0% found this document useful (0 votes)

6 views4 pages

AD Event ID Reference Guide

Uploaded by

knix.stha

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

6 views4 pages

AD Event ID Reference Guide

Uploaded by

knix.stha

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

Active Directory (AD) Event ID Reference Guide

Account and Authentication Events

Event ID 4624: Successful logon

Event ID 4625: Failed logon

Event ID 4647: User initiated logoff

Event ID 4648: Logon with explicit credentials

Event ID 4675: SIDs were filtered

User Account Changes

Event ID 4720: User account created

Event ID 4722: User account enabled

Event ID 4723: Attempt to change password

Event ID 4724: Attempt to reset password

Event ID 4725: User account disabled

Event ID 4726: User account deleted

Event ID 4738: User account changed

Event ID 4740: Account locked out

Event ID 4767: Account unlocked

Group Membership & Permission Changes

Active Directory (AD) Event ID Reference Guide

Event ID 4727: Security-enabled global group created

Event ID 4728: Member added to security-enabled global group

Event ID 4729: Member removed from security-enabled global group

Event ID 4730: Security-enabled global group deleted

Event ID 4731: Security-enabled local group created

Event ID 4732: Member added to security-enabled local group

Event ID 4733: Member removed from security-enabled local group

Event ID 4734: Security-enabled local group deleted

Event ID 4735: Security-enabled local group changed

Event ID 4756: Member added to a universal group

Event ID 4757: Member removed from a universal group

Event ID 4758: Universal group deleted

Event ID 4759: Universal group changed

Privilege Use and Escalation

Event ID 4670: Permissions on an object were changed

Event ID 4672: Special privileges assigned to new logon

Event ID 4673: A privileged service was called

Active Directory (AD) Event ID Reference Guide

Event ID 4674: An operation was attempted on a privileged object

Kerberos & Ticket Activity

Event ID 4768: TGT was requested

Event ID 4769: TGS was requested

Event ID 4770: TGT was renewed

Event ID 4771: Kerberos pre-authentication failed

Event ID 4776: NTLM authentication attempt

Event ID 4778: Remote desktop session reconnected

Event ID 4779: Remote desktop session disconnected

Changes to Security Settings / Audit Policy

Event ID 4719: System audit policy was changed

Event ID 4902: The Per-user audit policy table was created

Event ID 4907: Auditing settings on an object were changed

Group Policy & Directory Service Changes

Event ID 4739: Domain policy was changed

Event ID 4737: Domain local group changed

Event ID 5132: Security descriptor was changed

Active Directory (AD) Event ID Reference Guide

Event ID 5136: Directory object modified

Event ID 5137: Directory object created

Event ID 5138: Directory object undeleted

Event ID 5139: Directory object moved

Event ID 5141: Directory object deleted

Service and Task Creation

Event ID 4697: A service was installed in the system

Event ID 4698: A scheduled task was created

Event ID 4702: A scheduled task was updated

Lateral Movement & Remote Commands

Event ID 7045: New service was installed (from Sysmon/System logs)

