It goes without saying that across your business infrastructure, there should be a commitment to protect not only the hardware and software assets, but the plethora of data that is transmitted through and stored in it. However, to successfully safeguard such data, it is imperative to have an effective audit policy in place that includes the collection of security events as its essential component.
Windows provides a wealth of security logs that are visible in the built-in Security channel of Event Viewer. Each log entry is associated with a number called the Event ID. These logs carry a wide variety of information, ranging from authentication events to policy changes. NXLog provides the im_msvistalog module to collect logs from Windows Event Log, which can be easily configured to collect logs based on their Event ID.
Which security logs should you really be collecting?
With thousands of events, it is essential to carefully consider and select the right ones for your security needs. To increase the signal-to-noise ratio of the Windows logs to be used for security monitoring, you need two things:
- The critical information within the logs that can be used to identify events that are useful in intrusion detection or that can identify events commonly associated with other types of malicious activity.
- A comprehensive logging solution that can not only filter specific events based on this critical set of information, but can also forward them, securely, to a remote SIEM or analytics platform for further analysis and action.
It is impossible to cover every important security log, or to anticipate every business need, in a short article, but at NXLog our experience has shown that the following logs provide a good starting point for collecting a meaningful set of events worthy of analysis.
Authentication events
Authentication events need to be monitored, regardless of success or failure. In the case of a successful logon, a non-administrative account may unexpectedly have been assigned special privileges. Normally, this should raise a red flag that something is amiss. When all logon events in an organization are forwarded in real time to a centralized log collection host, brute force attacks, or even pass the hash attacks, can be quickly detected that might otherwise go unnoticed.
Event IDs to look out for: 4624, 4625, 4648, and 4672.
File access and object modification
These logs show attempts to access resources on a system. Whenever a user tries to access a file, an event is logged. Any suspicious modification of scheduled tasks or files might indicate that malware has infected the system. If so, the consequences can be severe. Intruders could hold valuable, sensitive data to ransom, or they could use privilege escalation to gain administrator privileges and thus take control of the entire network.
Event IDs to look out for: 4660, 4663, 4670, and 5136.
Clearing the audit log
Since there is rarely a legitimate need to manually clear the Windows Security audit log, doing so can be a valuable indicator of suspicious activity. Hackers are keen on covering their tracks, so whenever a "The audit log was cleared" event cannot be accounted for, your security analysts should immediately investigate who or what triggered it.
Event ID to look out for: 1102.
Changes to firewall settings
All changes to firewall policies are logged. Hackers attempt to change firewall rules to permit unwanted connections to unauthorized sites, or to enable a man-in-the-middle attack, a kind of network "wiretapping" technique used to intercept confidential data sent between two endpoints. When such an attack succeeds, neither party has any indication that their transmissions are being recorded.
Event IDs to look out for: 4946, 4947, 4948, 4950, and 5025.
System restart
This log provides information regarding when the system was shut down or restarted. If a system restarts unexpectedly, an event is logged. This type of event should always be followed up by a security investigation, since hackers may have initiated a restart in order to install and launch malware undetected while the system was coming back up.
Event IDs to look out for: 4608 and 4616.
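Putting the lists above together, here is an added example NXLog configuration (written for this article, not taken from the original text or from NXLog's own documentation) that uses the im_msvistalog module to collect only the event IDs discussed in the sections above from the Security channel, then forwards them over TLS to a remote SIEM with om_ssl. The install path, the host name siem.example.com, port 6514 and the CA certificate path are placeholders to be replaced with your own values.

```apacheconf
# Added example nxlog.conf (not from the article): collect the Security
# events listed above and forward them securely to a SIEM.
define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Needed for to_syslog_ietf() in the output below.
<Extension _syslog>
    Module  xm_syslog
</Extension>

# The XPath filter below is grouped by the categories in the article:
#   4624 4625 4648 4672        authentication events
#   4660 4663 4670 5136        file access and object modification
#   1102                       audit log cleared
#   4946 4947 4948 4950 5025   firewall policy changes
#   4608 4616                  system startup / time change
<Input security_events>
    Module  im_msvistalog
    # Start at the current end of the log and remember the position, so a
    # restart of nxlog neither replays old events nor loses new ones.
    ReadFromLast  TRUE
    SavePos       TRUE
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">
                    *[System[(
                        EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or
                        EventID=4660 or EventID=4663 or EventID=4670 or EventID=5136 or
                        EventID=1102 or
                        EventID=4946 or EventID=4947 or EventID=4948 or EventID=4950 or EventID=5025 or
                        EventID=4608 or EventID=4616
                    )]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Forward over TLS; the SIEM's certificate is verified against the CA file.
<Output siem>
    Module          om_ssl
    Host            siem.example.com
    Port            6514
    CAFile          %CERTDIR%\ca.pem
    AllowUntrusted  FALSE
    Exec            to_syslog_ietf();
</Output>

<Route security_to_siem>
    Path  security_events => siem
</Route>
```

Filtering in the QueryXML block means the unwanted events are discarded by the Windows Event Log subscription itself rather than after collection, which keeps CPU and bandwidth on the endpoint low. Windows limits the number of expressions allowed in a single XPath filter, so if you extend this list much further, split it across several Select elements rather than growing one expression.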
The value of security logs
Businesses should include log collection in their security audit policy to proactively ensure that security remains a core focus of their operations. With the ever-increasing number of cyberattacks, the Windows Security audit log continues to monitor what really needs protecting, while providing security analysts with valuable information for tracking suspicious as well as malicious activity.
Note: We could only share a small number of event IDs out of the many available. To find out more about other event IDs and the logs they generate, see the Ultimate Windows Security logs encyclopedia.