topic Re: Is there a good list of Windows Event IDs pertaining to security out there? in Getting Data In

Is there a good list of Windows Event IDs pertaining to security out there?

kgriffen — Fri, 29 Apr 2011 23:14:50 GMT

I am looking to create searches that follow a "User \ Group" lifecycle, and want to know if anyone has a good list of Windows Security Event IDs. I want to create searches for:

New User Created
New Group Created
User Added to Group
User Deleted from Group
Share Rights Assigned to Group
Share Rights Assigned to User
User Deleted
Group Deleted
User Locked Out
User Unlocked

etc.

I was hoping there was a good list to start with somewhere, the Splunk for Windows has a few, but it is very light.

Re: Is there a good list of Windows Event IDs pertaining to security out there?

gkanapathy — Sat, 30 Apr 2011 00:11:32 GMT

This one seems pretty comprehensive: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

Re: Is there a good list of Windows Event IDs pertaining to security out there?

ftk — Thu, 11 Aug 2011 13:38:18 GMT

You could install the Windows Event Codes Lookup app to have all your event codes in your Windows Security Logs looked up into a human readable format automatically:
Windows Event Code Lookup App

Re: Is there a good list of Windows Event IDs pertaining to security out there?

jcaffero — Tue, 02 Oct 2012 17:38:30 GMT

I've got two lists for you, one is legible and the other is off Microsoft's site.
From WindowsITPro
http://www.windowsitpro.com/article/reporting2/where-are-the-security-event-id-s-listed-
From Microsoft
http://support.microsoft.com/kb/174074

The IT Pro link was drafted from Microsoft's page, but they cleaned it up a bit. Hope it helps

Re: Is there a good list of Windows Event IDs pertaining to security out there?

lmaclean — Tue, 26 Apr 2016 01:41:22 GMT

While it hasn't been updated since 2013 there haven't been too many changes to the Windows event logs to make it significant enough to be outdated but this NSA document does help a lot: (Page 8 for Overall list; Page 24-34 for in depth info in each category)

https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf

Then with the various types of Logon Types for a login event; e.g. Logon Type 7 is Unlock, 10 Interactive, etc... Try this SANS white paper:

https://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132

Re: Is there a good list of Windows Event IDs pertaining to security out there?

jd0323fhl — Fri, 30 Sep 2016 18:43:54 GMT

Check out the Windows Security Operations Center app in the Splunk store. There are several pre-built panels and you can check the queries you the Event Codes that are monitored to generate them. This app also may help you from having to "reinvent the wheel."

Re: Is there a good list of Windows Event IDs pertaining to security out there?

gjanders — Sat, 01 Oct 2016 06:21:43 GMT

One of the 2015 conference discussions was Finding Advanced Attacks and Malware With Only 6 Windows EventID’s
This presenter provides cheat sheets and here is the Splunk specific windows cheat sheet (at the time of writing this was updated in Feb 2016, refer to the cheat sheets link for the main page)

Re: Is there a good list of Windows Event IDs pertaining to security out there?

ssadh — Thu, 13 Apr 2017 06:19:26 GMT

This Quick Reference Cheat Sheet is quite useful. Posting for Reference
https://www.ultimatewindowssecurity.com/securitylog/quickref/downloads/quickref.zip