Windows Event Logs are the backbone of security monitoring in most enterprise environments. Knowing which Event IDs matter, what they actually mean in context, and when a specific event warrants escalation versus a quick close is one of the most practical skills a SOC analyst develops over time. This guide covers the essential Event IDs from 10 years of daily use in production SOC environments.

Prerequisites

EventCode 4688 requires Advanced Audit Policy — Process Creation with command line logging enabled. EventCode 4625 and 4624 require Audit Logon Events enabled. Most of the Event IDs below are enabled by default on Windows but verify your audit policy before building detections around any of them.

Quick Reference: The Essential Event IDs

Event ID Description Priority Location
4624Successful logonBaselineSecurity
4625Failed logonHighSecurity
4648Logon using explicit credentialsHighSecurity
4688Process creationCriticalSecurity
4698Scheduled task createdHighSecurity
4720User account createdHighSecurity
4732User added to privileged groupCriticalSecurity
4768Kerberos ticket requested (TGT)MediumSecurity
4769Kerberos service ticket requestedMediumSecurity
4776NTLM authentication attemptHighSecurity
7045New service installedHighSystem
4104PowerShell script block loggingCriticalPowerShell

Event ID 4624 — Successful Logon

4624
Baseline
An account was successfully logged on
Generated every time an account successfully authenticates to a Windows system. The most voluminous event in any Windows environment. Not useful as a standalone alert but essential as a baseline for detecting anomalies in authentication patterns.
Alert when: Logon Type 10 (Remote Interactive/RDP) to sensitive systems off hours. Logon Type 3 (Network) from unexpected source systems. First-time logon to a host with no 30-day baseline history.

Logon Type Reference

Event ID 4625 — Failed Logon

4625
High
An account failed to log on
Generated on every failed authentication attempt. Individual failed logons are noise. Patterns of failed logons are signal. The failure reason code in the event is essential context for understanding whether a pattern represents credential spraying, brute force, or legitimate user lockout.
Alert when: 10+ failures on a single account in 5 minutes. Failures spread across 20+ accounts from a single source (credential spraying). Failures against disabled or non-existent accounts at volume.

Key Failure Reason Codes

Event ID 4688 — Process Creation

4688
Critical
A new process has been created
The most valuable event in Windows security monitoring when command line logging is enabled. Records every process creation with the full command line and parent process. Without command line logging enabled this event is significantly less useful. Enabling it is the single most impactful audit policy change for a SOC that hasn't already done it.
Alert when: Scripting engines spawned from Office applications or browsers. LOLBins spawned from unexpected parents. PowerShell with encoded commands. Processes executing from user-writable paths.
index=win_* EventCode=4688 earliest=-7d latest=now
| eval image=lower(coalesce(New_Process_Name, Process_Name))
| eval parent=lower(coalesce(Creator_Process_Name, Parent_Process_Name))
| eval cmdline=coalesce(Process_Command_Line, CommandLine)
| where match(image, "powershell|wscript|cscript|mshta|certutil")
| where match(parent, "winword|excel|outlook|chrome|msedge|firefox")
| table _time host user parent image cmdline
| sort 0 -_time

Event ID 4698 — Scheduled Task Created

4698
High
A scheduled task was created
Scheduled task creation is one of the most common persistence mechanisms used by attackers because tasks survive reboots, run as the creating account's permissions, and are often overlooked during IR. The task content field contains the full XML definition of the task including the command it will run.
Alert when: Task created outside business hours. Task executes from AppData, Temp, or Downloads. Task created by a standard user account. Task name mimics a legitimate Windows task with slight variation.

Event ID 4732 — User Added to Privileged Group

4732
Critical
A member was added to a security-enabled local group
Any addition to Domain Admins, Enterprise Admins, or local Administrators groups should be treated as a high-priority alert. Privilege escalation to administrator level is typically the final step before the most damaging attacker actions including data exfiltration, ransomware deployment, and domain controller compromise.
Alert immediately when: Any account added to Domain Admins. Any account added to Enterprise Admins or Schema Admins. Account added to local Administrators group off hours without a corresponding change ticket.
SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4732
| where TargetUserName in (
    "Domain Admins","Enterprise Admins",
    "Schema Admins","Administrators",
    "Account Operators","Backup Operators"
  )
| where SubjectUserName !endswith "$"
| project TimeGenerated, Computer,
    SubjectUserName, MemberName, TargetUserName
| order by TimeGenerated desc

Event ID 4776 — NTLM Authentication

4776
High
The domain controller attempted to validate credentials
Generated when NTLM authentication is used instead of Kerberos. In modern environments NTLM should be rare. Attackers specifically use NTLM for pass-the-hash attacks because NTLM authentication does not require the plaintext password, only the hash. High volume NTLM authentication from a single source is a strong lateral movement indicator.
Alert when: NTLM authentication volume significantly exceeds baseline. Single source making NTLM connections to multiple systems. NTLM authentication to domain controllers from non-admin accounts.

Event ID 7045 — New Service Installed

7045
High
A new service was installed in the system
Found in the System log rather than Security. New service installations outside of known software deployment windows should be investigated. Attackers install services for persistence and for lateral movement using remote service execution. The service binary path is the most important field for triage.
Alert when: Service binary path is in a user-writable location. Service installed off hours without a change ticket. Service name closely resembles a legitimate Windows service with minor variations.

Event ID 4104 — PowerShell Script Block Logging

4104
Critical
Creating Scriptblock text
Found in the Microsoft-Windows-PowerShell/Operational log. Script block logging captures the actual content of PowerShell scripts as they execute, including deobfuscated content after PowerShell has unpacked any encoded commands. This is the most powerful PowerShell visibility available and requires enabling via Group Policy or registry.
Alert when: Script blocks containing IEX, Invoke-Expression, or DownloadString. Script blocks that reference LSASS, mimikatz, or credential theft tools. Large script blocks executing immediately after a suspicious process creation event.
index=powershell EventCode=4104 earliest=-7d latest=now
| eval script=coalesce(ScriptBlockText, Message)
| eval risk=case(
    match(script, "(?i)(IEX|Invoke-Expression|DownloadString|WebClient)"), "critical",
    match(script, "(?i)(sekurlsa|mimikatz|lsass|dcsync|logonpasswords)"), "credential_theft",
    match(script, "(?i)(bypass|hidden|noprofile)"), "high",
    true(), "review"
  )
| where risk!="review"
| table _time host user script risk
| sort 0 -_time

Audit Policy Recommendations

If your environment is not logging all of the above events, these are the Group Policy settings to enable. Discuss with your Windows team before implementing as some generate significant log volume.

Intelligence Pack
Get the Windows Event ID quick reference card

The free SOC Alert Triage Checklist includes a desk-ready quick reference with the 8 most critical Windows Event IDs, what each means, and when to alert. Join the Intelligence Pack for weekly detection rules covering these events in production environments.

Join Intelligence Pack — $14.99/month Free Triage Checklist

Cancel anytime. 30-day money back guarantee.