Top 50 Windows SIEM Use Cases & Event IDs

Listen to this Post

Windows SIEM helps detect cyber threats by monitoring critical events:

Authentication & Account Security

  • Failed Login Attempts – Event ID 4625
  • Account Lockouts – Event ID 4740
  • Successful Login Outside Business Hours – Event ID 4624
  • New User Creation – Event ID 4720
  • Privileged Account Usage – Event ID 4672
  • User Account Changes – Event IDs 4722, 4723, 4724, 4725, 4726
  • Logon from Unusual Locations – Event ID 4624 (with geolocation analysis)
  • Password Changes – Event IDs 4723, 4724
  • Group Membership Changes – Event IDs 4727, 4731, 4735, 4737
  • Suspicious Logon Patterns – Event ID 4624
  • Excessive Logon Failures – Event ID 4625
  • Disabled Account Activity – Event ID 4725
  • Dormant Account Usage – Event ID 4624

System & Network Monitoring

  • Service Account Activity – Event IDs 4624, 4672
  • RDP Access Monitoring – Event ID 4624 (with RDP-specific filtering)
  • Lateral Movement Detection – Event ID 4648
  • File and Folder Access – Event ID 4663
  • Unauthorised File Sharing – Event IDs 5140, 5145
  • Registry Changes – Event ID 4657
  • Application Installation and Removal – Event IDs 11707, 1033
  • USB Device Usage – Event IDs 20001, 20003
  • Windows Firewall Changes – Event IDs 4946, 4947, 4950, 4951
  • Scheduled Task Creation – Event ID 4698
  • Process Execution Monitoring – Event ID 4688
  • System Restart or Shutdown – Event IDs 6005, 6006, 1074

Threat Detection & Incident Response

  • Event Log Clearing – Event ID 1102
  • Malware Execution or Indicators – Event IDs 4688, 1116
  • Active Directory Changes – Event IDs 5136, 5141
  • Shadow Copy Deletion – Event ID 524
  • Network Configuration Changes – Event IDs 4254, 4255, 10400
  • Execution of Suspicious Scripts – Event ID 4688 (with script interpreter analysis)
  • Service Installation or Modification – Event ID 4697
  • Clearing of Audit Logs – Event ID 1102
  • Software Restriction Policy Violation – Event ID 865
  • Excessive Account Enumeration – Event IDs 4625, 4776
  • Attempt to Access Sensitive Files – Event ID 4663
  • Unusual Process Injection – Event ID 4688 (with EDR or Sysmon data)
  • Driver Installation – Event ID 7045
  • Modification of Scheduled Tasks – Event ID 4699
  • Unauthorised GPO Changes – Event ID 5136

Advanced Threat Hunting

  • Suspicious PowerShell Activity – Event ID 4104
  • Unusual Network Connections – Event ID 5156
  • Unauthorised Access to Shared Files – Event ID 5145
  • DNS Query for Malicious Domains – Event ID 5158
  • LDAP Search Abuse – Event ID 4662
  • Process Termination Monitoring – Event ID 4689
  • Failed Attempts to Start a Service – Event ID 7041
  • Audit Policy Changes – Event IDs 4719, 1102
  • Time Change Monitoring – Event IDs 4616, 520
  • BitLocker Encryption Key Changes – Event ID 5379

By monitoring these Event IDs in SIEM, security teams can detect and respond to cyber threats more effectively.

What Undercode Say

Windows SIEM is a critical tool for cybersecurity professionals, enabling the detection of threats through Event ID monitoring. By leveraging these Event IDs, teams can identify anomalies such as unauthorized logins, suspicious PowerShell activity, or unusual network connections. For instance, Event ID 4625 (Failed Login Attempts) can be used to detect brute force attacks, while Event ID 4688 (Process Execution Monitoring) helps identify malicious processes.

To enhance your SIEM setup, consider using the following commands and tools:

1. PowerShell Commands for Event Log Analysis:

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} 
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} 

These commands extract specific Event IDs for analysis.

2. Sysmon for Advanced Monitoring:

Sysmon can be configured to log detailed process creation, network connections, and file access. Example configuration:

<Sysmon schemaversion="4.90">
<EventFiltering>
<ProcessCreate onmatch="exclude"/>
<NetworkConnect onmatch="include">
<DestinationPort>443</DestinationPort>
</NetworkConnect>
</EventFiltering>
</Sysmon>

3. Linux Commands for SIEM Integration:

If you’re integrating Linux logs with SIEM, use `rsyslog` or `syslog-ng` to forward logs:

sudo apt install rsyslog 
sudo systemctl enable rsyslog 
sudo systemctl start rsyslog 

4. Windows Firewall Logging:

Enable logging for dropped packets and successful connections:

netsh advfirewall set allprofiles logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log 
netsh advfirewall set allprofiles logging droppedconnections enable 

5. Threat Hunting with EDR Tools:

Use tools like Microsoft Defender for Endpoint or CrowdStrike to correlate Event IDs with advanced threat data.

For further reading, refer to Microsoft’s official documentation on Event IDs:
Windows Security Event IDs
Sysmon Documentation

By combining these tools and techniques, you can build a robust SIEM strategy to protect your environment from evolving cyber threats.

References:

Hackers Feeds, Undercode AIFeatured Image