With most companies generating thousands of security events every day, you need to know where to focus so that you can cut through the noise.
If you can focus on the right Event IDs, you can potentially reveal abuse of privileges, insider threats, or compromised user accounts.
In this blog, we catalogue some high-value Event IDs that you can focus on in your auditing, helping you to cut through the noise and get actionable insights to detect suspicious activity.
Event IDs for Detecting Suspicious Activity
To make this easier, we’ve grouped them into categories based on common attack patterns and administrative scenarios.
User Logon and Authentication Events
| Event ID | Description |
|---|---|
| 4624 Successful Logon | Logged for every successful logon to a system. Most useful with context: the Logon Type (2 interactive, 3 network, 10 RDP), the source address and the time of day. Logons outside working hours, from unfamiliar hosts, or interactive logons by service accounts are always worth a closer look. |
| 4625 Failed Logon | Many failures in quick succession can indicate brute force or credential stuffing. The SubStatus field tells you whether the password was wrong (0xC000006A) or the account does not exist (0xC0000064), which separates password guessing from user enumeration. |
| 4648 Logon with Explicit Credentials | Logged when a process logs on using credentials other than those of the logged-on user (runas, scheduled jobs, administrative tools). Pass-the-hash tooling and lateral movement also produce it, so compare the account used with the account that was already logged on. |
| 4771 Kerberos Pre-Authentication Failed | Logged on the domain controller when Kerberos pre-authentication fails; failure code 0x18 means a wrong password. A burst across many accounts from one client address points to password spraying against domain accounts. |
| 4776 NTLM Credential Validation | Logged when a computer validates credentials via NTLM (on the domain controller for domain accounts, on the local machine for local accounts). Especially relevant where NTLM is being phased out: watch for legacy clients, fallback from Kerberos, and NTLM from hosts that should not be using it at all. |
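The following PowerShell puts the 4625 and 4771 rows to work. It is added here as an example and is not code from the original post or from Lepide. It reads the last 24 hours of failed logons from the local Security log, then separates brute force (many failures against one account from one source) from password spraying (one source touching many accounts). The window and both thresholds are assumptions; tune them to your environment. Run it in an elevated session on the host or domain controller that holds the log, or add `-ComputerName` to `Get-WinEvent` to query a remote one.

```powershell
# Added example, not from the original post: triage 4625 (failed logon) and
# 4771 (Kerberos pre-authentication failed) from the local Security log.
# The 24-hour window and both thresholds are assumptions; tune them to your estate.
$Since          = (Get-Date).AddHours(-24)
$BruteThreshold = 10   # failures against one (source, account) pair
$SprayThreshold = 5    # distinct accounts tried from one source

$filter   = @{ LogName = 'Security'; Id = 4625, 4771; StartTime = $Since }
$failures = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    # Flatten EventData into name -> value so we can use field names instead of
    # positional Properties[n] indexes, which differ between 4625 and 4771.
    $f = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }

    # 4625 carries an NTSTATUS in SubStatus (0xC000006A wrong password,
    # 0xC0000064 unknown user); 4771 carries a Kerberos code in Status (0x18 wrong password).
    $reason = if ($e.Id -eq 4625) { $f['SubStatus'] } else { $f['Status'] }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $f['TargetUserName']
        # Both events carry IpAddress; Kerberos reports IPv4 clients as ::ffff:a.b.c.d.
        Source  = ($f['IpAddress'] -replace '^::ffff:', '')
        Reason  = $reason
    }
}

# Brute force: one source hammering one account.
$brute = $failures |
    Group-Object Source, Account |
    Where-Object { $_.Count -ge $BruteThreshold } |
    ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Group[0].Source
            Account  = $_.Group[0].Account
            Failures = $_.Count
            LastSeen = @($_.Group.Time | Sort-Object)[-1]
        }
    }

# Password spray: one source, many accounts, typically only one or two tries each.
$spray = $failures |
    Group-Object Source |
    ForEach-Object {
        $accounts = @($_.Group.Account | Sort-Object -Unique)
        if ($accounts.Count -ge $SprayThreshold) {
            [pscustomobject]@{
                Source    = $_.Name
                Accounts  = $accounts.Count
                Attempts  = $_.Count
                FirstSeen = @($_.Group.Time | Sort-Object)[0]
                LastSeen  = @($_.Group.Time | Sort-Object)[-1]
            }
        }
    }

'== Possible brute force (one source, one account) =='
$brute | Sort-Object Failures -Descending | Format-Table -AutoSize
'== Possible password spray (one source, many accounts) =='
$spray | Sort-Object Accounts -Descending | Format-Table -AutoSize
```

Grouping by source rather than by account is what makes a spray visible: each account sees only one or two failures, so a per-account threshold never fires, while the per-source view shows dozens of distinct accounts in a few minutes. If your environment funnels authentication through a proxy or terminal server, the source address will be that hop, and you will need the WorkstationName field or the proxy's own logs to get further.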
Account Management and Privilege Escalation
| Event ID | Description |
|---|---|
| 4720 User Account Created | An account that appears outside the known provisioning process is a red flag, especially one that is then granted administrative rights. The Subject fields show who created it. |
| 4726 User Account Deleted | Attackers sometimes delete the accounts they created to cover their tracks. An account created and deleted within a short window is worth tracing back. |
| 4732 Member Added to a Security-Enabled Local Group | Covers built-in and domain-local groups such as Administrators, Server Operators and Account Operators. Adding a user to these is a classic escalation step. |
| 4728 Member Added to a Security-Enabled Global Group | Covers global groups such as Domain Admins. Universal groups (Enterprise Admins, Schema Admins) are logged as 4756 instead, so alert on 4728, 4732 and 4756 together if you want every privileged-group change. |
| 4740 Account Locked Out | Often overlooked, but a pattern of lockouts across accounts can reveal password guessing, and the Caller Computer Name field points to the host the bad attempts came from. |
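A correlation over the account-management rows, added here as an example (it is not code from the original post or from Lepide). It reads 4720, 4726, 4728, 4732 and 4756 from a domain controller's Security log and raises a finding when a newly created account lands in a group shortly afterwards, when an account is created and deleted again within the window, or when anyone is added to a group on a watch list. The seven-day look-back, the 60-minute correlation window and the watched-group list are assumptions.

```powershell
# Added example, not from the original post: correlate account lifecycle events.
#   4720 user created              4726 user deleted
#   4728 added to global group     (e.g. Domain Admins)
#   4732 added to local group      (e.g. Administrators, Server Operators)
#   4756 added to universal group  (e.g. Enterprise Admins, Schema Admins)
# Run on a domain controller. Look-back, window and watched groups are assumptions.
$Since         = (Get-Date).AddDays(-7)
$WindowMinutes = 60
$WatchedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                 'Administrators', 'Server Operators', 'Account Operators', 'Backup Operators'

$filter = @{ LogName = 'Security'; Id = 4720, 4726, 4728, 4732, 4756; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$created = @{}   # TargetSid -> creation details; keyed on SID because names can be reused
$alerts  = [System.Collections.Generic.List[object]]::new()

foreach ($e in $events) {
    # Flatten EventData into name -> value (field names are stable per Event ID).
    $f = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        4720 {
            $created[$f['TargetSid']] = [pscustomobject]@{
                Time      = $e.TimeCreated
                Account   = $f['TargetUserName']
                CreatedBy = $f['SubjectUserName']
            }
        }
        { $_ -in 4728, 4732, 4756 } {
            $group = $f['TargetUserName']        # for membership events, TargetUserName is the group
            $c     = $created[$f['MemberSid']]   # MemberSid is the account that was added
            if ($c -and ($e.TimeCreated - $c.Time).TotalMinutes -le $WindowMinutes) {
                $age = [int]($e.TimeCreated - $c.Time).TotalMinutes
                $alerts.Add([pscustomobject]@{
                    Time     = $e.TimeCreated
                    Severity = 'High'
                    Finding  = "New account '$($c.Account)' (created $age min earlier by $($c.CreatedBy)) added to '$group' by $($f['SubjectUserName'])"
                })
            } elseif ($group -in $WatchedGroups) {
                $alerts.Add([pscustomobject]@{
                    Time     = $e.TimeCreated
                    Severity = 'Medium'
                    Finding  = "$($f['MemberName']) added to privileged group '$group' by $($f['SubjectUserName'])"
                })
            }
        }
        4726 {
            $c = $created[$f['TargetSid']]
            if ($c -and ($e.TimeCreated - $c.Time).TotalMinutes -le $WindowMinutes) {
                $age = [int]($e.TimeCreated - $c.Time).TotalMinutes
                $alerts.Add([pscustomobject]@{
                    Time     = $e.TimeCreated
                    Severity = 'High'
                    Finding  = "Short-lived account '$($c.Account)': created by $($c.CreatedBy), deleted $age min later by $($f['SubjectUserName'])"
                })
            }
        }
    }
}

$alerts | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Keying the creation record on the SID rather than the account name matters: an attacker can create, use and delete an account and then create another with the same name, and a name-based join would merge the two. Group-membership events are logged on the domain controller that processed the change, so in a multi-DC domain either forward the logs centrally or run this against each DC.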
File, Object, and Network Share Access
| Event ID | Description |
|---|---|
| 4663 Object Access | Logged when someone accesses a file, folder or registry key that has a system access control list (SACL) configured for auditing; objects without a SACL produce nothing. Apply it to sensitive shares and folders to trace data theft. |
| 4656 Handle to Object Requested | The precursor to 4663: records that a user requested a handle to the object and which access rights were requested, including requests that were denied. |
| 5145 Network Share Object Access Checked | Logged on the file server for each access check against a share, with the relative path and the access requested. Convenient for tracking internal file movement, but high volume, so scope it to specific shares and accounts. |
Scheduled Tasks and Services – Signs of Persistence
| Event ID | Description |
|---|---|
| 4697 Service Installation | Installing a service is a common way for attackers to keep access across reboots. Check the Service File Name for binaries in user-writable paths or script interpreters, and the Subject for services installed by accounts that should not be installing anything. Requires the Audit Security System Extension subcategory. |
| 4698 Scheduled Task Created | The event includes the full task XML. Look for tasks that run PowerShell (especially encoded commands), scripts in temp or profile directories, or unexpected programs, and for tasks created outside working hours. Requires the Audit Other Object Access Events subcategory. |
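The following script applies the persistence rows to a live log. It is added here as an example and is not code from the original post or from Lepide. For each 4698 it parses the task XML carried in the event and extracts what the task actually executes; for each 4697 it takes the service binary path. Both are matched against a list of interpreter names, launcher utilities, encoded-command switches and user-writable paths, and flagged if they were created outside working hours. The seven-day look-back, the indicator list and the 08:00 to 18:00 weekday window are assumptions.

```powershell
# Added example, not from the original post: inspect 4698 (scheduled task created)
# and 4697 (service installed) for persistence tradecraft. Indicator list and
# working-hours window are assumptions; adapt them to your environment.
$Since = (Get-Date).AddDays(-7)
$WorkStart, $WorkEnd = 8, 18    # weekday working hours, 24h clock

# Regex fragments (case-insensitive): interpreters, living-off-the-land launchers,
# encoded/hidden PowerShell switches, user-writable drop locations, remote payloads.
$Indicators = @(
    'powershell', 'pwsh', '-enc', '-e ', 'frombase64string', '-w hidden', '-nop',
    'cmd(\.exe)? /c', 'mshta', 'wscript', 'cscript', 'rundll32', 'regsvr32',
    'certutil', 'bitsadmin', '\\temp\\', '\\appdata\\', '\\users\\public\\',
    '\\programdata\\', 'https?://'
)
$Pattern = $Indicators -join '|'

function Test-OffHours([datetime]$t) {
    $t.DayOfWeek -in 'Saturday', 'Sunday' -or $t.Hour -lt $WorkStart -or $t.Hour -ge $WorkEnd
}

$filter   = @{ LogName = 'Security'; Id = 4697, 4698; StartTime = $Since }
$findings = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $f = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }

    if ($e.Id -eq 4698) {
        # TaskContent is the task definition XML; pull every Exec action's command line.
        $task = [xml]$f['TaskContent']
        $cmd  = @($task.Task.Actions.Exec | ForEach-Object { "$($_.Command) $($_.Arguments)".Trim() }) -join ' ; '
        $kind = 'ScheduledTask'
        $name = $f['TaskName']
    } else {
        $cmd  = $f['ServiceFileName']
        $kind = 'Service'
        $name = $f['ServiceName']
    }

    $hits = @([regex]::Matches($cmd, $Pattern, 'IgnoreCase') | ForEach-Object Value | Sort-Object -Unique)
    $off  = Test-OffHours $e.TimeCreated

    if ($hits.Count -gt 0 -or $off) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Kind       = $kind
            Name       = $name
            CreatedBy  = $f['SubjectUserName']
            OffHours   = $off
            Indicators = $hits -join ', '
            Command    = $cmd
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The task XML is worth parsing rather than string-matching the whole event: the Command and Arguments elements are where the payload lives, and a task named after a legitimate product can still point at `powershell.exe -enc ...` in a user profile directory. Expect some benign hits (patch-management agents and backup software create off-hours tasks), so build an allow-list of known task names and service paths as you tune.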
Audit Policy and Security Settings Changes
| Event ID | Description |
|---|---|
| 4719 System Audit Policy Changed | Turning off or narrowing auditing is a standard way to conceal malicious activity. Any change that is not tied to an approved configuration change should be investigated. |
| 4739 Domain Policy Changed | Covers changes to password complexity, account lockout thresholds and similar domain-wide settings. The security team should verify every occurrence against an approved change. |
Active Directory and Object-Level Activities
| Event ID | Description |
|---|---|
| 4662 Operation Performed on a Directory Object | The generic Directory Service Access event. With a SACL on the object it records reads and writes to Active Directory objects, including permission changes (the Accesses field shows WRITE_DAC), so it helps detect an attacker tampering with access control lists. |
| 4765 / 4766 SID History Added / Attempt to Add SID History Failed | SID history abuse gives an account the access of another principal without any group membership to show for it. It is rare in day-to-day operations, which makes every occurrence worth examining. |
How Lepide Can Help You Audit These Event IDs Smarter
Lepide Auditor makes auditing simple, consolidating event logs across your Active Directory, file systems, and cloud platforms such as Microsoft 365. It audits logon attempts, privilege escalations, group membership changes, and file access live, and provides contextual information about who, when, how, and where in a single pane of glass. This helps you reduce noise, improve focus, and take action.
Lepide also lets you set custom alerts, spot anomalies, and generate compliance-ready reports with just a few clicks. Its behavior analytics and correlation engine help you detect threats faster, reduce noise, and focus on the events that matter, so your team can act before damage is done.
Conclusion
Suspicious activity usually begins as a whisper in your logs: an unusual logon, a group modification, a password reset. Whether an early warning is caught or becomes a full-blown intrusion all too often hinges on whether those whispers are heard.
When IT admins focus on the right Event IDs and pair that visibility with an intelligent monitoring tool such as Lepide, they achieve faster and more effective threat detection and response.
Download a free trial of Lepide Auditor today and see how effortless event log monitoring can be, or, if you prefer a personalized walkthrough, book a demo with our experts.