[Winlogbeat] Event IDs to add to Security Module

[andrewkroh]

Microsoft has a recommend list of event IDs to monitor. We want ensure we have coverage of each of these events in our modules. The table below tracks the current state.

• https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

In Security Module?	Current Windows Event ID	Potential Criticality	Event Summary
	4618	High	A monitored security event pattern has occurred.
	4649	High	A replay attack was detected. May be a harmless false positive due to misconfiguration error.
✅	4719	High	System audit policy was changed.
	4765	High	SID History was added to an account.
	4766	High	An attempt to add SID History to an account failed.
	4794	High	An attempt was made to set the Directory Services Restore Mode.
	4897	High	Role separation enabled:
	4964	High	Special groups have been assigned to a new logon.
	5124	High	A security setting was updated on the OCSP Responder Service
	N/A	Medium to High	Possible denial-of-service (DoS) attack
✅	1102	Medium to High	The audit log was cleared
	4621	Medium	Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
	4675	Medium	SIDs were filtered.
	4692	Medium	Backup of data protection master key was attempted.
	4693	Medium	Recovery of data protection master key was attempted.
	4706	Medium	A new trust was created to a domain.
	4713	Medium	Kerberos policy was changed.
	4714	Medium	Encrypted data recovery policy was changed.
	4715	Medium	The audit policy (SACL) on an object was changed.
	4716	Medium	Trusted domain information was modified.
	4724	Medium	An attempt was made to reset an account's password.
✅ 7.8	4727	Medium	A security-enabled global group was created.
✅	4735	Medium	A security-enabled local group was changed.
✅	4737	Medium	A security-enabled global group was changed.
	4739	Medium	Domain Policy was changed.
✅	4754	Medium	A security-enabled universal group was created.
✅	4755	Medium	A security-enabled universal group was changed.
✅	4764	Medium	A security-disabled group was deleted
✅	4764	Medium	A group's type was changed.
	4780	Medium	The ACL was set on accounts which are members of administrators groups.
	4816	Medium	RPC detected an integrity violation while decrypting an incoming message.
	4865	Medium	A trusted forest information entry was added.
	4866	Medium	A trusted forest information entry was removed.
	4867	Medium	A trusted forest information entry was modified.
	4868	Medium	The certificate manager denied a pending certificate request.
	4870	Medium	Certificate Services revoked a certificate.
	4882	Medium	The security permissions for Certificate Services changed.
	4885	Medium	The audit filter for Certificate Services changed.
	4890	Medium	The certificate manager settings for Certificate Services changed.
	4892	Medium	A property of Certificate Services changed.
	4896	Medium	One or more rows have been deleted from the certificate database.
	4906	Medium	The CrashOnAuditFail value has changed.
	4907	Medium	Auditing settings on object were changed.
	4908	Medium	Special Groups Logon table modified.
	4912	Medium	Per User Audit Policy was changed.
	4960	Medium	IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
	4961	Medium	IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
	4962	Medium	IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
	4963	Medium	IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
	4965	Medium	IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
	4976	Medium	During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
	4977	Medium	During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
	4978	Medium	During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
	4983	Medium	An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
	4984	Medium	An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
	5027	Medium	The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
	5028	Medium	The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
	5029	Medium	The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
	5030	Medium	The Windows Firewall Service failed to start.
	5035	Medium	The Windows Firewall Driver failed to start.
	5037	Medium	The Windows Firewall Driver detected critical runtime error. Terminating.
	5038	Medium	Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
	5120	Medium	OCSP Responder Service Started
	5121	Medium	OCSP Responder Service Stopped
	5122	Medium	A configuration entry changed in OCSP Responder Service
	5123	Medium	A configuration entry changed in OCSP Responder Service
	5376	Medium	Credential Manager credentials were backed up.
	5377	Medium	Credential Manager credentials were restored from a backup.
	5453	Medium	An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
	5480	Medium	IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
	5483	Medium	IPsec Services failed to initialize RPC server. IPsec Services could not be started.
	5484	Medium	IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
