Event Lens

Important Windows Event Log IDs, Sysmon Event IDs and Logon Types for security monitoring

Windows Security Event Logs

Critical security-related event IDs from the Windows Security event log (Event ID range: 4600-7200)

Sysmon Event Logs

Important event IDs from Sysmon (System Monitor), a Windows system service and device driver that logs process creation, network connections, file and registry changes in far more detail than the built-in Security log

Critical System Events

Important system event IDs (20-4400) that may indicate security issues

Logon Type Codes

Understanding logon types helps identify how accounts are accessing systems (carried in the LogonType field of Event IDs 4624 and 4625)

Event Sources & Providers

Key Windows event providers that generate security-relevant logs

More Event IDs

Finding Important Security Event Log Codes

To find additional important security event log codes:

  1. Consult the SANS Institute resources:
  2. Reference Microsoft's official documentation:
  3. Check 13 cubed (a comprehensive Windows logging reference):
  4. For Sysmon events, refer to:

Contribute To Event Lens

// To add new event IDs, extend these arrays in events.js (id: numeric Event ID, severity: "low" | "medium" | "high"):
const securityEvents = [
    {id: 4624, title: "Successful Logon", description: "An account was successfully logged on.", severity: "low"},
    // Add more events here
];

const sysmonEvents = [
    {
        id: 1,
        title: "Process Creation",
        description: "Fires when a process starts, capturing the command line, parent process, user and file hashes.",
        severity: "medium"
    },
    // Add more Sysmon events here
];

SIEM Query Examples

Microsoft Sentinel (KQL)

// Count selected high-severity events by ID (failed logon, special privileges, service install, account and group changes, Kerberos TGT requests)
SecurityEvent
| where EventID in (4625, 4672, 4697, 4720, 4728, 4732, 4741, 4768)
| summarize count() by EventID, Activity

// Suspicious process creation: PowerShell or cmd started with -nop or -enc
// ("Sysmon" here is a parser or custom table; with the default agent the events
// land in the Event table and must be parsed before these fields exist)
Sysmon
| where EventID == 1
| where ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd"
| where ProcessCommandLine contains "-nop" or ProcessCommandLine contains "-enc"

Splunk SPL

# Repeated failed logons per source and account (brute force; a spray across many accounts stays under this threshold)
index=wineventlog EventCode=4625
| stats count by src_ip, user
| where count > 5

# Sysmon process creation with cmd.exe or powershell.exe as the parent
# (broad by design; narrow ParentImage to Office or browser binaries for higher signal)
index=wineventlog source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| search ParentImage="*\\cmd.exe" OR ParentImage="*\\powershell.exe"
| table _time, host, user, Image, CommandLine, ParentImage
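The Logon Type Codes section and the Splunk failed-logon query above describe the same analysis in words and in SPL. The following is an added example, not part of Event Lens or its events.js, that runs that analysis offline over constructed 4624/4625 records: it decodes LogonType and the common 4625 SubStatus codes, applies the per-(source, account) threshold from the Splunk query, and adds the check that threshold misses, a password spray (one source, many accounts, one failure each) followed by a success. The record layout and sample IP addresses are assumptions made for the example.

```python
from collections import defaultdict

# Logon type codes as carried in the LogonType field of 4624 and 4625.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Frequent 4625 SubStatus codes (NTSTATUS values) and what they mean.
SUBSTATUS = {"0xc0000064": "user name does not exist",
             "0xc000006a": "wrong password",
             "0xc0000234": "account locked out",
             "0xc0000072": "account disabled",
             "0xc000006f": "outside permitted logon hours",
             "0xc0000071": "password expired",
             "0xc0000193": "account expired"}


def _fail(user, ip, sub="0xC000006A"):
    # Minimal 4625 record; field names mirror the event's EventData.
    return {"EventID": 4625, "TargetUserName": user, "LogonType": 3,
            "IpAddress": ip, "SubStatus": sub}


def _ok(user, ip, ltype):
    # Minimal 4624 record.
    return {"EventID": 4624, "TargetUserName": user, "LogonType": ltype,
            "IpAddress": ip, "SubStatus": None}


# Constructed sample events (not real logs): a brute force against one account,
# a low-and-slow spray across several accounts that finally lands, and noise.
SAMPLE_LOGONS = (
    [_fail("alice", "203.0.113.10") for _ in range(6)]
    + [_fail("ghost", "203.0.113.10", "0xC0000064")]
    + [_fail(u, "198.51.100.7") for u in ("alice", "bob", "carol", "dave")]
    + [_ok("dave", "198.51.100.7", 3), _ok("admin", "10.0.0.8", 10)]
)


def describe(event):
    """Human-readable one-liner for a 4624/4625 record."""
    ltype = LOGON_TYPES.get(event["LogonType"], f"type {event['LogonType']}")
    if event["EventID"] == 4624:
        return f"4624 {event['TargetUserName']} {ltype} from {event['IpAddress']}"
    reason = SUBSTATUS.get((event["SubStatus"] or "").lower(), "unknown reason")
    return f"4625 {event['TargetUserName']} {ltype} from {event['IpAddress']}: {reason}"


def brute_force_sources(events, threshold=5):
    """(ip, user) pairs with more than `threshold` failures: the per-pair count."""
    counts = defaultdict(int)
    for e in events:
        if e["EventID"] == 4625:
            counts[(e["IpAddress"], e["TargetUserName"])] += 1
    return {k: v for k, v in counts.items() if v > threshold}


def spray_sources(events, min_users=3):
    """IPs that failed against at least `min_users` distinct accounts.
    A per-(ip, user) threshold never fires on this pattern."""
    users = defaultdict(set)
    for e in events:
        if e["EventID"] == 4625:
            users[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


def spray_followed_by_success(events, min_users=3):
    """Accounts that logged on (4624) from an IP that was spraying."""
    spraying = spray_sources(events, min_users)
    return sorted({(e["IpAddress"], e["TargetUserName"]) for e in events
                   if e["EventID"] == 4624 and e["IpAddress"] in spraying})


if __name__ == "__main__":
    for ev in SAMPLE_LOGONS:
        print(describe(ev))
    print("brute force:", brute_force_sources(SAMPLE_LOGONS))
    print("spray:", spray_sources(SAMPLE_LOGONS))
    print("spray then success:", spray_followed_by_success(SAMPLE_LOGONS))
```

The two grouping keys are the whole point: counting by (source, account) catches the loud brute force, counting distinct accounts by source catches the spray, and joining the spraying sources back to 4624 tells you which account to reset first.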

ELK (Kibana)

// Account manipulation events (Lucene query syntax)
event.code:(4720 OR 4728 OR 4732 OR 4741 OR 4742 OR 4767)
AND event.module:security

// Sysmon network connections (Event ID 3) to ports worth a second look.
// Note: 49152-65535 also covers Windows RPC dynamic ports, so pair this with
// process.executable or user.name filters before treating a hit as suspicious
event.provider:"Microsoft-Windows-Sysmon" AND event.code:3
AND (destination.port:(22 OR 4444 OR 5555 OR 6666 OR 7777 OR 8080)
OR destination.port:(>= 49152 AND <= 65535))

Pro Tip:

When creating SIEM queries, always:

  • Bound the time range: it cuts search cost and keeps results tied to the window you are investigating
  • Include the fields you will pivot on in the output (timestamp, host, user, process, command line, source IP)
  • Search on extracted fields (EventCode, TargetUserName, CommandLine) rather than raw text; it is faster and avoids matches inside unrelated fields
  • Add thresholds to reduce noise (e.g., count > 5), but remember that a per-account threshold misses a password spray that tries many accounts once each