105 essential Windows Event IDs for SIEM monitoring.
This list of events, grouped into several categories, covers crucial aspects of Windows security, from failed logon attempts to privilege-related activity. Unless noted otherwise the IDs below are Security-log events; entries that come from another channel (System, Application, Sysmon, PowerShell/Operational, Windows Defender) say so, because the same number can mean something different in a different log.
1. Failed Login Attempts – Event ID: 4625
2. Account Lockouts – Event ID: 4740 (logged on the domain controller, not on the workstation)
3. Successful Login Outside Business Hours – Event ID: 4624 (filter on Logon Type and time of day)
4. New User Creation – Event ID: 4720
5. Privileged Account Usage – Event ID: 4672 (special privileges assigned to a new logon)
6. User Account Changes – Event IDs: 4722 (enabled), 4723 (password change attempt), 4724 (password reset attempt), 4725 (disabled), 4726 (deleted), 4738 (account changed)
7. Logon from Unusual Locations – Event ID: 4624 (with geolocation analysis of the Source Network Address)
8. Password Changes – Event IDs: 4723 (user changed their own password), 4724 (password reset by another account, typically an administrator)
9. Group Membership Changes – Event IDs: 4728, 4732, 4756 (member added to a global, local or universal security group), 4729, 4733, 4757 (member removed); 4727, 4731, 4735 and 4737 record group creation and changes to group attributes, not membership
10. Suspicious Logon Patterns – Event ID: 4624 (anomalous logons)
11. Excessive Logon Failures – Event ID: 4625 (threshold per account and per source address)
12. Account Disabled / Logon by a Disabled Account – Event ID: 4725 (account disabled); a logon attempt with a disabled account is 4625 with substatus 0xC0000072
13. Dormant Account Usage – Event ID: 4624 (rarely used accounts)
14. Service Account Activity – Event IDs: 4624, 4672 (service accounts should not appear with interactive Logon Types 2, 10 or 11)
15. RDP Access Monitoring – Event ID: 4624 (Logon Type 10, RemoteInteractive)
16. Lateral Movement Detection – Event IDs: 4624 (Logon Type 3, network logon), 4648 (logon attempted with explicit credentials)
17. File and Folder Access – Event ID: 4663 (requires a SACL on the object and the Audit File System subcategory)
18. Unauthorised File Sharing – Event IDs: 5140 (share accessed), 5145 (access check on a share object)
19. Registry Changes – Event ID: 4657 (registry value modified; requires a SACL on the key)
20. Application Installation and Removal – Event IDs: 11707, 1033 (installation) and 11724, 1034 (removal), source MsiInstaller, Application log
21. USB Device Installation – Event IDs: 20001, 20003 (source Microsoft-Windows-UserPnp, System log; these record driver installation, not file access)
22. Windows Firewall Changes – Event IDs: 4946 (rule added), 4947 (rule modified), 4948 (rule deleted), 4950 (setting changed)
23. Scheduled Task Creation – Event ID: 4698
24. Process Execution Monitoring – Event ID: 4688 (enable "Include command line in process creation events" or the Process Command Line field is empty)
25. System Restart or Shutdown – Event IDs: 6005, 6006 (event log service started/stopped), 1074 (user-initiated shutdown), 6008 (unexpected shutdown), System log
26. Event Log Clearing – Event ID: 1102 (Security log cleared)
27. Malware Execution or Indicators – Event IDs: 4688, 1116 (Microsoft-Windows-Windows Defender/Operational)
28. Active Directory Changes – Event IDs: 5136 (object modified), 5137 (object created), 5141 (object deleted)
29. Shadow Copy Deletion – Event ID: 4688 (process creation for vssadmin.exe delete shadows, wmic shadowcopy delete or diskshadow.exe; there is no dedicated Security event for this)
30. Network Configuration Changes – Event IDs: 4254, 4255, 10400
31. Execution of Suspicious Scripts – Event ID: 4688 (process creation with a script interpreter such as cscript.exe, wscript.exe, mshta.exe or powershell.exe)
32. Service Installation or Modification – Event IDs: 4697 (Security log), 7045 (System log, Service Control Manager)
33. System Log Cleared – Event ID: 104 (source Microsoft-Windows-Eventlog, System log; 1102 covers the Security log only)
34. Software Restriction Policy Violation – Event ID: 865 (Application log)
35. Excessive Account Enumeration – Event IDs: 4625, 4776 (NTLM), 4771 (Kerberos pre-authentication failed); a high share of substatus 0xC0000064 (user does not exist) points to enumeration
36. Attempt to Access Sensitive Files – Event ID: 4663
37. Unusual Process Injection – Sysmon Event IDs 8 (CreateRemoteThread) and 10 (ProcessAccess); 4688 on its own only shows the process creation
38. Driver Installation – Event ID: 7045 (Service Control Manager; kernel drivers appear with Service Type "kernel mode driver")
39. Modification of Scheduled Tasks – Event IDs: 4702 (task updated), 4699 (task deleted), 4700 and 4701 (task enabled/disabled)
40. Unauthorised GPO Changes – Event ID: 5136 (object class groupPolicyContainer)
41. Suspicious PowerShell Activity – Event IDs: 4104 (script block logging), 4103 (module logging), Microsoft-Windows-PowerShell/Operational
42. Unusual Network Connections – Event ID: 5156 (Windows Filtering Platform permitted a connection)
43. Unauthorised Access to Shared Files – Event ID: 5145
44. DNS Query for Malicious Domains – Sysmon Event ID 22 (DNS query) or Microsoft-Windows-DNS-Client/Operational Event ID 3008; 5158 is a Windows Filtering Platform port-bind event, not a DNS event
45. LDAP Search Abuse – Event ID: 4662 (operation performed on a directory object; it covers replication rights as used by DCSync, but not ordinary LDAP queries)
46. Process Termination Monitoring – Event ID: 4689
47. Failed Attempts to Start a Service – Event IDs: 7000 (service failed to start), 7041 (service account denied the logon type), System log
48. Audit Policy Changes – Event IDs: 4719 (system audit policy changed), 1102 (log cleared, often seen alongside the change)
49. Time Change Monitoring – Event ID: 4616 (520 is the pre-Vista equivalent)
50. Credential Manager Credential Reads – Event ID: 5379 (this is not a BitLocker event; BitLocker key protector changes are logged under Microsoft-Windows-BitLocker-API/Management)
51. Windows Defender Threat Detections – Event IDs: 1116 (detection), 1117 (action taken)
52. SMB Session Monitoring – Event ID: 5140
53. Logon by an Expired Account – Event ID: 4625 (substatus 0xC0000193 account expired, 0xC0000071 password expired); 4725 is "account disabled", not expiry
54. Object Deletion – Event ID: 4660 (correlate with the preceding 4663 that carries the DELETE access mask and the same Handle ID)
55. Abnormal CPU Usage by Process – Event ID: 4688 for the process identity; the CPU usage itself comes from performance counters or an EDR, not from the event log
56. Security Group Deletion – Event IDs: 4730 (global), 4734 (local), 4758 (universal)
57. System Privileges Escalation Attempts – Event ID: 4673 (privileged service called)
58. SID History Added to an Account – Event IDs: 4765 (added), 4766 (attempt failed); delegation changes appear in 4738 and 5136, not in 4765
59. Printer Configuration Changes – Event IDs: 307, 805
60. IP Address Configuration Changes – Event IDs: 4200, 4201
61. Network Share Permission Changes – Event IDs: 5143 (share modified), 5142 (share added), 5144 (share deleted); 5141 is a directory service object deletion
62. Removable Device Access – Event IDs: 20001, 20003 (device installation); access to files on removable media is 4663 under the Audit Removable Storage subcategory
63. Unusual WMI Activity – Event ID: 4688 (wmic.exe, children of WmiPrvSE.exe) and Microsoft-Windows-WMI-Activity/Operational Event ID 5861 (permanent event consumer registered)
64. Firewall Rules Deleted – Event ID: 4948 (4946 and 4947 are rule added and rule modified)
65. Suspicious COM Object Access – Event ID: 4688 (look at Creator Process: children of dllhost.exe or svchost.exe); Sysmon Event ID 10 records process access, not COM activation
66. Changes to Registry Autoruns – Event ID: 4657 (Run, RunOnce and Services keys; Sysmon Event IDs 12 and 13 give the same without SACLs)
67. Unusual Service Startup Parameters – Event ID: 4697 (Service File Name containing cmd.exe, powershell.exe or encoded payloads)
68. Unauthorised Software Use – Event IDs: 4688, 1033
69. Shared Drive Mounting by Remote Host – Event ID: 5140
70. Unauthorised Access to Admin Shares – Event ID: 5145 (Share Name \\*\ADMIN$, \\*\C$, \\*\IPC$)
71. Abnormal Usage of Built-in Administrator Account – Event ID: 4624 (account SID ending in -500)
72. Modification of System Files – Event ID: 4663
73. Changes to Critical Windows Services – Event ID: 7040 (start type changed), System log
74. GPO Modification Attempts – Event ID: 5136 (successful modification); failed attempts appear as 4662 failure audits on the object
75. Suspicious Account Activity on Domain Controller – Event IDs: 4624, 4672
76. Abuse of Debugging Privileges – Event IDs: 4673, 4674 (SeDebugPrivilege)
77. Firewall Port Scanning Detection – Event IDs: 5156 (permitted), 5157 (blocked), 5152 (packet dropped); many distinct Destination Ports from one source in a short window
78. RDP Session Termination – Event IDs: 4634 (logoff), 4647 (user-initiated logoff); Microsoft-Windows-TerminalServices-LocalSessionManager/Operational 23 (logoff) and 24 (disconnect) give the session view
79. Data Exfiltration via USB Devices – Event ID: 4663 (Audit Removable Storage subcategory); the UserPnp device-installation events of item 21 record the device, not the files copied to it
80. Mass File Deletion – Event ID: 4660 (count per user per minute)
81. Execution of Suspicious Binary – Event ID: 4688
82. Changes to Time Synchronisation Settings – Event ID: 4616
83. Unusual Account Unlock Activity – Event ID: 4767
84. Suspicious PowerShell Encoding Activity – Event ID: 4104 (and 4688 with -EncodedCommand on the command line)
85. Disabled Audit Logs – Event ID: 4719
86. Sensitive File Permission Changes – Event ID: 4670
87. Abuse of Kerberos Ticket Granting – Event IDs: 4768 (TGT requested), 4769 (service ticket requested; Ticket Encryption Type 0x17, RC4-HMAC, on an AES-capable domain is the classic Kerberoasting indicator)
88. Duplicate IP Address Detection – Event IDs: 4199, 4198
89. Suspicious Account Removal – Event ID: 4726
90. Changes to Object Audit Policy (SACL) – Event ID: 4715; subcategory changes are 4719 and per-user audit policy changes are 4912
91. Removal of Security Group Members – Event IDs: 4729, 4733, 4757; 4735 is a change to the group object itself
92. Blank Password Query on an Account – Event ID: 4797; certificate chain validation failures are logged in Microsoft-Windows-CAPI2/Operational, not as 4797
93. Unauthorised Driver Updates – Event IDs: 7045, 20001
94. Exploitation of Windows Task Scheduler – Event ID: 4698
95. Unauthorised Usage of Remote Shells – Event IDs: 4104, 4688 (wsmprovhost.exe as the new process indicates an incoming PowerShell Remoting session)
96. Unexpected Device Installation – Event IDs: 20003, 7045
97. Suspicious Token Privilege Escalation – Event ID: 4673
98. Misuse of NTLM Authentication – Event IDs: 4776 (NTLM credential validation), 4624 (Authentication Package NTLM, usually Logon Type 3)
99. Suspicious Registry Key Changes – Event ID: 4657
100. Detection of Golden Ticket Attacks – Event IDs: 4769 (service ticket requests with no preceding 4768 TGT request for the same account and host), 4770 (ticket renewed)
101. Excessive Lockout Attempts on a Single Account – Event ID: 4740
102. Unusual File Copy Activity – Event ID: 4663
103. Object Auditing Settings Changed – Event ID: 4907 (4907 is a change to an object's auditing settings, not a network policy event)
104. Suspicious Process Command Line Arguments – Event ID: 4688
105. Special Privileges Assigned to a Logon – Event ID: 4672 (this is not a decryption event; access to encrypted files is 4663 like any other file access)
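A handful of the items above expressed as detection logic, so that the thresholds and the correlations (a run of 4625 followed by a 4624, a 4769 with RC4, a 4688 with an encoded command, a 4625 whose substatus is not a bad password) are concrete. This is an added example, not part of the original list and not the rule syntax of any SIEM; the constructed events, the flat field names (time, id, user, src_ip, logon_type, substatus, enc_type, service, cmdline) and the thresholds (five failures in five minutes, business hours 07:00 to 19:00 Monday to Friday) are all assumptions.

```python
"""Added example: a few of the list's detections run over constructed Windows
Security events.  Field names are an assumed flattening of the event XML such
as a log shipper produces; thresholds are assumptions to be tuned."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not captured from a real host).  2024-03-04 is a Monday.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T02:13:00", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.45", "substatus": "0xC000006A"},
    {"time": "2024-03-04T02:13:20", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.45", "substatus": "0xC000006A"},
    {"time": "2024-03-04T02:13:40", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.45", "substatus": "0xC000006A"},
    {"time": "2024-03-04T02:14:00", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.45", "substatus": "0xC000006A"},
    {"time": "2024-03-04T02:14:20", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.45", "substatus": "0xC000006A"},
    {"time": "2024-03-04T02:15:00", "id": 4624, "user": "svc_backup", "src_ip": "10.0.0.45", "logon_type": 10},
    {"time": "2024-03-04T10:00:00", "id": 4624, "user": "alice", "src_ip": "10.0.0.7", "logon_type": 2},
    {"time": "2024-03-04T10:05:00", "id": 4769, "user": "alice", "service": "svc_sql", "enc_type": "0x17"},
    {"time": "2024-03-04T10:05:30", "id": 4769, "user": "alice", "service": "DC01$", "enc_type": "0x12"},
    {"time": "2024-03-04T10:06:00", "id": 4688, "user": "alice", "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAo"},
    {"time": "2024-03-04T10:07:00", "id": 1102, "user": "alice"},
    {"time": "2024-03-04T10:08:00", "id": 4625, "user": "bob", "src_ip": "10.0.0.9", "substatus": "0xC0000072"},
]

BUSINESS_HOURS = (7, 19)                  # assumed 07:00-19:00, Monday to Friday
BRUTE_FORCE_THRESHOLD = 5                 # assumed: 5 failures from one (source, account) ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... inside 5 minutes
INTERACTIVE_LOGON_TYPES = {2, 10, 11}     # Interactive, RemoteInteractive (RDP), CachedInteractive
# 4625 substatus codes that mean something other than a mistyped password
NOTABLE_SUBSTATUS = {"0xC0000072": "account disabled", "0xC0000193": "account expired",
                     "0xC0000234": "account locked out", "0xC0000064": "user does not exist"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-e(?:c|n[a-z]*)?\s", re.IGNORECASE)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_brute_force(events):
    """Items 1/11: a burst of 4625 from one (source, account) inside the window,
    and a following 4624 for the same pair (the brute force succeeded)."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=_ts):
        key = (e.get("src_ip"), e["user"])
        if e["id"] == 4625:
            # drop failures that fell out of the sliding window, then count this one
            failures[key] = [t for t in failures[key] if _ts(e) - t <= BRUTE_FORCE_WINDOW]
            failures[key].append(_ts(e))
            if len(failures[key]) == BRUTE_FORCE_THRESHOLD:
                alerts.append({"rule": "brute_force", "src_ip": key[0], "user": key[1]})
        elif e["id"] == 4624 and len(failures[key]) >= BRUTE_FORCE_THRESHOLD:
            alerts.append({"rule": "brute_force_success", "src_ip": key[0], "user": key[1]})
            failures[key].clear()
    return alerts


def detect_off_hours_logon(events):
    """Items 3/15: interactive or RDP logons at the weekend or outside business hours."""
    alerts = []
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") not in INTERACTIVE_LOGON_TYPES:
            continue
        t = _ts(e)
        if t.weekday() >= 5 or not BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]:
            alerts.append({"rule": "off_hours_logon", "user": e["user"],
                           "src_ip": e.get("src_ip"), "logon_type": e["logon_type"]})
    return alerts


def detect_kerberoast(events):
    """Item 87: 4769 with Ticket Encryption Type 0x17 (RC4-HMAC) for a user service
    account; krbtgt and computer accounts (names ending in $) are excluded."""
    return [{"rule": "kerberoast", "user": e["user"], "service": e["service"]}
            for e in events
            if e["id"] == 4769 and e.get("enc_type", "").lower() == "0x17"
            and e["service"].lower() != "krbtgt" and not e["service"].endswith("$")]


def detect_encoded_powershell(events):
    """Items 84/104: 4688 command lines that start powershell.exe with an encoded command."""
    return [{"rule": "encoded_powershell", "user": e["user"], "cmdline": e["cmdline"]}
            for e in events if e["id"] == 4688 and ENCODED_PS.search(e.get("cmdline", ""))]


def detect_log_cleared(events):
    """Item 26: 1102, the Security log was cleared."""
    return [{"rule": "security_log_cleared", "user": e["user"]} for e in events if e["id"] == 1102]


def detect_notable_logon_failures(events):
    """Items 12/35/53: 4625 whose substatus is not a plain bad password."""
    return [{"rule": "notable_logon_failure", "user": e["user"],
             "reason": NOTABLE_SUBSTATUS[e["substatus"]]}
            for e in events if e["id"] == 4625 and e.get("substatus") in NOTABLE_SUBSTATUS]


RULES = (detect_brute_force, detect_off_hours_logon, detect_kerberoast,
         detect_encoded_powershell, detect_log_cleared, detect_notable_logon_failures)


def run_detections(events):
    """Run every rule over the event list and return all alerts."""
    alerts = []
    for rule in RULES:
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this raises one brute_force and one brute_force_success for svc_backup from 10.0.0.45, an off_hours_logon for the same RDP logon at 02:15, a kerberoast for svc_sql (the DC01$ ticket with AES is ignored), the encoded PowerShell launch, the 1102 log clear, and bob's logon failure as "account disabled". The brute-force rule keys on (source address, account) so that a password spray, which rotates accounts from one source, needs a second rule keyed on source address alone; the logon-type filter in the off-hours rule is what keeps service logons (type 5) and network logons (type 3) from flooding it.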