Windows Event IDs Cheat Sheet: The 31 That Matter
Windows event IDs cheat sheet for SOC analysts: 31 essential security event IDs covering auth, process execution, log tampering, and lateral movement.

A handful of Windows Event IDs carry most of the tier-1 signal. The authentication pair 4624 (successful logon) and 4625 (failed logon) anchor nearly every investigation; 4648 paired with a 4624 type 3 is the lateral-movement tell; 4688 or Sysmon 1 expose the process chains behind execution; 4768/4769 with RC4 encryption flag Kerberoasting; 7045 marks service-based persistence; and 1102 or 104 mean someone is clearing logs. Learn the story behind those and you cover the overwhelming majority of what a SIEM queue throws at you.
This cheat sheet maps all thirty-one IDs to the question each one answers in triage, with the exact fields to read and a few detection sketches you can adapt. Keep it open during your first months on shift; the recognition becomes automatic faster than you expect.
→ Jump to the master table below for the full reference.
The Master Table: 31 Windows Event IDs for SOC Analysts
The table below covers the Security channel (prefix 4xxx/5xxx), the System channel (7045, 104), and Sysmon events (vendor-provided, not built-in). For Sysmon to generate events, the Sysmon agent from Sysinternals must be deployed with a configuration such as the community SwiftOnSecurity Sysmon Config.
| Event ID | Log Channel | Event Name | Why It Matters in Triage |
|---|---|---|---|
| 4624 | Security | Successful logon | Baseline of all authentication; check logon type and source IP |
| 4625 | Security | Failed logon | Volume and pattern reveal brute-force or spray; check sub-status code |
| 4634 | Security | Account logoff | Paired with 4624 to measure session duration; short sessions are suspicious |
| 4647 | Security | User-initiated logoff | Complements 4634 for interactive sessions |
| 4648 | Security | Logon with explicit credentials | RunAs, WMI, and lateral movement tools generate this |
| 4672 | Security | Special privileges assigned at logon | Fires when SeDebugPrivilege or SeTakeOwnershipPrivilege is granted |
| 4688 | Security | Process created | Built-in process creation; requires audit policy; less detail than Sysmon 1 |
| 4697 | Security | Service installed in the system | Alternative to 7045; records the service file path |
| 4698 | Security | Scheduled task created | Persistence mechanism; check task action path |
| 4700 | Security | Scheduled task enabled | Re-enabling a disabled task can signal tampering |
| 4719 | Security | System audit policy changed | Disabling auditing is a defense-evasion indicator |
| 4720 | Security | User account created | New accounts outside provisioning workflows are suspicious |
| 4722 | Security | User account enabled | Re-enabling dormant accounts warrants investigation |
| 4724 | Security | Password reset attempt | Self-service vs. admin reset; check who performed it |
| 4728 | Security | Member added to global security group | Adding to Domain Admins is a critical escalation indicator |
| 4732 | Security | Member added to local group | Elevation to local Administrators on a server |
| 4756 | Security | Member added to universal security group | Same pattern as 4728 in universal scope |
| 4768 | Security | Kerberos TGT requested | Volume and RC4 encryption flag (0x17) signal AS-REP roasting |
| 4769 | Security | Kerberos service ticket requested | RC4 requests (0x17) for sensitive SPNs indicate Kerberoasting |
| 4771 | Security | Kerberos pre-authentication failed | Failed Kerberos logon; high volume = password spray on domain accounts |
| 4776 | Security | NTLM credential validation | NTLM still in use where Kerberos is expected is a downgrade signal |
| 5140 | Security | Network share accessed | Mapped drives and lateral movement via SMB; check share name |
| 5145 | Security | Share object access checked | Fine-grained file access on network shares |
| 7045 | System | New service installed | Persistence and lateral movement; check ImagePath for suspicious paths |
| 104 | System | Event log cleared | Any log channel cleared; outside maintenance = high suspicion |
| 1102 | Security | Audit log cleared | Security channel specifically cleared; almost always adversarial |
| Sysmon 1 | Microsoft-Windows-Sysmon/Operational | Process creation | Parent-child chains, command-line arguments, hashes |
| Sysmon 3 | Sysmon | Network connection | Process-level network telemetry; catches beaconing and lateral movement |
| Sysmon 7 | Sysmon | Image loaded | DLL loading; detect DLL hijacking and side-loading |
| 4103/4104 | Windows PowerShell | PS module/script-block logging | Captures deobfuscated PowerShell; essential for detecting encoded commands |
| 4740 | Security | User account locked out | Records the account locked and the source; high volume from one source = active brute-force or spray |
Authentication Events: Where Most Investigations Start
Event ID 4624 (Successful Logon) is the most frequently generated event in any Windows environment and the anchor for authentication triage. The most important field is LogonType. Type 2 is interactive (keyboard at the console). Type 3 is network (SMB, mapped drives). Type 10 is RemoteInteractive (RDP). Type 7 is unlock. A type 10 logon from an internal server IP to another internal server is not normal. That combination almost never appears in legitimate administrative workflows and is one of the clearest indicators of lateral movement via RDP.
