Important Windows Event IDs for SIEM Monitoring

What are Windows Event IDs?

Windows Event IDs are unique codes that represent specific activities or changes that occur within a Windows operating system. These events are recorded in the Windows Event Viewer and are generated by the operating system or applications whenever something noteworthy happens — such as a user logging in, a process being created, or an account being locked out. Each Event ID corresponds to a particular type of activity, making it easier for system administrators and security analysts to quickly identify what occurred and when.

What are Windows Event IDs used for?

Windows Event IDs are used to track user actions, system operations and security-related activities across an IT environment. For security teams, these IDs are vital for detecting anomalies, identifying suspicious activity and supporting forensic investigations. They provide visibility into authentication attempts, privilege escalations, process executions and even log-clearing events that could indicate an attacker’s attempt to cover their tracks. When integrated with a Security Information and Event Management (SIEM) system, these Event IDs become a powerful tool for real-time monitoring, correlation and alerting.

Common / Important Windows Event IDs for SIEM Monitoring

• 4624 – Successful Logon
• Tracks all successful login attempts.
• Useful for spotting unusual logon times, locations, or accounts.
• Image Example: Screenshot of Event Viewer showing a 4624 logon entry.
• 4625 – Failed Logon
• Records failed login attempts.
• High volumes may indicate brute-force or password spraying attacks.
• Image Example: Multiple 4625 events showing repeated login failures.
• 4648 – Logon Using Explicit Credentials
• Logged when ‘Run As’ or alternate credentials are used.
• Helpful in detecting credential misuse and lateral movement.
• 4672 – Special Privileges Assigned to New Logon
• It indicates that an account logged in with administrator or system-level privileges.
• Useful for detecting privilege escalation or suspicious admin activity.
• 4688 – Process Creation
• Logged when a new process starts.
• Crucial for spotting malware execution or unusual scripts.
• Image Example: Event Viewer entry for 4688 showing suspicious PowerShell activity.
• 4740 – Account Lockout
• Triggered when an account is locked after failed login attempts.
• Useful for tracking brute-force attempts.
• 4768 – Kerberos TGT Requested
• Logged when a Kerberos Ticket Granting Ticket (TGT) is requested.
• Helps detect unusual authentication activity.
• 4769 – Kerberos Service Ticket Requested
• Logged when a service ticket is requested.
• Can indicate lateral movement or Golden Ticket attacks.
• 4771 – Kerberos Pre-Authentication Failed
• Logged when Kerberos pre-authentication fails.
• Detects password spraying or brute-force attacks.
• 1102 – Audit Log Cleared
• Triggered when security logs are cleared.
• Often an indicator of attacker activity attempting to hide evidence.
• Image Example: Event Viewer screenshot showing 1102 audit log cleared entry.

How are these Windows Event IDs helpful in SIEM Monitoring?

• Provide real-time visibility into authentication attempts, privilege escalations, and account lockouts.
• Help correlate multiple suspicious activities (e.g., failed logins followed by privilege escalation).
• Enable proactive detection of brute-force, lateral movement, and malware execution.
• Support compliance reporting by tracking critical user and system activities.
• Improve incident response through centralized monitoring and alerting.

Universal vs Specialized Event IDs

• Not every Windows Event ID carries the same weight in every environment. Some are universally important and should always be monitored, while others may be more relevant depending on infrastructure (e.g., Active Directory, Kerberos, or VPN usage).
• Universal / High-Priority IDs
• (track everywhere)
• 4624 – Successful Logon
• 4625 – Failed Logon
• 4672 – Privileged Logon
• 4688 – Process Creation
• 1102 – Audit Log Cleared
• Specialized / Context-Specific IDs (track if environment requires)
• 4648 – Logon Using Explicit Credentials
• 4740 – Account Lockout
• 4768 – Kerberos TGT Requested
• 4769 – Kerberos Service Ticket Requested
• 4771 – Kerberos Pre-Authentication Failed

Why it’s essential to know the Important Windows Event IDs for SIEM Monitoring!

Understanding and monitoring critical Windows Event IDs is essential for building a strong defense against cyber threats. Without this knowledge, organizations risk missing the early warning signs of brute-force attacks, privilege misuse, or malicious software execution. By focusing on high-value Event IDs in SIEM, security teams can not only detect threats faster but also investigate incidents more effectively. In short, Event IDs act as the fingerprints of system activity — knowing how to recognize them is a fundamental skill for every security analyst.