Getting Data In

Is there a good list of Windows Event IDs pertaining to security out there?


I am looking to create searches that follow a "User \ Group" lifecycle, and want to know if anyone has a good list of Windows Security Event IDs. I want to create searches for:

New User Created
New Group Created
User Added to Group
User Deleted from Group
Share Rights Assigned to Group
Share Rights Assigned to User
User Deleted
Group Deleted
User Locked Out
User Unlocked


I was hoping there was a good list to start with somewhere, the Splunk for Windows has a few, but it is very light.

Tags (4)


This Quick Reference Cheat Sheet is quite useful. Posting for Reference


One of the 2015 conference discussions was Finding Advanced Attacks and Malware With Only 6 Windows EventID’s
This presenter provides cheat sheets and here is the Splunk specific windows cheat sheet (at the time of writing this was updated in Feb 2016, refer to the cheat sheets link for the main page)

Alerts for Splunk Admins
Version Control for Splunk


Check out the Windows Security Operations Center app in the Splunk store. There are several pre-built panels and you can check the queries you the Event Codes that are monitored to generate them. This app also may help you from having to "reinvent the wheel."

0 Karma

Path Finder

While it hasn't been updated since 2013 there haven't been too many changes to the Windows event logs to make it significant enough to be outdated but this NSA document does help a lot: (Page 8 for Overall list; Page 24-34 for in depth info in each category)

Then with the various types of Logon Types for a login event; e.g. Logon Type 7 is Unlock, 10 Interactive, etc... Try this SANS white paper:

0 Karma


I've got two lists for you, one is legible and the other is off Microsoft's site.
From WindowsITPro
From Microsoft

The IT Pro link was drafted from Microsoft's page, but they cleaned it up a bit. Hope it helps

0 Karma


You could install the Windows Event Codes Lookup app to have all your event codes in your Windows Security Logs looked up into a human readable format automatically:
Windows Event Code Lookup App

0 Karma

Splunk Employee
Splunk Employee
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!