Windows Event Log Security Monitoring Baseline: The 20 Event IDs Every SOC Must Be Collecting and What Each One Means

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The 5 highest-value Windows event IDs for detection: 4625 (failed logon, brute force), 4648 (explicit credential logon, lateral movement indicator), 4688 (process creation with command line, requires GPO to enable), 4698 (scheduled task creation, persistence mechanism), 4672 (special privileges assigned, covers accounts with SeDebugPrivilege). Default Windows audit settings do not generate most of these; enable Advanced Audit Policy via Group Policy first.
Windows logs more security-relevant events than most organizations collect, and most organizations collect more events than they analyze. The practical approach is to identify the small set of event IDs that provide the highest detection value, ensure the Advanced Audit Policy settings are configured to generate them, forward them to the SIEM, and build detection rules against them. This guide covers the 20 most valuable event IDs and the configuration required to generate each one.
Enabling Advanced Audit Policy: The Foundation
Default Windows audit settings do not generate most of the events in this guide. Enable Advanced Audit Policy via Group Policy:
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
Minimum required subcategories for the baseline:
| Category | Subcategory | Setting |
|---|---|---|
| Logon/Logoff | Logon | Success, Failure |
| Logon/Logoff | Logoff | Success |
| Logon/Logoff | Account Lockout | Failure |
| Logon/Logoff | Special Logon | Success |
| Account Logon | Kerberos Authentication | Success, Failure |
| Account Logon | Credential Validation | Success, Failure |
| Account Management | User Account Management | Success, Failure |
| Account Management | Security Group Management | Success |
| Account Management | Computer Account Management | Success |
| Privilege Use | Sensitive Privilege Use | Success, Failure |
| Detailed Tracking | Process Creation | Success |
| DS Access | Directory Service Access | Failure |
| DS Access | Directory Service Changes | Success |
| Policy Change | Audit Policy Change | Success |
| Policy Change | Authentication Policy Change | Success |
| Object Access | File System (for sensitive paths) | Success, Failure |
For process creation events to include command-line arguments (critical for detecting obfuscated commands): Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events = Enabled
For PowerShell script block logging: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging = Enabled
Authentication Events: Logon, Logoff, and Failure
Event ID 4624: Successful Logon The most fundamental event. The critical field is LogonType:
- Type 2: Interactive (keyboard at the console)
- Type 3: Network (file share, SMB, net use)
- Type 4: Batch (scheduled tasks)
- Type 5: Service (service startup)
- Type 7: Unlock
- Type 10: RemoteInteractive (RDP, Terminal Services)
- Type 11: CachedInteractive (offline cached credential)
For lateral movement detection, focus on Type 3 logons from workstations to workstations (should be rare) and Type 10 logons (RDP) to unexpected systems. Type 3 logons using a Domain Admin account to a standard workstation are high-priority findings.
Event ID 4625: Failed Logon Critical for brute force detection. Fields to extract: SubStatus code distinguishes password failure (0xC000006A) from account disabled (0xC0000072) from account locked (0xC0000234). A high volume of 0xC000006A on a single account is a brute force in progress.
Event ID 4634 / 4647: Logoff Correlate with 4624 to calculate session duration. Unusually long sessions or sessions that span business hours boundaries deserve attention.
Event ID 4648: Logon Using Explicit Credentials Generated when a process runs using different credentials (RunAs, Invoke-Command -Credential). Legitimate uses include scheduled tasks and admin tools, but this event fired by unexpected processes from unexpected accounts is a lateral movement indicator.
Event ID 4672: Special Privileges Assigned Generated whenever an account with sensitive privileges (SeDebugPrivilege, SeTcbPrivilege, SeBackupPrivilege) logs on. Any account with SeDebugPrivilege can dump LSASS. Monitor for non-admin accounts triggering this event.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Privilege Use, Account Management, and Policy Changes
Event ID 4673: Sensitive Privilege Use Generated when a privileged operation uses a sensitive right. SeDebugPrivilege used by a non-standard process is a credential dumping indicator.
