Windows Security Events

| event.code | Name                      | Description                                      |
|------------|---------------------------|--------------------------------------------------|
| 4624       | Logon Success             | User successfully logged on                      |
| 4625       | Logon Failure             | Failed logon attempt                             |
| 4634       | Logoff                    | Logoff event                                     |
| 4648       | Explicit Credential Logon | Logon using explicit credentials (e.g., runas)   |
| 4672       | Privileged Logon          | Logon with administrative privileges             |
| 4688       | Process Creation          | New process was created                          |
| 4689       | Process Termination       | Process ended                                    |
| 4697       | Service Installed         | New service was installed                        |
| 4720       | User Created              | New user account created                         |
| 4722       | User Enabled              | User account was enabled                         |
| 4723       | Password Change (self)    | User changed their own password                  |
| 4724       | Password Reset (other)    | Password reset by another user                   |
| 4725       | User Disabled             | User account was disabled                        |
| 4726       | User Deleted              | User account was deleted                         |
| 4768       | Kerberos TGT Request      | Request for a Ticket Granting Ticket             |
| 4769       | Kerberos Service Ticket   | Request for a Service Ticket                     |
| 4776       | NTLM Authentication       | NTLM authentication request                      |
Sysmon Events

| event.code | Name                            | Description                                           |
|------------|---------------------------------|-------------------------------------------------------|
| 1          | Process Creation                | New process executed (very detailed)                  |
| 2          | File Creation Time Changed      | Change to a file's creation time                      |
| 3          | Network Connection              | Outbound network connection                           |
| 4          | Sysmon Service State Changed    | Sysmon service started or stopped                     |
| 5          | Process Terminated              | Process ended                                         |
| 6          | Driver Loaded                   | Driver was loaded                                     |
| 7          | Image Loaded                    | DLL or image loaded by a process                      |
| 8          | CreateRemoteThread              | Remote thread created in another process              |
| 9          | Raw Access Read                 | Raw access to disk (forensics, malware)               |
| 10         | ProcessAccess                   | Access from one process to another (possible injection) |
| 11         | File Created                    | File was created                                      |
| 12         | Registry Object Created/Deleted | Key created or deleted in the registry                |
| 13         | Registry Value Set              | Value set in the registry                             |
| 14         | Registry Object Renamed         | Registry key renamed                                  |
| 15         | FileStream Created              | Alternate Data Stream created                         |
| 22         | DNS Query                       | DNS lookup performed by a process                     |
Other Notable Events

| event.code | Source                 | Description                              |
|------------|------------------------|------------------------------------------|
| 800        | PowerShell Logging     | Execution of a PowerShell command        |
| 4104       | PowerShell ScriptBlock | Script block logging (full content)      |
| 7045       | System                 | New service installed                    |