liminfo

Windows Event Log Reference

Free reference guide: Windows Event Log Reference


About Windows Event Log Reference

The Windows Event Log Reference is a comprehensive, searchable guide to the Windows Event IDs that matter for security monitoring, incident response, and system administration. It covers Security Log events (4624 logon success, 4625 logon failure, 4648 logon with explicit credentials, 4672 special privileges assigned to a new logon, 4720 user account created), System Log events (6005/6006 Event Log service started/stopped, the usual boot and shutdown markers; 6008 unexpected shutdown; 7045 new service installed; 7036 service state change), Application events (1000 application crash, 1001 Windows Error Reporting, 1002 application hang, 1026 .NET Runtime error), and object-access and detailed-tracking audit events (4663 file access, 4688 process creation, 4689 process termination).

Designed for SOC analysts, incident responders, system administrators, and IT security professionals, this reference includes PowerShell query examples (Get-WinEvent, FilterHashtable, FilterXml), command-line tools (wevtutil), XPath query syntax, Event Viewer custom views, forensic analysis patterns for logon tracking, process execution monitoring, and Sysmon integration.

All processing happens locally in your browser with no server-side data transfer. The interface supports dark mode and works on desktop, tablet, and mobile.

Key Features

  • Security Log Event IDs: 4624 (logon), 4625 (failed logon), 4648 (explicit credentials), 4672 (special privileges assigned to a new logon), 4720 (account created)
  • System Log events: 6005/6006 (boot/shutdown), 6008 (unexpected shutdown), 7045 (new service installed), 7036 (service state change)
  • Auditing events: 4663 (file/folder access), 4656 (handle request), 4670 (permissions changed), 4688/4689 (process creation/termination)
  • PowerShell examples with Get-WinEvent, FilterHashtable, FilterXml, and Export-Csv for log analysis
  • XPath query syntax, wevtutil commands, Event Viewer custom views, and event subscription for centralized collection
  • Forensic analysis patterns: logon chain tracking, process execution trees, account management anomaly detection
  • Sysmon integration reference covering process creation with hashes, network connections, DLL loading, and file creation
  • Eight organized categories: Security Log, System Log, Application, Auditing, Event IDs, PowerShell, Filters, Analysis

Frequently Asked Questions

What is Windows Event ID 4624 and what are the logon types?

Event ID 4624 records a successful logon in the Windows Security Log. The Logon Type field says how the account authenticated: Type 2 is Interactive (local console), Type 3 is Network (file share access, drive mapping, most remote PowerShell and WMI), Type 4 is Batch (scheduled task), Type 5 is Service (a Windows service starting under that account), Type 7 is Unlock (workstation unlock), Type 8 is NetworkCleartext (for example IIS basic authentication), Type 9 is NewCredentials (runas /netonly), Type 10 is RemoteInteractive (RDP, Remote Assistance), and Type 11 is CachedInteractive (domain logon with cached credentials while no DC is reachable). The Logon ID (TargetLogonId in the event data) stays constant for the life of the session, so correlate it with 4634 (session ended) or 4647 (user-initiated logoff) to reconstruct the full session lifecycle. Expect Type 3 and Type 5 to dominate the volume on servers; Type 2 and Type 10 logons are the ones worth baselining per user.
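The 4624-to-4634/4647 correlation described above, as an added example that is not part of the original reference. The three events are constructed sample XML in the shape that $event.ToXml() returns from Get-WinEvent (host names, users, logon IDs and addresses are invented); the live query at the end is what you would run instead on a Windows host.

```powershell
# Added example (not code from the reference page): join each 4624 to the
# 4634/4647 that ends the same Logon ID and report the session's type and length.

$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertFrom-EventXml {
    # Flatten one event into a hashtable: Id, Time (UTC) and every <Data Name="..."> element
    # from EventData, so fields are addressed by name instead of by index into $event.Properties.
    param([Parameter(Mandatory)][string]$Xml)
    $x = [xml]$Xml
    $h = @{
        Id   = [int]$x.GetElementsByTagName('EventID')[0].InnerText
        Time = ([datetimeoffset]$x.Event.System.TimeCreated.SystemTime).UtcDateTime
    }
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Get-LogonSessions {
    # 4624 carries the session's Logon ID as TargetLogonId; 4634 (session ended) and
    # 4647 (user-initiated logoff) carry the same value, which makes it the join key.
    param([Parameter(Mandatory)][hashtable[]]$Events)
    $ends = @{}
    foreach ($e in $Events) { if ($e.Id -in @(4634, 4647)) { $ends[$e.TargetLogonId] = $e.Time } }
    foreach ($e in $Events) {
        if ($e.Id -ne 4624) { continue }
        $end = $ends[$e.TargetLogonId]
        $duration = $null
        if ($end) { $duration = $end - $e.Time }
        [pscustomobject]@{
            User      = '{0}\{1}' -f $e.TargetDomainName, $e.TargetUserName
            LogonId   = $e.TargetLogonId
            LogonType = $LogonTypeNames[[int]$e.LogonType]
            Source    = $e.IpAddress
            Start     = $e.Time
            Duration  = $duration     # $null: no logoff seen, so still open (or the log rolled)
        }
    }
}

# Constructed sample events: an RDP logon that ends with a user logoff, and a
# network logon with no logoff in the window.
$Xml4624Rdp = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T08:00:00.0000000Z"/><Channel>Security</Channel><Computer>WS01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data><Data Name="TargetLogonId">0x3e9a1</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.25</Data></EventData></Event>
'@
$Xml4624Net = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T08:02:30.0000000Z"/><Channel>Security</Channel><Computer>WS01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data><Data Name="TargetLogonId">0x41c77</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.50</Data></EventData></Event>
'@
$Xml4647 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4647</EventID><TimeCreated SystemTime="2024-05-01T09:45:10.0000000Z"/><Channel>Security</Channel><Computer>WS01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data><Data Name="TargetLogonId">0x3e9a1</Data></EventData></Event>
'@

$events = $Xml4624Rdp, $Xml4624Net, $Xml4647 | ForEach-Object { ConvertFrom-EventXml $_ }
Get-LogonSessions -Events $events | Format-Table -AutoSize

# Live host (Security log read rights required):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624, 4634, 4647; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertFrom-EventXml $_.ToXml() }
# Get-LogonSessions -Events $live | Where-Object { $_.LogonType -eq 'RemoteInteractive' }
```

Working from the XML rather than $event.Properties[n] avoids the positional indexes that differ between event versions; the same flattening serves 4625, 4688 or 7045 unchanged.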

How do I detect brute force attacks using Windows Event Logs?

Monitor Event ID 4625 (failed logon) for burst patterns: many failures from one source address in a short window, either against one account (brute force) or spread across many accounts (password spraying). The event usually carries the generic Status 0xC000006D ("unknown user name or bad password"); the specific cause is in Sub Status: 0xC0000064 (user name does not exist), 0xC000006A (wrong password), 0xC0000234 (account locked out), 0xC0000072 (account disabled). The source is the IpAddress field, which is "-" or a loopback address for local and some NTLM logons. Event ID 4740 (account lockout) is written on the domain controller and names the Caller Computer Name from which the bad attempts came. For domain accounts authenticating with Kerberos, bad passwords appear as 4771 (pre-authentication failed) on the DC rather than as 4625 on the target host, so collect both. A quick check of the last hour: Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4625; StartTime=(Get-Date).AddHours(-1)}.
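The burst detection described above, as an added example that is not part of the original page. Records are assumed already flattened to their EventData fields (TargetUserName, IpAddress, Status, SubStatus), which is what you get by pulling each event's XML apart; the rows at the bottom are constructed sample data, and the threshold and window are tuning assumptions.

```powershell
# Added example (not the reference's own code): sliding-window detection of
# brute force and password spraying over flattened 4625 records.

$FailureReasons = @{
    '0xc000006a' = 'wrong password';        '0xc0000064' = 'user does not exist'
    '0xc0000234' = 'account locked out';    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'outside logon hours';   '0xc0000070' = 'workstation restriction'
    '0xc0000071' = 'password expired';      '0xc000015b' = 'logon type not granted'
}

function Get-FailureReason {
    # 4625 normally reports the generic Status 0xC000006D; the real cause is in SubStatus.
    param($Record)
    $code = if ($Record.SubStatus -and $Record.SubStatus -ne '0x0') { $Record.SubStatus } else { $Record.Status }
    $code = $code.ToLower()
    if ($FailureReasons.ContainsKey($code)) { return $FailureReasons[$code] } else { return $code }
}

function Find-LogonFailureBursts {
    param(
        [Parameter(Mandatory)][object[]]$Failures,
        [int]$Threshold = 5,          # failures from one source inside the window (assumption)
        [int]$WindowMinutes = 10
    )
    $window = [timespan]::FromMinutes($WindowMinutes)
    foreach ($group in ($Failures | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object Time)
        $start = 0
        while ($start -lt $sorted.Count) {
            # Grow the window from $start as far as the timestamps allow.
            $end = $start
            while ($end + 1 -lt $sorted.Count -and ($sorted[$end + 1].Time - $sorted[$start].Time) -le $window) { $end++ }
            $count = $end - $start + 1
            if ($count -lt $Threshold) { $start++; continue }
            $slice = $sorted[$start..$end]
            $users = @($slice.TargetUserName | Sort-Object -Unique)
            # Many accounts with few tries each is spraying; one account hammered is brute force.
            $pattern = if ($users.Count -ge [math]::Max(3, $count / 2)) { 'password spray' } else { 'brute force' }
            $reasons = ($slice | ForEach-Object { Get-FailureReason $_ } | Group-Object |
                        ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }) -join ', '
            [pscustomobject]@{
                SourceIp      = $group.Name
                Pattern       = $pattern
                Failures      = $count
                DistinctUsers = $users.Count
                First         = $slice[0].Time
                Last          = $slice[-1].Time
                Reasons       = $reasons
            }
            $start = $end + 1         # one finding per burst, then keep scanning
        }
    }
}

function New-Failure([string]$Time, [string]$User, [string]$Ip, [string]$SubStatus) {
    # Shape of a flattened 4625; 0xC000006D is the Status the log carries for credential failures.
    [pscustomobject]@{ Time = [datetime]$Time; TargetUserName = $User; IpAddress = $Ip; Status = '0xc000006d'; SubStatus = $SubStatus }
}

$Sample = @(
    # spray from one external address: six users, one attempt each, inside ninety seconds
    New-Failure '2024-05-01T02:00:05' 'alice'      '203.0.113.7' '0xc000006a'
    New-Failure '2024-05-01T02:00:21' 'bob'        '203.0.113.7' '0xc000006a'
    New-Failure '2024-05-01T02:00:37' 'carol'      '203.0.113.7' '0xc000006a'
    New-Failure '2024-05-01T02:00:52' 'dave'       '203.0.113.7' '0xc0000064'
    New-Failure '2024-05-01T02:01:10' 'erin'       '203.0.113.7' '0xc000006a'
    New-Failure '2024-05-01T02:01:28' 'frank'      '203.0.113.7' '0xc0000072'
    # one internal host hammering a service account until it locks
    New-Failure '2024-05-01T09:14:00' 'svc_backup' '10.0.0.50'   '0xc000006a'
    New-Failure '2024-05-01T09:14:02' 'svc_backup' '10.0.0.50'   '0xc000006a'
    New-Failure '2024-05-01T09:14:03' 'svc_backup' '10.0.0.50'   '0xc000006a'
    New-Failure '2024-05-01T09:14:05' 'svc_backup' '10.0.0.50'   '0xc000006a'
    New-Failure '2024-05-01T09:14:06' 'svc_backup' '10.0.0.50'   '0xc0000234'
    # a user mistyping twice an hour apart: below threshold, no finding
    New-Failure '2024-05-01T10:02:00' 'grace'      '10.0.0.8'    '0xc000006a'
    New-Failure '2024-05-01T11:05:00' 'grace'      '10.0.0.8'    '0xc000006a'
)
Find-LogonFailureBursts -Failures $Sample | Format-Table -AutoSize
```

On a live host, feed the function the output of Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=(Get-Date).AddHours(-1)} after flattening each event's XML; the sample yields one "password spray" finding for 203.0.113.7 and one "brute force" finding for 10.0.0.50 whose reasons end in "account locked out".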

How do I use PowerShell Get-WinEvent to query event logs?

Get-WinEvent is the modern PowerShell cmdlet for querying Windows event logs (reading the Security log requires administrator rights or membership in Event Log Readers). Use -FilterHashtable so the event log service filters before any event is materialised: Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4624; StartTime=(Get-Date).AddDays(-7)}. For conditions the hashtable cannot express, such as matching a field inside EventData, use -FilterXPath, or -FilterXml with the same QueryList XML that Event Viewer custom views use. Export results with Export-Csv: Get-WinEvent -LogName Security -MaxEvents 1000 | Select-Object TimeCreated, Id, Message | Export-Csv "events.csv". FilterHashtable is significantly faster than piping everything to Where-Object because rendering each event, the Message property in particular, is the expensive part; when you need individual fields, read them from $event.Properties or $event.ToXml() rather than parsing Message.

What events indicate malicious service installation?

Event ID 7045 (System log, source Service Control Manager) records every new service installation with the service name, image path (ImagePath), service type, start type, and the account it runs as. This is critical for detecting malware that installs itself as a service, and it also catches remote-execution tools that work by installing a temporary service. Event ID 4697 in the Security Log records the same installation from the audit side, including the installing account and its logon ID; it requires the "Audit Security System Extension" subcategory to be enabled. Compare the image path against a known-good baseline: a service whose binary sits outside the Windows and Program Files directories, or whose ImagePath is an interpreter command line rather than a binary, deserves immediate review. Sysmon Event ID 1 with ParentImage set to services.exe identifies the processes those services actually launch.
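The baseline comparison described above, as an added example that is not the reference's own code. It triages flattened 7045 records (ServiceName, ImagePath, StartType, AccountName) against an allow-list of binary locations plus a few patterns that malicious installs leave in ImagePath; the baseline directories, the patterns and the sample records are constructed for illustration.

```powershell
# Added example (not from the original page): flag 7045 service installs whose
# binary is outside the baseline or whose ImagePath looks like a payload launcher.

$BaselineDirs = @('C:\Windows\System32\', 'C:\Windows\SysWOW64\', 'C:\Program Files\', 'C:\Program Files (x86)\')

function Get-ServiceExecutable {
    # ImagePath may be quoted, carry arguments, or use %SystemRoot% / \SystemRoot / system32\ forms.
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    $exe = if ($p.StartsWith('"')) { $p.Split('"')[1] } else { ($p -split '\s+')[0] }
    $exe = $exe -replace '^(%SystemRoot%|%windir%|\\SystemRoot)(?=\\)', 'C:\Windows'
    if ($exe -match '^system32\\') { $exe = 'C:\Windows\' + $exe }
    return $exe
}

function Test-ServiceInstall {
    param([Parameter(Mandatory)][object[]]$Installs)   # flattened 7045 records
    foreach ($svc in $Installs) {
        $exe = Get-ServiceExecutable $svc.ImagePath
        $findings = @()
        $inBaseline = $false
        foreach ($dir in $BaselineDirs) {
            if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inBaseline = $true }
        }
        if (-not $inBaseline) { $findings += 'binary outside baseline directories' }
        if ($exe -match '\\(Temp|AppData|Users\\Public|ProgramData)\\') { $findings += 'user-writable location' }
        if ($exe -match '(?:^|\\)(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)\.exe$') {
            $findings += 'interpreter or LOLBin as service binary'
        }
        if ($svc.ImagePath -match '\s-(e|en|enc|encodedcommand)\s|FromBase64String|DownloadString|IEX\s') {
            $findings += 'encoded or downloading command line'
        }
        $verdict = if ($findings) { 'REVIEW' } else { 'ok' }
        [pscustomobject]@{
            ServiceName = $svc.ServiceName
            Executable  = $exe
            StartType   = $svc.StartType
            Account     = $svc.AccountName
            Verdict     = $verdict
            Findings    = $findings -join '; '
        }
    }
}

# Constructed sample installs: a vendor agent, the service PsExec drops, a
# random-named cmd/powershell launcher, and a binary in a world-writable folder.
$Sample = @(
    [pscustomobject]@{ ServiceName = 'ExampleAgent'; ImagePath = '"C:\Program Files\Example\Agent\agent.exe" --service'; StartType = 'auto start';   AccountName = 'LocalSystem' }
    [pscustomobject]@{ ServiceName = 'PSEXESVC';     ImagePath = '%SystemRoot%\PSEXESVC.exe';                          StartType = 'demand start'; AccountName = 'LocalSystem' }
    [pscustomobject]@{ ServiceName = 'wmPtuWkT';     ImagePath = 'cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA'; StartType = 'demand start'; AccountName = 'LocalSystem' }
    [pscustomobject]@{ ServiceName = 'UpdaterSvc';   ImagePath = 'C:\Users\Public\updater.exe';                         StartType = 'auto start';   AccountName = 'LocalSystem' }
)
Test-ServiceInstall -Installs $Sample | Format-Table -AutoSize

# Live host: Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; ID = 7045 }
# and flatten each event's XML (Data names: ServiceName, ImagePath, ServiceType, StartType, AccountName).
```

Only the first sample comes back "ok"; the PsExec service is flagged because %SystemRoot%\PSEXESVC.exe is outside System32, and the last two collect several findings each. Treat the allow-list as a starting point and extend it from a golden image rather than from a host you already suspect.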

How do I track process creation and command-line arguments?

Event ID 4688 records new process creation: the new process name and PID (NewProcessId), the creator process PID (ProcessId) and, on current Windows versions, the creator's name (ParentProcessName). It requires the "Audit Process Creation" subcategory (Detailed Tracking) to be enabled. Command lines are not captured by default; enable them via Group Policy under Computer Configuration > Administrative Templates > System > Audit Process Creation > "Include command line in process creation events", bearing in mind that command lines can contain passwords and tokens, so access to the Security log then needs matching control. Event ID 4689 records process termination. Together, these events allow parent-child process tree reconstruction; because the PIDs are hex strings and get reused, join a child's creator PID to the most recent earlier 4688 for that PID rather than to any match. Sysmon Event ID 1 provides richer data including file hashes and the parent command line, making it preferred for threat detection.
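The tree reconstruction described above, as an added example that is not part of the original reference. It works on flattened 4688 records, joins a child's creator PID to the most recent earlier creation of that PID so that a reused PID attaches to the right parent, and flags Office-to-shell descents; the records, paths and the suspicious-chain pattern are constructed for the example.

```powershell
# Added example (not the page's own code): rebuild parent/child chains from
# flattened 4688 records, PID reuse included, and flag Office-to-shell descents.

function Get-BaseName([string]$Path) { return ($Path -split '[\\/]')[-1] }

function Get-ProcessChains {
    param([Parameter(Mandatory)][object[]]$Events)   # Time, NewProcessId, NewProcessName, ProcessId, ParentProcessName, CommandLine
    $sorted = @($Events | Sort-Object Time)
    $createdBy = @{}          # pid -> time-ordered 4688 records that created that pid
    foreach ($e in $sorted) {
        $k = $e.NewProcessId.ToLower()
        if (-not $createdBy.ContainsKey($k)) { $createdBy[$k] = @() }
        $createdBy[$k] += $e
    }
    foreach ($e in $sorted) {
        $chain = @(Get-BaseName $e.NewProcessName)
        $cur = $e
        for ($hops = 0; $hops -lt 32; $hops++) {
            $k = $cur.ProcessId.ToLower()
            $parent = $null
            if ($createdBy.ContainsKey($k)) {
                # The live parent is the latest creation of that PID strictly before this event.
                $parent = @($createdBy[$k] | Where-Object { $_.Time -lt $cur.Time })[-1]
            }
            if ($null -eq $parent) {
                # No 4688 for the creator in the window: fall back to the name 4688 itself records.
                $chain += Get-BaseName $cur.ParentProcessName
                break
            }
            $chain += Get-BaseName $parent.NewProcessName
            $cur = $parent
        }
        [array]::Reverse($chain)
        $text = $chain -join ' > '
        [pscustomobject]@{
            Time        = $e.Time
            Pid         = $e.NewProcessId
            Suspicious  = $text -match '(winword|excel|powerpnt|outlook)\.exe > .*(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe'
            Chain       = $text
            CommandLine = $e.CommandLine
        }
    }
}

function New-Proc([string]$Time, [string]$NewPid, [string]$Image, [string]$CreatorPid, [string]$Parent, [string]$Cmd = '') {
    [pscustomobject]@{ Time = [datetime]$Time; NewProcessId = $NewPid; NewProcessName = $Image; ProcessId = $CreatorPid; ParentProcessName = $Parent; CommandLine = $Cmd }
}

# Constructed sample: Word spawns cmd which spawns PowerShell; later PID 0x4d8 is
# reused by an unrelated program whose child must not be attached to cmd.exe.
$Office = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
$Sample = @(
    New-Proc '2024-05-01T09:00:00' '0x1a4' 'C:\Windows\explorer.exe' '0x3c8' 'C:\Windows\System32\userinit.exe'
    New-Proc '2024-05-01T09:05:00' '0x2b0' $Office '0x1a4' 'C:\Windows\explorer.exe'
    New-Proc '2024-05-01T09:06:10' '0x4d8' 'C:\Windows\System32\cmd.exe' '0x2b0' $Office 'cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA'
    New-Proc '2024-05-01T09:06:11' '0x5e0' 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' '0x4d8' 'C:\Windows\System32\cmd.exe' 'powershell -nop -w hidden -enc SQBFAFgA'
    New-Proc '2024-05-01T09:30:00' '0x4d8' 'C:\Program Files\Example\browser.exe' '0x1a4' 'C:\Windows\explorer.exe'
    New-Proc '2024-05-01T09:31:00' '0x6f0' 'C:\Program Files\Example\browser.exe' '0x4d8' 'C:\Program Files\Example\browser.exe'
)
Get-ProcessChains -Events $Sample | Format-Table Time, Pid, Suspicious, Chain -AutoSize
```

cmd.exe and powershell.exe come back with Suspicious set and the chain userinit.exe > explorer.exe > WINWORD.EXE > cmd.exe > powershell.exe, while the second browser.exe resolves to explorer.exe > browser.exe > browser.exe despite sharing PID 0x4d8 with the earlier cmd.exe. Without the time-ordered join that child would have been hung off cmd.exe and counted as a false positive.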

What is Sysmon and how does it enhance Windows event logging?

Sysmon (System Monitor) is a Microsoft Sysinternals tool, a kernel driver plus a service, that extends Windows event logging with detailed security-relevant events. Key Event IDs: 1 (process creation with command line, parent and file hashes), 3 (network connection with source and destination), 7 (image/DLL load with signature status), 8 (CreateRemoteThread, for injection detection), 10 (process access, for example handles opened to lsass.exe), 11 (file creation), 12/13/14 (registry key created or deleted, value set, key renamed), and 22 (DNS query). Sysmon writes to the Microsoft-Windows-Sysmon/Operational log, and an XML configuration file controls which of these events are recorded and which images, paths or targets are included or excluded; tune it, because an unfiltered configuration is too noisy to keep.
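A configuration of the kind described above, as an added example that is neither the page's nor Sysinternals' own material. It records the event types listed while dropping the noisiest sources, is written to disk and then installed or refreshed with Sysmon's own command-line switches; the exclusions and include patterns are assumptions for a generic workstation, the staging path is arbitrary, and the schemaversion must not exceed what your Sysmon binary supports (sysmon64 -? prints it).

```powershell
# Added example (not from the reference page): a small Sysmon configuration and
# the install/refresh commands. Tune every rule to your estate before relying on it.

$SysmonConfig = @'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- ID 1: every process creation except two high-volume system binaries -->
    <RuleGroup name="ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- ID 3: network connections only from interpreters and LOLBins -->
    <RuleGroup name="NetworkConnect" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <Image condition="end with">cmd.exe</Image>
        <Image condition="end with">rundll32.exe</Image>
        <Image condition="end with">mshta.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <!-- ID 7: DLL loads that are unsigned or come from a user profile path (noisy; narrow it) -->
    <RuleGroup name="ImageLoad" groupRelation="or">
      <ImageLoad onmatch="include">
        <Signed condition="is">false</Signed>
        <ImageLoaded condition="contains">\AppData\</ImageLoaded>
      </ImageLoad>
    </RuleGroup>
    <!-- ID 8: every CreateRemoteThread (an empty exclude list logs everything) -->
    <CreateRemoteThread onmatch="exclude"/>
    <!-- ID 11: files dropped into startup folders, plus any new PowerShell script -->
    <RuleGroup name="FileCreate" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <!-- IDs 12/13/14: Run keys and service definitions -->
    <RuleGroup name="RegistryEvent" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
        <TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$null = [xml]$SysmonConfig                     # fail early on malformed XML before touching the driver
$configPath = Join-Path ([IO.Path]::GetTempPath()) 'sysmon-config.xml'   # staging path is an assumption
Set-Content -Path $configPath -Value $SysmonConfig -Encoding UTF8

$sysmon = Get-Command sysmon64.exe -ErrorAction SilentlyContinue
if ($sysmon) {
    if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
        & $sysmon.Source -c $configPath               # replace the configuration of the running driver
    } else {
        & $sysmon.Source -accepteula -i $configPath   # first install: driver, service and this configuration
    }
    # Confirm events are flowing: image, parent and hashes of the five newest process creations
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; ID = 1 } -MaxEvents 5 |
        ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data | Where-Object { $_.Name -in @('Image', 'ParentImage', 'Hashes') } }
} else {
    "sysmon64.exe not found on PATH; configuration written to $configPath"
}
```

Each RuleGroup is either an include list (log only matches) or an exclude list (log everything but matches); mixing the two for one event type in the same file is what causes most silent gaps, so check with sysmon64 -c (no argument) that the loaded rules are the ones you wrote.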

How do I detect evidence tampering through log clearing?

Event ID 1102 (source Microsoft-Windows-Eventlog) is written to the Security Log when that log is cleared, whether through Event Viewer or wevtutil cl Security, and records the account that did it; it is written immediately after the clear, so it survives it. Event ID 104 in the System log records clears of the other logs (System, Application and custom channels). A gap in the EventRecordID sequence, or a log whose oldest event is much more recent than the host's uptime, also indicates tampering, as does a Security log that stops abruptly because the auditing policy or the Event Log service was turned off. Forward critical events to a central collector with Windows Event Forwarding (WEF, managed with wecutil) or a SIEM, so that a copy exists that the compromised host cannot alter.
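An added example, not part of the original reference, that serves both the Get-WinEvent question above and this one: it builds the QueryList XML that Get-WinEvent -FilterXml, Event Viewer custom views and wevtutil /sq all accept, with the time and EventData filtering done by the event log service rather than in PowerShell. The two queries at the bottom are the RDP-logon and the log-clearing cases; the function and parameter names are this example's own.

```powershell
# Added example (not the page's own code): generate event log QueryList XML from
# a short spec, covering EventData field matches, providers and a time window.

function ConvertTo-XmlText([string]$Text) { [System.Security.SecurityElement]::Escape($Text) }

function New-EventQueryXml {
    # Each spec: Path (log), Ids (one or more event IDs) and optionally Provider,
    # Data (@{ FieldName = Value }, matched inside EventData) and SinceHours.
    param([Parameter(Mandatory)][hashtable[]]$Specs)
    $selects = foreach ($q in $Specs) {
        $ids = @($q.Ids | ForEach-Object { "EventID=$_" }) -join ' or '
        $system = "($ids)"
        if ($q.Provider) { $system = "Provider[@Name='$(ConvertTo-XmlText $q.Provider)'] and $system" }
        if ($q.SinceHours) {
            # timediff() works in milliseconds; '<' must be XML-escaped inside the element text
            $system += " and TimeCreated[timediff(@SystemTime) &lt;= $([int64]$q.SinceHours * 3600000)]"
        }
        $clauses = @("*[System[$system]]")
        if ($q.Data) {
            foreach ($name in $q.Data.Keys) {
                $clauses += "*[EventData[Data[@Name='$name']='$(ConvertTo-XmlText $q.Data[$name])']]"
            }
        }
        "<Select Path=`"$($q.Path)`">$($clauses -join ' and ')</Select>"
    }
    "<QueryList><Query Id=`"0`" Path=`"$($Specs[0].Path)`">$(-join $selects)</Query></QueryList>"
}

# (a) RDP logons in the last 7 days, filtered on an EventData field by the log service itself
$rdpLast7d = New-EventQueryXml -Specs @{ Path = 'Security'; Ids = 4624; Data = @{ LogonType = 10 }; SinceHours = 168 }
# (b) log clearing: 1102 from the Security log and 104 from System in one query list
$logClears = New-EventQueryXml -Specs @(
    @{ Path = 'Security'; Ids = 1102 },
    @{ Path = 'System';   Ids = 104; Provider = 'Microsoft-Windows-Eventlog' }
)
$rdpLast7d
$logClears

# Windows host:  Get-WinEvent -FilterXml ([xml]$logClears) | Select-Object TimeCreated, LogName, Id, Message
# The same text goes into a custom view's XML tab, or into a file for  wevtutil qe query.xml /sq:true
```

Query (a) renders as *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]] and *[EventData[Data[@Name='LogonType']='10']], which is exactly what Event Viewer writes for the equivalent custom view. The event log's XPath subset has no contains() or starts-with(), so substring matching still has to happen client-side after the narrowest possible server-side filter; a value containing an apostrophe needs the double-quoted XPath literal form instead of the single-quoted one used here.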

How do I set up centralized event log collection?

Use Windows Event Forwarding (WEF) with the Windows Event Collector service. On the collector, run "wecutil qc" once, then create subscription XML files that define which events to collect and which computers may send them, and load each with "wecutil cs subscription.xml". Configure the source computers via Group Policy (Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager, pointing at the collector's WinRM URL) and allow the Network Service account to read the Security log, for example by adding it to the Event Log Readers group. Size the logs so they do not wrap before collection: "wevtutil sl Security /ms:1073741824" sets a 1 GB maximum. For enterprise environments, forward from the collector to a SIEM platform for correlation, alerting, and long-term retention.
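The subscription and collector steps described above, as an added example that is not the page's own material. It defines a source-initiated subscription that pulls the events discussed on this page from every domain computer into the collector's ForwardedEvents log, creates it with wecutil, and lists the settings the sources need; the subscription name, latency figures, event selection, log size and the collector host name are assumptions to adapt, while the element order follows the subscription schema and should be kept.

```powershell
# Added example (not from the reference page): a WEF subscription plus the
# collector-side commands; source-side settings are shown as comments.

$Subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/02/events/subscription">
  <SubscriptionId>SecurityBaseline</SubscriptionId>
  <Subscription Type>SourceInitiated</SubscriptionType>
  <Description>Logons, process creation, service installs and log clears</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=1102 or EventID=4624 or EventID=4625 or EventID=4688 or EventID=4697 or EventID=4720 or EventID=4740)]]</Select>
        <Select Path="System">*[System[(EventID=104 or EventID=7045)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- SDDL: Domain Computers (DC) and Network Service (NS) may deliver events -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@

$null = [xml]$Subscription                        # catch malformed XML before handing it to wecutil
$subPath = Join-Path ([IO.Path]::GetTempPath()) 'SecurityBaseline.xml'
Set-Content -Path $subPath -Value $Subscription -Encoding UTF8

if (Get-Command wecutil -ErrorAction SilentlyContinue) {
    # Collector side (run elevated)
    wecutil qc /q:true                            # enable and start the Windows Event Collector service
    wecutil cs $subPath                           # create the subscription from the file
    wevtutil sl ForwardedEvents /ms:4294967296    # 4 GB so the destination log does not wrap between SIEM pulls
    wecutil gr SecurityBaseline                   # runtime status: which sources have connected, last heartbeat
} else {
    "wecutil not available here; subscription written to $subPath"
}

# Source side, via Group Policy rather than by hand:
#   Computer Configuration > Administrative Templates > Windows Components > Event Forwarding >
#   Configure target Subscription Manager = Server=http://collector.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60
#   (collector.corp.example is a placeholder). WinRM must be listening (winrm quickconfig), and the
#   Network Service account needs read access to the Security log, for example:
#   net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
```

A source that never shows up in "wecutil gr" output almost always has one of three problems: the GPO has not refreshed (gpupdate /force and check the WinRM log on the source), WinRM is not listening on 5985, or Network Service cannot read the Security log. Keep ContentFormat as RenderedText if the collector is the only place the events are read; switch to Events when a SIEM parses the XML itself, which cuts the transfer size considerably.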