Event ID 4720: User Account Created Monitor for new accounts created outside of the expected provisioning process (service account, HR system, IT helpdesk). Attacker persistence via new account creation is a classic technique.
Event ID 4722 / 4723 / 4724: Account Enabled / Password Change / Password Reset Account enables and password resets on disabled or dormant accounts without a corresponding helpdesk ticket are high-priority findings.
Event ID 4728 / 4732 / 4756: Member Added to Security Group 4728: member added to global security group 4732: member added to local security group 4756: member added to universal security group Any addition to Domain Admins, Enterprise Admins, Schema Admins, or Administrators local group should generate an immediate alert regardless of time of day.
Event ID 4740: Account Locked Out High volume lockouts across multiple accounts suggest a password spray attack. A single user locked out repeatedly suggests targeted brute force.
Event ID 4907: Auditing Settings Changed on Object Modifying audit settings on a sensitive object (a file, a registry key, an AD object) to reduce or disable auditing is a defense evasion tactic.
Event ID 4719: System Audit Policy Changed Any change to the audit policy should be alerting. Attackers who gain admin access sometimes disable auditing to cover their tracks.
Process and Object Events: Detecting Tooling and Credential Access
Event ID 4688: Process Created (with command line) The most detection-rich event in Windows when command-line logging is enabled. Key patterns:
lsass.exeas the parent process of anything unexpected (lsass should not spawn child processes)- PowerShell with
-EncodedCommand,-WindowStyle Hidden,-NoProfile -NonInteractive cmd.exespawned bymshta.exe,wscript.exe, orcscript.exe(LOLBins)whoami.exe,net.exe user /domain,nltest.exe /dclist(enumeration commands)mimikatz.exe,procdump.exeby parent PID that is not a known admin process
Event ID 4104: PowerShell Script Block Logging
Logs the actual content of PowerShell scripts before execution, including de-obfuscated content. Requires the GPO setting in the foundation section. Search for: IEX, Invoke-Expression, DownloadString, [Convert]::FromBase64String, and known malicious function names (Invoke-Mimikatz, Invoke-BloodHound).
Event ID 4656 / 4663: Object Access Requires per-object SACL configuration. Set SACLs on:
- LSASS process handle opens (detect credential dumping tools attempting to open LSASS)
- SAM database file (
C:\Windows\System32\config\SAM) access - NTDS.dit access attempts on domain controllers
- Sensitive directories (C:\Users\Administrator, C:\Windows\System32\drivers\etc)
Event ID 4698 / 4702: Scheduled Task Created / Modified Scheduled tasks are a common persistence mechanism. Alert on scheduled task creation that executes from temp directories, PowerShell with encoded commands, or file paths associated with common malware staging locations.
Domain Controller-Specific Events
These events only appear on Domain Controllers and are critical for detecting AD-level attacks:
Event ID 4662: Operation Performed on AD Object The key event for detecting DCSync attacks. DCSync triggers 4662 events with:
- Object type: domainDNS
- Properties:
{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}(DS-Replication-Get-Changes) - Properties:
{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}(DS-Replication-Get-Changes-All)
Alert on any account that is NOT a Domain Controller computer account triggering these replication rights.
Event ID 4769: Kerberos Service Ticket Request
Filter for encryption type 0x17 (RC4-HMAC). In environments that have migrated to AES encryption, RC4 requests from user accounts are anomalous and may indicate Kerberoasting. Alert on: TicketEncryptionType = 0x17 AND ServiceName != krbtgt AND CallerComputerName is not a DC.
Event ID 4771: Kerberos Pre-Authentication Failed Brute force against Kerberos. High volume 4771 events against a single account or from a single source IP is a password spray or brute force attempt.
Event ID 4776: NTLM Credential Validation Generated on the DC when NTLM authentication is used. Monitor for 4776 with ErrorCode 0xC000006A (wrong password) in high volume. In environments with NTLM disabled, any 4776 event is anomalous.