	5485	Medium	IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
	6145	Medium	One or more errors occurred while processing security policy in the Group Policy objects.
	6273	Medium	Network Policy Server denied access to a user.
	6274	Medium	Network Policy Server discarded the request for a user.
	6275	Medium	Network Policy Server discarded the accounting request for a user.
	6276	Medium	Network Policy Server quarantined a user.
	6277	Medium	Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
	6278	Medium	Network Policy Server granted full access to a user because the host met the defined health policy.
	6279	Medium	Network Policy Server locked the user account due to repeated failed authentication attempts.
	6280	Medium	Network Policy Server unlocked the user account.
	-	Medium	General account database changed
	-	Medium	Quality of Service Policy changed
	24586	Medium	An error was encountered converting volume
	24592	Medium	An attempt to automatically restart conversion on volume %2 failed.
	24593	Medium	Metadata write: Volume %2 returning errors while trying to modify metadata. If failures continue, decrypt volume
	24594	Medium	Metadata rebuild: An attempt to write a copy of metadata on volume %2 failed and may appear as disk corruption. If failures continue, decrypt volume.
	4608	Low	Windows is starting up.
	4609	Low	Windows is shutting down.
	4610	Low	An authentication package has been loaded by the Local Security Authority.
	4611	Low	A trusted logon process has been registered with the Local Security Authority.
	4612	Low	Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
	4614	Low	A notification package has been loaded by the Security Account Manager.
	4615	Low	Invalid use of LPC port.
	4616	Low	The system time was changed.
	4622	Low	A security package has been loaded by the Local Security Authority.
✅	4624	Low	An account was successfully logged on.
✅	4625	Low	An account failed to log on.
✅	4634	Low	An account was logged off.
	4646	Low	IKE DoS-prevention mode started.
✅	4647	Low	User initiated logoff.
✅	4648	Low	A logon was attempted using explicit credentials.
	4650	Low	An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
	4651	Low	An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
	4652	Low	An IPsec Main Mode negotiation failed.
	4653	Low	An IPsec Main Mode negotiation failed.
	4654	Low	An IPsec Quick Mode negotiation failed.
	4655	Low	An IPsec Main Mode security association ended.
	4656	Low	A handle to an object was requested.
	4657	Low	A registry value was modified.
	4658	Low	The handle to an object was closed.
	4659	Low	A handle to an object was requested with intent to delete.
	4660	Low	An object was deleted.
	4661	Low	A handle to an object was requested.
	4662	Low	An operation was performed on an object.
	4663	Low	An attempt was made to access an object.
	4664	Low	An attempt was made to create a hard link.
	4665	Low	An attempt was made to create an application client context.
	4666	Low	An application attempted an operation:
	4667	Low	An application client context was deleted.
	4668	Low	An application was initialized.
	4670	Low	Permissions on an object were changed.
	4671	Low	An application attempted to access a blocked ordinal through the TBS.
✅	4672	Low	Special privileges assigned to new logon.
	4673	Low	A privileged service was called.
	4674	Low	An operation was attempted on a privileged object.
✅	4688	Low	A new process has been created.
✅	4689	Low	A process has exited.
	4690	Low	An attempt was made to duplicate a handle to an object.
	4691	Low	Indirect access to an object was requested.
	4694	Low	Protection of auditable protected data was attempted.
	4695	Low	Unprotection of auditable protected data was attempted.
	4696	Low	A primary token was assigned to process.
	4697	Low	Attempt to install a service
	4698	Low	A scheduled task was created.
	4699	Low	A scheduled task was deleted.
	4700	Low	A scheduled task was enabled.
	4701	Low	A scheduled task was disabled.
	4702	Low	A scheduled task was updated.
	4704	Low	A user right was assigned.
	4705	Low	A user right was removed.
	4707	Low	A trust to a domain was removed.
	4709	Low	IPsec Services was started.
	4710	Low	IPsec Services was disabled.
	4711	Low	May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. PAStore Engine applied Active Directory storage IPsec policy on the computer. PAStore Engine applied local registry storage IPsec policy on the computer. PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. PAStore Engine failed to apply local registry storage IPsec policy on the computer. PAStore Engine failed to apply some rules of the active IPsec policy on the computer. PAStore Engine failed to load directory storage IPsec policy on the computer. PAStore Engine loaded directory storage IPsec policy on the computer. PAStore Engine failed to load local storage IPsec policy on the computer. PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected no changes.
	4712	Low	IPsec Services encountered a potentially serious failure.
	4717	Low	System security access was granted to an account.
	4718	Low	System security access was removed from an account.
✅	4720	Low	A user account was created.
✅	4722	Low	A user account was enabled.
✅	4723	Low	An attempt was made to change an account's password.
✅	4725	Low	A user account was disabled.
✅	4726	Low	A user account was deleted.
✅	4728	Low	A member was added to a security-enabled global group.
✅	4729	Low	A member was removed from a security-enabled global group.
✅	4730	Low	A security-enabled global group was deleted.
✅	4731	Low	A security-enabled local group was created.
✅	4732	Low	A member was added to a security-enabled local group.
✅	4733	Low	A member was removed from a security-enabled local group.
✅	4734	Low	A security-enabled local group was deleted.
✅	4738	Low	A user account was changed.
✅	4740	Low	A user account was locked out.
✅	4741	Low	A computer account was changed.
✅	4742	Low	A computer account was changed.
✅	4743	Low	A computer account was deleted.
✅	4744	Low	A security-disabled local group was created.
✅	4745	Low	A security-disabled local group was changed.
✅	4746	Low	A member was added to a security-disabled local group.
✅	4747	Low	A member was removed from a security-disabled local group.
✅	4748	Low	A security-disabled local group was deleted.
✅	4749	Low	A security-disabled global group was created.
✅	4750	Low	A security-disabled global group was changed.
✅	4751	Low	A member was added to a security-disabled global group.
✅	4752	Low	A member was removed from a security-disabled global group.
✅	4753	Low	A security-disabled global group was deleted.
✅	4756	Low	A member was added to a security-enabled universal group.
✅	4757	Low	A member was removed from a security-enabled universal group.
✅	4758	Low	A security-enabled universal group was deleted.
✅	4759	Low	A security-disabled universal group was created.
✅	4760	Low	A security-disabled universal group was changed.
✅	4761	Low	A member was added to a security-disabled universal group.
✅	4762	Low	A member was removed from a security-disabled universal group.
✅	4767	Low	A user account was unlocked.
	4768	Low	A Kerberos authentication ticket (TGT) was requested.
	4769	Low	A Kerberos service ticket was requested.
	4770	Low	A Kerberos service ticket was renewed.
	4771	Low	Kerberos pre-authentication failed.
	4772	Low	A Kerberos authentication ticket request failed.
	4774	Low	An account was mapped for logon.
	4775	Low	An account could not be mapped for logon.
✅ 7.8	4776	Low	The domain controller attempted to validate the credentials for an account.
	4777	Low	The domain controller failed to validate the credentials for an account.
	4778	Low	A session was reconnected to a Window Station.
	4779	Low	A session was disconnected from a Window Station.
✅	4781	Low	The name of an account was changed:
	4782	Low	The password hash an account was accessed.
	4783	Low	A basic application group was created.
	4784	Low	A basic application group was changed.
	4785	Low	A member was added to a basic application group.
	4786	Low	A member was removed from a basic application group.
	4787	Low	A nonmember was added to a basic application group.
	4788	Low	A nonmember was removed from a basic application group.
	4789	Low	A basic application group was deleted.
	4790	Low	An LDAP query group was created.
	4793	Low	The Password Policy Checking API was called.
	4800	Low	The workstation was locked.
	4801	Low	The workstation was unlocked.
	4802	Low	The screen saver was invoked.
	4803	Low	The screen saver was dismissed.
	4864	Low	A namespace collision was detected.
	4869	Low	Certificate Services received a resubmitted certificate request.
	4871	Low	Certificate Services received a request to publish the certificate revocation list (CRL).
	4872	Low	Certificate Services published the certificate revocation list (CRL).
	4873	Low	A certificate request extension changed.
	4874	Low	One or more certificate request attributes changed.
	4875	Low	Certificate Services received a request to shut down.
	4876	Low	Certificate Services backup started.
	4877	Low	Certificate Services backup completed.
	4878	Low	Certificate Services restore started.
	4879	Low	Certificate Services restore completed.
	4880	Low	Certificate Services started.
	4881	Low	Certificate Services stopped.
	4883	Low	Certificate Services retrieved an archived key.
	4884	Low	Certificate Services imported a certificate into its database.
	4886	Low	Certificate Services received a certificate request.
	4887	Low	Certificate Services approved a certificate request and issued a certificate.
	4888	Low	Certificate Services denied a certificate request.
	4889	Low	Certificate Services set the status of a certificate request to pending.
	4891	Low	A configuration entry changed in Certificate Services.
	4893	Low	Certificate Services archived a key.
	4894	Low	Certificate Services imported and archived a key.
	4895	Low	Certificate Services published the CA certificate to Active Directory Domain Services.
	4898	Low	Certificate Services loaded a template.
	4902	Low	The Per-user audit policy table was created.
	4904	Low	An attempt was made to register a security event source.
	4905	Low	An attempt was made to unregister a security event source.
	4909	Low	The local policy settings for the TBS were changed.
	4910	Low	The Group Policy settings for the TBS were changed.
	4928	Low	An Active Directory replica source naming context was established.
	4929	Low	An Active Directory replica source naming context was removed.
	4930	Low	An Active Directory replica source naming context was modified.
	4931	Low	An Active Directory replica destination naming context was modified.
	4932	Low	Synchronization of a replica of an Active Directory naming context has begun.
	4933	Low	Synchronization of a replica of an Active Directory naming context has ended.
	4934	Low	Attributes of an Active Directory object were replicated.
	4935	Low	Replication failure begins.
	4936	Low	Replication failure ends.
	4937	Low	A lingering object was removed from a replica.
	4944	Low	The following policy was active when the Windows Firewall started.
	4945	Low	A rule was listed when the Windows Firewall started.
	4946	Low	A change has been made to Windows Firewall exception list. A rule was added.
	4947	Low	A change has been made to Windows Firewall exception list. A rule was modified.
	4948	Low	A change has been made to Windows Firewall exception list. A rule was deleted.
	4949	Low	Windows Firewall settings were restored to the default values.
	4950	Low	A Windows Firewall setting has changed.
	4951	Low	A rule has been ignored because its major version number was not recognized by Windows Firewall.
	4952	Low	Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
	4953	Low	A rule has been ignored by Windows Firewall because it could not parse the rule.
	4954	Low	Windows Firewall Group Policy settings have changed. The new settings have been applied.
	4956	Low	Windows Firewall has changed the active profile.
	4957	Low	Windows Firewall did not apply the following rule:
	4958	Low	Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
	4979	Low	IPsec Main Mode and Extended Mode security associations were established.
	4980	Low	IPsec Main Mode and Extended Mode security associations were established.
	4981	Low	IPsec Main Mode and Extended Mode security associations were established.
	4982	Low	IPsec Main Mode and Extended Mode security associations were established.
	4985	Low	The state of a transaction has changed.
	5024	Low	The Windows Firewall Service has started successfully.
	5025	Low	The Windows Firewall Service has been stopped.
	5031	Low	The Windows Firewall Service blocked an application from accepting incoming connections on the network.
	5032	Low	Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
	5033	Low	The Windows Firewall Driver has started successfully.
	5034	Low	The Windows Firewall Driver has been stopped.
	5039	Low	A registry key was virtualized.
	5040	Low	A change has been made to IPsec settings. An Authentication Set was added.
	5041	Low	A change has been made to IPsec settings. An Authentication Set was modified.
	5042	Low	A change has been made to IPsec settings. An Authentication Set was deleted.
	5043	Low	A change has been made to IPsec settings. A Connection Security Rule was added.
	5044	Low	A change has been made to IPsec settings. A Connection Security Rule was modified.
	5045	Low	A change has been made to IPsec settings. A Connection Security Rule was deleted.
	5046	Low	A change has been made to IPsec settings. A Crypto Set was added.
	5047	Low	A change has been made to IPsec settings. A Crypto Set was modified.
	5048	Low	A change has been made to IPsec settings. A Crypto Set was deleted.
	5050	Low	An attempt to programmatically disable the Windows Firewall using a call to InetFwProfile.FirewallEnabled(False)
	5051	Low	A file was virtualized.
	5056	Low	A cryptographic self test was performed.
	5057	Low	A cryptographic primitive operation failed.
	5058	Low	Key file operation.
	5059	Low	Key migration operation.
	5060	Low	Verification operation failed.
	5061	Low	Cryptographic operation.
	5062	Low	A kernel-mode cryptographic self test was performed.
	5063	Low	A cryptographic provider operation was attempted.
	5064	Low	A cryptographic context operation was attempted.
	5065	Low	A cryptographic context modification was attempted.
	5066	Low	A cryptographic function operation was attempted.
	5067	Low	A cryptographic function modification was attempted.
	5068	Low	A cryptographic function provider operation was attempted.
	5069	Low	A cryptographic function property operation was attempted.
	5070	Low	A cryptographic function property modification was attempted.
	5125	Low	A request was submitted to the OCSP Responder Service
	5126	Low	Signing Certificate was automatically updated by the OCSP Responder Service
	5127	Low	The OCSP Revocation Provider successfully updated the revocation information
	5136	Low	A directory service object was modified.
	5137	Low	A directory service object was created.
	5138	Low	A directory service object was undeleted.
	5139	Low	A directory service object was moved.
	5140	Low	A network share object was accessed.
	5141	Low	A directory service object was deleted.
	5152	Low	The Windows Filtering Platform blocked a packet.
	5153	Low	A more restrictive Windows Filtering Platform filter has blocked a packet.
	5154	Low	The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
	5155	Low	The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
	5156	Low	The Windows Filtering Platform has allowed a connection.
	5157	Low	The Windows Filtering Platform has blocked a connection.
	5158	Low	The Windows Filtering Platform has permitted a bind to a local port.
	5159	Low	The Windows Filtering Platform has blocked a bind to a local port.
	5378	Low	The requested credentials delegation was disallowed by policy.
	5440	Low	The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
	5441	Low	The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
	5442	Low	The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
	5443	Low	The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
	5444	Low	The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started.
	5446	Low	A Windows Filtering Platform callout has been changed.
	5447	Low	A Windows Filtering Platform filter has been changed.
	5448	Low	A Windows Filtering Platform provider has been changed.
	5449	Low	A Windows Filtering Platform provider context has been changed.
	5450	Low	A Windows Filtering Platform sublayer has been changed.
	5451	Low	An IPsec Quick Mode security association was established.
	5452	Low	An IPsec Quick Mode security association ended.
	5456	Low	PAStore Engine applied Active Directory storage IPsec policy on the computer.
	5457	Low	PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
	5458	Low	PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
	5459	Low	PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
	5460	Low	PAStore Engine applied local registry storage IPsec policy on the computer.
	5461	Low	PAStore Engine failed to apply local registry storage IPsec policy on the computer.
	5462	Low	PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
	5463	Low	PAStore Engine polled for changes to the active IPsec policy and detected no changes.
	5464	Low	PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
	5465	Low	PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
	5466	Low	PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
	5467	Low	PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
	5468	Low	PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
	5471	Low	PAStore Engine loaded local storage IPsec policy on the computer.
	5472	Low	PAStore Engine failed to load local storage IPsec policy on the computer.
	5473	Low	PAStore Engine loaded directory storage IPsec policy on the computer.
	5474	Low	PAStore Engine failed to load directory storage IPsec policy on the computer.
	5477	Low	PAStore Engine failed to add quick mode filter.
	5479	Low	IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
	5632	Low	A request was made to authenticate to a wireless network.
	5633	Low	A request was made to authenticate to a wired network.
	5712	Low	A Remote Procedure Call (RPC) was attempted.
	5888	Low	An object in the COM+ Catalog was modified.
	5889	Low	An object was deleted from the COM+ Catalog.
	5890	Low	An object was added to the COM+ Catalog.
	6008	Low	The previous system shutdown was unexpected
	6144	Low	Security policy in the Group Policy objects has been applied successfully.
	6272	Low	Network Policy Server granted access to a user.
	N/A	Low	A handle to an object was requested.
	N/A	Low	Object open for delete
	N/A	Low	User Account Type Changed
	N/A	Low	IPsec policy agent started
	N/A	Low	IPsec policy agent disabled
	N/A	Low	IPsec policy agent
	N/A	Low	IPsec policy agent encountered a potential serious failure
	24577	Low	Encryption of volume started
	24578	Low	Encryption of volume stopped
	24579	Low	Encryption of volume completed
	24580	Low	Decryption of volume started
	24581	Low	Decryption of volume stopped
	24582	Low	Decryption of volume completed
	24583	Low	Conversion worker thread for volume started
	24584	Low	Conversion worker thread for volume temporarily stopped
	24588	Low	The conversion operation on volume %2 encountered a bad sector error. Please validate the data on this volume
	24595	Low	Volume %2 contains bad clusters. These clusters will be skipped during conversion.
	24621	Low	Initial state check: Rolling volume conversion transaction on %2.
	5049	Low	An IPsec Security Association was deleted.
	5478	Low	IPsec Services has started successfully.

