Getting Data In

Is there a good list of Windows Event IDs pertaining to security out there?

kgriffen
Engager

I am looking to create searches that follow a "User \ Group" lifecycle, and want to know if anyone has a good list of Windows Security Event IDs. I want to create searches for:

New User Created
New Group Created
User Added to Group
User Deleted from Group
Share Rights Assigned to Group
Share Rights Assigned to User
User Deleted
Group Deleted
User Locked Out
User Unlocked

etc.

I was hoping there was a good list to start with somewhere, the Splunk for Windows has a few, but it is very light.

Tags (4)

ssadh
Engager

This Quick Reference Cheat Sheet is quite useful. Posting for Reference
https://www.ultimatewindowssecurity.com/securitylog/quickref/downloads/quickref.zip

gjanders
SplunkTrust
SplunkTrust

One of the 2015 conference discussions was Finding Advanced Attacks and Malware With Only 6 Windows EventID’s
This presenter provides cheat sheets and here is the Splunk specific windows cheat sheet (at the time of writing this was updated in Feb 2016, refer to the cheat sheets link for the main page)

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/

jd0323fhl
Explorer

Check out the Windows Security Operations Center app in the Splunk store. There are several pre-built panels and you can check the queries you the Event Codes that are monitored to generate them. This app also may help you from having to "reinvent the wheel."

0 Karma

lmaclean
Path Finder

While it hasn't been updated since 2013 there haven't been too many changes to the Windows event logs to make it significant enough to be outdated but this NSA document does help a lot: (Page 8 for Overall list; Page 24-34 for in depth info in each category)

https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf

Then with the various types of Logon Types for a login event; e.g. Logon Type 7 is Unlock, 10 Interactive, etc... Try this SANS white paper:

https://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132

0 Karma

jcaffero
Explorer

I've got two lists for you, one is legible and the other is off Microsoft's site.
From WindowsITPro
http://www.windowsitpro.com/article/reporting2/where-are-the-security-event-id-s-listed-
From Microsoft
http://support.microsoft.com/kb/174074

The IT Pro link was drafted from Microsoft's page, but they cleaned it up a bit. Hope it helps

0 Karma

ftk
Motivator

You could install the Windows Event Codes Lookup app to have all your event codes in your Windows Security Logs looked up into a human readable format automatically:
Windows Event Code Lookup App

0 Karma

gkanapathy
Splunk Employee
Splunk Employee
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!