Event ID 4768: TGT Requested Combine with 4769 to track Kerberos ticket chains. A TGT requested from an unusual IP for a high-privilege account outside business hours is worth investigating.
The bottom line
Enable Advanced Audit Policy via GPO before deploying any SIEM rule. Without the policy settings, the events simply do not exist. Start with the logon events (4624 with logon type filtering, 4625, 4648, 4672), process creation with command line (4688 + 4104 for PowerShell), group membership changes (4728, 4732, 4756), and DCSync indicators (4662 with the replication GUIDs). Forward these to a central SIEM, set the Security event log maximum size to at least 1 GB on servers, and build detection rules starting with the highest-signal events.
Frequently asked questions
Why does Windows not log process creation command-line arguments by default?
Microsoft disabled command-line logging by default due to privacy concerns about capturing credentials that may appear in command-line arguments (some legacy applications pass passwords as command-line parameters). Enable it via GPO: Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events. In environments where this is a privacy concern, apply the setting only to servers and domain controllers rather than all workstations.
What is the difference between Event ID 4624 logon type 3 and type 10?
Type 3 is a network logon: the credentials were presented over the network to access a resource (SMB file share, named pipe, etc.). The user's credentials are NOT cached on the target system with type 3 logons, making them less useful for credential harvesting from LSASS. Type 10 is a remote interactive logon via RDP or Terminal Services. With type 10 logons, credentials ARE cached in LSASS memory on the target system. An attacker who gains local admin on a system with type 10 sessions from privileged users can dump those cached credentials from LSASS.
How do I configure the SACL on the LSASS process to detect credential dumping tools?
LSASS process access auditing is configured via System Access Control Lists (SACLs) on the process, not via file SACLs. Use the Windows Sysmon tool (event ID 10 - ProcessAccess) as an easier alternative: Sysmon logs every process that opens a handle to LSASS, with the specific access rights requested. Configure a Sysmon rule to alert on LSASS handle opens with `PROCESS_VM_READ` access from processes other than known-good system processes. This is far more practical than configuring kernel-level SACLs manually.
What log size should I configure for the Security event log on Windows servers?
The default 20 MB maximum size is far too small for servers. On Domain Controllers, configure at least 4 GB (4,096 MB). On member servers, configure at least 512 MB. On workstations, 256 MB is a reasonable minimum. Configure retention to 'Overwrite events as needed' -- log truncation is acceptable if you are forwarding to a SIEM, but losing events between the Windows log buffer and the SIEM forwarder during a high-volume attack window is a risk. For the highest-fidelity retention, forward events to the SIEM in near real-time (under 1 minute lag) using Windows Event Forwarding or a SIEM agent.
Which Windows event IDs are most commonly missed by security teams but high value for detection?
Five high-value but frequently overlooked event IDs: Event 4698 (Scheduled Task Created) detects persistence via scheduled tasks and is missed when teams focus only on process and logon events. Event 4719 (System Audit Policy Changed) detects attackers disabling audit logging. Event 7045 (New Service Installed) in the System log detects malicious service installation, a common persistence mechanism. Event 4776 (NTLM Authentication) with failure code 0xC000006A tracks NTLM password spray attempts against local accounts. Event 1102 (Audit Log Cleared) is a direct indicator of log tampering and should generate an immediate alert regardless of who cleared the log.
How do I configure Windows audit policy using Group Policy without overwriting existing settings?
Use Advanced Audit Policy Configuration (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration) rather than legacy Audit Policy. Advanced Audit Policy provides subcategory-level granularity (for example, configuring 'Audit Logon' for both Success and Failure independently from 'Audit Logoff') and does not conflict with subcategories configured via auditpol.exe. To prevent GPO from overwriting locally configured audit settings on specific machines, enable 'Audit: Force audit policy subcategory settings to override audit policy category settings' in Security Options. Use auditpol /backup /file:current_policy.csv before applying any GPO changes so you have a baseline to restore from if the policy produces unexpected volume changes.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
