Top Windows events you should monitor

Your infrastructure continuously generates log data that you can use to monitor network infrastructure and manage security events.

I share you my cheat sheet of importants events that I used to monitor, but before, lets activate all the logs we need

1 / Enable Advanced auditing

For some events we’ld like to monitor, we’ve to activate some additional auditing features provided by microsoft :

1.1 / Shared objects

In the Group Policy Management Console you can activate the “Audit File Share” by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access -> Audit File Share

1.2 / Access object auditing

Object access auditing is not enabled by default but should be enabled on sensitive systems. To do so, simply set use the Local Security Policy to set Security Settings -> Local Policies -> Audit Policy -> Audit object access to Enabled for Success and Failure

2 / Events you should monitor

2.1 / Account Management Events

These events are recorded on the system where the account was created or modified, a Hacker will usually try to create rogue accounts and try to gain privileges.

You can find theese events in the Security Section of Event Viewer

Event ID	What it means
4625	Failed account log on
4648	A logon attempt was made with explicit credentials
4720	A user account was created
4722	A user account was enabled
4723	An user attempted to change an account’s password
4724	An attempt was made to reset an account’s password
4725	A user account was disabled
4726	A user account was deleted
4738	A user account was changed
4740	A user account was locked out
4767	A user account was unlocked
4727	A security-enabled global group was created
4728	A member was added to a security-enabled global group
4729	A member was removed from a security-enabled global group
4730	A security-enabled global group was deleted
4731	A security-enabled local group was created
4732	A member was added to a security-enabled local group
4733	A member was removed from a security-enabled local group
4734	A security-enabled local group was deleted
4735	A security-enabled local group was changed
4737	A security-enabled global group was changed
4754	A security-enabled universal group was created
4755	A security-enabled universal group was changed
4756	A member was added to a security-enabled universal group
4757	A member was removed from a security-enabled universal group
4758	A security-enabled universal group was deleted

2.2 / Scheduled Task Logging

Event ID	What it means	Source
4698	Events related to Windows scheduled tasks being created
4699	Events related to Windows scheduled tasks being deleted
4700	Events related to Windows scheduled tasks being enabled
4701	Events related to Windows scheduled tasks being disabled
4702	Events related to Windows scheduled tasks being modified

2.3 / File Access Logging

To activate the file access logging, you’ve to activate the logging on a folder (and all subfolders or not) or file. To do that : Right click on a file/folder, Security Pannel, Advanced, Auditing pannel, Continue, & “Add”

Event ID	What it means
4656	A handle to an object was requested.
4658	The handle to an object was closed.
4660	An object was deleted.
4663	An attempt was made to access an object.
4670	Permissions on an object were changed.

2.4 / Network share Logging

Event ID	What it means
5140	A network share object was accessed.
5142	A network share object was added.
5143	A network share object was modified.
5144	A network share object was deleted.

2.5 / Firewall rules changes

Event ID	What it Means
4950	A Windows Firewall setting has changed.
4946	A change has been made to Windows Firewall exception list. A rule was added.
4947	A change has been made to Windows Firewall exception list. A rule was modified.
4948	A change has been made to Windows Firewall exception list. A rule was deleted.

Thanks to read this post :)