Windows Event Log Analysis for Security: The Event IDs That Matter and How to Act on Them

Before Event IDs matter, audit policy must be configured to generate them. Windows default audit policy is insufficient for security monitoring — many critical event types are not logged by default.

Use Advanced Audit Policy, not Basic Audit Policy: Windows has two audit policy systems: the basic audit policy (9 categories in Security Settings) and the Advanced Audit Policy (53 subcategories). The two systems conflict — applying both produces unpredictable results. Use only the Advanced Audit Policy, configured via GPO at Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.

Critical subcategories to enable:

Enable command line logging in Process Creation events: GPO: Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events → Enabled. Without this, Event ID 4688 shows the process name but not the command line arguments — reducing detection value significantly.

Authentication events provide visibility into who is logging in, from where, using which method — and when those patterns deviate from baseline.

Event ID 4624 — Successful Logon: The most fundamental event. Key fields: Account Name, Logon Type, Workstation Name, Source Network Address, Authentication Package.

Logon Type values decode as:

• Type 2: Interactive (local console logon)
• Type 3: Network (SMB, file share, WMI)
• Type 4: Batch (scheduled tasks)
• Type 5: Service (service account logons)
• Type 7: Unlock (screen unlock)
• Type 10: RemoteInteractive (RDP)
• Type 11: CachedInteractive (cached credential logon — no DC contact)

Detection uses: Type 3 logons from workstations to other workstations (lateral movement via SMB), Type 10 logons from unusual source IPs (RDP-based lateral movement or external attacker), authentication with unusual logon types for a given account (service account logging on interactively).

Event ID 4625 — Failed Logon: Failed authentication. Key field: Failure Reason (Sub Status Code). Common sub-status codes:

• 0xC000006A: Wrong password
• 0xC0000064: Account does not exist
• 0xC000006D: Bad username or authentication information
• 0xC0000234: Account locked out

Detection uses: burst of 4625 events from one source against multiple accounts (password spray), burst against one account from one source (brute force), high rate of 0xC0000064 sub-status (username enumeration).

Event ID 4648 — Logon Using Explicit Credentials: Generated when a process attempts a logon using explicit credentials (e.g., using runas or passing alternate credentials). Frequently generated by lateral movement tools (Mimikatz, Impacket) attempting Pass-the-Hash or over-pass-the-hash attacks.

Event ID 4768 — Kerberos TGT Requested: Generated on domain controllers when a Kerberos Ticket-Granting Ticket is requested. Encryption type field (etype) reveals attack patterns: etype 23 (RC4) requested for modern accounts that should use AES is an indicator of Pass-the-Ticket or AS-REP roasting.

Event ID 4769 — Kerberos Service Ticket Requested: Generated on domain controllers when a service ticket is requested. Detection use: Kerberoasting generates 4769 events with Ticket Options 0x40810000 and Ticket Encryption Type 17 or 18 (AES) or 23 (RC4 — weaker and preferred by attackers for offline cracking).

Event ID 4771 — Kerberos Pre-Authentication Failed: AS-REP roasting targets accounts with pre-authentication disabled — 4771 is not generated for these accounts (which is itself a detection signal). When 4771 fires, it indicates a standard Kerberos authentication failure rather than roasting.

Process creation logging captures the execution of every process on the system — the single most valuable event source for detecting attacker tooling and post-exploitation activity.

Event ID 4688 — Process Creation: Key fields: Creator Process Name (parent), New Process Name (child), Command Line (if enabled), Token Elevation Type.

High-value detection patterns:

LOLBIN (Living-Off-the-Land Binary) abuse: Attackers use legitimate Windows binaries to execute malicious commands, bypassing application allowlisting. Key suspicious parent-child process relationships:

• winword.exe or excel.exe spawning powershell.exe, cmd.exe, or wscript.exe — malicious macro execution
• mshta.exe spawning any child process — HTA-based payload execution
• svchost.exe spawning powershell.exe or cmd.exe — service-based persistence mechanism
• explorer.exe spawning powershell.exe with encoded command — user-triggered malicious script

PowerShell encoded commands: 4688 events where Command Line contains EncodedCommand or -enc — attackers frequently encode PowerShell commands to evade simple signature detection. The presence of encoding alone is an indicator; the decoded content determines severity.

Suspicious process names: Processes with names misspelling legitimate system processes: svchost32.exe, lssas.exe, csrss32.exe. Also: processes executing from unusual paths (powershell.exe running from %TEMP% instead of System32).

Event ID 4103/4104 — PowerShell Module Logging and Script Block Logging: These events (in the Microsoft-Windows-PowerShell/Operational log, not Security log) capture PowerShell command input and output. Script block logging (4104) records the complete content of PowerShell script blocks as they execute — capturing obfuscated commands after deobfuscation. Enable via GPO: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.

Attackers establishing persistence and escalating privileges leave forensic traces in specific event channels.

