In today’s digital age, monitoring and analyzing events is crucial for ensuring the security and stability of IT systems. Security Information and Event Management (SIEM) systems provide real-time monitoring and analysis of security-related events to identify and mitigate potential threats. One of the primary components of a SIEM system is the ability to monitor Event IDs generated by different applications and systems within the IT environment.
Event IDs are unique identifiers assigned to different events and activities that occur within a system or application. By monitoring specific Event IDs, SIEM systems can identify and alert IT personnel of potential security threats or system errors. In this article, we will discuss some of the most commonly monitored Event IDs by SIEM systems and their potential significance.
Event ID 4624 – Account Logon
Event ID 4624 is generated when a user successfully logs into a system or application. This Event ID is commonly monitored by SIEM systems to identify unauthorized access attempts or suspicious login patterns. SIEM systems can analyze the source IP address, user account, and other relevant information to determine if the login is legitimate or not. If the login is suspicious, the SIEM system can alert IT personnel to investigate further.
Event ID 4625 – Failed Logon Attempt
Event ID 4625 is generated when a user fails to log into a system or application. This Event ID is also commonly monitored by SIEM systems to identify potential security threats or brute-force login attempts. SIEM systems can analyze the source IP address, user account, and other relevant information to determine if the login attempt is legitimate or not. If the login attempt is suspicious, the SIEM system can alert IT personnel to investigate further.
Event ID 4688 – Process Creation
Event ID 4688 is generated when a new process is created on a system or application. This Event ID is commonly monitored by SIEM systems to identify potential malware or unauthorized program execution. SIEM systems can analyze the process name, location, and other relevant information to determine if the process is legitimate or not. If the process is suspicious, the SIEM system can alert IT personnel to investigate further.
Event ID 4719 – System Audit Policy Change
Event ID 4719 is generated when the system audit policy is changed on a system or application. This Event ID is commonly monitored by SIEM systems to identify potential security policy violations. SIEM systems can analyze the policy change and other relevant information to determine if the change is authorized or not. If the policy change is suspicious, the SIEM system can alert IT personnel to investigate further.
Event ID 4768 – Kerberos Authentication Ticket Request
Event ID 4768 is generated when a Kerberos authentication ticket is requested on a system or application. This Event ID is commonly monitored by SIEM systems to identify potential security breaches or unauthorized access attempts. SIEM systems can analyze the source IP address, user account, and other relevant information to determine if the request is legitimate or not. If the request is suspicious, the SIEM system can alert IT personnel to investigate further.
Event ID 7045 – Service Installation
Event ID 7045 is generated when a new service is installed on a system or application. This Event ID is commonly monitored by SIEM systems to identify potential malware or unauthorized service installation. SIEM systems can analyze the service name, location, and other relevant information to determine if the service is legitimate or not. If the service is suspicious, the SIEM system can alert IT personnel to investigate further.
The below table contains only a few event IDs and potential issues. There are many more event IDs that can be monitored, and the potential issues may vary depending on the system configuration and use case. It is important to have a thorough understanding of the system and its potential risks to select the appropriate event IDs to monitor.
| ID | Event Description | Potential Issues |
|---|---|---|
| 4624 | An account was successfully logged on | Unauthorized access, security breach |
| 4625 | An account failed to log on | Failed login attempts, potential security breach |
| 4634 | An account was logged off | User activity monitoring |
| 4648 | A logon was attempted using explicit credentials | Attempts to access restricted resources |
| 4688 | A new process has been created | Suspicious or unauthorized program execution |
| 4698 | A scheduled task was created | Unauthorized or suspicious task creation |
| 4699 | A scheduled task was deleted | Unauthorized or suspicious task deletion |
| 4700 | A scheduled task was enabled | Suspicious or unauthorized task modification |
| 4701 | A scheduled task was disabled | Suspicious or unauthorized task modification |
| 4719 | System audit policy was changed | Potential security policy violation |
| 4720 | A user account was created | New user account creation monitoring |
| 4722 | A user account was enabled | Suspicious or unauthorized account modification |
| 4723 | An attempt was made to change an account’s password | Potential security breach |
| 4724 | An attempt was made to reset an account’s password | Potential security breach |
| 4725 | A user account was disabled | Suspicious or unauthorized account modification |
| 4726 | A user account was deleted | Suspicious or unauthorized account deletion |
| 4738 | A user account was changed | Suspicious or unauthorized account modification |
| 4740 | A user account was locked out | Failed login attempts or potential security breach |
| 4768 | A Kerberos authentication ticket was requested | Potential security breach |
| 4769 | A Kerberos service ticket was requested | Potential security breach |
| 4776 | The domain controller attempted to validate the credentials for an account | Failed login attempts or potential security breach |
| 4798 | A user’s local group membership was enumerated | User activity monitoring |
| 4946 | A rule was added to the Windows Firewall exception list | Unauthorized or suspicious firewall rule addition |
| 5152 | The Windows Filtering Platform blocked a packet | Potential security breach |
| 5156 | The Windows Filtering Platform has permitted a connection | User activity monitoring |
| 7045 | A service was installed in the system | Unauthorized or suspicious service installation |
| 7035 | The Windows Modules Installer service entered the stopped state | Potential system instability or service malfunction |
| 7036 | The Windows Modules Installer service entered the running state | Potential system instability or service malfunction |
In conclusion, monitoring Event IDs is a critical component of any SIEM system. By monitoring specific Event IDs, SIEM systems can identify potential security threats, system errors, and policy violations. The Event IDs discussed in this article are just a few examples of the many Event IDs that can be monitored by SIEM systems.
You may also like:- How To Fix the Crowdstrike/BSOD Issue in Microsoft Windows
- MICROSOFT is Down Worldwide – Read Full Story
- Windows Showing Blue Screen Of Death Error? Here’s How You Can Fix It
- A Guide to SQL Operations: Selecting, Inserting, Updating, Deleting, Grouping, Ordering, Joining, and Using UNION
- Top 10 Most Common Software Vulnerabilities
- Essential Log Types for Effective SIEM Deployment
- How to Fix the VMware Workstation Error: “Unable to open kernel device ‘.\VMCIDev\VMX'”
- Top 3 Process Monitoring Tools for Malware Analysis
- CVE-2024-6387 – Critical OpenSSH Unauthenticated RCE Flaw ‘regreSSHion’ Exposes Millions of Linux Systems
- 22 Most Widely Used Testing Tools