Event ID 5140: A network share was accessed

Event ID 5145: Detailed file share access

Windows Event Logging for Incident Response
No ratings yet
Windows Event Logging for Incident Response
55 pages
Common Windows Event IDs Guide
No ratings yet
Common Windows Event IDs Guide
5 pages
Active Directory Audit Policies Overview
No ratings yet
Active Directory Audit Policies Overview
38 pages
Key Windows Event IDs Explained
No ratings yet
Key Windows Event IDs Explained
24 pages
Active Directory Audit Overview
100% (1)
Active Directory Audit Overview
7 pages
Windows Event ID Reference Guide
No ratings yet
Windows Event ID Reference Guide
3 pages
Critical Windows Security Event IDs
No ratings yet
Critical Windows Security Event IDs
6 pages
Detecting Unmanaged Shell SOC
No ratings yet
Detecting Unmanaged Shell SOC
6 pages
Authentication & Credential Abuse: Windows Event ID's Categorized by Threats
No ratings yet
Authentication & Credential Abuse: Windows Event ID's Categorized by Threats
8 pages
Critical Windows Security Event IDs
No ratings yet
Critical Windows Security Event IDs
6 pages
Windows Security Audit Policy Guide
No ratings yet
Windows Security Audit Policy Guide
9 pages
Windows Event IDs for SOC Analysts
No ratings yet
Windows Event IDs for SOC Analysts
2 pages
Critical Windows Event IDs for Security
No ratings yet
Critical Windows Event IDs for Security
2 pages
Event Log CheatSheet
No ratings yet
Event Log CheatSheet
2 pages
Key Windows Security Event IDs Guide
No ratings yet
Key Windows Security Event IDs Guide
16 pages
Active Directory Security For SOC Analysts
No ratings yet
Active Directory Security For SOC Analysts
10 pages
Key Event IDs for Account Management
No ratings yet
Key Event IDs for Account Management
278 pages
Wazuh AD Config Before After
No ratings yet
Wazuh AD Config Before After
7 pages
Windows Security Log Event IDs Guide
No ratings yet
Windows Security Log Event IDs Guide
7 pages
Threat Hunting with Sysmon Events
No ratings yet
Threat Hunting with Sysmon Events
26 pages
Windows Event Log Viewer
No ratings yet
Windows Event Log Viewer
18 pages
Description of Security Events in Windows 7 and in Windows Server 2008 R2
No ratings yet
Description of Security Events in Windows 7 and in Windows Server 2008 R2
21 pages
Eventid, Soc
No ratings yet
Eventid, Soc
11 pages
Active Directory Monitoring & Troubleshooting Guide
No ratings yet
Active Directory Monitoring & Troubleshooting Guide
29 pages
Active Directory Monitoring with OpManager
No ratings yet
Active Directory Monitoring with OpManager
8 pages
Common Event IDs for Forensic Analysis
No ratings yet
Common Event IDs for Forensic Analysis
12 pages
Active Directory Troubleshooting Guide
No ratings yet
Active Directory Troubleshooting Guide
459 pages
Windows Event 4911: Resource Attribute Change
No ratings yet
Windows Event 4911: Resource Attribute Change
10 pages
Understanding Active Directory Concepts
100% (1)
Understanding Active Directory Concepts
21 pages
Analyzing EVTX Malicious Activity Logs
No ratings yet
Analyzing EVTX Malicious Activity Logs
14 pages
Detecting Suspicious Activity in Windows Logs
No ratings yet
Detecting Suspicious Activity in Windows Logs
5 pages
Track Cyber Threats with Event IDs
No ratings yet
Track Cyber Threats with Event IDs
9 pages
DNS Client Events Analysis 8020
No ratings yet
DNS Client Events Analysis 8020
5 pages
Windows Event Codes Overview
No ratings yet
Windows Event Codes Overview
102 pages
Analyzing Sysmon Logs for Threat Detection
No ratings yet
Analyzing Sysmon Logs for Threat Detection
17 pages
Active Directory Auditing in 2008
No ratings yet
Active Directory Auditing in 2008
24 pages
Impacket Execution Command Cheat Sheet
No ratings yet
Impacket Execution Command Cheat Sheet
1 page
Log Management for Windows Security
No ratings yet
Log Management for Windows Security
13 pages
Impacket Exec Commands Cheat Sheet
No ratings yet
Impacket Exec Commands Cheat Sheet
1 page
Windows Reference
No ratings yet
Windows Reference
30 pages
Active Directory Security Monitoring Guide
No ratings yet
Active Directory Security Monitoring Guide
41 pages
Active Directory Auditing Best Practices
No ratings yet
Active Directory Auditing Best Practices
16 pages
Event ID 1740880319
No ratings yet
