempt was made with explicit credentials
4719System audit policy was changed.
4964A special group has been assigned to a new log on
1102Audit log was cleared. This can relate to a potential attack
4720A user account was created
4722A user account was enabled
4723An attempt was made to change the password of an account
4725A user account was disabled
4728A user was added to a privileged global group
4732A user was added to a privileged local group
4756A user was added to a privileged universal group
4738A user account was changed
4740A user account was locked out
4767A user account was unlocked
4737A privileged global group was modified
4755A privileged universal group was modified
4772A Kerberos authentication ticket request failed
4777The domain controller failed to validate the credentials of an account.
4782Password hash an account was accessed
4616System time was changed
4657A registry value was changed
4697An attempt was made to install a service
4698, 4699, 4700, 4701, 4702Events related to Windows scheduled tasks being created, modified, deleted, enabled or disabled
4946A rule was added to the Windows Firewall exception list
4947A rule was modified in the Windows Firewall exception list
4950A setting was changed in Windows Firewall
4954Group Policy settings for Windows Firewall has changed
5025The Windows Firewall service has been stopped
5031Windows Firewall blocked an application from accepting incoming traffic
5152, 5153A network packet was blocked by Windows Filtering Platform
5155Windows Filtering Platform blocked an application or service from listening on a port
5157Windows Filtering Platform blocked a connection

Leave your thought here

Your email address will not be published. Required fields are marked *

Select the fields to be shown. Others will be hidden. Drag and drop to rearrange the order.
  • Image
  • SKU
  • Rating
  • Price
  • Stock
  • Availability
  • Add to cart
  • Description
  • Content
  • Weight
  • Dimensions
  • Additional information
  • Attributes
  • Custom attributes
  • Custom fields
Click outside to hide the compare bar
Connect with our expert
Need help.? Contact our
Scan the code
Hi Welcome to SiemHunters learning platform