Windows Event Logs are the backbone of security monitoring in most enterprise environments. Knowing which Event IDs matter, what they actually mean in context, and when a specific event warrants escalation versus a quick close is one of the most practical skills a SOC analyst develops over time. This guide covers the essential Event IDs from 10 years of daily use in production SOC environments.
EventCode 4688 requires Advanced Audit Policy — Process Creation with command line logging enabled. EventCode 4625 and 4624 require Audit Logon Events enabled. Most of the Event IDs below are enabled by default on Windows but verify your audit policy before building detections around any of them.
Quick Reference: The Essential Event IDs
| Event ID | Description | Priority | Location |
|---|---|---|---|
| 4624 | Successful logon | Baseline | Security |
| 4625 | Failed logon | High | Security |
| 4648 | Logon using explicit credentials | High | Security |
| 4688 | Process creation | Critical | Security |
| 4698 | Scheduled task created | High | Security |
| 4720 | User account created | High | Security |
| 4732 | User added to privileged group | Critical | Security |
| 4768 | Kerberos ticket requested (TGT) | Medium | Security |
| 4769 | Kerberos service ticket requested | Medium | Security |
| 4776 | NTLM authentication attempt | High | Security |
| 7045 | New service installed | High | System |
| 4104 | PowerShell script block logging | Critical | PowerShell |
Event ID 4624 — Successful Logon
Logon Type Reference
- Type 2 — Interactive. User physically at the keyboard
- Type 3 — Network. Access to shared resources, common for lateral movement
- Type 4 — Batch. Scheduled task execution
- Type 5 — Service. Windows service startup
- Type 7 — Unlock. Screen unlock after lock
- Type 10 — Remote Interactive. RDP session
- Type 11 — Cached Interactive. Logon with cached credentials, no domain controller contact
Event ID 4625 — Failed Logon
Key Failure Reason Codes
- 0xC000006A — Wrong password, account exists. Legitimate brute force or user error
- 0xC000006D — Generic logon failure. Often credential spraying
- 0xC0000064 — Unknown username. Account enumeration or typo
- 0xC0000234 — Account locked out. May indicate active brute force
- 0xC000006F — Outside allowed hours. Policy violation or compromised account
Event ID 4688 — Process Creation
index=win_* EventCode=4688 earliest=-7d latest=now
| eval image=lower(coalesce(New_Process_Name, Process_Name))
| eval parent=lower(coalesce(Creator_Process_Name, Parent_Process_Name))
| eval cmdline=coalesce(Process_Command_Line, CommandLine)
| where match(image, "powershell|wscript|cscript|mshta|certutil")
| where match(parent, "winword|excel|outlook|chrome|msedge|firefox")
| table _time host user parent image cmdline
| sort 0 -_time
Event ID 4698 — Scheduled Task Created
Event ID 4732 — User Added to Privileged Group
SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4732
| where TargetUserName in (
"Domain Admins","Enterprise Admins",
"Schema Admins","Administrators",
"Account Operators","Backup Operators"
)
| where SubjectUserName !endswith "$"
| project TimeGenerated, Computer,
SubjectUserName, MemberName, TargetUserName
| order by TimeGenerated desc
Event ID 4776 — NTLM Authentication
Event ID 7045 — New Service Installed
Event ID 4104 — PowerShell Script Block Logging
index=powershell EventCode=4104 earliest=-7d latest=now
| eval script=coalesce(ScriptBlockText, Message)
| eval risk=case(
match(script, "(?i)(IEX|Invoke-Expression|DownloadString|WebClient)"), "critical",
match(script, "(?i)(sekurlsa|mimikatz|lsass|dcsync|logonpasswords)"), "credential_theft",
match(script, "(?i)(bypass|hidden|noprofile)"), "high",
true(), "review"
)
| where risk!="review"
| table _time host user script risk
| sort 0 -_time
Audit Policy Recommendations
If your environment is not logging all of the above events, these are the Group Policy settings to enable. Discuss with your Windows team before implementing as some generate significant log volume.
- Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy > Account Logon: Audit Credential Validation — Success and Failure
- Logon/Logoff: Audit Logon — Success and Failure
- Detailed Tracking: Audit Process Creation — Success. Then enable command line auditing at HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled
- Account Management: Audit Security Group Management — Success. Audit User Account Management — Success and Failure
- PowerShell: Enable Script Block Logging via Group Policy under Administrative Templates > Windows Components > Windows PowerShell
The free SOC Alert Triage Checklist includes a desk-ready quick reference with the 8 most critical Windows Event IDs, what each means, and when to alert. Join the Intelligence Pack for weekly detection rules covering these events in production environments.
Join Intelligence Pack — $14.99/month Free Triage ChecklistCancel anytime. 30-day money back guarantee.