Windows event logs are a rich source of information on the occurrence of any incident; proactive monitoring of specific events will give you more insight into the client's environment. Investigate such events to stop threats before they reach your network, keep monitoring the important Active Directory events, and improve your insight into specific event actions beyond what correlation rules alone provide.
| Event ID | Threat Actor Behavior |
| --- | --- |
| 5447 | Windows Filtering Platform policy was changed |
| 5147 | Suspicious activity detected, for which the Windows Filtering Platform blocked a packet |
| 5155 | Suspicious incoming connection to a specific application or service listening on a port, which the Windows Filtering Platform has blocked |
| 5153 | Attacker tried to access a network, user, group, computer, application, printer, or shared folder, for which the Windows Filtering Platform dropped and blocked a packet |
| 5152 | Suspicious incoming connection to a specific application or service listening on a port, which the Windows Filtering Platform has blocked |
| 5031 | A specific application or service on Windows tried to receive suspicious inbound packets, which the Windows Filtering Platform has blocked |
| 5025 | Windows Firewall service has been stopped |
| 4954 | Windows Firewall Group Policy settings have been changed; the new settings have been applied |
| 4950 | Windows Firewall settings have been changed |
| 4947 | Windows Firewall exception list was updated successfully, which may allow a new connection that bypasses Windows Firewall policies |
| 4946 | Windows Firewall exception list was updated successfully, which may allow a new connection that bypasses Windows Firewall policies |
| 4698 | Scheduled task has been created to run specific jobs |
| 4699 | Previously scheduled task was deleted successfully |
| 4700 | Scheduled task was enabled successfully |
| 4701 | Previously scheduled task was deleted successfully |
| 4702 | Scheduled task was updated successfully |
| 4697 | Suspicious service was installed by a threat actor, or a legitimate service was installed by a Windows admin |
| 4657 | Possible registry changes made to gain persistence on the system |
| 4616 | System time was changed |
| 4782 | Suspicious access to the password hash of an account |
| 4777 | The domain controller failed to validate the credentials for an account |
| 4772 | A Kerberos authentication ticket request failed |
| 4755 | Access granted under a universal group to a trusted domain |
| 4737 | Access granted under a global group, which can be granted access in any trusting domain but should only have members from its own domain |
| 4735 | Access granted under a domain local group, meaning the group can only be granted access to objects within its own domain but can have members from any trusted domain |
| 4767 | A user account was unlocked |
| 4740 | A user account was locked out |
| 4738 | User account ACL (Access Control List) changed |
| 4725 | A user account was disabled |
| 4723 | An attempt was made to change the password of an account |
| 4722 | A user account was enabled |
| 4720 | A user account was created |
| 1102 | Audit log was cleared |
| 4648 | User account logged on with domain credentials and another program was accessed using different credentials (example: SharePoint) |
| 4625 | Failed account logon |
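As an added example (not code from the original article), the script below turns the table above into a watchlist and triages Windows event records exported in the standard event XML schema, keeping only the listed IDs and pulling out the field an analyst would look at first. The sample records, hostnames and usernames are constructed for the example; the category names are my own grouping of the table.

```python
import xml.etree.ElementTree as ET

# Watchlist built from the event IDs in the table above, grouped by theme.
WATCHLIST = {
    "firewall_policy": {5447, 5025, 4954, 4950, 4947, 4946},
    "wfp_block": {5147, 5155, 5153, 5152, 5031},
    "scheduled_task": {4698, 4699, 4700, 4701, 4702},
    "persistence": {4697, 4657, 4616},
    "credential": {4782, 4777, 4772, 4648, 4625},
    "group_change": {4755, 4737, 4735},
    "account_change": {4767, 4740, 4738, 4725, 4723, 4722, 4720},
    "log_tampering": {1102},
}
ID_TO_CATEGORY = {eid: cat for cat, ids in WATCHLIST.items() for eid in ids}
E = "http://schemas.microsoft.com/win/2004/08/events/event"  # Windows event XML namespace
NS = {"e": E}

def parse_event(xml_text):
    """Parse one event in the Windows event XML schema into a flat dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    for node in root.findall("e:UserData/*/*", NS):  # e.g. 1102 carries fields under UserData
        data[node.tag.split("}")[-1]] = node.text
    return {"event_id": int(system.find("e:EventID", NS).text),
            "computer": system.find("e:Computer", NS).text, "data": data}

def triage(xml_events):
    """Return one alert per event whose ID is on the watchlist; everything else is dropped."""
    alerts = []
    for ev in map(parse_event, xml_events):
        category = ID_TO_CATEGORY.get(ev["event_id"])
        if category:  # events not in the table are ignored
            d = ev["data"]
            alerts.append({"event_id": ev["event_id"], "category": category, "computer": ev["computer"],
                           "detail": d.get("TaskName") or d.get("TargetUserName") or d.get("SubjectUserName")})
    return alerts

# Constructed sample records (not captured from a real system): task created, normal logon, log cleared, failed logon.
SAMPLE_EVENTS = [
    f'<Event xmlns="{E}"><System><EventID>4698</EventID><Computer>DC01.example.test</Computer></System>'
    '<EventData><Data Name="TaskName">\\Updater</Data></EventData></Event>',
    f'<Event xmlns="{E}"><System><EventID>4624</EventID><Computer>WS07.example.test</Computer></System>'
    '<EventData><Data Name="TargetUserName">asmith</Data></EventData></Event>',
    f'<Event xmlns="{E}"><System><EventID>1102</EventID><Computer>DC01.example.test</Computer></System>'
    '<UserData><LogFileCleared><SubjectUserName>jdoe</SubjectUserName>'
    '</LogFileCleared></UserData></Event>',
    f'<Event xmlns="{E}"><System><EventID>4625</EventID><Computer>DC01.example.test</Computer></System>'
    '<EventData><Data Name="TargetUserName">administrator</Data></EventData></Event>',
]
```

Running `triage(SAMPLE_EVENTS)` yields three alerts (the 4624 logon is not on the list); in practice the records would come from an EVTX export or a forwarder rather than inline strings.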
Conclusion
Monitor these events with high priority, as they may be the critical indicator of an attack that could compromise your organization within the next few minutes.