Windows Event Logs

Below are a few Windows event IDs which can help identify threats such as brute force attacks. They can also highlight suspicious activity should your group policy be ignored. Example: admins disabling the local firewall.

Windows Event Logs

Security		4624	Account Logon
Security		4625	Failed login
Security		4720	A user account was created
Security		4722	A user account was enabled
Security		4726	A user account was deleted
Security		4740	A user account was locked out
Security		4724, 4738	Additional user creation events
Security		4728	A member was added to a security-enabled global group
Security		4732	A member was added to a security-enabled local group
Security		4724	An attempt was made to reset an account's password
Security		4767	A user account was unlocked
Security		4781	The name of an account was changed
Security		4738	A user account was changed
Security		4660	An object was deleted
Security		4776	The domain controller attempted to validate the credentials for an account
Security		4743	A computer account was deleted

Security		1100	The event logging service has shut down
Security		1102	Clear Event log

Firewall		2003	Disable firewall
Firewall		4948	A change has been made to Windows Firewall exception list. A rule was deleted
Firewall		4950	A Windows Firewall setting has changed
Firewall		5025	The Windows Firewall Service has been stopped
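As an added example (not part of the original post), the following PowerShell pulls the events from the table above out of a local machine and turns them into two simple checks: a burst of failed logons (4625) against one account from one source, which is the footprint a brute force attempt leaves, and the log-clearing and firewall-tampering events (1100, 1102, 2003, 4948, 4950, 5025), which are rare enough to alert on individually. The one-hour window and the threshold of 10 failures are assumptions to tune for your environment; 4948, 4950 and 5025 are queried from the Security log because that is where Windows writes them, while 2003 lives in the firewall operational log.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session; reading the Security log requires administrative rights.
$Window    = (Get-Date).AddHours(-1)   # assumption: look back one hour
$Threshold = 10                         # assumption: failures per user/source pair

# --- Brute force check: failed logons (4625) grouped by account and source ---
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Window } `
                       -ErrorAction SilentlyContinue

$records = foreach ($e in $failed) {
    # The interesting fields (target account, source address, logon type,
    # NTSTATUS) are only available from the event's XML payload.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $d['TargetUserName']
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']
        Status    = $d['Status']
    }
}

Write-Host "Failed logons in window: $(@($records).Count)"
$records |
    Group-Object User, Source |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# --- Tampering check: event log shutdown/clear and firewall changes ---
# Security log: 1100 (logging service shut down), 1102 (log cleared),
# 4948 (firewall rule deleted), 4950 (firewall setting changed),
# 5025 (firewall service stopped).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1100, 1102, 4948, 4950, 5025; StartTime = $Window } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# Firewall operational log: 2003 (profile setting changed, e.g. firewall disabled).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id = 2003; StartTime = $Window } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Grouping on both account and source address separates a single user mistyping a password from one source hammering many accounts (password spraying), which shows up as many groups with small counts against the same source; lowering the threshold or grouping on Source alone surfaces that pattern too.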

Windows Defender Logs

Microsoft-Windows-AppLocker/EXE and DLL
(EXE/MSI) was allowed to run but would have been prevented from running if the AppLocker policy were enforced

Microsoft-Windows-AppLocker/EXE and DLL
(EXE/MSI) was prevented from running.

Windows Defender has detected malware or other potentially unwanted software

Windows Defender has taken action to protect this machine from malware or other potentially unwanted software
