10 critical event IDs to monitor


Randy Franklin Smith (CISA, SSCP, Security MVP) has in his arsenal a very useful document describing which events (event IDs) must be monitored to maintain Windows security. It provides extremely useful information that lets you squeeze the most out of the standard audit system. We have prepared a translation of this material; details are under the cut.

We have already written in detail about how to set up auditing in one of our earlier posts. But of all the event IDs that appear in the event logs, a few critical ones deserve particular attention. Which ones is up to each administrator to decide; Randy Franklin Smith, however, suggests focusing on the following 10 Windows security events.

Domain controllers


Event ID - (Category) - Description

1) 675 or 4771
(Audit logon events)
Event 675/4771 on a domain controller indicates a failed Kerberos logon attempt from a workstation with a domain account. Usually the cause is an incorrect password, but the failure code says exactly why authentication failed. The Kerberos failure codes are listed below.

2) 676, or failed 672, or 4768
(Audit logon events)
Event 676/4768 is logged for other kinds of failed Kerberos authentication (a failed request for a ticket-granting ticket). The Kerberos failure codes are listed below.
NOTE: On Windows Server 2003 the failure is recorded as a failed 672 rather than as 676.

3) 681, or failed 680, or 4776
(Audit logon events)
Event 681/4776 on a domain controller indicates a failed logon attempt through NTLM with a domain account. The error code says why authentication failed. The NTLM error codes are listed below.
NOTE: On Windows Server 2003 the failure is recorded as a failed 680 rather than as 681.

4) 642 or 4738
(Audit account management)
Event 642/4738 indicates a change to the specified user account, such as a password reset or the enabling of an account that was previously disabled. The event description states the kind of change.

5) 632 or 4728; 636 or 4732; 660 or 4756
(Audit account management)
All three events indicate that the specified user was added to a security-enabled group: a global, local, or universal group respectively for each pair of IDs.

6) 624 or 4720
(Audit account management)
A new user account was created.

7) 644 or 4740
(Audit account management)
The specified user account was locked out after too many failed logon attempts.

8) 517 or 1102
(Audit system events)
The specified user cleared the security log.
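As an added example (not part of the quick reference and not Netwrix's own code), the PowerShell below pulls these ten events from a domain controller's Security log for the last 24 hours and prints one triage line per event. It assumes the Vista/2008-and-later IDs, PowerShell 3.0 or newer, and an account allowed to read the Security log; the field names it reads (SubjectUserName, TargetUserName, MemberName, IpAddress, Workstation, Status) are the ones the Security log writes into the event XML.

```powershell
# Added example: the ten domain-controller events above, pulled from the Security
# log of the last 24 hours and reduced to one triage line each.
$CriticalIds = @{
    4771 = 'Kerberos pre-authentication failed'
    4768 = 'Kerberos TGT request failed'
    4776 = 'NTLM credential validation failed'
    4738 = 'User account changed'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4720 = 'User account created'
    4740 = 'User account locked out'
    1102 = 'Audit log cleared'
}

# Return an event's data fields as a name -> value hashtable. Most Security events
# keep them under EventData; 1102 keeps them under UserData/LogFileCleared.
function Get-EventFields($Event) {
    $x = ([xml]$Event.ToXml()).Event
    $fields = @{}
    foreach ($d in $x.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    foreach ($n in $x.UserData.LogFileCleared.ChildNodes) { $fields[$n.LocalName] = $n.InnerText }
    return $fields
}

$filter = @{
    LogName   = 'Security'
    Id        = @($CriticalIds.Keys)
    StartTime = (Get-Date).AddHours(-24)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    # 4768 and 4776 are also written for successes; a Status of 0x0 means success.
    if (($_.Id -in 4768, 4776) -and $f.Status -eq '0x0') { return }

    $actor = if ($f.SubjectUserName) { "$($f.SubjectDomainName)\$($f.SubjectUserName)" } else { '' }
    # Source: IP address for the Kerberos events, workstation name for NTLM, and for
    # 4740 the caller computer name, which that event stores in TargetDomainName.
    $source = if ($f.IpAddress) { $f.IpAddress }
              elseif ($f.Workstation) { $f.Workstation }
              elseif ($_.Id -eq 4740) { $f.TargetDomainName }
              else { '' }

    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        What   = $CriticalIds[$_.Id]
        Actor  = $actor              # who made the change (empty for authentication failures)
        Target = $f.TargetUserName   # account or group affected
        Member = $f.MemberName       # only set by the group-membership events
        Source = $source
        Status = $f.Status
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it on the domain controller itself, or add -ComputerName to Get-WinEvent to query one remotely. The 4768 and 4776 filter matters: both IDs are logged for successful authentications as well, and without the Status check a busy domain controller will bury the failures under thousands of successes.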

Logon / Logoff


Event ID - Description

528 or 4624 - Successful logon
529 or 4625 - Logon failure - Unknown user name or bad password
530 or 4625 - Logon failure - Logon time restriction violation (attempt outside the permitted hours)
531 or 4625 - Logon failure - Account currently disabled
532 or 4625 - Logon failure - The specified account has expired
533 or 4625 - Logon failure - The user is not allowed to log on at this computer
534 or 4625 or 5461 - Logon failure - The user has not been granted the requested logon type at this computer
535 or 4625 - Logon failure - The specified account's password has expired
539 or 4625 - Logon failure - Account locked out
540 or 4624 - Successful network logon (Windows 2000, XP and Server 2003 only; later versions log 4624 for every logon type)

Logon Types


Logon type - Description

2 - Interactive (logon at the keyboard and screen of the system)
3 - Network (for example, connecting to a shared folder on this computer from elsewhere on the network, or an IIS logon; on Windows 2000 through Server 2003 a network logon is never recorded as 528, see event 540)
4 - Batch (e.g. a scheduled task)
5 - Service (service startup)
7 - Unlock (e.g. unlocking a workstation whose password-protected screensaver had engaged)
8 - NetworkCleartext (logon with credentials sent in clear text; usually an IIS logon with Basic authentication)
9 - NewCredentials (e.g. RunAs /netonly: the caller keeps its own token but uses new credentials for outbound connections)
10 - RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11 - CachedInteractive (logon with cached domain credentials, for example logging on to a workstation that is disconnected from the network)

Kerberos Failure Codes


Error code (decimal; the Security log shows it in hex) - Reason

6 (0x6) - The user name does not exist (KDC_ERR_C_PRINCIPAL_UNKNOWN)
12 (0xC) - KDC policy rejected the request: workstation restriction or logon-hours restriction (KDC_ERR_POLICY)
18 (0x12) - The account is disabled, locked out, or has expired (KDC_ERR_CLIENT_REVOKED)
23 (0x17) - The user's password has expired (KDC_ERR_KEY_EXPIRED)
24 (0x18) - Pre-authentication failed; usually an incorrect password (KDC_ERR_PREAUTH_FAILED)
32 (0x20) - Ticket expired. This is a normal event, frequently logged by computer accounts (KRB_AP_ERR_TKT_EXPIRED)
37 (0x25) - The workstation's clock differs from the domain controller's by more than the permitted skew, 5 minutes by default (KRB_AP_ERR_SKEW)

NTLM Error Codes


Error code (decimal) - Error code (hex) - Description

3221225572 - C0000064 - The user name does not exist (STATUS_NO_SUCH_USER)
3221225578 - C000006A - The user name is valid but the password is wrong (STATUS_WRONG_PASSWORD)
3221226036 - C0000234 - The user account is locked out (STATUS_ACCOUNT_LOCKED_OUT)
3221225586 - C0000072 - The account is disabled (STATUS_ACCOUNT_DISABLED)
3221225583 - C000006F - The user tried to log on outside the permitted logon hours (STATUS_INVALID_LOGON_HOURS)
3221225584 - C0000070 - Workstation restriction: the user may not log on from this computer (STATUS_INVALID_WORKSTATION)
3221225875 - C0000193 - The account has expired (STATUS_ACCOUNT_EXPIRED)
3221225585 - C0000071 - The password has expired (STATUS_PASSWORD_EXPIRED)
3221226020 - C0000224 - The user must change the password at the next logon (STATUS_PASSWORD_MUST_CHANGE)

These are NTSTATUS values: event 4776 records one in its Status field, and event 4625 records it in its Status or Sub Status field.
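An added example, again not from the original document, that decodes failed authentications (4771, 4768, 4776 and 4625) with the three tables above (Kerberos codes, NTLM/NTSTATUS codes, logon types) and then counts failures per user and source. The Security log writes the Kerberos code as a short hex string (0x18 for 24) and the NTSTATUS as 0xc000006a, so the script casts them to integers before the table lookup; the field names are the ones the event XML uses, and the threshold of 10 failures is an arbitrary assumption.

```powershell
# Added example: decode 4771/4768/4776/4625 failures with the three tables above.
# Keys are the decimal codes from the tables. The Security log stores Kerberos codes
# as short hex strings ("0x18" for 24) and NTSTATUS values as "0xc000006a"; [int]
# and [int64] casts turn those into the decimal keys. [int64] is needed for NTSTATUS
# because an [int] cast of "0xc000006a" wraps to a negative number.
$KerberosReason = @{
    6  = 'Username does not exist'
    12 = 'Workstation or logon-hours restriction'
    18 = 'Account disabled, locked out or expired'
    23 = 'Password expired'
    24 = 'Pre-authentication failed (usually a wrong password)'
    32 = 'Ticket expired (normal for computer accounts)'
    37 = 'Clock skew too great'
}
$NtlmReason = @{
    3221225572 = 'Username does not exist'                  # 0xC0000064
    3221225578 = 'Wrong password'                           # 0xC000006A
    3221226036 = 'Account locked out'                       # 0xC0000234
    3221225586 = 'Account disabled'                         # 0xC0000072
    3221225583 = 'Logon outside the permitted hours'        # 0xC000006F
    3221225584 = 'Workstation restriction'                  # 0xC0000070
    3221225875 = 'Account expired'                          # 0xC0000193
    3221225585 = 'Password expired'                         # 0xC0000071
    3221226020 = 'Password must be changed at next logon'   # 0xC0000224
}
$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# Return an event's EventData fields as a name -> value hashtable.
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$filter = @{ LogName = 'Security'; Id = 4771, 4768, 4776, 4625; StartTime = (Get-Date).AddHours(-24) }
$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    $logonType = ''
    if ($_.Id -in 4771, 4768) {
        if ($f.Status -eq '0x0') { return }              # 4768 is also logged for successful TGT requests
        $code   = $f.Status
        $reason = $KerberosReason[[int]$code]
        $source = $f.IpAddress
    }
    elseif ($_.Id -eq 4776) {
        if ($f.Status -eq '0x0') { return }              # successful NTLM validation
        $code   = $f.Status
        $reason = $NtlmReason[[int64]$code]
        $source = $f.Workstation
    }
    else {                                               # 4625: the detail is usually in SubStatus
        $code      = if ($f.SubStatus -ne '0x0') { $f.SubStatus } else { $f.Status }
        $reason    = $NtlmReason[[int64]$code]
        $source    = $f.IpAddress
        $logonType = $LogonTypeName[[int]$f.LogonType]
    }
    if (-not $reason) { $reason = "Code $code not in table" }

    [pscustomobject]@{
        Time = $_.TimeCreated; Id = $_.Id; User = $f.TargetUserName
        Source = $source; LogonType = $logonType; Reason = $reason
    }
}

$failures | Sort-Object Time -Descending | Format-Table -AutoSize

# Many failures for one user from one source inside the window is the brute-force /
# password-spray pattern that ends in a 4740 lockout; list those pairs first.
# The threshold of 10 is an assumption; tune it to the domain's lockout policy.
$failures | Group-Object User, Source | Where-Object Count -ge 10 |
    Sort-Object Count -Descending | Select-Object Count, Name
```

The 4625 branch prefers Sub Status because Windows usually puts the generic 0xC000006D (logon failure) in Status and the real cause (for example 0xC000006A, wrong password) in Sub Status; a lockout, by contrast, arrives as Status 0xC0000234 with a zero Sub Status, which is why the fallback to Status is kept.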

Once again, here is the link to download the document from Randy Franklin Smith's website: www.ultimatewindowssecurity.com/securitylog/quickref/Default.aspx . You will need to fill out a short form to get access to it.

PS Want to automate working with event logs completely? Try the new version of NetWrix Event Log Manager 4.0, which collects and archives event logs, builds reports, and generates real-time alerts. The program gathers data from many computers on the network, warns you about critical events, and stores all event data centrally in compressed form for convenient analysis of archived logs. A free version is available for up to 10 domain controllers and 100 computers.