Event ID 4625 (Failed Logon) carries its own diagnostic field: SubStatus. The value 0xC000006A means the correct username but wrong password. The value 0xC0000064 means the username does not exist. A wave of 0xC000006A failures across many accounts from one source IP is a password spray. A wave of 0xC0000064 failures suggests the attacker is enumerating accounts. Microsoft's documentation on 4625 SubStatus codes maps every value.
Below is a realistic 4625 XML payload as it would appear in a Splunk SIEM raw event view. Each field is annotated:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{...}" />
<EventID>4625</EventID> <!-- Failed logon -->
<TimeCreated SystemTime="2026-06-12T02:47:18.334Z" />
<Computer>CORPDC01.corp.internal</Computer> <!-- Target: Domain Controller -->
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data> <!-- Null SID = no prior session -->
<Data Name="TargetUserName">j.hartley</Data> <!-- Account being attacked -->
<Data Name="TargetDomainName">CORP</Data>
<Data Name="Status">0xC000006E</Data> <!-- Account restriction -->
<Data Name="SubStatus">0xC000006A</Data> <!-- Wrong password -->
<Data Name="LogonType">3</Data> <!-- Network logon (SMB/WMI) -->
<Data Name="WorkstationName">-</Data> <!-- Empty = remote, no workstation -->
<Data Name="IpAddress">185.220.101.47</Data> <!-- Source IP: Tor exit node -->
<Data Name="IpPort">49218</Data>
<Data Name="ProcessName">-</Data>
<Data Name="AuthenticationPackageName">NTLM</Data> <!-- NTLM used, not Kerberos -->
</EventData>
</Event>Reading from the bottom up: NTLM authentication was used (not Kerberos), the source IP 185.220.101.47 has no legitimate relationship to the corporate domain, the logon type is 3 (network), and the SubStatus confirms the password was wrong. A single occurrence of this is noise. Twenty occurrences against twenty different accounts from the same IP in a three-minute window is a confirmed password spray.
Event ID 4648 (Logon with Explicit Credentials) fires whenever a process passes credentials other than those of the current session: RunAs, WMI remote execution, PsExec, and most lateral movement tools. The key correlation is 4648 on the source machine paired with 4624 (type 3) on the destination. That sequence in sequence is lateral movement.
Event ID 4672 (Special Privileges Assigned) fires immediately after a successful 4624 when the logon grants sensitive privileges including SeDebugPrivilege, SeTakeOwnershipPrivilege, and SeLoadDriverPrivilege. It does not fire for standard user logons, so its presence is meaningful. An attacker who has compromised an account that holds these privileges will generate 4672 consistently.
