Event IDs, Logging, & SIEMs
Hunting Suspicious Activity
Account Logon Events
| Event ID | Description |
|---|---|
4624 | Sucessful Logon |
4625 | Failed Logon |
4634 | Sucessful Logoff |
4647 | User-initiated Logoff |
4548 | Logon using Explicit Credentials |
4672 | Special Privileges Assigned |
4768 | Kerberos Ticket (TGT) Requested |
4769 | Kerberos Service Ticket Requested |
4771 | Kerberos Pre-auth Failed |
4776 | Attempted to Validate Credentials |
4778 | Session Reconnected |
4779 | Session Disconnected |
Account Management
| Event ID | Description |
|---|---|
4720 | Account created |
4722 | Account enabled |
4724 | Attempt to reset a password |
4728 | User added to a global group |
4732 | User added to a local group |
4756 | User added to a universal group |
Hunting Password Attacks
Hunt for event ID 4625 (Logon Failed) and Logon Type 3 (Network Logon) Looking for rapid succession of failed attempts to the same machine, or multiple machines.
Last updated
