When triaging security events in Windows environments, speed matters. Knowing which Event IDs carry the most signal saves a lot of time during an investigation.
Here are 15 Event IDs worth keeping in your daily checklist, plus quick query examples. Most live in the Security log; the two exceptions (7045 and 1116) are noted below.
Authentication and access
- 4624 – Successful logon
- 4625 – Failed logon
- 4768 – Kerberos TGT request (logged on domain controllers)
- 4769 – Kerberos service ticket request (logged on domain controllers)
- 4771 – Kerberos pre-authentication failed (logged on domain controllers)
- 4740 – User account locked out (on domain controllers for domain accounts; on the local machine for local accounts)
Account and group changes
- 4720 – User account created
- 4726 – User account deleted
- 4732 – Member added to security-enabled local group
- 4733 – Member removed from security-enabled local group
Execution and system changes
- 4688 – A new process has been created
- 7045 – A service was installed (System log, source Service Control Manager, not the Security log)
- 5140 – A network share object was accessed
- 1102 – The audit log was cleared
- 1116 – Malware detected (Microsoft-Windows-Windows Defender/Operational log)
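Because the checklist spans three different logs, it helps to pull all of them into one time-ordered view. The following is an added example (not part of the original post) that maps each ID to the log it lives in and queries them together; the noisy-by-default exclusion list and the per-log cap are assumptions you should tune for your hosts. Run it on a domain controller to see the Kerberos and lockout IDs for domain accounts.

```powershell
# Added example: one sorted timeline of the 15 checklist IDs across the logs they live in.
# Assumptions: the caller can read the Security log; 4740/4768/4769/4771 for domain accounts
# are recorded on domain controllers, so run there for those IDs.

$Checklist = @{
    'Security' = 4624, 4625, 4768, 4769, 4771, 4740, 4720, 4726, 4732, 4733, 4688, 5140, 1102
    'System'   = 7045                                  # Service Control Manager, not Security
    'Microsoft-Windows-Windows Defender/Operational' = 1116
}

function Get-TriageTimeline {
    param(
        [int]$Hours = 24,
        [int[]]$ExcludeId = @(4624, 4769),   # assumption: too noisy on busy hosts for a first pass
        [int]$MaxPerLog = 2000               # assumption: cap per log so a flood does not stall triage
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in $Checklist.Keys) {
        $ids = @($Checklist[$log] | Where-Object { $_ -notin $ExcludeId })
        if (-not $ids) { continue }
        # Get-WinEvent throws "No events were found" when nothing matches; treat that as empty.
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } `
                     -MaxEvents $MaxPerLog -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Log         = $log
                    Id          = $_.Id
                    Computer    = $_.MachineName
                    Summary     = ($_.Message -split "`r?`n")[0]   # first line of the message only
                }
            }
    }
}

# Default run: last 24 hours, without 4624/4769, newest at the bottom
Get-TriageTimeline | Sort-Object TimeCreated | Format-Table -AutoSize

# Variant for a ticket: last 6 hours, everything included, exported to CSV
# Get-TriageTimeline -Hours 6 -ExcludeId @() | Sort-Object TimeCreated |
#     Export-Csv .\triage.csv -NoTypeInformation
```

Keeping the Summary column to the first line of the message makes the table scannable; switch to the full Message (or to ToXml()) once you have picked the events to dig into.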
Quick PowerShell queries
# Failed logons in last 12 hours
Get-WinEvent -FilterHashtable @{
LogName='Security'
Id=4625
StartTime=(Get-Date).AddHours(-12)
} | Select-Object TimeCreated, Id, Message -First 50
# Account lockouts in last 24 hours
Get-WinEvent -FilterHashtable @{
LogName='Security'
Id=4740
StartTime=(Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Id, Message
# Process creation events (requires the "Audit Process Creation" policy; enable "Include command line in process creation events" to see the command line)
Get-WinEvent -FilterHashtable @{
LogName='Security'
Id=4688
StartTime=(Get-Date).AddHours(-6)
} | Select-Object TimeCreated, Id, Message -First 40
# Malware detections from Defender Operational log
Get-WinEvent -FilterHashtable @{
LogName='Microsoft-Windows-Windows Defender/Operational'
Id=1116
StartTime=(Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Id, Message
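The raw Message text of 4625 is hard to aggregate. The event's XML EventData carries named fields (TargetUserName, IpAddress, LogonType, SubStatus) that let you group failures by source and spot a password spray (one source, many distinct accounts) versus brute force against a single account. The following is an added example, not code from the original post; the sample events are constructed inline so it runs offline, the spray threshold is an assumption, and the SubStatus meanings are the standard NTSTATUS codes for 4625.

```powershell
# Added example: parse 4625 EventData from event XML and summarize failures per source IP.
# Assumption: SprayUserThreshold of 5 distinct accounts from one source is the spray heuristic.

function ConvertFrom-FailedLogonXml {
    param([Parameter(Mandatory)][string]$EventXml)   # output of $event.ToXml()
    $x = [xml]$EventXml
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time       = [datetime]$x.Event.System.TimeCreated.SystemTime
        TargetUser = $d['TargetUserName']
        Domain     = $d['TargetDomainName']
        LogonType  = $d['LogonType']
        IpAddress  = $d['IpAddress']
        SubStatus  = ([string]$d['SubStatus']).ToLower()
    }
}

# Standard 4625 SubStatus codes; the most common ones during triage
$SubStatusText = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'user does not exist'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
}

function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects from ConvertFrom-FailedLogonXml
        [int]$SprayUserThreshold = 5                # assumption: distinct users per source
    )
    $Events | Group-Object IpAddress | ForEach-Object {
        $users = @($_.Group.TargetUser | Sort-Object -Unique)
        $top   = ($_.Group | Group-Object SubStatus | Sort-Object Count -Descending | Select-Object -First 1).Name
        [pscustomobject]@{
            IpAddress     = $_.Name
            Attempts      = $_.Count
            DistinctUsers = $users.Count
            Users         = ($users -join ',')
            TopReason     = if ($SubStatusText.ContainsKey($top)) { $SubStatusText[$top] } else { $top }
            LikelySpray   = ($users.Count -ge $SprayUserThreshold)
        }
    } | Sort-Object Attempts -Descending
}

# Constructed sample data (not real events): 10.0.0.5 tries six accounts once each (spray
# shape); 10.0.0.9 hammers one service account.
function New-SampleFailedLogonXml {
    param([string]$User, [string]$Ip, [string]$SubStatus, [string]$Time)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
  <TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">$SubStatus</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

$sample = @()
$i = 0
foreach ($u in 'alice', 'bob', 'carol', 'dave', 'erin', 'frank') {
    $sample += New-SampleFailedLogonXml -User $u -Ip '10.0.0.5' -SubStatus '0xc000006a' -Time ('2024-05-01T10:00:{0:00}Z' -f $i++)
}
1..4 | ForEach-Object {
    $sample += New-SampleFailedLogonXml -User 'svc-backup' -Ip '10.0.0.9' -SubStatus '0xc000006a' -Time "2024-05-01T10:01:0${_}Z"
}
$parsed = $sample | ForEach-Object { ConvertFrom-FailedLogonXml $_ }
Get-FailedLogonSummary -Events $parsed | Format-Table -AutoSize
# 10.0.0.5 shows 6 attempts, 6 distinct users, LikelySpray True; 10.0.0.9 shows 4 attempts, 1 user

# Live use on a host (needs read access to the Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-12) } -ErrorAction SilentlyContinue |
#         ForEach-Object { ConvertFrom-FailedLogonXml $_.ToXml() }
# Get-FailedLogonSummary -Events $live | Format-Table -AutoSize
```

A burst of "user does not exist" from one source is usually enumeration, while many accounts with "wrong password" from one source at a steady rate is the classic low-and-slow spray; LogonType 3 (network) from an unexpected subnet is the first thing to check once a source is flagged.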
Tip: Create saved filters for these IDs and review trends weekly instead of only during incidents.
Reminder: Run queries only where you are authorized.