Event ID 4672 — Special Logon (Admin Equivalent): Generated when a privileged logon occurs — when a user logs on with a token including sensitive privileges (SeDebugPrivilege, SeTakeOwnershipPrivilege, etc.) or administrative group membership. Correlate with 4624 for the same logon session. An account generating 4672 that has not done so before, or from an unusual workstation, warrants investigation.

Event ID 4673/4674 — Sensitive Privilege Use: Records when a sensitive privilege is used. SeDebugPrivilege used by non-system processes is a Mimikatz indicator (required for LSASS memory access). SeTcbPrivilege use outside of expected service accounts warrants review.

Event ID 4720 — User Account Created: A new local or domain user account was created. Attackers create backdoor accounts for persistent access. Alert on account creation outside of change control hours or by accounts not in the approved provisioning group.

Event ID 4728/4732/4756 — Member Added to Security Group: 4728: Member added to global security group 4732: Member added to local security group 4756: Member added to universal security group

Alert specifically on additions to Domain Admins, Enterprise Admins, Schema Admins, and Administrators. Any account added to these groups outside of a change window should be treated as a priority alert.

Event ID 7045 — Service Installed (System Log): A new service was installed on the system. Attackers install services for persistence and privilege escalation. Key fields: Service Name, Service File Name (path to the executable). Services installed from temp directories, user profile paths, or with names that do not match standard Windows service naming conventions are high-suspicion.

Scheduled Task Creation (Event IDs 4698/4702): 4698: Scheduled task was created 4702: Scheduled task was modified

Key field: Task Content (XML representation of the task). Alert on scheduled tasks created outside business hours, created by non-administrative accounts, or pointing to executables in temp or user profile directories.

Windows Event Forwarding (WEF) provides agentless event log collection using native Windows functionality. All Windows systems (endpoints and servers) can forward events to Windows Event Collector (WEC) servers, which then forward to your SIEM.

WEF architecture:

• Source computers: All Windows systems you want to collect from. No agent required. Configure via GPO.
• Event Collector (WEC) server: Windows Server running the Windows Event Collector service. Receives events from source computers.
• SIEM: Ingests from WEC via syslog, Winlogbeat, NXLog, or a native connector.

Collector-initiated vs. Source-initiated subscriptions:

• Source-initiated: Each source computer pushes events to the collector. Better for large environments. Source computers query Active Directory to find the collector endpoint.
• Collector-initiated: The collector pulls events from specified source computers. Better for small/controlled environments where you can enumerate all sources.

GPO configuration for source-initiated WEF:

1. Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager → Set to Server=http://[WEC-SERVER]:5985/wsman/SubscriptionManager/WEC
2. Configure the WEC service: wecutil qc on the WEC server
3. Create a subscription on the WEC server specifying which Event IDs to collect

Subscription filter for security-relevant events (XPath):

<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or EventID=4688 or EventID=4698 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756 or EventID=4768 or EventID=4769 or EventID=4771)]]</Select>
    <Select Path="System">*[System[(EventID=7045)]]</Select>
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104)]]</Select>
  </Query>
</QueryList>

Once logs are flowing to your SIEM, these query patterns detect common attacker behaviors. Examples use Splunk SPL; adapt field names for your SIEM.

Password spray detection:

index=windows EventCode=4625 Status=0xC000006A
| bucket _time span=5m
| stats dc(Account_Name) as unique_accounts, count as attempts by _time, Source_Network_Address
| where unique_accounts > 10 AND attempts > 30
| sort -attempts

Trigger: more than 10 unique accounts attempted with wrong password from one source in 5 minutes.

Lateral movement via SMB (Type 3 logon from workstation to workstation):

index=windows EventCode=4624 Logon_Type=3
| lookup workstations hostname as Computer OUTPUT is_workstation
| lookup workstations hostname as Workstation_Name OUTPUT is_source_workstation
| where is_workstation=true AND is_source_workstation=true
| table _time, Account_Name, Computer, Workstation_Name, Source_Network_Address

Kerberoasting detection:

index=windows EventCode=4769 Ticket_Encryption_Type=0x17
| stats count by Account_Name, Client_Address, Service_Name
| where count > 5

Type 0x17 = RC4 encryption — the attacker-preferred weak encryption type for offline cracking.

Suspicious PowerShell encoded command:

index=windows EventCode=4688 Process_Command_Line="*-enc*" OR Process_Command_Line="*EncodedCommand*"
| table _time, Computer, Account_Name, Creator_Process_Name, Process_Command_Line
| sort -_time

Privileged group modification:

index=windows (EventCode=4728 OR EventCode=4732 OR EventCode=4756)
| eval group_name=coalesce('Group_Name', 'Target_Group_Name')
| where group_name IN ("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")
| table _time, Computer, Subject_Account_Name, Member_Security_ID, group_name