Windows Event Logs

Below are a few Windows event IDs that can help identify threats such as brute-force attacks. They can also highlight suspicious activity where group policy is being bypassed, for example an admin disabling the local firewall.

Windows Event Logs

Log	Event ID	Description
Security	4624	Successful account logon
Security	4625	Failed logon
Security	4720	A user account was created
Security	4722	A user account was enabled
Security	4726	A user account was deleted
Security	4740	A user account was locked out
Security	4724, 4738	Events that typically accompany user creation (see 4724 and 4738 below)
Security	4728	A member was added to a security-enabled global group
Security	4732	A member was added to a security-enabled local group
Security	4724	An attempt was made to reset an account's password
Security	4767	A user account was unlocked
Security	4781	The name of an account was changed
Security	4738	A user account was changed
Security	4660	An object was deleted
Security	4776	The domain controller attempted to validate the credentials for an account
Security	4743	A computer account was deleted

Security	1100	The event logging service has shut down
Security	1102	The audit log was cleared

Firewall	2003	Firewall disabled (profile setting changed)
Firewall	4948	A change has been made to the Windows Firewall exception list: a rule was deleted
Firewall	4950	A Windows Firewall setting has changed
Firewall	5025	The Windows Firewall service has been stopped
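As an added example (not part of the original post), the detection logic a defender would run over the Security and Firewall events in the table above: it flags a burst of failed logons (4625) from one source against one account, a success (4624) that follows such a burst, and any of the log/firewall tampering IDs. The event field names (`time`, `id`, `user`, `src`) are an assumption about how the events were normalised from the log, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs from the table above that indicate log or firewall tampering.
TAMPER_EVENTS = {
    1100: "event logging service shut down",
    1102: "audit log cleared",
    2003: "firewall disabled / profile setting changed",
    4948: "firewall rule deleted",
    5025: "firewall service stopped",
}

def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Scan normalised events (dicts with 'time' ISO-8601, 'id', 'user', 'src';
    these field names are an assumption of this example) and return alerts.
    Brute force = `threshold` 4625s for one user/source pair inside `window`."""
    alerts, alerted = [], set()
    failures = defaultdict(list)  # (src, user) -> failure timestamps in window
    for ev in sorted(events, key=lambda e: e["time"]):
        t, eid = datetime.fromisoformat(ev["time"]), ev["id"]
        key = (ev.get("src"), ev.get("user"))
        if eid in TAMPER_EVENTS:
            alerts.append(f"{ev['time']} TAMPER {eid}: {TAMPER_EVENTS[eid]}")
        elif eid == 4625:
            bucket = failures[key]
            bucket.append(t)
            while t - bucket[0] > window:  # slide the window forward
                bucket.pop(0)
            if len(bucket) >= threshold and key not in alerted:
                alerted.add(key)  # alert once per burst, not on every extra failure
                alerts.append(f"{ev['time']} BRUTE_FORCE {key[1]} from {key[0]}: "
                              f"{len(bucket)} x 4625 in {window}")
        elif eid == 4624 and key in alerted:  # success after an alerted burst
            alerts.append(f"{ev['time']} SUCCESS_AFTER_BRUTE_FORCE {key[1]} from {key[0]} (4624)")
    return alerts

# Constructed sample: six 4625s for alice from 10.0.0.5 within a minute, one
# stray 4625 for bob, then a successful 4624 for alice and an audit-log clear.
SAMPLE_EVENTS = [
    {"time": f"2024-01-01T08:00:{s:02d}", "id": 4625, "user": "alice", "src": "10.0.0.5"}
    for s in range(0, 60, 10)
] + [
    {"time": "2024-01-01T08:01:00", "id": 4625, "user": "bob", "src": "10.0.0.9"},
    {"time": "2024-01-01T08:01:30", "id": 4624, "user": "alice", "src": "10.0.0.5"},
    {"time": "2024-01-01T08:02:00", "id": 1102, "user": "alice", "src": "10.0.0.5"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

On a live host the same function can be fed the output of `Get-WinEvent` exported to JSON and mapped onto the assumed field names.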

Windows Defender and AppLocker Logs

Log	Event ID	Description
Microsoft-Windows-AppLocker/EXE and DLL	8003	(EXE/MSI) was allowed to run but would have been prevented from running if the AppLocker policy were enforced
Microsoft-Windows-AppLocker/EXE and DLL	8004	(EXE/MSI) was prevented from running
Microsoft-Windows-WindowsDefender/Operational	1116	Windows Defender has detected malware or other potentially unwanted software
Microsoft-Windows-WindowsDefender/Operational	1117	Windows Defender has taken action to protect this machine from malware or other potentially unwanted software
