Windows Security Events
Common entries
Some common entries (grouped by category) are:
Logon
| Keyword | Event ID | Description |
|---|---|---|
| Audit Success | 4624 | An account was successfully logged on |
| Audit Failure | 4625 | An account failed to log on |
| Audit Success | 4648 | A logon was attempted using explicit credentials |
Logoff
| Keyword | Event ID | Description |
|---|---|---|
| Audit Success | 4634 | An account was logged off |
User Account Management
| Keyword | Event ID | Description |
|---|---|---|
| Audit Success | 4722 | A user account was enabled |
| Audit Success | 4723 | An attempt was made to change an account's password |
| Audit Success | 4725 | A user account was disabled |
| Audit Success | 4738 | A user account was changed |
| Audit Success | 4740 | A user account was locked out |
The User Account Management category should only be present on domain controllers.
Useful custom query
A useful custom query that can't be achieved simply through the filter dialog is:
Get logon and logoff events for a specific user
```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      <!-- Inside XML text '<' must be written as &lt; or the view fails to load;
           '>' is escaped as &gt; for symmetry. {:Username:} is the placeholder
           to replace with the account name. -->
      *[
        EventData[Data[@Name='TargetUserName']='{:Username:}']
        and
        System[(EventID &gt;= 4620 and EventID &lt;= 4639)]
      ]
    </Select>
  </Query>
</QueryList>
```
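The following is an added example, not code from the original page. It runs the custom query above from PowerShell rather than through an Event Viewer custom view (Get-WinEvent accepts the same QueryList XML), fills in the `{:Username:}` placeholder, and labels each returned record with the descriptions from the Event ID tables earlier on the page. The function name `Get-UserLogonEvent`, the account name `alice`, and the 500-event cap are assumptions for the example; the cmdlet parameters used (`-FilterXml`, `-ComputerName`, `-MaxEvents`) are standard Get-WinEvent parameters. It needs an elevated session on a host that can read the Security log.

```powershell
# Added example (not from the original page): run the page's custom query via
# Get-WinEvent and decorate the results with the descriptions from its tables.

# Event ID -> description, taken from the tables on this page.
$EventDescriptions = @{
    4624 = 'An account was successfully logged on'
    4625 = 'An account failed to log on'
    4634 = 'An account was logged off'
    4648 = 'A logon was attempted using explicit credentials'
    4722 = 'A user account was enabled'
    4723 = 'An attempt was made to change an account''s password'
    4725 = 'A user account was disabled'
    4738 = 'A user account was changed'
    4740 = 'A user account was locked out'
}

function Get-UserLogonEvent {
    param(
        [Parameter(Mandatory)] [string] $Username,
        [string] $ComputerName = $env:COMPUTERNAME,   # assumed default: local host
        [int]    $MaxEvents    = 500                  # assumed cap for the example
    )

    # The name is spliced into an XPath string literal. XPath 1.0 has no escape
    # for a quote inside a quoted literal, so refuse names that contain one
    # instead of emitting a query that fails to parse (or matches something else).
    if ($Username -match "'") { throw 'Username must not contain a single quote' }

    # Same query as the custom view above, with the placeholder filled in.
    # '<' must be written as &lt; inside XML text; '>' is escaped for symmetry.
    $filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[
        EventData[Data[@Name='TargetUserName']='$Username']
        and
        System[(EventID &gt;= 4620 and EventID &lt;= 4639)]
      ]
    </Select>
  </Query>
</QueryList>
"@

    # Filtering is done by the event log service, so only matching records come
    # back. "No events found" is a non-terminating error; it is silenced here.
    $events = Get-WinEvent -FilterXml $filterXml -ComputerName $ComputerName `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The named EventData fields are only reachable through the event's XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Description = $EventDescriptions[$e.Id]
            Account     = $data['TargetUserName']
            LogonType   = $data['LogonType']    # 4624/4625/4634: e.g. 2 interactive, 3 network, 10 RemoteInteractive
            Source      = $data['IpAddress']    # 4624/4625 only; '-' or absent on other IDs
            Workstation = $data['WorkstationName']
        }
    }
}

# Usage: 'alice' is a constructed account name. The second pipeline counts the
# user's failed logons (4625) by source address, a usual first cut when triaging.
$rows = Get-UserLogonEvent -Username 'alice'
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Where-Object EventId -eq 4625 | Group-Object Source | Sort-Object Count -Descending
```

The quote check matters because the username lands inside an XPath literal: a name containing `'` would either break the query or change which predicate it evaluates, so rejecting it is safer than trying to escape it. Because the filter is evaluated by the event log service, this is much faster on a busy domain controller than reading every Security event and filtering with Where-Object.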