Security operations event id, Summaries of Computer Security

Event IDs used in daily computer communication over the internet.

Typology: Summaries

2025/2026

Uploaded on 01/16/2026

om-kalyankar
TOP Windows Event IDs for SOC Analysts
This list is industry standard and used in real-world detection engineering.

1. Authentication & Account Logon Events
These events help detect brute force, credential theft, lateral movement and privilege escalation.

Logon Events (Event Log: Security)

Event ID  Meaning                  Why Important
4624      Successful logon         Baseline user behavior, detect unusual sources
4625      Failed logon             Brute-force attempts, password-spraying
4634      Logoff                   Helps correlate sessions
4647      User initiated logoff    Normal logout behavior


Download Security operations event id and more Summaries Computer Security in PDF only on Docsity!


4672      Admin privileges assigned           Detect privilege escalation
4648      Logon using explicit credentials    Pass-the-Hash / Pass-the-Ticket detection
4768      Kerberos TGT request                Detect Kerberoasting patterns
4769      Kerberos service ticket request     Lateral movement tracking
4776      NTLM authentication                 NTLM brute-force, legacy auth use

4733      User removed from security group        Insider cleanup behavior
4756      User added to global security group     High-value group modification
4781      Account name changed                    Used in identity obfuscation by attackers

2. Process Creation & Execution Events
Crucial for malware execution, persistence, and initial compromise.

Event ID  Meaning                          Why Important
4688      Process creation                 Core for malware detection, parent-child mapping
4689      Process exit                     Track lifetime and correlate with 4688
4697      New service installed            Persistence indicator
7045      Service installed (System log)   Used by malware for persistence
4698      Scheduled task created           MITRE T1053 persistence
4699      Scheduled task deleted           Cleanup activities

3. Windows Firewall & Network Events
Track incoming/outgoing connections, lateral movement, enumeration.

Event ID  Meaning                                Why Important
5156      Outbound network connection allowed    Malware C2 communication
5157      Connection blocked                     Detect attempted malware communication
5158      UDP bind                               Malware preparing listener
5152      Blocked packets                        Recon & scanning indicators

4. Log Clearing & Anti-Forensic Events
Attackers often clear logs to hide traces.

Event ID       Meaning                 Why Important
1102           Security log cleared    HIGH ALERT — almost always malicious
104 (System)   Audit log cleared       Anti-forensics, insider threat
4719           Audit policy changed    Detect disabling of security logs

5. RDP / Remote Access Events
Detect lateral movement, unauthorized access, ransomware operators.

Event ID                  Meaning                Why Important
4624 (Logon Type 10/7)    Remote logon           RDP sessions
4778                      Session reconnected    Track attacker behavior
4779                      Session disconnected   Identify suspicious activity
4648                      Explicit creds used    Pass-the-Hash / RDP

6. DNS Events
Useful for C2 detection, domain abuse, data exfiltration via DNS.

Event ID                 Meaning
5156 + DNS Query         Indicative of network callouts
DNS Server 22xx series   Domain lookups

Reference: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4733#fields
-yuvaraj.D https://in.linkedin.com/in/
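How a SOC turns the 4625, 4624, 1102 and 4719 entries above into detection logic, as an added example that is not part of the original summary: the sample events, thresholds and field names (user, ip, logon_type, standing in for TargetUserName, IpAddress and LogonType) are constructed assumptions, and the rules cover the brute-force, password-spray, success-after-failures, remote-logon and log-tampering cases the tables describe.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Keys mirror Security-log
# EventData fields: TargetUserName, IpAddress, LogonType.
EVENTS = [
    {"t": "2026-01-16T09:00:01", "id": 4625, "user": "alice", "ip": "10.0.0.9"},
    {"t": "2026-01-16T09:00:03", "id": 4625, "user": "bob",   "ip": "10.0.0.9"},
    {"t": "2026-01-16T09:00:05", "id": 4625, "user": "carol", "ip": "10.0.0.9"},
    {"t": "2026-01-16T09:00:07", "id": 4625, "user": "dave",  "ip": "10.0.0.9"},
    {"t": "2026-01-16T09:00:09", "id": 4625, "user": "erin",  "ip": "10.0.0.9"},
    {"t": "2026-01-16T09:00:20", "id": 4624, "user": "erin",  "ip": "10.0.0.9", "logon_type": 3},
    {"t": "2026-01-16T09:30:00", "id": 4624, "user": "alice", "ip": "10.0.0.5", "logon_type": 10},
    {"t": "2026-01-16T10:00:00", "id": 1102, "user": "erin",  "ip": "-"},
]

def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts derived from the event IDs in the tables above."""
    alerts = []
    failures = defaultdict(list)  # source IP -> [(time, target user)] of 4625s

    def recent(ip, now):
        # Keep only the 4625s from this source inside the sliding window.
        failures[ip] = [(t, u) for t, u in failures[ip] if now - t <= window]
        return failures[ip]

    for e in sorted(events, key=lambda e: e["t"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(e["t"])
        ip, user, eid = e["ip"], e["user"], e["id"]
        if eid == 4625:
            hits = recent(ip, ts) + [(ts, user)]
            failures[ip] = hits
            if len(hits) == threshold:  # fire once per burst, not on every extra 4625
                spray = len({u for _, u in hits}) >= threshold
                rule = ("password spray (4625, many users, one source)" if spray
                        else "brute force (4625, one source)")
                alerts.append({"rule": rule, "ip": ip, "user": user, "time": ts})
        elif eid == 4624:
            if len(recent(ip, ts)) >= threshold:  # a burst of failures then success
                alerts.append({"rule": "success after failures (4625 -> 4624)",
                               "ip": ip, "user": user, "time": ts})
            if e.get("logon_type") == 10:  # RDP session, per section 5
                alerts.append({"rule": "remote interactive logon (4624 type 10)",
                               "ip": ip, "user": user, "time": ts})
        elif eid in (1102, 4719):  # log cleared / audit policy changed, per section 4
            alerts.append({"rule": f"log tampering (event {eid})",
                           "ip": ip, "user": user, "time": ts})
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["time"].isoformat(), a["rule"], a["ip"], a["user"])
```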