I am looking to create searches that follow a "User \ Group" lifecycle, and want to know if anyone has a good list of Windows Security Event IDs. I want to create searches for:
New User Created
New Group Created
User Added to Group
User Deleted from Group
Share Rights Assigned to Group
Share Rights Assigned to User
User Deleted
Group Deleted
User Locked Out
User Unlocked
etc.
I was hoping there was a good list to start with somewhere. The Splunk for Windows has a few, but it is very light.