
Top Windows events you should monitor

Your infrastructure continuously generates log data that you can use to monitor network infrastructure and manage security events.

Here is my cheat sheet of the important events I use to monitor, but first, let's enable all the logs we need.

1 / Enable Advanced auditing

For some of the events we would like to monitor, we have to enable additional auditing features provided by Microsoft:

1.1 / Shared objects

In the Group Policy Management Console you can enable the "Audit File Share" policy by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access -> Audit File Share

1.2 / Access object auditing

Object access auditing is not enabled by default but should be enabled on sensitive systems. To do so, use the Local Security Policy to set Security Settings -> Local Policies -> Audit Policy -> Audit object access to Enabled for Success and Failure.
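The two steps above can also be applied from an elevated prompt with auditpol, which is handy on a standalone host or for checking what a GPO actually delivered. This is an added example, not part of the original post; the subcategory names are the ones auditpol itself prints, and the mapping to the event sections that follow is based on which subcategory generates those event IDs.

```powershell
# Added example (not from the original post): enable the audit subcategories that the
# event tables in this post rely on, then verify what is in force. Run elevated.

# 1.1 Shared objects: generates 5140-5144 (network share events)
auditpol /set /subcategory:"File Share" /success:enable /failure:enable

# 1.2 Object access: generates 4656/4658/4660/4663/4670 for files and folders
#     (a SACL must still be set on each folder you care about, see section 2.3)
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Scheduled task events 4698-4702 are logged under this subcategory
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

# Firewall rule events 4946/4947/4948/4950 are logged under this subcategory
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable

# Verify: prints Success / Failure / No Auditing for each subcategory in the category
auditpol /get /category:"Object Access"
auditpol /get /category:"Policy Change"
```

Two caveats a practitioner should keep in mind: when any Advanced Audit Policy subcategory is configured, it overrides the legacy "Audit object access" category setting from step 1.2 (the default "Force audit policy subcategory settings" security option enforces this), so check with `auditpol /get` rather than trusting the Local Security Policy view; and "File Share" plus "Other Object Access Events" with Failure enabled can be noisy on file servers, so size your log and collection accordingly.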


2 / Events you should monitor

2.1 / Account Management Events

These events are recorded on the system where the account was created or modified; an attacker will usually try to create rogue accounts and gain privileges with them.

You can find these events in the Security log of Event Viewer.

Event ID   What it means
4625       Failed account logon
4648       A logon attempt was made with explicit credentials
4720       A user account was created
4722       A user account was enabled
4723       A user attempted to change an account’s password
4724       An attempt was made to reset an account’s password
4725       A user account was disabled
4726       A user account was deleted
4738       A user account was changed
4740       A user account was locked out
4767       A user account was unlocked
4727       A security-enabled global group was created
4728       A member was added to a security-enabled global group
4729       A member was removed from a security-enabled global group
4730       A security-enabled global group was deleted
4731       A security-enabled local group was created
4732       A member was added to a security-enabled local group
4733       A member was removed from a security-enabled local group
4734       A security-enabled local group was deleted
4735       A security-enabled local group was changed
4737       A security-enabled global group was changed
4754       A security-enabled universal group was created
4755       A security-enabled universal group was changed
4756       A member was added to a security-enabled universal group
4757       A member was removed from a security-enabled universal group
4758       A security-enabled universal group was deleted

2.2 / Scheduled Task Logging

Event ID   What it means
4698       A Windows scheduled task was created
4699       A Windows scheduled task was deleted
4700       A Windows scheduled task was enabled
4701       A Windows scheduled task was disabled
4702       A Windows scheduled task was modified

2.3 / File Access Logging

To enable file access logging, you have to enable auditing on a folder (with or without its subfolders) or on a single file. To do that: right click the file or folder, open the Security panel, click Advanced, open the Auditing panel, click Continue, and then "Add".

Event ID   What it means
4656       A handle to an object was requested.
4658       The handle to an object was closed.
4660       An object was deleted.
4663       An attempt was made to access an object.
4670       Permissions on an object were changed.
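The same SACL that the Auditing panel creates can be applied with PowerShell, which is easier to repeat across servers and to verify. This is an added example, not code from the original post; the folder path `C:\Sensitive`, the `Everyone` principal and the chosen rights are illustrative assumptions.

```powershell
# Added example (not from the original post): put an audit entry (SACL) on a folder so that
# the Object Access events in the table above are generated for it. Run elevated, after the
# "File System" audit subcategory has been enabled (section 1.2).

$Folder = 'C:\Sensitive'   # hypothetical folder to audit

function Enable-FolderAudit {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Principal = 'Everyone',    # audit everyone; narrow this on busy shares
        [switch]$IncludeSubfolders
    )
    # Rights chosen to match the events in the table:
    #   ReadData/WriteData/AppendData        -> 4656 (handle requested) and 4663 (access)
    #   Delete/DeleteSubdirectoriesAndFiles  -> 4660 (object deleted)
    #   ChangePermissions/TakeOwnership      -> 4670 (permissions changed)
    $rights = [System.Security.AccessControl.FileSystemRights]'ReadData,WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership'

    $inherit = if ($IncludeSubfolders) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Principal,
        $rights,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success,Failure')

    # -Audit is required: without it Get-Acl returns the DACL only and Set-Acl leaves the SACL alone
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAudit {
    # Show the audit entries currently on the folder, i.e. what the Auditing panel displays
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

Enable-FolderAudit -Path $Folder -IncludeSubfolders
Get-FolderAudit -Path $Folder
```

Auditing ReadData for Everyone on a heavily used folder produces a 4663 for every read, so in practice restrict the principal or drop the read rights and keep WriteData, Delete and ChangePermissions, which are the ones that matter for detecting tampering.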

2.4 / Network share Logging

Event ID   What it means
5140       A network share object was accessed.
5142       A network share object was added.
5143       A network share object was modified.
5144       A network share object was deleted.

2.5 / Firewall rules changes

Event ID   What it means
4950       A Windows Firewall setting has changed.
4946       A change has been made to the Windows Firewall exception list. A rule was added.
4947       A change has been made to the Windows Firewall exception list. A rule was modified.
4948       A change has been made to the Windows Firewall exception list. A rule was deleted.
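All five tables above (account management, scheduled tasks, file access, network shares, firewall rules) live in the same Security log, so one query function covers them. The example below is added here and is not part of the original post: it reads the events for a given list of IDs since a point in time and pulls the useful fields (who, which account/group/object, from where) out of the event XML. The ID lists mirror the tables; the 24-hour window and the use of the local machine name are assumptions.

```powershell
# Added example (not from the original post): query the Security log for the event IDs listed
# in sections 2.1 to 2.5 and summarise them. Run in an elevated session on the audited host,
# or pass -ComputerName for remote hosts where Event Log remoting is allowed.

$AccountEvents  = 4625,4648,4720,4722,4723,4724,4725,4726,4738,4740,4767
$GroupEvents    = 4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4754,4755,4756,4757,4758
$TaskEvents     = 4698,4699,4700,4701,4702
$FileEvents     = 4656,4658,4660,4663,4670
$ShareEvents    = 5140,5142,5143,5144
$FirewallEvents = 4946,4947,4948,4950

function Get-SecurityEventSummary {
    param(
        [Parameter(Mandatory)][int[]]$Id,
        [datetime]$Since = (Get-Date).AddHours(-24),   # assumed default window
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $Since }

    # Get-WinEvent reports an error when nothing matches; treat that as "no events"
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData fields are only reachable through the XML form of the event
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Computer = $e.MachineName
            Subject  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"  # who performed the action
            Target   = $d['TargetUserName']     # account or group affected (4720-4767, 47xx group events)
            Member   = $d['MemberName']         # member added/removed in group events (4728, 4732, 4756 ...)
            Object   = $d['ObjectName']         # file/folder for 4656-4670
            Share    = $d['ShareName']          # share for 5140-5144
            Source   = $d['IpAddress']          # client address for 4625/4648 and share access
            Summary  = ($e.Message -split "`r?`n")[0]   # first line of the message = what it means
        }
    }
}

# Account and group changes in the last 24 hours
Get-SecurityEventSummary -Id ($AccountEvents + $GroupEvents) |
    Format-Table Time, Id, Subject, Target, Member -AutoSize

# New or modified scheduled tasks and firewall rules over the last week, counted per event ID
Get-SecurityEventSummary -Id ($TaskEvents + $FirewallEvents) -Since (Get-Date).AddDays(-7) |
    Group-Object Id | Select-Object Name, Count

# Who touched the audited folders and shares today
Get-SecurityEventSummary -Id ($FileEvents + $ShareEvents) |
    Where-Object { $_.Object -or $_.Share } |
    Format-Table Time, Id, Subject, Object, Share, Source -AutoSize
```

The Subject column is what makes this useful for triage: for 4720 it tells you which admin (or which compromised account) created the user, for 4728 who added the member, and for 4740 the locking computer. Feed the same ID lists into your SIEM collection filter so that the events you alert on are exactly the ones in the tables above.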

Thanks for reading this post :)


About Alexandre Nogard