Thanks to @magnuslarsen for putting together the data for the table.

[nicpenning]

Event ID 4776 - The domain controller attempted to validate the credentials for an account.

This Event ID from Domain Controllers can be very useful for tracking down user account lockouts per system.

Sometimes a user might have 2 or 3 systems and they change their password and try to change it on all devices but might miss that device or script that uses the bad credentials and locks them out.

Then it is up to IT to figure out what keeps locking their account out.

Would love to have this event processed!

[nicpenning]

Looks like this is on the roadmap for 7.8 :) I can wait until then.

[janniten]

Hi @andrewkroh
From the above list the following events were added to Winlogbeat's security module
4724 ( #13530),
4964,4673,4674,4697,4698,4699,4700 ,4701,4702,4768,4769,4770,4771,4778,4779 (#17517)

I was thinking in order to enhance the set of events we already have to work with this ones:

• In order to complete events regarding to Logon information: 4772,4774,4777
• Applications Groups Events: 4783 - 4790 (we already have the Security and Distribution Groups)
• Add events in order to detect configuration and audit changes: 4713,4714,4715,4739,4906,4907,4908,4912,4616,4902
• Events that can keep track to file changes. I'm already using some events from Netapp (logs are in the same format that Windows) and it is useful not only to keep track to file changes but also to use Canaries for ransomware activity detection.

I can also add the event.risk_score for all the events in the security module according to the table https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

What do you think?
Thank you!

[andrewkroh]

@janniten, Those improvements sound great! Especially the file audit events. I know I've heard requests for these events.

The risk score sounds good too. event.risk_score is a float so you'll have to do an arbitrary mapping to assign values to low, medium, high.

And thanks for the reminder to update the list above. I will do that soon.

[janniten]

Hi @andrewkroh , I'll start to work today with those events.
Regarding to the risk_score I'll do some research in order the mapping match something standard.
I've noticed something related to the mapping of the event.outcome. I think it is important, but it is not clear to me how to solve it from the security module. If I can, I'll do it...

https://discuss.elastic.co/t/event-outcome-and-winlog-keywords-possible-bug/242353

I do not understand why appears the winlog.keywords in spanish, in the winmeta.go code the mapping is like this

var winMeta = &publisherMetadataStore{
	Keywords: map[int64]string{
		0:                "AnyKeyword",
		0x1000000000000:  "Response Time",
		0x4000000000000:  "WDI Diag",
		0x8000000000000:  "SQM",
		0x10000000000000: "Audit Failure",
		0x20000000000000: "Audit Success",
		0x40000000000000: "Correlation Hint",
		0x80000000000000: "Classic",
	},

Maybe because it takes the mapping from the publisherMetaData?

func enrichRawValuesWithNames(publisherMeta *publisherMetadataStore, event *sys.Event) {
	// Keywords. Each bit in the value can represent a keyword.
	rawKeyword := int64(event.KeywordsRaw)
	isClassic := keywordClassic&rawKeyword > 0
	for mask, keyword := range winMeta.Keywords {
		if rawKeyword&mask > 0 {
			event.Keywords = append(event.Keywords, keyword)
			rawKeyword -= mask
		}
	}
	for mask, keyword := range publisherMeta.Keywords {
		if rawKeyword&mask > 0 {
			event.Keywords = append(event.Keywords, keyword)
			rawKeyword -= mask
		}
	}

Thank you!

[janniten]

@andrewkroh I Have created a PR (#20684) taht adds support for auidt and authorization Policy Change Events
Regards

[nicpenning]

Here are some other useful Security logs from Windows that would be helpful.

Microsoft Windows Defender (2016 and newer)

Microsoft Antimalware (Older Windows servers - 2012 R2)

Sample events
Channel - Windows Defender/Operational
Event ID - 1116 and 1117

Channel - System
Provider - Microsoft Antimalware
Event ID - 1116 and 1117

Extensive Windows Defender Event list here: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide

[nicpenning]

Hey everyone, just wanted to check in on the progress for these additions and more specifically the Windows Defender events I previously posted. Would it be better to spin up a separate FR/Issue to get Defender events parsed? Lots of good information in these events that would translate to excellent Kibana Detections.

[andrewkroh]

Would it be better to spin up a separate FR/Issue to get Defender events parsed?

I think it's not sustainable to keep the table updated in this issue. My recommendation is to open specific issues (or PRs 😄 ) https://github.com/elastic/integrations for events that need handling. The logs-system.security pipeline is roughly what gets incorporated into Winlogbeat 8.x.