Kerberos Events: Detecting AS-REP Roasting and Kerberoasting
Event ID 4768 (Kerberos Authentication Service Request) records every request for a Ticket Granting Ticket. The encryption type field is the key indicator: value 0x17 means RC4-HMAC, which is a weaker cipher that Kerberos tickets can be requested with even from modern environments. AS-REP Roasting targets accounts with Kerberos pre-authentication disabled, and the resulting TGT is encrypted with the account's password hash. A burst of 4768 events with EncryptionType=0x17 across multiple accounts from one workstation is a strong Kerberoasting precursor.
Event ID 4769 (Kerberos Service Ticket Request) records requests for service tickets. Kerberoasting requests service tickets for accounts with Service Principal Names (SPNs), then cracks them offline. The signature is EncryptionType=0x17 combined with service account targets (accounts ending in svc, service, sql, or similar naming conventions). Microsoft's Kerberoasting detection guidance recommends alerting on any RC4 service ticket requests in environments that have been configured to prefer AES.
Event ID 4771 (Kerberos Pre-Authentication Failed) is the Kerberos equivalent of 4625 for domain accounts. High volume from one source indicates a password spray targeting Kerberos directly. This event only fires on the domain controller, so correlation requires collecting DC logs into your SIEM.
Account Manipulation Events
Event IDs 4720, 4722, 4724, 4728, 4732, 4740, 4756 all describe changes to the account landscape.
Event ID 4740 (User Account Locked Out) fires on the domain controller when an account reaches the lockout threshold defined in the domain password policy. The event records the source workstation that triggered the lockout, which is the critical field for triage. A single 4740 on one account is typically a user who has mistyped their password. Ten 4740 events across ten different accounts from the same source workstation within a two-minute window is an active password spray. Correlating 4740 with 4625 (failed logon) from the same source IP provides the full picture of the attempt: how many passwords were tried, which sub-status code the failures carried, and whether any lockout was followed by a successful 4624 (suggesting a password was found before the threshold was hit on some accounts). The highest-priority among these is any addition to privileged groups. Event 4728 fires when a member is added to a global security group such as Domain Admins. Event 4732 fires for local groups such as Administrators on a workstation or server. Event 4756 covers universal groups.
Warning
An addition to Domain Admins (group SID S-1-5-21-*-512) outside a documented change control window is one of the highest-confidence attack indicators in Windows telemetry. Correlate the performing account in the SubjectUserName field: if the account performing the addition is not a privileged identity management system or a known admin, treat it as active threat activity.
Event ID 4719 (System Audit Policy Changed) deserves special mention. Attackers who understand Windows auditing will disable the specific audit subcategories that generate the events listed in this article. A 4719 event showing any audit category being disabled during an active investigation is a clear defense-evasion indicator.
Process and Execution Events
Event ID 4688 (Process Created) is the built-in Windows equivalent of Sysmon 1. It requires enabling the "Audit Process Creation" policy and the "Include command line in process creation events" setting. Without that setting, the command line field is blank and the event loses most of its detection value. CISA's Windows Event Log guidance explicitly recommends enabling command-line logging as a baseline requirement.
Sysmon Event ID 1 (Process Creation) provides all the same information as 4688 plus the process hash, the parent command line, and a more reliable process GUID for correlation. If Sysmon is deployed, it replaces 4688 as the primary process creation source. The single most valuable detection in Sysmon 1 is suspicious parent-child process chains. Legitimate Word processes do not spawn cmd.exe. Legitimate browsers do not spawn powershell.exe. MITRE ATT&CK technique T1059 maps the common execution chains that generate these events.
A minimal detection logic sketch using SPL for suspicious parent-child chains in Sysmon data:
index=sysmon EventCode=1
| eval parent_child=ParentImage." -> ".Image
| search parent_child IN (
"*.doc -> *\\cmd.exe",
"*.docx -> *\\cmd.exe",
"*\\winword.exe -> *\\powershell.exe",
"*\\excel.exe -> *\\powershell.exe",
"*\\outlook.exe -> *\\cmd.exe",
"*\\mshta.exe -> *\\powershell.exe"
)
| table _time, Computer, User, ParentImage, Image, CommandLine
| sort -_timeThis query catches the most common malicious document macro and living-off-the-land execution patterns. Tune the IN list to your environment; a developer using Word macros for automation will need an exclusion. The SIGMA rule project maintains community-maintained detection rules in this format that you can translate to your SIEM's query language.
