Windows Event Logs

Below are a few windows event logs which can help identify threats such as brute force attacks. They can also highlight suspicious activity should your group policy be ignored. Example: Admins disabling the local firewall.

Windows Event Logs

Security		4624	Account Logon
Security		4625	Failed login
Security		4720	A user account was created
Security		4722	A user account was enabled
Security		4726	A user account was deleted
Security		4740	A user account was locked out
Security		4724, 4738	Additional user creation events
Security		4728	A member was added to a security-enabled global group
Security		4732	A member was added to a security-enabled local group
Security		4724	An attempt was made to reset an accounts password
Security		4767	A user account was unlocked
Security 	4781	The name of an account was changed
Security		4738	A user account was changed
Security		4660	 An object was deleted
Security		4776	The domain controller attempted to validate the credentials for an account
Security		4743	A computer account was deleted

Security		1100	The event logging service has shut down
Security		1102	Clear Event log

Firewall		2003	Disable firewall
Firewall		4948	A change has been made to Windows Firewall exception list. A rule was deleted
Firewall		4950	A Windows Firewall setting has changed
Firewall		5025	The Windows Firewall Service has been stopped

Windows Defender Logs

Microsoft-Windows-AppLocker/EXE and DLL
(EXE/MSI) was allowed to run but would have been prevented from running if the AppLocker policy were enforced

Microsoft-Windows-AppLocker/EXE and DLL
(EXE/MSI) was prevented from running.

Windows Defender has detected malware or other potentially unwanted software

Windows Defender has taken action to protect this machine from malware or other potentially unwanted software

%d bloggers like this: