PRACTITIONER GUIDE | SECURITY OPERATIONS
Practitioner GuideUpdated 13 min read

Windows Event Log Security Monitoring Baseline: The 20 Event IDs Every SOC Must Be Collecting and What Each One Means

Default
Windows audit policy does not log process creation (4688) or PowerShell script block logging -- both must be explicitly enabled
10
logon type values in Windows, of which types 3, 10, and 2 are most relevant for lateral movement and interactive session detection
Security
event log has a default maximum size of 20 MB on Windows -- overwritten events are lost unless forwarded to a SIEM before log rotation
Event ID 4688
process creation logging with command-line arguments requires both Advanced Audit Policy AND a separate GPO setting for command-line inclusion

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The 5 highest-value Windows event IDs for detection: 4625 (failed logon, brute force), 4648 (explicit credential logon, lateral movement indicator), 4688 (process creation with command line, requires GPO to enable), 4698 (scheduled task creation, persistence mechanism), 4672 (special privileges assigned, covers accounts with SeDebugPrivilege). Default Windows audit settings do not generate most of these; enable Advanced Audit Policy via Group Policy first.

Windows logs more security-relevant events than most organizations collect, and most organizations collect more events than they analyze. The practical approach is to identify the small set of event IDs that provide the highest detection value, ensure the Advanced Audit Policy settings are configured to generate them, forward them to the SIEM, and build detection rules against them. This guide covers the 20 most valuable event IDs and the configuration required to generate each one.

Enabling Advanced Audit Policy: The Foundation

Default Windows audit settings do not generate most of the events in this guide. Enable Advanced Audit Policy via Group Policy:

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration

Minimum required subcategories for the baseline:

CategorySubcategorySetting
Logon/LogoffLogonSuccess, Failure
Logon/LogoffLogoffSuccess
Logon/LogoffAccount LockoutFailure
Logon/LogoffSpecial LogonSuccess
Account LogonKerberos AuthenticationSuccess, Failure
Account LogonCredential ValidationSuccess, Failure
Account ManagementUser Account ManagementSuccess, Failure
Account ManagementSecurity Group ManagementSuccess
Account ManagementComputer Account ManagementSuccess
Privilege UseSensitive Privilege UseSuccess, Failure
Detailed TrackingProcess CreationSuccess
DS AccessDirectory Service AccessFailure
DS AccessDirectory Service ChangesSuccess
Policy ChangeAudit Policy ChangeSuccess
Policy ChangeAuthentication Policy ChangeSuccess
Object AccessFile System (for sensitive paths)Success, Failure

For process creation events to include command-line arguments (critical for detecting obfuscated commands): Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events = Enabled

For PowerShell script block logging: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging = Enabled

Authentication Events: Logon, Logoff, and Failure

Event ID 4624: Successful Logon The most fundamental event. The critical field is LogonType:

  • Type 2: Interactive (keyboard at the console)
  • Type 3: Network (file share, SMB, net use)
  • Type 4: Batch (scheduled tasks)
  • Type 5: Service (service startup)
  • Type 7: Unlock
  • Type 10: RemoteInteractive (RDP, Terminal Services)
  • Type 11: CachedInteractive (offline cached credential)

For lateral movement detection, focus on Type 3 logons from workstations to workstations (should be rare) and Type 10 logons (RDP) to unexpected systems. Type 3 logons using a Domain Admin account to a standard workstation are high-priority findings.

Event ID 4625: Failed Logon Critical for brute force detection. Fields to extract: SubStatus code distinguishes password failure (0xC000006A) from account disabled (0xC0000072) from account locked (0xC0000234). A high volume of 0xC000006A on a single account is a brute force in progress.

Event ID 4634 / 4647: Logoff Correlate with 4624 to calculate session duration. Unusually long sessions or sessions that span business hours boundaries deserve attention.

Event ID 4648: Logon Using Explicit Credentials Generated when a process runs using different credentials (RunAs, Invoke-Command -Credential). Legitimate uses include scheduled tasks and admin tools, but this event fired by unexpected processes from unexpected accounts is a lateral movement indicator.

Event ID 4672: Special Privileges Assigned Generated whenever an account with sensitive privileges (SeDebugPrivilege, SeTcbPrivilege, SeBackupPrivilege) logs on. Any account with SeDebugPrivilege can dump LSASS. Monitor for non-admin accounts triggering this event.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Privilege Use, Account Management, and Policy Changes

Event ID 4673: Sensitive Privilege Use Generated when a privileged operation uses a sensitive right. SeDebugPrivilege used by a non-standard process is a credential dumping indicator.

Event ID 4720: User Account Created Monitor for new accounts created outside of the expected provisioning process (service account, HR system, IT helpdesk). Attacker persistence via new account creation is a classic technique.

Event ID 4722 / 4723 / 4724: Account Enabled / Password Change / Password Reset Account enables and password resets on disabled or dormant accounts without a corresponding helpdesk ticket are high-priority findings.

Event ID 4728 / 4732 / 4756: Member Added to Security Group 4728: member added to global security group 4732: member added to local security group 4756: member added to universal security group Any addition to Domain Admins, Enterprise Admins, Schema Admins, or Administrators local group should generate an immediate alert regardless of time of day.

Event ID 4740: Account Locked Out High volume lockouts across multiple accounts suggest a password spray attack. A single user locked out repeatedly suggests targeted brute force.

Event ID 4907: Auditing Settings Changed on Object Modifying audit settings on a sensitive object (a file, a registry key, an AD object) to reduce or disable auditing is a defense evasion tactic.

Event ID 4719: System Audit Policy Changed Any change to the audit policy should be alerting. Attackers who gain admin access sometimes disable auditing to cover their tracks.

Process and Object Events: Detecting Tooling and Credential Access

Event ID 4688: Process Created (with command line) The most detection-rich event in Windows when command-line logging is enabled. Key patterns:

  • lsass.exe as the parent process of anything unexpected (lsass should not spawn child processes)
  • PowerShell with -EncodedCommand, -WindowStyle Hidden, -NoProfile -NonInteractive
  • cmd.exe spawned by mshta.exe, wscript.exe, or cscript.exe (LOLBins)
  • whoami.exe, net.exe user /domain, nltest.exe /dclist (enumeration commands)
  • mimikatz.exe, procdump.exe by parent PID that is not a known admin process

Event ID 4104: PowerShell Script Block Logging Logs the actual content of PowerShell scripts before execution, including de-obfuscated content. Requires the GPO setting in the foundation section. Search for: IEX, Invoke-Expression, DownloadString, [Convert]::FromBase64String, and known malicious function names (Invoke-Mimikatz, Invoke-BloodHound).

Event ID 4656 / 4663: Object Access Requires per-object SACL configuration. Set SACLs on:

  • LSASS process handle opens (detect credential dumping tools attempting to open LSASS)
  • SAM database file (C:\Windows\System32\config\SAM) access
  • NTDS.dit access attempts on domain controllers
  • Sensitive directories (C:\Users\Administrator, C:\Windows\System32\drivers\etc)

Event ID 4698 / 4702: Scheduled Task Created / Modified Scheduled tasks are a common persistence mechanism. Alert on scheduled task creation that executes from temp directories, PowerShell with encoded commands, or file paths associated with common malware staging locations.

Domain Controller-Specific Events

These events only appear on Domain Controllers and are critical for detecting AD-level attacks:

Event ID 4662: Operation Performed on AD Object The key event for detecting DCSync attacks. DCSync triggers 4662 events with:

  • Object type: domainDNS
  • Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes)
  • Properties: {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes-All)

Alert on any account that is NOT a Domain Controller computer account triggering these replication rights.

Event ID 4769: Kerberos Service Ticket Request Filter for encryption type 0x17 (RC4-HMAC). In environments that have migrated to AES encryption, RC4 requests from user accounts are anomalous and may indicate Kerberoasting. Alert on: TicketEncryptionType = 0x17 AND ServiceName != krbtgt AND CallerComputerName is not a DC.

Event ID 4771: Kerberos Pre-Authentication Failed Brute force against Kerberos. High volume 4771 events against a single account or from a single source IP is a password spray or brute force attempt.

Event ID 4776: NTLM Credential Validation Generated on the DC when NTLM authentication is used. Monitor for 4776 with ErrorCode 0xC000006A (wrong password) in high volume. In environments with NTLM disabled, any 4776 event is anomalous.

Event ID 4768: TGT Requested Combine with 4769 to track Kerberos ticket chains. A TGT requested from an unusual IP for a high-privilege account outside business hours is worth investigating.

The bottom line

Enable Advanced Audit Policy via GPO before deploying any SIEM rule. Without the policy settings, the events simply do not exist. Start with the logon events (4624 with logon type filtering, 4625, 4648, 4672), process creation with command line (4688 + 4104 for PowerShell), group membership changes (4728, 4732, 4756), and DCSync indicators (4662 with the replication GUIDs). Forward these to a central SIEM, set the Security event log maximum size to at least 1 GB on servers, and build detection rules starting with the highest-signal events.

Frequently asked questions

Why does Windows not log process creation command-line arguments by default?

Microsoft disabled command-line logging by default due to privacy concerns about capturing credentials that may appear in command-line arguments (some legacy applications pass passwords as command-line parameters). Enable it via GPO: Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events. In environments where this is a privacy concern, apply the setting only to servers and domain controllers rather than all workstations.

What is the difference between Event ID 4624 logon type 3 and type 10?

Type 3 is a network logon: the credentials were presented over the network to access a resource (SMB file share, named pipe, etc.). The user's credentials are NOT cached on the target system with type 3 logons, making them less useful for credential harvesting from LSASS. Type 10 is a remote interactive logon via RDP or Terminal Services. With type 10 logons, credentials ARE cached in LSASS memory on the target system. An attacker who gains local admin on a system with type 10 sessions from privileged users can dump those cached credentials from LSASS.

How do I configure the SACL on the LSASS process to detect credential dumping tools?

LSASS process access auditing is configured via System Access Control Lists (SACLs) on the process, not via file SACLs. Use the Windows Sysmon tool (event ID 10 - ProcessAccess) as an easier alternative: Sysmon logs every process that opens a handle to LSASS, with the specific access rights requested. Configure a Sysmon rule to alert on LSASS handle opens with `PROCESS_VM_READ` access from processes other than known-good system processes. This is far more practical than configuring kernel-level SACLs manually.

What log size should I configure for the Security event log on Windows servers?

The default 20 MB maximum size is far too small for servers. On Domain Controllers, configure at least 4 GB (4,096 MB). On member servers, configure at least 512 MB. On workstations, 256 MB is a reasonable minimum. Configure retention to 'Overwrite events as needed' -- log truncation is acceptable if you are forwarding to a SIEM, but losing events between the Windows log buffer and the SIEM forwarder during a high-volume attack window is a risk. For the highest-fidelity retention, forward events to the SIEM in near real-time (under 1 minute lag) using Windows Event Forwarding or a SIEM agent.

Which Windows event IDs are most commonly missed by security teams but high value for detection?

Five high-value but frequently overlooked event IDs: Event 4698 (Scheduled Task Created) detects persistence via scheduled tasks and is missed when teams focus only on process and logon events. Event 4719 (System Audit Policy Changed) detects attackers disabling audit logging. Event 7045 (New Service Installed) in the System log detects malicious service installation, a common persistence mechanism. Event 4776 (NTLM Authentication) with failure code 0xC000006A tracks NTLM password spray attempts against local accounts. Event 1102 (Audit Log Cleared) is a direct indicator of log tampering and should generate an immediate alert regardless of who cleared the log.

How do I configure Windows audit policy using Group Policy without overwriting existing settings?

Use Advanced Audit Policy Configuration (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration) rather than legacy Audit Policy. Advanced Audit Policy provides subcategory-level granularity (for example, configuring 'Audit Logon' for both Success and Failure independently from 'Audit Logoff') and does not conflict with subcategories configured via auditpol.exe. To prevent GPO from overwriting locally configured audit settings on specific machines, enable 'Audit: Force audit policy subcategory settings to override audit policy category settings' in Security Options. Use auditpol /backup /file:current_policy.csv before applying any GPO changes so you have a baseline to restore from if the policy produces unexpected volume changes.

Sources & references

  1. Microsoft: Security auditing overview
  2. NSA: Spotting the Adversary with Windows Event Log Monitoring
  3. Malware Archaeology: Windows Logging Cheat Sheet
  4. Microsoft: Audit policy recommendations

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.