# Important Event IDs for SOC Analysts
## System Log Event IDs
### Service Control Manager Events
- Event ID 7000: The service failed to start due to the following error…
- Event ID 7001: The service depends on the service which failed to start…
- Event ID 7034: The service terminated unexpectedly…
- Event ID 7040: The start type of the service was changed from…
- Event ID 7045: A service was installed in the system.
### System Shutdown and Startup Events
- Event ID 6005: The Event Log service was started.
- Event ID 6006: The Event Log service was stopped.
- Event ID 6008: The previous system shutdown was unexpected.
### Time Change Events
- Event ID 1 (Kernel-General): The system time has changed to…
### Disk and Hardware Events
- Event ID 7 (Disk): The device, \Device\Harddisk0\DR0, has a bad block.
- Event ID 51 (Disk): An error was detected on device \Device\Harddisk0\DR0 during a paging operation.
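Of the System log events above, 7045 is the one most worth a routine review, because a new service is a common persistence and privilege boundary. The following is an added example, not code from the original page: it pulls 7045 records with `Get-WinEvent`, reads the `ServiceName`, `ImagePath`, `StartType` and `AccountName` fields (the EventData names the Service Control Manager writes for this event) and flags services whose binary sits outside the standard Windows and Program Files directories. The expected-path list is an assumption to adjust for your build standard.

```powershell
# Added example (not from the original page): review System log Event ID 7045,
# "A service was installed in the system", and flag services whose binary lives
# outside the expected program directories.

function ConvertFrom-EventData {
    # Turn the <EventData><Data Name="..."> nodes of a record into a hashtable.
    param([Parameter(Mandatory)] $Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Test-UnusualServicePath {
    # $true when the executable in ImagePath is not under an expected location.
    param([Parameter(Mandatory)][string] $ImagePath)
    # ImagePath may be quoted and may carry arguments; keep only the executable.
    # An unquoted path containing spaces is cut at the first space and therefore
    # gets flagged, which is itself worth a look.
    $exe = if ($ImagePath.StartsWith('"')) { $ImagePath.Split('"')[1] } else { $ImagePath.Split(' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # Assumed "expected" prefixes; driver services use \SystemRoot\... or bare system32\... paths.
    $expected = @('C:\Windows\', 'C:\Program Files\', 'C:\Program Files (x86)\', '\SystemRoot\', 'System32\')
    foreach ($prefix in $expected) {
        if ($exe.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

function Get-NewServiceInstalls {
    # 7045 events from the local System log for the last $Hours hours, one object each.
    param([int] $Hours = 24)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $d['ServiceName']
            ImagePath   = $d['ImagePath']
            StartType   = $d['StartType']
            Account     = $d['AccountName']
            Unusual     = Test-UnusualServicePath $d['ImagePath']
        }
    }
}

# Constructed sample ImagePath values (not real events) showing what the check flags.
foreach ($p in @('"C:\Program Files\Vendor\agent.exe" -run',
                 'C:\Users\Public\updater.exe',
                 '%SystemRoot%\System32\svchost.exe -k netsvcs',
                 'system32\DRIVERS\example.sys')) {
    '{0,-5} {1}' -f (Test-UnusualServicePath $p), $p
}

# Real use on a host whose System log you can read:
# Get-NewServiceInstalls -Hours 72 | Where-Object Unusual | Format-Table -AutoSize
```

Pair this with 7040 (start type changed) when triaging: a service installed with `StartType` set to auto-start, running as LocalSystem from a user-writable directory, is the combination that deserves an immediate look.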
## Security Log Event IDs
### Successful Logon Events
- Event ID 4624: An account was successfully logged on.
### Failed Logon Events
- Event ID 4625: An account failed to log on.
### Account Management Events
- Event ID 4720: A user account was created.
- Event ID 4722: A user account was enabled.
- Event ID 4725: A user account was disabled.
- Event ID 4726: A user account was deleted.
### Privilege Use Events
- Event ID 4672: Special privileges assigned to new logon.
### Audit Log Clearing
- Event ID 1102: The audit log was cleared.
### System Integrity Events
- Event ID 4616: The system time was changed.
### Additional Account Management Events
- Event ID 4727: A security-enabled global group was created.
- Event ID 4728: A member was added to a security-enabled global group.
- Event ID 4732: A member was added to a security-enabled local group.
- Event ID 4756: A member was added to a security-enabled universal group.
- Event ID 4767: A user account was unlocked.
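Event ID 4625 on its own is noise; it becomes a finding when it clusters. The block below is an added example, not code from the original page: it normalises 4625 records (using the event's own EventData names `TargetUserName`, `IpAddress`, `LogonType` and `SubStatus`) and then looks for two clusters, many failures against one account from one source (brute force) and failures against many distinct accounts from one source (password spray). The thresholds are illustrative values to tune for your environment.

```powershell
# Added example (not from the original page): detect brute-force and
# password-spray patterns in Security Event ID 4625 (an account failed to log on).

function ConvertFrom-FailedLogon {
    # Reduce a 4625 EventLogRecord to the fields the analysis needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Account   = $d['TargetUserName']
            Source    = $d['IpAddress']
            LogonType = $d['LogonType']
            SubStatus = $d['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
        }
    }
}

function Find-LogonAbuse {
    # Brute force: one source hammering one account.
    # Spray: one source trying at least $SprayAccountThreshold different accounts.
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $BruteForceThreshold   = 10,
        [int] $SprayAccountThreshold = 5
    )
    $findings = @()
    foreach ($bySource in ($Records | Group-Object Source)) {
        $accounts = @($bySource.Group | Group-Object Account)
        foreach ($a in $accounts) {
            if ($a.Count -ge $BruteForceThreshold) {
                $findings += [pscustomobject]@{ Pattern = 'BruteForce'; Source = $bySource.Name
                                                Accounts = $a.Name; Failures = $a.Count }
            }
        }
        if ($accounts.Count -ge $SprayAccountThreshold) {
            $findings += [pscustomobject]@{ Pattern = 'PasswordSpray'; Source = $bySource.Name
                                            Accounts = ($accounts.Name -join ','); Failures = $bySource.Count }
        }
    }
    return $findings
}

# Constructed sample records (no real log data) that exercise both patterns.
$sample = @()
foreach ($i in 1..12) {
    $sample += [pscustomobject]@{ Time = Get-Date; Account = 'alice'; Source = '10.0.0.5'; LogonType = '3'; SubStatus = '0xc000006a' }
}
foreach ($u in 'bob', 'carol', 'dave', 'erin', 'frank') {
    $sample += [pscustomobject]@{ Time = Get-Date; Account = $u; Source = '10.0.0.9'; LogonType = '3'; SubStatus = '0xc000006a' }
}
Find-LogonAbuse -Records $sample | Format-Table -AutoSize

# Real use (last 24 h of the local Security log; needs event log read rights):
# $r = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } | ConvertFrom-FailedLogon
# Find-LogonAbuse -Records @($r)
```

Keep `SubStatus` in the output: a spray that returns mostly `0xC0000064` (unknown user) tells you the attacker is guessing usernames, while `0xC000006A` against valid accounts means the account list is already known and the accounts should be checked for a later 4624 from the same source.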
## Application Log Event IDs
### Application Errors
- Event ID 1000 (Application Error): Faulting application name…
### Application Hang
- Event ID 1002 (Application Hang): The program [application name] version [version] stopped interacting with Windows…
### MsiInstaller Events
- Event ID 11707: Installation of [product name] succeeded.
- Event ID 11708: Installation of [product name] failed.
## Setup Log Event IDs
### Windows Update Events
- Event ID 19 (WindowsUpdateClient): Installation Successful: Windows successfully installed the following update…
- Event ID 20 (WindowsUpdateClient): Installation Failure: Windows failed to install the following update…
- Event ID 21 (WindowsUpdateClient): Installation Pending: Windows is waiting to install the following update…
### System Installation Events
- Event ID 300 (Setup): The Windows installer has initiated a system restart to complete the installation or update…
## Application and Service Logs Event IDs
### PowerShell Logs
- Event ID 4103 (Microsoft-Windows-PowerShell): PowerShell Pipeline Execution Details.
- Event ID 4104 (Microsoft-Windows-PowerShell): PowerShell Script Block Logging.
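A detail that trips up 4104 triage: a long script is not logged as one event but as numbered fragments that share a `ScriptBlockId`, so a keyword search over single events misses strings that straddle a fragment boundary. The block below is an added example, not code from the original page: it reassembles fragments by `ScriptBlockId` in `MessageNumber` order (these, with `MessageTotal`, `ScriptBlockText` and `Path`, are the event's own EventData names) and only then scans the full text. The indicator patterns are illustrative and are assumptions to extend from your own detection content.

```powershell
# Added example (not from the original page): reassemble Event ID 4104 script
# block fragments and scan the complete text for strings worth analyst review.

function Join-ScriptBlockFragments {
    # Input: objects with ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText.
    # Output: one object per ScriptBlockId with the fragments concatenated in order.
    param([Parameter(Mandatory)] [object[]] $Fragments)
    foreach ($g in ($Fragments | Group-Object ScriptBlockId)) {
        $ordered = @($g.Group | Sort-Object { [int]$_.MessageNumber })
        [pscustomobject]@{
            ScriptBlockId = $g.Name
            Complete      = ($g.Count -eq [int]$ordered[0].MessageTotal)   # all fragments present?
            Text          = -join $ordered.ScriptBlockText
        }
    }
}

function Get-ScriptBlockIndicators {
    # Returns the names of the illustrative patterns that match the script text.
    param([Parameter(Mandatory)] [string] $Text)
    $patterns = @{
        'encoded-command' = '(?i)-enc(odedcommand)?\s'
        'base64-decode'   = '(?i)FromBase64String'
        'web-download'    = '(?i)(DownloadString|DownloadFile|Invoke-WebRequest)'
        'reflection-load' = '(?i)\[System\.Reflection\.Assembly\]::Load'
    }
    $hits = @(foreach ($name in $patterns.Keys) { if ($Text -match $patterns[$name]) { $name } })
    return $hits
}

function Get-LoggedScriptBlocks {
    # Fragments from the local PowerShell operational log for the last $Hours hours.
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ ScriptBlockId = $d['ScriptBlockId']; MessageNumber = $d['MessageNumber']
                           MessageTotal = $d['MessageTotal']; ScriptBlockText = $d['ScriptBlockText']; Path = $d['Path'] }
    }
}

# Constructed fragments (not real log data): one block split in two so that the
# indicator string crosses the fragment boundary, plus a benign single-fragment block.
$fragments = @(
    [pscustomobject]@{ ScriptBlockId = 'aaaa-1'; MessageNumber = '2'; MessageTotal = '2'; ScriptBlockText = 'Base64String($blob)' },
    [pscustomobject]@{ ScriptBlockId = 'aaaa-1'; MessageNumber = '1'; MessageTotal = '2'; ScriptBlockText = '$data = [Convert]::From' },
    [pscustomobject]@{ ScriptBlockId = 'bbbb-2'; MessageNumber = '1'; MessageTotal = '1'; ScriptBlockText = 'Get-ChildItem C:\Logs | Measure-Object' }
)
foreach ($block in Join-ScriptBlockFragments $fragments) {
    $ind = Get-ScriptBlockIndicators $block.Text
    '{0}  complete={1}  indicators={2}' -f $block.ScriptBlockId, $block.Complete, ($ind -join ',')
}

# Real use:
# $blocks = Join-ScriptBlockFragments @(Get-LoggedScriptBlocks -Hours 24)
# $blocks | Where-Object { (Get-ScriptBlockIndicators $_.Text).Count -gt 0 } | Format-List ScriptBlockId, Complete, Text
```

`Complete` is worth keeping in the output: a block whose fragment count is short of `MessageTotal` usually means the log wrapped or the forwarding pipeline dropped events, and an indicator hit on an incomplete block should be treated as a lower-confidence result until the missing fragments are recovered from the endpoint.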
### Sysmon Logs
- Event ID 1: Process Creation - Logs the creation of a process, including details like the parent process, command line, hashes, and more.
- Event ID 2: File Creation Time Change - Detects when the creation time of a file is modified.
- Event ID 3: Network Connection - Captures TCP/UDP connections established by a process.
- Event ID 4: Sysmon Service State Changed - Logs when Sysmon starts or shuts down.
- Event ID 5: Process Terminated - Logs when a process ends.
- Event ID 6: Driver Loaded - Captures the loading of kernel-mode drivers or dynamic-link libraries.
- Event ID 7: Image Loaded - Logs the loading of an image (DLL or EXE) into a process.
- Event ID 8: CreateRemoteThread - Logs the creation of a thread in a process by another process, often used in injection techniques.
- Event ID 9: Raw Access Read - Logs processes attempting to read raw disk sectors.
- Event ID 10: Process Access - Captures details of a process accessing another process.
- Event ID 11: File Creation - Logs the creation of new files.
- Event ID 12: Registry Object Added or Deleted - Logs the creation or deletion of registry keys and values.
- Event ID 13: Registry Value Set - Logs when a registry value is modified.
- Event ID 14: Registry Object Renamed - Logs the renaming of registry keys.
- Event ID 15: File Stream Created - Logs the creation of alternate data streams.
- Event ID 16: Sysmon Configuration Change - Logs when the Sysmon configuration is modified.
- Event ID 17: Pipe Created - Logs the creation of named pipes.
- Event ID 18: Pipe Connected - Logs the connection to a named pipe.
- Event ID 19: WMI Event Filter - Captures the creation of WMI event filters.
- Event ID 20: WMI Event Consumer - Logs the creation of WMI event consumers.
- Event ID 21: WMI Event Consumer Binding - Logs the binding between WMI filters and consumers.
- Event ID 22: DNS Query - Captures DNS query requests.
- Event ID 23: File Deleted - Logs when a file is deleted.
- Event ID 24: Clipboard Changed - Logs changes to the clipboard.
- Event ID 25: Process Tampering - Detects tampering with process memory, such as injection.
- Event ID 26: FileShare Access - Logs access to network shares.
- Event ID 27: FileCopy Detected - Captures file copy operations using special tools or APIs.
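Sysmon Event ID 1 carries both the child and the parent image, which is what makes process-lineage detections possible. The block below is an added example, not code from the original page or from the Sysmon project: it reads Event ID 1 records from the `Microsoft-Windows-Sysmon/Operational` log, uses Sysmon's own EventData names (`Image`, `ParentImage`, `CommandLine`, `User`, `Hashes`) and flags children whose parent is one that should rarely spawn a shell or script host, for example an Office application. The parent-to-child table is an illustrative assumption to extend from your own detection content.

```powershell
# Added example (not from the original page): flag unexpected parent/child
# process pairs in Sysmon Event ID 1 (process creation).

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# Parent executable name -> child executable names that warrant review (illustrative).
$SuspiciousLineage = @{
    'winword.exe' = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')
    'excel.exe'   = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')
    'outlook.exe' = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe')
    'chrome.exe'  = @('cmd.exe', 'powershell.exe')
}

function Test-SuspiciousLineage {
    # $true when the (parent, child) pair is listed in $SuspiciousLineage.
    param([Parameter(Mandatory)][string] $ParentImage, [Parameter(Mandatory)][string] $Image)
    $parent = [IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    $child  = [IO.Path]::GetFileName($Image).ToLowerInvariant()
    return ($SuspiciousLineage.ContainsKey($parent) -and ($SuspiciousLineage[$parent] -contains $child))
}

function Get-SysmonProcessCreations {
    # Event ID 1 records from the local Sysmon log for the last $Hours hours, annotated.
    param([int] $Hours = 24)
    $filter = @{ LogName = $SysmonLog; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['User']
            ParentImage = $d['ParentImage']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            Hashes      = $d['Hashes']
            Suspicious  = Test-SuspiciousLineage -ParentImage $d['ParentImage'] -Image $d['Image']
        }
    }
}

# Constructed parent/child pairs (not real events) showing what the check flags.
$pairs = @(
    @{ Parent = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Child = 'C:\Windows\System32\cmd.exe' },
    @{ Parent = 'C:\Windows\explorer.exe';                                    Child = 'C:\Windows\System32\cmd.exe' },
    @{ Parent = 'C:\Program Files\Google\Chrome\Application\chrome.exe';      Child = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
)
foreach ($p in $pairs) {
    '{0,-5} {1} -> {2}' -f (Test-SuspiciousLineage -ParentImage $p.Parent -Image $p.Child), $p.Parent, $p.Child
}

# Real use: Get-SysmonProcessCreations -Hours 48 | Where-Object Suspicious | Format-List
```

When a pair is flagged, the same event already gives you the next pivot: the `Hashes` value can be checked against your allow-list or threat intelligence, and `CommandLine` shows whether the child was launched with arguments that match the PowerShell 4104 content captured on the same host.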
### Windows Defender Logs
- Event ID 1000 (Windows Defender): Malware Detection.
- Event ID 1116 (Windows Defender): Antivirus scan started.
### Task Scheduler Logs
- Event ID 106 (TaskScheduler): Task registered or updated.
### Remote Desktop Services Logs
- Event ID 1149 (TerminalServices-RemoteConnectionManager): Remote Desktop Services: User authentication succeeded.
### Other Security Log Events
- Event ID 4634: An account was logged off.
- Event ID 4647: User initiated logoff.
- Event ID 4648: A logon was attempted using explicit credentials.
- Event ID 5038 (System Integrity): Code integrity determined that the image hash of a file is not valid.
- Event ID 6281 (Audit Failure): Code Integrity determined that the page hashes of an image file are not valid.
- Event ID 4719: System audit policy was changed.
- Event ID 4739: Domain Policy was changed.
- Event ID 4663: An attempt was made to access an object.
- Event ID 5140: A network share object was accessed.