Event IDs Every IT Admin Needs to Monitor for Suspicious Activity

Philip Robinson
Read time: 5 min | Updated on August 26, 2025

Event IDs Every IT Admin Needs to Monitor

With most companies generating thousands of event logs every day, you need to make sure you know where to focus so that you can cut through the noise.

If you can focus on the right Event IDs, you can potentially reveal abuse of privileges, insider threats, or compromised user accounts.

In this blog, we catalogue some high-value Event IDs that you can focus on in your auditing, helping you to cut through the noise and get actionable insights to detect suspicious activity.

Event IDs for Detecting Suspicious Activity

To make this easier, we’ve grouped them into categories based on common attack patterns and administrative scenarios.

  1. User Logon and Authentication Events
  2. Account Management and Privilege Escalation
  3. File, Object, and Network Share Access
  4. Scheduled Tasks and Services – Signs of Persistence
  5. Audit Policy and Security Settings Changes
  6. Active Directory and Object-Level Activities

1. User Logon and Authentication Events

| Event ID | Category | Description |
|---|---|---|
| 4624 | Successful Logon | Records every successful logon to a system. Most useful when paired with logon time, source address, or device information: logons outside working hours or from unfamiliar devices are always worth a closer look. |
| 4625 | Failed Logon | Multiple failures in rapid succession may indicate brute-force attempts, credential stuffing, or other malicious activity. |
| 4648 | Logon with Explicit Credentials | Recorded when a logon is attempted with credentials other than those of the current session. Frequently seen during pass-the-hash attempts and lateral movement. |
| 4771 | Kerberos Pre-Auth Failed | Can reveal password spraying or brute-force activity against a domain account. |
| 4776 | NTLM Authentication | Especially relevant in environments phasing out NTLM. Watch for legacy or fallback authentication. |
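The brute-force and spraying patterns in the table above, as an added detection example (not code from the original post or from Lepide): a sliding-window count of 4625 failures per source address, split into "one account, many tries" versus "many accounts, one try each", followed by the alert that matters most, a 4624 success from a source that was already flagged. The record layout and the IP/account values are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(eid, ts, user, ip):
    """Minimal record shaped like Security-log EventData fields (constructed, not real telemetry)."""
    return {"EventID": eid, "TimeCreated": ts, "TargetUserName": user, "IpAddress": ip}


# Constructed sample: one source hammering one account, one source trying many accounts once each,
# and a lone failure that is just a typo.
SAMPLE_EVENTS = (
    [ev(4625, f"2025-08-26T02:14:{s:02d}", "jdoe", "10.0.0.77") for s in range(0, 60, 10)]
    + [ev(4624, "2025-08-26T02:15:10", "jdoe", "10.0.0.77")]
    + [ev(4625, f"2025-08-26T02:30:{s:02d}", u, "10.0.0.88")
       for s, u in zip(range(0, 50, 10), ["alice", "bob", "carol", "dave", "erin"])]
    + [ev(4625, "2025-08-26T09:01:00", "fsmith", "10.0.0.5")]
)


def detect_logon_abuse(events, window=timedelta(minutes=5), threshold=5):
    """Return findings in time order:
    ("brute_force", ip, failures, accounts)  - >= threshold 4625s from one IP inside `window`, few accounts
    ("spray", ip, failures, accounts)        - same, but spread over >= threshold distinct accounts
    ("success_after_failures", ip, user)     - a 4624 from an IP already flagged above
    """
    recent = defaultdict(deque)   # source IP -> (time, account) of failures inside the window
    flagged = set()
    findings = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        t = datetime.fromisoformat(e["TimeCreated"])
        ip, user = e.get("IpAddress", "-"), e.get("TargetUserName", "-")
        if e["EventID"] == 4625:
            q = recent[ip]
            q.append((t, user))
            while q and t - q[0][0] > window:   # drop failures older than the window
                q.popleft()
            accounts = {u for _, u in q}
            if len(q) >= threshold and ip not in flagged:
                kind = "spray" if len(accounts) >= threshold else "brute_force"
                findings.append((kind, ip, len(q), len(accounts)))
                flagged.add(ip)
        elif e["EventID"] == 4624 and ip in flagged:
            # The guessing may have worked: a success from a flagged source is the highest-value alert.
            findings.append(("success_after_failures", ip, user))
    return findings
```

In production the same logic would key on 4771 as well, since Kerberos failures do not produce 4625 on the domain controller.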

2. Account Management and Privilege Escalation

| Event ID | Category | Description |
|---|---|---|
| 4720 | User Account Created | Raise a red flag when an account appears unexpectedly, outside any known provisioning process, especially if it is granted administrative rights. |
| 4726 | User Account Deleted | Attackers sometimes delete accounts to cover their tracks. This event lets you trace such actions. |
| 4732 | User Added to a Privileged Group | Adding users to high-privilege groups such as Domain Admins or Server Operators is a classic escalation method. Note that 4732 is logged for security-enabled local groups (Administrators, Server Operators); additions to global groups such as Domain Admins are logged as 4728. |
| 4728 | Member Added to a Global Security Group | Useful for tracking changes to sensitive global security groups. |
| 4740 | Account Locked Out | Often overlooked, but a pattern of lockouts can reveal an attacker guessing passwords. |
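Account events are far more telling when correlated than when read one at a time. As an added example (not code from the original post or from Lepide), the function below links a 4720 creation to a later 4728/4732 addition to a privileged group and to a 4726 deletion of the same account within a window, which is the "created, elevated, then removed to cover tracks" sequence the table describes. Group names, the one-hour window, and the sample records are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Server Operators"}
GROUP_ADD_IDS = {4728, 4732}   # member added to a global (4728) or local (4732) security group


def member_cn(member_name):
    """4728/4732 carry the member as a DN ('CN=svc-backup,OU=Service,DC=corp,DC=local'); take the CN."""
    m = re.match(r"CN=([^,]+)", member_name or "")
    return m.group(1) if m else member_name


def correlate_account_lifecycle(events, window=timedelta(hours=1)):
    """Link 4720 (created) to later 4728/4732 (privileged add) and 4726 (deleted) for the same account."""
    created = {}    # account -> creation time
    findings = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        t, eid, who = datetime.fromisoformat(e["TimeCreated"]), e["EventID"], e["SubjectUserName"]
        if eid == 4720:
            created[e["TargetUserName"]] = t
        elif eid in GROUP_ADD_IDS and e["TargetUserName"] in PRIVILEGED_GROUPS:   # TargetUserName = group
            acct = member_cn(e["MemberName"])
            fresh = acct in created and t - created[acct] <= window
            findings.append({"rule": "privileged_group_add", "account": acct, "group": e["TargetUserName"],
                             "by": who, "new_account": fresh})
        elif eid == 4726 and e["TargetUserName"] in created and t - created[e["TargetUserName"]] <= window:
            findings.append({"rule": "short_lived_account", "account": e["TargetUserName"], "by": who})
    return findings


def ev(eid, ts, subject, target, member=None):
    """Constructed record shaped like Security-log EventData fields (not real telemetry)."""
    return {"EventID": eid, "TimeCreated": ts, "SubjectUserName": subject,
            "TargetUserName": target, "MemberName": member}


SAMPLE_EVENTS = [
    ev(4720, "2025-08-26T13:00:00", "it-ops", "svc-backup"),
    ev(4728, "2025-08-26T13:12:00", "it-ops", "Domain Admins", "CN=svc-backup,OU=Service,DC=corp,DC=local"),
    ev(4732, "2025-08-26T14:00:00", "helpdesk", "Administrators", "CN=jdoe,OU=Users,DC=corp,DC=local"),
    ev(4728, "2025-08-26T14:30:00", "helpdesk", "Sales", "CN=jdoe,OU=Users,DC=corp,DC=local"),
    ev(4720, "2025-08-26T15:00:00", "it-ops", "tmp-audit"),
    ev(4732, "2025-08-26T15:05:00", "it-ops", "Server Operators", "CN=tmp-audit,OU=Users,DC=corp,DC=local"),
    ev(4726, "2025-08-26T15:40:00", "it-ops", "tmp-audit"),
]
```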

3. File, Object, and Network Share Access

| Event ID | Category | Description |
|---|---|---|
| 4663 | Object Access | Logged when someone accesses a file or folder that has auditing enabled. Helps trace data theft, particularly from sensitive shares. |
| 4656 | Handle to Object Requested | A precursor to 4663: indicates that a user requested a handle to a file or folder, whether or not access was granted. |
| 5145 | A Network Share Was Accessed | Useful for tracking internal file transfers and data movement across network shares. |

4. Scheduled Tasks and Services – Signs of Persistence

| Event ID | Category | Description |
|---|---|---|
| 4697 | Service Installation | Installing a persistent service is a common way for attackers to keep their access across reboots. |
| 4698 | Scheduled Task Created | Look out for tasks that run PowerShell scripts or launch unexpected programs, especially if they execute during off-hours. |
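The 4698 record carries the task definition as XML in its TaskContent field, so the "PowerShell at odd hours" check in the row above can be automated. As an added example (not code from the original post or from Lepide), the triage below pulls each Exec action out of that XML and reports why a task creation deserves a look: created outside business hours or at the weekend, launching a script host, or using an encoded or hidden command line. The business-hours range and both sample records are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}   # namespace of TaskContent XML
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time; an assumption for the sample environment


def task_actions(task_xml):
    """Return (command, arguments) for each <Exec> action in a 4698 TaskContent payload."""
    root = ET.fromstring(task_xml)
    return [(x.findtext("t:Command", "", TASK_NS), x.findtext("t:Arguments", "", TASK_NS))
            for x in root.findall(".//t:Actions/t:Exec", TASK_NS)]


def triage_task_creation(event):
    """Reasons a 4698 record deserves a look; an empty list means nothing stood out."""
    reasons = []
    t = datetime.fromisoformat(event["TimeCreated"])
    if t.hour not in BUSINESS_HOURS or t.weekday() >= 5:
        reasons.append("created off-hours")
    for cmd, args in task_actions(event["TaskContent"]):
        line = f"{cmd} {args}".lower()
        if any(h in line for h in SCRIPT_HOSTS):
            reasons.append(f"launches script host: {cmd}")
        if "-enc" in line or "hidden" in line:    # common ways to hide what a PowerShell task does
            reasons.append("encoded or hidden command line")
    return reasons


def task_xml(command, arguments):
    """Constructed minimal TaskContent XML; real payloads also carry triggers, principals and settings."""
    return (f'<Task xmlns="{TASK_NS["t"]}"><Actions><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed sample 4698 records (not real telemetry): a backup job created by an admin on a weekday
# morning, and a hidden, encoded PowerShell task created at 03:15 on a Sunday.
BENIGN_TASK = {"EventID": 4698, "TimeCreated": "2025-08-26T09:00:00", "SubjectUserName": "it-ops",
               "TaskName": "\\Backup\\Nightly",
               "TaskContent": task_xml(r"C:\Program Files\Backup\backup.exe", "/full")}
SUSPECT_TASK = {"EventID": 4698, "TimeCreated": "2025-08-24T03:15:00", "SubjectUserName": "jdoe",
                "TaskName": "\\Updater",
                "TaskContent": task_xml("powershell.exe", "-w hidden -enc BASE64_PLACEHOLDER")}
```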

5. Audit Policy and Security Settings Changes

| Event ID | Category | Description |
|---|---|---|
| 4719 | Audit Policy Changed | Changing the audit configuration is a common trick to conceal malicious activity. |
| 4739 | Domain Policy Changed | Covers changes to password complexity, account lockout settings, and similar domain policy. The security team should always verify such changes. |

6. Active Directory and Object-Level Activities

| Event ID | Category | Description |
|---|---|---|
| 4662 | Directory Object Permission Changed | If an attacker tampers with access control lists (ACLs) on directory objects, this event helps you detect it. |
| 4928 / 4929 | SID History Changes | SID history abuse is a sneaky way to obtain inherited access. It is niche, but dangerous. |

How Lepide Can Help You Audit These Event IDs Smarter

Lepide Auditor makes auditing simple, consolidating event logs across your Active Directory, file systems, and cloud platforms like Microsoft 365. It audits everything live, including logon attempts, privilege escalations, group membership modifications, and file access, and provides context about who, when, how, and where in a single pane of glass. This helps you reduce noise, improve focus, and take action.

Lepide also lets you set custom alerts, spot anomalies, and generate compliance-ready reports with just a few clicks. Its behavior analytics and correlation engine help you detect threats faster, reduce noise, and focus on the events that matter, so your team can act before damage is done.

Conclusion

Suspicious activity usually begins as a whisper in your logs: an unusual logon, a group modification, a password reset, and more. The gap between early warning and a full-blown intrusion all too often hinges on whether those whispers are heard.

When IT admins focus on the correct Event IDs and combine that visibility with an intelligent monitoring tool, such as Lepide, they achieve faster and more effective threat detection and response.

Download a free trial of Lepide Auditor today and see how effortless event log monitoring can be, or, if you prefer a personalized walkthrough, book a demo with our experts.

Philip Robinson

Phil joined Lepide in 2016 after spending most of his career in B2B marketing roles for global organizations. Over the years, Phil has strived to create a brand that is consistent, fun and in keeping with what it’s like to do business with Lepide. Phil leads a large team of marketing professionals that share a common goal; to make Lepide a dominant force in the industry.