I have found SecureWork's document very useful for security event best practice.
`
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = winevents
#based on SecureWorks Windows Log Monitoring Best Practices for Security and Compliance
whitelist = 517,520,529,530,531,532,533,534,535,536,537,539,540,560,565,566, 601,608,609,610,611,612,617,620,621,622,624,626,627, 628,629,630,631,632,633,634,635,636,637,638,639,641,642,643,644,645,646,647,648,649,650,651,652,653, 654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,671,672,673,675,676,680,681,685, 1102,4616, 4624,4625,4656,4661,4662,4688,4697,4704,4705,4706,4707,4708,4713,4716,4717,4718,4719,4720, 4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4738,4739,4740, 4741,4742,4743,4744,4745,4746,4747,4748,4749,4750,4751,4752,4753,4754,4755,4756,4757,4758, 4759,4760,4761,4762, 4763,4764,4767,4768,4769,4771,4776,4781,4906
`
... View more