Your infrastructure continuously generates log data that you can use to monitor network infrastructure and manage security events.
I share you my cheat sheet of importants events that I used to monitor, but before, lets activate all the logs we need
1 / Enable Advanced auditing
For some events we’ld like to monitor, we’ve to activate some additional auditing features provided by microsoft :
1.1 / Shared objects
In the Group Policy Management Console you can activate the “Audit File Share” by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access -> Audit File Share
1.2 / Access object auditing
Object access auditing is not enabled by default but should be enabled on sensitive systems. To do so, simply set use the Local Security Policy to set Security Settings -> Local Policies -> Audit Policy -> Audit object access to Enabled for Success and Failure
2 / Events you should monitor
2.1 / Account Management Events
These events are recorded on the system where the account was created or modified, a Hacker will usually try to create rogue accounts and try to gain privileges.
You can find theese events in the Security Section of Event Viewer
| Event ID | What it means |
| 4625 | Failed account log on |
| 4648 | A logon attempt was made with explicit credentials |
| 4720 | A user account was created |
| 4722 | A user account was enabled |
| 4723 | An user attempted to change an account’s password |
| 4724 | An attempt was made to reset an account’s password |
| 4725 | A user account was disabled |
| 4726 | A user account was deleted |
| 4738 | A user account was changed |
| 4740 | A user account was locked out |
| 4767 | A user account was unlocked |
| 4727 | A security-enabled global group was created |
| 4728 | A member was added to a security-enabled global group |
| 4729 | A member was removed from a security-enabled global group |
| 4730 | A security-enabled global group was deleted |
| 4731 | A security-enabled local group was created |
| 4732 | A member was added to a security-enabled local group |
| 4733 | A member was removed from a security-enabled local group |
| 4734 | A security-enabled local group was deleted |
| 4735 | A security-enabled local group was changed |
| 4737 | A security-enabled global group was changed |
| 4754 | A security-enabled universal group was created |
| 4755 | A security-enabled universal group was changed |
| 4756 | A member was added to a security-enabled universal group |
| 4757 | A member was removed from a security-enabled universal group |
| 4758 | A security-enabled universal group was deleted |
2.2 / Scheduled Task Logging
| Event ID | What it means | Source |
| 4698 | Events related to Windows scheduled tasks being created | |
| 4699 | Events related to Windows scheduled tasks being deleted | |
| 4700 | Events related to Windows scheduled tasks being enabled | |
| 4701 | Events related to Windows scheduled tasks being disabled | |
| 4702 | Events related to Windows scheduled tasks being modified |
2.3 / File Access Logging
To activate the file access logging, you’ve to activate the logging on a folder (and all subfolders or not) or file. To do that : Right click on a file/folder, Security Pannel, Advanced, Auditing pannel, Continue, & “Add”
| Event ID | What it means |
| 4656 | A handle to an object was requested. |
| 4658 | The handle to an object was closed. |
| 4660 | An object was deleted. |
| 4663 | An attempt was made to access an object. |
| 4670 | Permissions on an object were changed. |
2.4 / Network share Logging
| Event ID | What it means |
| 5140 | A network share object was accessed. |
| 5142 | A network share object was added. |
| 5143 | A network share object was modified. |
| 5144 | A network share object was deleted. |
2.5 / Firewall rules changes
| Event ID | What it Means |
| 4950 | A Windows Firewall setting has changed. |
| 4946 | A change has been made to Windows Firewall exception list. A rule was added. |
| 4947 | A change has been made to Windows Firewall exception list. A rule was modified. |
| 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. |
Thanks to read this post :)
One comment
Pingback: Monitor Windows Logs with Centreon & NsClient++ | AlexNogard: IT Howtos & Turotials