For cybersecurity analysts, knowing which Event IDs to watch is the difference between spotting an intrusion early and discovering it after the damage is done. In this article, I’ll break down the Windows Event IDs every cybersecurity analyst must know, explaining why they matter and how they fit into real‑world detection, threat hunting, and incident response workflows.
4624 (Successful Logon)
Look for events with Logon Type 3 (Network) and 10 (RemoteInteractive, i.e. RDP) to detect suspicious RDP and network logons.
For most modern systems the RDP logon type will be 3, since Network Level Authentication (NLA) is enabled by default.
For older or misconfigured systems the logon type will be 10, since NLA is not used.
4625 (Failed Logon)
Clusters of failures reveal brute force, password spraying, or vulnerability scanning; the source address, target account and logon type fields tell the three apart.
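The two patterns described above, as an added example that is not part of the original article. It runs over a constructed set of 4624/4625 records (field names follow the Security log EventData, the values are invented) and separates remote logons worth reviewing from the two failure patterns: many failures against one account from one source (brute force) versus one failure each against many accounts from one source (spraying). The window and thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like exported Security log EventData.
# Not real telemetry; only the fields used below are included.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:00:01", "LogonType": 2,
     "TargetUserName": "alice", "IpAddress": "-"},            # console logon, ignored
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:05:10", "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:06:00", "LogonType": 10,
     "TargetUserName": "bob", "IpAddress": "10.0.0.77"},
    # ten failures against one account from one address: brute force shape
    *[{"EventID": 4625, "TimeCreated": f"2024-05-01T10:00:{i:02d}", "LogonType": 3,
       "TargetUserName": "administrator", "IpAddress": "10.0.0.99"} for i in range(10)],
    # one failure each against twelve accounts from one address: spraying shape
    *[{"EventID": 4625, "TimeCreated": f"2024-05-01T11:00:{i:02d}", "LogonType": 3,
       "TargetUserName": f"user{i:02d}", "IpAddress": "10.0.0.120"} for i in range(12)],
]

# Logon types the article singles out: 3 = network, 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3: "network", 10: "remote interactive (RDP)"}


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def remote_logons(events):
    """Successful logons of type 3 or 10: (account, source address, label)."""
    return [(e["TargetUserName"], e["IpAddress"], REMOTE_LOGON_TYPES[e["LogonType"]])
            for e in events
            if e["EventID"] == 4624 and e["LogonType"] in REMOTE_LOGON_TYPES]


def failed_logon_patterns(events, window=timedelta(minutes=5),
                          brute_threshold=5, spray_threshold=10):
    """Classify bursts of 4625 per source address inside a sliding time window.

    brute_force    -> [(ip, account, max failures in one window)]
    password_spray -> [(ip, max distinct accounts in one window)]
    Thresholds are assumed starting points, not vendor defaults.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append((_when(e), e["TargetUserName"]))

    brute, spray = {}, {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i in range(len(fails)):
            per_user = defaultdict(int)
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                per_user[fails[j][1]] += 1
                j += 1
            for user, n in per_user.items():
                if n >= brute_threshold:
                    brute[(ip, user)] = max(n, brute.get((ip, user), 0))
            if len(per_user) >= spray_threshold:
                spray[ip] = max(len(per_user), spray.get(ip, 0))

    return {"brute_force": sorted((ip, u, n) for (ip, u), n in brute.items()),
            "password_spray": sorted(spray.items())}


if __name__ == "__main__":
    for hit in remote_logons(SAMPLE_EVENTS):
        print("review remote logon:", hit)
    for kind, hits in failed_logon_patterns(SAMPLE_EVENTS).items():
        print(kind, hits)
```

Type 3 and type 10 are kept as separate labels on purpose: on an NLA-enabled host a single RDP session can surface as a type 3 event, so filtering on type 10 alone misses it.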
4720 / 4722 / 4738
A user account was created / enabled / changed.
4725 / 4726
A user account was disabled / deleted.
4723 / 4724
A user changed their own password / a user's password was reset by someone else.
4732 / 4733
A user was added to / removed from a security group.
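The account-management events above are most useful when correlated with each other rather than read one at a time. The following added example (not code from the article) walks constructed 4720/4722/4726/4732 records in time order and raises two alerts: an account that is created and then placed in a privileged group within a short window, and an account that is created and deleted again within a few hours. The group list, field names and time windows are assumptions.

```python
from datetime import datetime, timedelta

# Groups whose membership change on a brand-new account deserves a look (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Domain Admins"}

# Constructed records; field names mirror Security log EventData, values are invented.
# 4732 carries the group in TargetUserName and the new member in MemberName.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-05-01T13:00:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "jsmith"},
    {"EventID": 4722, "TimeCreated": "2024-05-01T13:00:01", "SubjectUserName": "helpdesk1",
     "TargetUserName": "jsmith"},
    {"EventID": 4720, "TimeCreated": "2024-05-01T22:10:00", "SubjectUserName": "svc_web",
     "TargetUserName": "support$"},
    {"EventID": 4732, "TimeCreated": "2024-05-01T22:10:30", "SubjectUserName": "svc_web",
     "MemberName": "support$", "TargetUserName": "Administrators"},
    {"EventID": 4726, "TimeCreated": "2024-05-01T23:40:00", "SubjectUserName": "svc_web",
     "TargetUserName": "support$"},
    # normal onboarding: RDP group added the next morning, well outside the window
    {"EventID": 4732, "TimeCreated": "2024-05-02T08:00:00", "SubjectUserName": "helpdesk1",
     "MemberName": "jsmith", "TargetUserName": "Remote Desktop Users"},
]


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def account_lifecycle_alerts(events, grant_window=timedelta(hours=1),
                             lifetime_window=timedelta(hours=2)):
    """Correlate account creation with later privilege grants and deletions.

    Returns (rule, account, detail) tuples:
      new_account_privileged_group -> detail is the group name
      short_lived_account          -> detail is who deleted it
    """
    created = {}   # account -> (creation time, creator)
    alerts = []
    for e in sorted(events, key=_when):   # time order so 4720 is seen first
        eid = e["EventID"]
        if eid == 4720:
            created[e["TargetUserName"]] = (_when(e), e["SubjectUserName"])
        elif eid == 4732:
            member, group = e["MemberName"], e["TargetUserName"]
            if (group in PRIVILEGED_GROUPS and member in created
                    and _when(e) - created[member][0] <= grant_window):
                alerts.append(("new_account_privileged_group", member, group))
        elif eid == 4726:
            acct = e["TargetUserName"]
            if acct in created and _when(e) - created[acct][0] <= lifetime_window:
                alerts.append(("short_lived_account", acct, e["SubjectUserName"]))
    return alerts


if __name__ == "__main__":
    for alert in account_lifecycle_alerts(SAMPLE_EVENTS):
        print(alert)
```

Both rules key on the creating and acting principal (SubjectUserName), so the output already tells the analyst which service or operator account to pivot on next.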
4688 (Security Log: Process Creation)
Logs an event every time a new process is launched, including its command line and parent process details. Command-line capture is off by default and must be enabled through the "Include command line in process creation events" audit policy setting.
1 (Sysmon: Process Creation)
Replaces the 4688 event and provides more advanced fields such as the process hash and its signature.
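To show what an analyst actually does with 4688 and Sysmon 1 side by side, here is an added example that is not from the article: it maps both record shapes onto one structure (keeping the hashes only Sysmon provides) and applies three common triage rules to constructed events: an Office application spawning a shell, an encoded PowerShell command line, and a binary running from a user-writable directory. The rule lists, the field subset and the sample values (including the placeholder hashes and the `-enc` payload, which is just "ABC" in UTF-16LE base64) are assumptions.

```python
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\")
# Common spellings of PowerShell's -EncodedCommand switch (assumed, not exhaustive).
ENCODED_FLAG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)

# Constructed records: two Security 4688 events and two Sysmon event 1 records.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "cmd.exe /c echo hello", "SubjectUserName": "alice"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA",   # QQBCAEMA == "ABC"
     "User": "CORP\\bob", "Hashes": "MD5=PLACEHOLDER_MD5,SHA256=PLACEHOLDER_SHA256"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe report.txt",
     "User": "CORP\\bob", "Hashes": "MD5=PLACEHOLDER_MD5,SHA256=PLACEHOLDER_SHA256"},
    {"EventID": 4688, "NewProcessName": "C:\\Users\\carol\\AppData\\Local\\Temp\\update.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "update.exe",
     "SubjectUserName": "carol"},
]


def normalize(event):
    """Map a 4688 record or a Sysmon 1 record onto one shape.

    Sysmon adds fields 4688 lacks (hashes, process GUIDs, integrity level);
    only the hashes are carried across here.
    """
    if event["EventID"] == 4688:
        return {"image": event["NewProcessName"], "parent": event["ParentProcessName"],
                "cmdline": event.get("CommandLine", ""), "user": event["SubjectUserName"],
                "hashes": {}}
    if event["EventID"] == 1:
        hashes = dict(part.split("=", 1)
                      for part in event.get("Hashes", "").split(",") if "=" in part)
        return {"image": event["Image"], "parent": event["ParentImage"],
                "cmdline": event.get("CommandLine", ""), "user": event["User"],
                "hashes": hashes}
    raise ValueError("not a process-creation event")


def suspicious_reasons(rec):
    """Return the triage rules a normalized record trips (empty list if none)."""
    reasons = []
    image = ntpath.basename(rec["image"]).lower()     # ntpath handles backslashes on any OS
    parent = ntpath.basename(rec["parent"]).lower()
    if parent in OFFICE_APPS and image in SHELLS:
        reasons.append("office_spawned_shell")
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(rec["cmdline"]):
        reasons.append("encoded_powershell")
    if any(d in rec["image"].lower() for d in USER_WRITABLE):
        reasons.append("user_writable_path")
    return reasons


def triage(events):
    """(image basename, reasons) for every event that trips at least one rule."""
    out = []
    for e in events:
        rec = normalize(e)
        reasons = suspicious_reasons(rec)
        if reasons:
            out.append((ntpath.basename(rec["image"]), reasons))
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The normalization step is the point: once both sources share a shape, the same rules run on hosts with and without Sysmon, and the hash field is simply empty where only 4688 is available.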
11 / 13 (Sysmon: File Create / Registry Value Set)
3 / 22 (Sysmon: Network Connection / DNS Query)
These require additional firewall and DNS configuration.
4697
Windows Security event for service creation.
7045
Sysmon event: a new service was installed on the system.
4698
Windows Security event for scheduled task creation.
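Service and scheduled-task creation are the classic persistence signals, so here is an added example (not from the article) that reviews constructed 4697, 7045 and 4698 records together. It extracts the executable from a service ImagePath (quoted or with trailing arguments), parses the TaskContent XML that 4698 carries to pull out each action's command, de-duplicates the same service install when it is logged both as 4697 in the Security log and as 7045 by the Service Control Manager in the System log, and flags binaries in user-writable directories or script hosts registered as a service binary. Directory and script-host lists, field subsets and sample values are assumptions.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed TaskContent as carried in a 4698 event (namespace is the real Task Scheduler one).
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\sync.exe</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed records; values are invented.
SAMPLE_EVENTS = [
    # the same install seen twice: 4697 (Security log) and 7045 (System log)
    {"EventID": 4697, "SubjectUserName": "CORP\\svc_deploy", "ServiceName": "UpdaterSvc",
     "ServiceFileName": "C:\\Windows\\Temp\\svc.exe", "ServiceStartType": 2},
    {"EventID": 7045, "ServiceName": "UpdaterSvc", "ImagePath": "C:\\Windows\\Temp\\svc.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\"",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "helper", "ImagePath": "cmd.exe /c echo hello",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 4698, "SubjectUserName": "CORP\\carol", "TaskName": "\\Updater",
     "TaskContent": TASK_XML},
    {"EventID": 4698, "SubjectUserName": "CORP\\admin", "TaskName": "\\Maintenance\\DiskCleanup",
     "TaskContent": TASK_XML.replace("C:\\Users\\Public\\sync.exe",
                                     "C:\\Windows\\System32\\cleanmgr.exe")},
]


def executable_from_command(cmd):
    """Executable path from an ImagePath/Command: honours quotes, drops arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def task_actions(task_xml):
    """(command, arguments) for each <Exec> action in 4698 TaskContent XML."""
    # exported TaskContent often starts with an encoding="UTF-16" declaration; strip it
    body = re.sub(r"^<\?xml[^>]*\?>\s*", "", task_xml.strip())
    root = ET.fromstring(body)
    return [(node.findtext(TASK_NS + "Command", default="").strip(),
             node.findtext(TASK_NS + "Arguments", default="").strip())
            for node in root.iter(TASK_NS + "Exec")]


def judge(image):
    """Rules tripped by a persistence binary path (empty list if none)."""
    low = image.lower()
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("user_writable_path")
    if ntpath.basename(low) in SCRIPT_HOSTS:
        reasons.append("script_host_binary")
    return reasons


def persistence_alerts(events):
    """(kind, name, image, reasons), one entry per distinct service or task."""
    alerts = {}
    for e in events:
        if e["EventID"] in (4697, 7045):
            image = executable_from_command(e.get("ServiceFileName") or e.get("ImagePath"))
            reasons = judge(image)
            if reasons:   # keyed so 4697 + 7045 for one install yield one alert
                alerts[("service", e["ServiceName"], image.lower())] = \
                    ("service", e["ServiceName"], image, reasons)
        elif e["EventID"] == 4698:
            for cmd, _args in task_actions(e["TaskContent"]):
                image = executable_from_command(cmd)
                reasons = judge(image)
                if reasons:
                    alerts[("task", e["TaskName"], image.lower())] = \
                        ("task", e["TaskName"], image, reasons)
    return sorted(alerts.values(), key=lambda a: (a[0], a[1], a[2]))


if __name__ == "__main__":
    for alert in persistence_alerts(SAMPLE_EVENTS):
        print(alert)
```

Keeping both 4697 and 7045 in the input matters in practice: 4697 only appears when the "Audit Security System Extension" subcategory is enabled, whereas 7045 is written regardless, so the de-duplication key lets the same rule work on hosts with either source.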