Free forever · No credit card
Train on real alerts, with zero consequences
Practice triage on realistic alert volume in a live SOC console. Free forever — no credit card.
Event ID 7045 (New Service Installed) appears in the System log rather than Security. Attackers install services for persistence and for lateral movement via tools like PsExec (which drops a temporary service on the target). The critical field is ImagePath: legitimate services point to known system directories. A service with an ImagePath pointing to C:\Users\Public\, C:\Temp\, or a network UNC path is almost always malicious.
Log Tampering Events
Event ID 1102 and Event ID 104 are short events with an outsized triage priority.
Event ID 1102 (Audit Log Cleared) fires in the Security channel when that specific log is cleared. It records the account that performed the action. The NSA's event log monitoring guide treats 1102 as a tier-1 alert with no tuning exceptions: the Security log is cleared legitimately only in specific decommissioning and compliance workflows, and even those should generate a change ticket.
Event ID 104 (Event Log Cleared) fires in the System log and covers the clearing of any event log channel. An attacker who clears Sysmon's Microsoft-Windows-Sysmon/Operational channel, for example, generates a 104 rather than a 1102. Monitoring 104 across all channels catches comprehensive log-tampering attempts.
Lateral Movement Patterns
Lateral movement rarely generates a single obvious event. It generates a sequence. The most common sequence uses Events 4648, 4624, and 5140.
The attacker on the source machine executes a remote command via WMI or PsExec. The source machine generates Event 4648 (logon with explicit credentials, because the attacker is passing a harvested credential, not the current user's token). The destination machine generates Event 4624 type 3 (network logon) from the same credential. If the attacker then accesses file shares, the destination machine also generates Event 5140 (network share accessed). The combination of these three events in a short time window, with source and destination being peer workstations rather than a workstation and a server, is lateral movement with high confidence.
Event 5145 (Share Object Access Checked) provides the file-level detail behind 5140. It is extremely noisy in environments with active file server access, so most teams apply it only to high-value shares (containing credentials, financial data, or source code) rather than enabling it globally.
PowerShell Events
Event IDs 4103 and 4104 live in the Windows PowerShell or Microsoft-Windows-PowerShell/Operational channels, not the Security channel. They require enabling PowerShell Script Block Logging via Group Policy.
Event 4103 (Module Logging) records each module that PowerShell loads. Event 4104 (Script Block Logging) is the more valuable of the two: it captures the deobfuscated content of every script block that PowerShell executes, regardless of how the attacker encoded it on disk. An attacker who uses Invoke-Expression with a base64-encoded payload will have the decoded payload captured in 4104. The PowerShell security guidance from the NSA and CISA recommends both module logging and script block logging as baseline requirements.
The events to watch within 4104: Invoke-Mimikatz, Invoke-Bloodhound, Net.WebClient with a DownloadString or DownloadFile method, and any use of -EncodedCommand. These strings in 4104 payloads are direct matches for known post-exploitation frameworks.
Putting It Together: Building the Habit
Knowing these event IDs by number matters less than understanding the story each one tells. When you see a 4625, you ask about volume, sub-status, and the target account's sensitivity. When you see a 4728, you ask who performed the action and whether there is a change ticket. When you see a 1102, you escalate.
The practical workflow is to keep this table open during your first months of shift work. Over time, the IDs become pattern recognition rather than lookup. What turns the lookup into instinct is repetition: seeing 4625 in volume, 4648 chained to a 4624 type 3, a stray 7045 with a suspicious ImagePath — in context and in combination — until the shape of an attack reads as fast as the shape of a word. Training operations provides realistic Windows event queues where these exact IDs appear in live investigation scenarios, which is the fastest way to build that recognition without waiting for a production incident.