Event ID 1740880319
1 page
Windows Event Codes Reference Guide
No ratings yet
Windows Event Codes Reference Guide
4 pages
Auditing Kerberos Authentication Events
No ratings yet
Auditing Kerberos Authentication Events
33 pages
Windows Server Audit Policy Best Practices
No ratings yet
Windows Server Audit Policy Best Practices
6 pages
Windows Logs Events Quick References
No ratings yet
Windows Logs Events Quick References
1 page
RDP Event ID 1149 Analysis
No ratings yet
RDP Event ID 1149 Analysis
1 page
Windows Security Event ID Reference
No ratings yet
Windows Security Event ID Reference
8 pages
Acctinfo.dll in Windows 2003 Tools
No ratings yet
Acctinfo.dll in Windows 2003 Tools
26 pages
100 SIEM Rules for Client Onboarding
No ratings yet
100 SIEM Rules for Client Onboarding
41 pages
Critical Events Indicating Compromise
No ratings yet
Critical Events Indicating Compromise
9 pages
Top 25 Windows Event IDs for SOC Analysts
No ratings yet
Top 25 Windows Event IDs for SOC Analysts
10 pages
AD Issues & Solutions
No ratings yet
AD Issues & Solutions
90 pages
Diagnóstico del Domain Controller Corimon
No ratings yet
Diagnóstico del Domain Controller Corimon
11 pages
Active Directory Auditing Guide
No ratings yet
Active Directory Auditing Guide
1 page
Windows Admin Security Commands Guide
No ratings yet
Windows Admin Security Commands Guide
6 pages
DOAC Renal Dosing Guidelines
No ratings yet
DOAC Renal Dosing Guidelines
1 page
Venipuncture Pain in Children: PR vs. CBIP
No ratings yet
Venipuncture Pain in Children: PR vs. CBIP
7 pages
101 Essential Books to Read Before You Die
89% (9)
101 Essential Books to Read Before You Die
2 pages
Understanding Fructose and Metabolic Health
No ratings yet
Understanding Fructose and Metabolic Health
31 pages
Basics of German Grammar Explained
No ratings yet
Basics of German Grammar Explained
3 pages
Introduction to Business Consulting
No ratings yet
Introduction to Business Consulting
87 pages
Decline of the Western Roman Empire
No ratings yet
Decline of the Western Roman Empire
19 pages
SAVE Act: Ensuring Voter Citizenship
No ratings yet
SAVE Act: Ensuring Voter Citizenship
1 page
Selecting a Qualitative Research Topic
No ratings yet
Selecting a Qualitative Research Topic
11 pages
Savage Worlds Character Sheet Guide
100% (1)
Savage Worlds Character Sheet Guide
1 page
Top Informatica Interview Questions
No ratings yet
Top Informatica Interview Questions
8 pages
Odontogenic Keratocyst Case Study
No ratings yet
Odontogenic Keratocyst Case Study
22 pages
Analyzing "The Tyger" by William Blake
No ratings yet
Analyzing "The Tyger" by William Blake
4 pages
Law of Torts Semester 1 Notes
No ratings yet
Law of Torts Semester 1 Notes
79 pages
Acute Coronary Syndrome Overview
No ratings yet
Acute Coronary Syndrome Overview
53 pages
Adjectives and Adverbs Test Papers
No ratings yet
Adjectives and Adverbs Test Papers
15 pages
Personal Journeys in Writing Skills
No ratings yet
Personal Journeys in Writing Skills
71 pages
Blomstedt Conducts Beethoven & Nielsen
No ratings yet
Blomstedt Conducts Beethoven & Nielsen
13 pages
My Father's Dragon (Chapter Eight)
No ratings yet
My Father's Dragon (Chapter Eight)
2 pages
Understanding Social Control in Sociology
100% (5)
Understanding Social Control in Sociology
7 pages
Superado's Bonus Dilemma Amid Crisis
No ratings yet
Superado's Bonus Dilemma Amid Crisis
4 pages
Zakes Mda: Art and Activism Explored
67% (6)
Zakes Mda: Art and Activism Explored
15 pages
MCQs on Monoclonal Antibodies
75% (4)
MCQs on Monoclonal Antibodies
5 pages
Mathematics 1 Student Groups List
No ratings yet
Mathematics 1 Student Groups List
26 pages
Taxation Course Overview for BMS Students
No ratings yet
Taxation Course Overview for BMS Students
7 pages
Importance of Archives in Kenya's Development
No ratings yet
Importance of Archives in Kenya's Development
5 pages
Data Communication Tutorial PDF
No ratings yet
Data Communication Tutorial PDF
2 pages
Understanding Business in a Global Context
No ratings yet
Understanding Business in a Global Context
23 pages
Al-Ameen Islamic Active Allocation Plan
No ratings yet
Al-Ameen Islamic Active Allocation Plan
1 page
Teacher Performance Evaluation Report
No ratings yet
Teacher Performance Evaluation Report
33 pages

