
10 critical event IDs to monitor


Randy Franklin Smith (CISA, SSCP, Security MVP) keeps a very useful document in his arsenal that describes which event IDs should be monitored as part of Windows information security. It contains extremely useful material that lets you squeeze the maximum out of the standard audit system. We have prepared a translation of it; details below the cut.

We have already written about how to set up auditing in one of our earlier posts. But of all the event IDs that appear in the event logs, you need to focus your attention on a few that are critically important. Which ones exactly is for each administrator to decide; Randy Franklin Smith, however, suggests concentrating on the following 10 security events in Windows.

Domain Controllers


Event ID - (Category) - Description

1) 675 or 4771
(Audit account logon events)
Event 675/4771 on a domain controller indicates a failed initial logon via Kerberos with a domain account from a workstation. The usual cause is a wrong password, but the error code tells you exactly why authentication failed. The table of Kerberos error codes is given below.

2) 676, or failed 672, or 4768
(Audit account logon events)
Event 676/4768 records the other kinds of failed Kerberos authentication (for example, a ticket-granting ticket request for a user name that does not exist). The Kerberos error code table is given below.
NOTE: Windows Server 2003 records this as a failed 672 instead of 676.

3) 681, or failed 680, or 4776
(Audit account logon events)
Event 681/4776 on a domain controller indicates a failed logon attempt via NTLM with a domain account. The error code tells you why authentication failed; the NTLM error codes are listed below.
NOTE: Windows Server 2003 records this as a failed 680 instead of 681.

4) 642 or 4738
(Account management audit)
Event 642/4738 indicates a change to the specified account, such as a password reset or the enabling of a previously disabled account. The event description reflects the type of change made.

5) 632 or 4728; 636 or 4732; 660 or 4756
(Account management audit)
All three events indicate that the specified user was added to a security-enabled group: a global group, a local group and a universal group respectively.

6) 624 or 4720
(Account management audit)
A new user account was created.

7) 644 or 4740
(Account management audit)
The specified user account was locked out after too many failed logon attempts.

8) 517 or 1102
(Audit system events)
The specified user cleared the security log. Note that 1102 is written by the Microsoft-Windows-Eventlog provider rather than Microsoft-Windows-Security-Auditing, so a collector that filters the Security log by provider name will miss it.

Logon and Logoff


Event ID - Description

528 or 4624 - Successful logon
529 or 4625 - Logon failure - Unknown user name or bad password
530 or 4625 - Logon failure - Logon time restriction violation (the account is not permitted to log on at this time)
531 or 4625 - Logon failure - Account currently disabled
532 or 4625 - Logon failure - The specified account has expired
533 or 4625 - Logon failure - The user is not allowed to log on at this computer
534 or 4625 or 5461 - Logon failure - The user has not been granted the requested logon type at this computer
535 or 4625 - Logon failure - The specified account's password has expired
539 or 4625 - Logon failure - Account locked out
540 or 4624 - Successful network logon (Windows 2000, XP and 2003 only; later versions record it as 4624 with logon type 3)

Logon Types


Logon type - Description

2 - Interactive (logon at the keyboard and screen of the system)
3 - Network (for example, connecting to a shared folder on this computer from elsewhere on the network, or an IIS logon; never recorded as 528 on Windows 2000 or later, see event 540)
4 - Batch (for example, a scheduled task)
5 - Service (service start)
7 - Unlock (for example, an unattended workstation with a password-protected screen saver)
8 - NetworkCleartext (logon with credentials sent in clear text; often indicates an IIS logon with basic authentication)
9 - NewCredentials (for example, RunAs with /netonly)
10 - RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11 - CachedInteractive (logon with cached domain credentials, for example on a workstation that is off the network)

Kerberos Failure Codes


Error code - Reason

6 - User name does not exist (client not found in the Kerberos database)
12 - Workstation restriction or logon hours restriction (KDC policy rejected the request)
18 - Account disabled, locked out or expired
23 - The user's password has expired
24 - Pre-authentication failed; the usual cause is a wrong password
32 - Ticket expired. This is a normal event that is routinely logged for computer accounts.
37 - The clock on the workstation differs from the domain controller's clock by more than the permitted skew (5 minutes by default)

NTLM Error Codes


Error code (decimal) - Error code (hex) - Description
(In event 4776 the code is the Status field; in event 4625 the detail is in the Sub Status field, while Status is often the generic C000006D.)

3221225572 - C0000064 - User name does not exist
3221225578 - C000006A - User name is correct but the password is wrong
3221226036 - C0000234 - User account locked out
3221225586 - C0000072 - Account disabled
3221225583 - C000006F - The user tried to log on outside the permitted time (logon hours)
3221225584 - C0000070 - Workstation restriction
3221225875 - C0000193 - Account expired
3221225585 - C0000071 - Password expired
3221226020 - C0000224 - The user must change the password at next logon
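The reference tables above are only useful once they are applied to real records, so here is an added example (not code from the original article and not from Randy Franklin Smith's reference sheet) that reads the domain controller watch list, the logon types, the Kerberos failure codes and the NTLM status codes into one small triage script. It assumes Security-log records in the XML form that `wevtutil qe Security /f:xml` or `Get-WinEvent` objects' `ToXml()` produce; the `record()` builder, the `SAMPLE` records and every name in them (jsmith, jdoe-adm, WS05, 10.0.0.5, the corp.example domain) are constructed for the demonstration, and the failure threshold of 3 is an arbitrary choice.

```python
"""Triage of the events listed above, from records in the XML form that
`wevtutil qe Security /f:xml` or `(Get-WinEvent ...).ToXml()` produce. Added example,
not from the article or Randy Franklin Smith's sheet; sample records are constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
AUDIT_FAILURE = 0x0010000000000000  # Keywords bit set on every "Audit Failure" record

# The article's tables, keyed by the Vista/2008-era event IDs and the raw codes.
WATCHLIST = {4771: "Kerberos pre-auth failed", 4768: "Kerberos TGT request", 4776: "NTLM validation",
             4738: "account changed", 4728: "added to global group", 4732: "added to local group",
             4756: "added to universal group", 4720: "account created", 4740: "account locked out",
             1102: "security log cleared"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
KERBEROS_CODES = {6: "user name does not exist", 12: "workstation or logon-hours restriction",
                  18: "account disabled, locked out or expired", 23: "password expired",
                  24: "pre-authentication failed (usually a wrong password)",
                  32: "ticket expired", 37: "clock skew too great"}
NTSTATUS = {0xC0000064: "user name does not exist", 0xC000006A: "wrong password",
            0xC0000234: "account locked out", 0xC0000072: "account disabled",
            0xC000006F: "logon outside permitted hours", 0xC0000070: "workstation restriction",
            0xC0000193: "account expired", 0xC0000071: "password expired", 0xC0000224: "must change password at next logon"}

def kerberos_reason(status):
    code = int(status, 16)  # 4771/4768 log the code in hex: "0x18" is decimal 24
    return KERBEROS_CODES.get(code, f"unlisted Kerberos code {code}")

def ntstatus_reason(status):
    """Accept the hex string from the XML ("0xC000006A") or the decimal some tools
    print (3221225578): both columns of the NTLM table above are the same number."""
    s = str(status)
    code = int(s, 16) if s.lower().startswith("0x") else int(s)
    return NTSTATUS.get(code, f"unlisted NTSTATUS 0x{code:08X}")

def decode_event(xml_text):
    """Pull the fields a triage needs out of one Security-log record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    keywords = int(root.findtext("e:System/e:Keywords", namespaces=NS), 16)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ev = {"id": event_id, "name": WATCHLIST.get(event_id, "not on the watch list"),
          "failure": bool(keywords & AUDIT_FAILURE),
          # 1102 is written by the Eventlog provider and keeps its actor under <UserData>
          "user": data.get("TargetUserName") or root.findtext(".//{*}SubjectUserName", ""),
          # 4740 reports the caller computer in TargetDomainName
          "source": data.get("IpAddress") or data.get("Workstation") or data.get("TargetDomainName", "")}
    if event_id in (4771, 4768):
        ev["reason"] = kerberos_reason(data.get("Status", "0x0"))
    elif event_id in (4776, 4625):
        # 4625 puts the precise code in SubStatus; 4776 (and 4625 lockouts) only fill Status
        sub = data.get("SubStatus", "0x0")
        ev["reason"] = ntstatus_reason(sub if int(sub, 16) else data.get("Status", "0x0"))
    if "LogonType" in data:
        ev["logon_type"] = LOGON_TYPES.get(int(data["LogonType"]), "unknown")
    if event_id in (4728, 4732, 4756):  # here TargetUserName is the group, not a user
        ev["member"], ev["group"] = data.get("MemberName", ""), data.get("TargetUserName", "")
    return ev

def triage(xml_records, threshold=3):
    """Return (decoded events, findings): repeated failures per account, lockouts, group additions, log clearing."""
    events = [decode_event(x) for x in xml_records]
    failures = Counter(e["user"].lower() for e in events
                       if e["id"] in (4771, 4768, 4776, 4625) and e["failure"])
    findings = [f"{u}: {n} authentication failures" for u, n in failures.items() if n >= threshold]
    for e in events:
        if e["id"] == 4740:
            findings.append(f"{e['user']}: locked out, last attempt from {e['source']}")
        elif e["id"] in (4728, 4732, 4756):
            findings.append(f"{e['member']} added to group {e['group']}")
        elif e["id"] == 1102:
            findings.append(f"security log cleared by {e['user']}")
    return events, findings

def record(event_id, failure, fields):
    # Constructed record that follows the real Security-log XML layout.
    kw = "0x8010000000000000" if failure else "0x8020000000000000"
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<Keywords>{kw}</Keywords><Channel>Security</Channel></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed sample: guessing against jsmith ends in a lockout, then a Domain Admins add and a log clear.
SAMPLE = [
    record(4771, True, {"TargetUserName": "jsmith", "Status": "0x18", "IpAddress": "10.0.0.5"}),
    record(4776, True, {"TargetUserName": "jsmith", "Workstation": "WS05", "Status": "0xC000006A"}),
    record(4625, True, {"TargetUserName": "jsmith", "LogonType": "3", "Status": "0xC0000234",
                        "SubStatus": "0x0", "IpAddress": "10.0.0.5"}),
    record(4740, False, {"TargetUserName": "jsmith", "TargetDomainName": "WS05"}),
    record(4728, False, {"MemberName": "CN=jsmith,CN=Users,DC=corp,DC=example",
                         "TargetUserName": "Domain Admins"}),
    f'<Event xmlns="{EVT_NS}"><System><EventID>1102</EventID><Keywords>0x4020000000000000'
    f'</Keywords><Channel>Security</Channel></System><UserData><LogFileCleared xmlns='
    f'"http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>'
    f'jdoe-adm</SubjectUserName></LogFileCleared></UserData></Event>',
]

if __name__ == "__main__":
    print(*triage(SAMPLE)[1], sep="\n")
```

Two design points carry over to real data: the script decides success versus failure from the Keywords bit rather than from the event ID, because 4768 and 4776 are logged for successes too and only their failures belong on the watch list; and it reads 4625's Sub Status before Status, since Status is often the generic C000006D while Sub Status carries the code from the NTLM table. The 1102 record deliberately has no EventData element, which is why the actor is looked up under UserData with a namespace wildcard.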

Once again, here is the link to download the document from Randy Franklin Smith's site: www.ultimatewindowssecurity.com/securitylog/quickref/Default.aspx . You will need to fill out a short form to get it.

P.S. Want to fully automate work with event logs? Try the new version of NetWrix Event Log Manager 4.0, which collects and archives event logs, builds reports and generates alerts in real time. The program gathers data from many computers on the network, alerts you to critical events and stores the data about all events centrally in compressed form for convenient analysis of archived logs. A free version is available for up to 10 domain controllers and 100 computers.

Source: https://habr.com/ru/post/148501/
