A curated list of Windows Security Event IDs

0xNeel
May 16, 2020


This is my personal project to prepare a list of Windows Security Event IDs and use cases around these event IDs. It is still under development, and as I progress I will keep adding more content to it.

4724 — An attempt was made to reset an account’s password.
4719 — System audit policy was changed.
4674 — An operation was attempted on a privileged object.
4624 — An account was successfully logged on.
4725 — A user account was disabled.
4673 — A privileged service was called.
5140 — A network share object was accessed.
4778 — A session was reconnected to a Window Station.
5145 — A network share object was checked to see whether client can be granted desired access.
4648 — A logon was attempted using explicit credentials.
4771 — Kerberos pre-authentication failed.
5157 — The Windows Filtering Platform has blocked a connection.
4726 — A user account was deleted.
4723 — An attempt was made to change an account’s password.
4672 — Special privileges assigned to new logon.
4742 — A computer account was changed.
4722 — A user account was enabled.
4662 — An operation was performed on an object.
4740 — A user account was locked out.
4625 — An account failed to log on.
4769 — A Kerberos service ticket was requested.
5141 — A directory service object was deleted.
5137 — A directory service object was created.
4697 — A service was installed in the system.
5136 — A directory service object was modified.
4698 — A scheduled task was created.
4720 — A user account was created.
4688 — A new process has been created.
4663 — An attempt was made to access an object.
4770 — A Kerberos service ticket was renewed.
4800 — The workstation was locked.
4801 — The workstation was unlocked.
4779 — A session was disconnected from a Window Station.