Bookmark this page as a reference. When you need the frameworks for turning raw event data into a verdicted ticket, alert triage covers them in full, and SOC analyst interview questions includes the event-based scenarios hiring managers lean on at the tier-1 level.
Frequently Asked Questions
- What is event ID 4624?
- Event ID 4624 is the Windows Security log event for a successful account logon. It records the account name, logon type, source IP address, workstation name, and authentication package used. SOC analysts use it to establish baseline logon patterns and detect anomalies such as logons from unusual source IPs, off-hours authentication, or unexpected logon types like type 10 (RemoteInteractive) from internal hosts.
- Which event IDs indicate an attack?
- Several event IDs are strong attack indicators depending on context. Event 4625 (failed logon) in high volume suggests a brute-force or password spray. Event 4648 (explicit credential logon) combined with lateral movement destinations signals credential misuse. Sysmon Event ID 1 (process creation) with suspicious parent-child chains such as Word spawning PowerShell is a common malware indicator. Event 7045 (service installed) is used heavily in persistence and lateral movement. Events 4103 and 4104 capture PowerShell activity that bypasses script-block restrictions.
- What is the difference between event ID 4624 and 4625?
- Event ID 4624 records a successful logon; event ID 4625 records a failed logon attempt. Both share similar fields including the target account, logon type, source IP, and failure reason code. The critical difference for triage is that 4624 confirms access was granted while 4625 shows access was denied. A pattern of many 4625 events from one source IP followed by a 4624 from the same IP is a classic indicator of a successful brute-force or password spray attack.
- What event ID shows log clearing?
- Event ID 1102 in the Security log records the clearing of the Security audit log and includes the identity of the account that performed the action. Event ID 104 in the System log records the clearing of any Windows event log and is used to detect tampering with the Application, System, or other channel logs. Seeing either of these events outside an authorized maintenance window is a high-priority alert; attackers clear logs after gaining access to erase evidence of their activity.
- What event ID is account lockout?
- Event ID 4740 records a user account lockout in the Windows Security log. It captures the locked account name, the source workstation or caller computer name that triggered the lockout, and the domain controller that recorded the event. From a SOC perspective, 4740 is a high-signal event when it fires in volume across multiple accounts from a single source within a short window, which is the fingerprint of an active password spray attack. A single 4740 on one account is often just a user mistyping their password; a burst of 4740 events across many accounts in under five minutes demands immediate attention.
- Which Windows event IDs are most important for a SOC analyst?
- The tier-1 priority set for SOC analysts centers on authentication and execution events. For authentication: 4624 (successful logon) and 4625 (failed logon) form the baseline pair, with 4648 (explicit credential logon) and 4740 (account lockout) as the escalation indicators. For execution: 4688 or Sysmon Event ID 1 (process creation) with command-line logging enabled, and 4104 (PowerShell script-block logging). For persistence and lateral movement: 7045 (new service installed), 4698 (scheduled task created), and 5140 (network share accessed). For defense evasion: 1102 and 104 (log clearing). Analysts who can read these 12 to 15 event IDs fluently cover the detection surface of the majority of common intrusion techniques.
Field notes
New walkthroughs and detections, in your inbox
A short email when we publish something worth your time. No spam, unsubscribe in one click.
Community
Continue the conversation
Discuss this with analysts who are actively training and working in the field.
Related Articles

Cyber Threat Hunting Tools: 13 SOC Analysts Use (2026)
Cyber threat hunting tools every SOC analyst needs: Sigma, YARA, KQL, Velociraptor, Wireshark, Zeek, MISP and more — grouped by layer with code examples.

SIEM Use Cases: 10 Every SOC Runs (With Detection Logic)
SIEM use cases explained with detection logic sketches, data sources, and tuning notes for the 10 detections every SOC team operates.

Best SIEM Tools in 2026: 10 Platforms Ranked
Best SIEM tools ranked for 2026: Splunk, Microsoft Sentinel, IBM QRadar, Elastic Security, and more — reviewed from a SOC analyst training perspective.