Monitoring Windows Activity
Windows stores detailed records of system, application, and security activity in the Event Log.
Key Event Logs
- Application Log: Events logged by applications (e.g., an application error).
- Security Log: Contains audit records related to authentication (logins/logouts) and object access (file opens/changes).
- System Log: Events logged by the Windows OS components (e.g., driver failures, boot events).
Critical Events to Monitor (Security Log)
| Event ID | Description |
|---|---|
| 4624 | Account successfully logged on. |
| 4625 | Account failed to log on (repeated occurrences from one source often indicate a brute-force attempt). |
| 4720 | A new user account was created. |
| 4732/4733 | Security group membership changed (member added / removed); a possible privilege-escalation indicator. |
For security monitoring, these logs are typically forwarded to a SIEM, where correlation rules over the event IDs above turn raw records into alerts.
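The two correlations the table hints at (a burst of 4625 failures from one source, and a freshly created account from 4720 being added to a group in 4732) are shown below as simple SIEM-style detection logic. This is an added example, not code from the original notes: the event records are constructed, the fields are a simplification of what a SIEM would extract (real 4732 events identify the member by SID, not by name, so the `account` field on that record is an assumption), and the thresholds and time windows are illustrative choices.

```python
"""Toy detections over constructed Windows Security-log records.

Added example, not from the original notes. The records below are constructed,
the field set is a SIEM-style simplification, and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: five 4625 failures for one account from one
# source inside a few seconds, a 4624 success from the same source, an
# unrelated single failure, then a new account (4720) added to a group (4732).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "event_id": 4625, "account": "jdoe", "source_ip": "10.0.0.5"},
    {"time": "2024-05-01T09:00:03", "event_id": 4625, "account": "jdoe", "source_ip": "10.0.0.5"},
    {"time": "2024-05-01T09:00:04", "event_id": 4625, "account": "jdoe", "source_ip": "10.0.0.5"},
    {"time": "2024-05-01T09:00:06", "event_id": 4625, "account": "jdoe", "source_ip": "10.0.0.5"},
    {"time": "2024-05-01T09:00:08", "event_id": 4625, "account": "jdoe", "source_ip": "10.0.0.5"},
    {"time": "2024-05-01T09:00:10", "event_id": 4624, "account": "jdoe", "source_ip": "10.0.0.5"},
    {"time": "2024-05-01T09:05:00", "event_id": 4625, "account": "asmith", "source_ip": "10.0.0.7"},
    {"time": "2024-05-01T09:12:00", "event_id": 4720, "account": "svc-backup", "source_ip": "10.0.0.5"},
    # 'account' here stands in for the member SID a real 4732 record carries (assumption).
    {"time": "2024-05-01T09:12:30", "event_id": 4732, "account": "svc-backup",
     "group": "Administrators", "source_ip": "10.0.0.5"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Return (source_ip, account) pairs that produced >= threshold 4625 failures
    inside any sliding window of the given length."""
    failures = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["event_id"] == 4625:
            failures[(e["source_ip"], e["account"])].append(_ts(e))
    hits = []
    for key, times in failures.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return hits


def detect_success_after_failures(events, brute_hits):
    """4624 records for a flagged (source_ip, account) pair that occur after the
    pair's last failure: the pattern of a guessing attempt that eventually succeeded."""
    last_failure = {}
    for e in events:
        key = (e["source_ip"], e["account"])
        if e["event_id"] == 4625 and key in brute_hits:
            last_failure[key] = max(last_failure.get(key, _ts(e)), _ts(e))
    return [
        e for e in events
        if e["event_id"] == 4624
        and (e["source_ip"], e["account"]) in last_failure
        and _ts(e) > last_failure[(e["source_ip"], e["account"])]
    ]


def detect_new_account_added_to_group(events, max_gap=timedelta(hours=1)):
    """A 4720 (account created) followed within max_gap by a 4732 that adds the
    same account to a security group. Returns (account, group) pairs."""
    created = {}
    alerts = []
    for e in sorted(events, key=_ts):
        if e["event_id"] == 4720:
            created[e["account"]] = _ts(e)
        elif e["event_id"] == 4732 and e["account"] in created:
            if _ts(e) - created[e["account"]] <= max_gap:
                alerts.append((e["account"], e.get("group", "<unknown>")))
    return alerts


if __name__ == "__main__":
    hits = detect_brute_force(SAMPLE_EVENTS)
    print("brute-force sources:", hits)
    print("successes after failures:", detect_success_after_failures(SAMPLE_EVENTS, hits))
    print("new account added to group:", detect_new_account_added_to_group(SAMPLE_EVENTS))
```

Each function returns the flagged pairs rather than printing them, so the same logic can feed an alert queue; the sliding window in `detect_brute_force` is what distinguishes a burst of failures from the same number of failures spread across a working day.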