I am looking to create searches that follow a "User \ Group" lifecycle, and want to know if anyone has a good list of Windows Security Event IDs. I want to create searches for:
New User Created
New Group Created
User Added to Group
User Deleted from Group
Share Rights Assigned to Group
Share Rights Assigned to User
User Locked Out
I was hoping there was a good list to start with somewhere, the Splunk for Windows has a few, but it is very light.
One of the 2015 conference discussions was Finding Advanced Attacks and Malware With Only 6 Windows EventID’s
This presenter provides cheat sheets and here is the Splunk specific windows cheat sheet (at the time of writing this was updated in Feb 2016, refer to the cheat sheets link for the main page)
Check out the Windows Security Operations Center app in the Splunk store. There are several pre-built panels and you can check the queries you the Event Codes that are monitored to generate them. This app also may help you from having to "reinvent the wheel."
While it hasn't been updated since 2013 there haven't been too many changes to the Windows event logs to make it significant enough to be outdated but this NSA document does help a lot: (Page 8 for Overall list; Page 24-34 for in depth info in each category)
Then with the various types of Logon Types for a login event; e.g. Logon Type 7 is Unlock, 10 Interactive, etc... Try this SANS white paper:
I've got two lists for you, one is legible and the other is off Microsoft's site.
The IT Pro link was drafted from Microsoft's page, but they cleaned it up a bit. Hope it helps