AD Event ID Reference Guide

Uploaded by

AD Event ID Reference Guide

Uploaded by

Active Directory (AD) Event ID Reference Guide

Account and Authentication Events

Event ID 4624: Successful logon

Event ID 4625: Failed logon

Event ID 4647: User initiated logoff

Event ID 4648: Logon with explicit credentials

Event ID 4675: SIDs were filtered

User Account Changes

Event ID 4720: User account created

Event ID 4722: User account enabled

Event ID 4723: Attempt to change password

Event ID 4724: Attempt to reset password

Event ID 4725: User account disabled

Event ID 4726: User account deleted

Event ID 4738: User account changed

Event ID 4740: Account locked out

Event ID 4767: Account unlocked

Group Membership & Permission Changes

Event ID 4727: Security-enabled global group created

Event ID 4728: Member added to security-enabled global group

Event ID 4729: Member removed from security-enabled global group

Event ID 4730: Security-enabled global group deleted

Event ID 4731: Security-enabled local group created

Event ID 4732: Member added to security-enabled local group

Event ID 4733: Member removed from security-enabled local group

Event ID 4734: Security-enabled local group deleted

Event ID 4735: Security-enabled local group changed

Event ID 4756: Member added to a universal group

Event ID 4757: Member removed from a universal group

Event ID 4758: Universal group deleted

Event ID 4759: Universal group changed

Privilege Use and Escalation

Event ID 4670: Permissions on an object were changed

Event ID 4672: Special privileges assigned to new logon

Event ID 4673: A privileged service was called

Event ID 4674: An operation was attempted on a privileged object

Kerberos & Ticket Activity

Event ID 4768: TGT was requested

Event ID 4769: TGS was requested

Event ID 4770: TGT was renewed

Event ID 4771: Kerberos pre-authentication failed

Event ID 4776: NTLM authentication attempt

Event ID 4778: Remote desktop session reconnected

Event ID 4779: Remote desktop session disconnected

Changes to Security Settings / Audit Policy

Event ID 4719: System audit policy was changed

Event ID 4902: The Per-user audit policy table was created

Event ID 4907: Auditing settings on an object were changed

Group Policy & Directory Service Changes

Event ID 4739: Domain policy was changed

Event ID 4737: Domain local group changed

Event ID 5132: Security descriptor was changed

Event ID 5136: Directory object modified

Event ID 5137: Directory object created

Event ID 5138: Directory object undeleted

Event ID 5139: Directory object moved

Event ID 5141: Directory object deleted

Service and Task Creation

Event ID 4697: A service was installed in the system

Event ID 4698: A scheduled task was created

Event ID 4702: A scheduled task was updated

Lateral Movement & Remote Commands

Event ID 7045: New service was installed (from Sysmon/System logs)

Event ID 5140: A network share was accessed

Event ID 5145: Detailed file share access

You might also like