Knowing which Windows Event IDs matter most helps security teams triage faster and reduce noise. This guide highlights 15 high-value IDs used frequently in detection and incident response.
Account authentication and logon events
- 4624 – Successful logon
- 4625 – Failed logon
- 4634 – Logoff
- 4648 – Logon attempt with explicit credentials
- 4672 – Special privileges assigned (admin-level token)
Account and group change events
- 4720 – User account created
- 4722 – User account enabled
- 4723 – Password change attempt
- 4724 – Password reset attempt
- 4728 – Member added to a security-enabled global group (logged for any such group; filter on privileged ones such as Domain Admins)
- 4732 – Member added to a security-enabled local group (logged for any such group; filter on privileged ones such as the local Administrators group)
Process and policy events
- 4688 – New process created
- 4697 – Service installed on system
- 4719 – System audit policy changed
Kerberos and ticket abuse indicators
- 4768 – Kerberos TGT requested
- 4769 – Kerberos service ticket requested
How to use this list in practice
- Baseline normal frequency per server role
- Alert on unusual spikes (4625, 4688, 4728/4732, 4719)
- Correlate IDs by user, host, and time window
- Feed into SIEM detection rules with suppression tuning
Quick triage workflow
- Start with account events (4624/4625/4672)
- Check privilege/group change path (4728/4732)
- Pivot to process execution (4688)
- Validate policy tampering or persistence (4719/4697)
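As an added example that is not part of the original guide, the Python sketch below applies two of the checks above to constructed sample events: a sliding-window spike count on 4625 per user/host, and the triage chain 4728/4732 → 4672 → 4688 correlated by user within a time window. The event field names, thresholds and windows are assumptions; a real SIEM rule would read the same fields from parsed event logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): a burst of 4625 against one host,
# then a local-group addition, a privileged logon and a process start by that user.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "id": 4625, "user": "jdoe", "host": "SRV01"},
    {"ts": "2024-05-01T08:00:05", "id": 4625, "user": "jdoe", "host": "SRV01"},
    {"ts": "2024-05-01T08:00:09", "id": 4625, "user": "jdoe", "host": "SRV01"},
    {"ts": "2024-05-01T08:30:00", "id": 4625, "user": "asmith", "host": "SRV02"},
    {"ts": "2024-05-01T09:00:00", "id": 4732, "user": "jdoe", "host": "SRV01"},
    {"ts": "2024-05-01T09:02:00", "id": 4624, "user": "jdoe", "host": "SRV01"},
    {"ts": "2024-05-01T09:02:00", "id": 4672, "user": "jdoe", "host": "SRV01"},
    {"ts": "2024-05-01T09:03:30", "id": 4688, "user": "jdoe", "host": "SRV01"},
]

def _timeline(events):
    # Parse ISO timestamps and order events chronologically (assumed input shape).
    parsed = (dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events)
    return sorted(parsed, key=lambda e: e["ts"])

def failed_logon_spikes(events, threshold=3, window=timedelta(minutes=5)):
    """(user, host) pairs with >= threshold 4625 events inside any sliding window."""
    recent, hits = defaultdict(deque), set()
    for e in (x for x in _timeline(events) if x["id"] == 4625):
        q = recent[(e["user"], e["host"])]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hits.add((e["user"], e["host"]))
    return sorted(hits)

CHAIN = ({4728, 4732}, {4672}, {4688})  # group change -> privileged logon -> new process

def privilege_chains(events, window=timedelta(minutes=15)):
    """Users for whom every CHAIN step occurs, in order, within window of the first."""
    per_user = defaultdict(list)
    for e in _timeline(events):
        per_user[e["user"]].append(e)
    matched = []
    for user, evs in per_user.items():
        step, start = 0, None
        for e in evs:
            if e["id"] in CHAIN[step] and (start is None or e["ts"] - start <= window):
                start, step = start or e["ts"], step + 1
                if step == len(CHAIN):
                    matched.append(user)
                    break
    return sorted(matched)
```

Tune `threshold` and `window` per server role after baselining, as the list above recommends; the defaults here are illustrative only.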
This event set gives a strong daily baseline for Windows-focused security monitoring.