Important Windows Event Logs
Windows event logs record operating system errors, warnings, and informational messages, and they are important to cybersecurity. Some Windows events carry enough detail to be useful to security analysts and security engineers, and the same information helps when troubleshooting common computer problems. The logs can be read in the Windows application called Event Viewer, which is easy to find with the search function (or from PowerShell with Get-WinEvent). One caveat before relying on any of them: most security events are only written when the matching audit subcategory is enabled in the local or domain audit policy, so check that policy before assuming silence means nothing happened. For cybersecurity, these are my five personal top event logs to monitor: user rights changes, account lockouts, event log clearing, firewall rule changes, and new software installation.
1. User rights changes- Event IDs 4704, 4705 and 4670
Event ID 4704 is logged when a user right (such as "Debug programs" or "Log on as a service") is assigned to an account and 4705 when one is removed; 4670 is logged when the permissions on an object such as a file, folder, or registry key are changed. Account creation and deletion have their own IDs, 4720 and 4726, so watch those alongside the rights events. These are events to monitor routinely. A rights change can be the result of privilege escalation, and a nefarious actor can also create an account, use it, and delete it again to avoid being tied to the activity.
2. Account lockouts- Event ID 4740
Account lockouts can happen when attackers run a brute-force attack against a particular account, or when a password spray exceeds the lockout threshold for an account. They can also simply mean that a user forgot their password. Event ID 4740 records the locked-out account and the caller computer name the bad attempts came from, so looking at how many distinct accounts were locked from the same source is the quickest way to tell an attack from a forgetful user. For domain accounts this event is written on the domain controller that processed the lockout, not on the user's workstation, so collect it from the domain controllers.
3. Event log clearing- Event ID 1102
An event log being cleared most likely means someone is trying to "cover their tracks". Event ID 1102 is written to the Security log when the Security log itself is cleared and includes the account that cleared it; when the System, Application, or another log is cleared, the System log records Event ID 104 instead. If you notice either, you most likely need to contact your incident management team. This is one of the most important Windows event logs, and because an attacker who can clear the log can also clear the evidence of clearing it, the real defense is forwarding events to a central collector as they are written.
4. Firewall rule changes-Event ID 4946
The firewall is especially important to network security. Ports should be closed unless you have an approved exception in place, because every exposed listening service gives an attacker something more to attack. Event ID 4946 is logged when a rule is added to the Windows Firewall exception list; 4947 and 4948 are logged when a rule is modified or deleted, and they belong with 4946 in the same watch list. If you see a firewall change event that does not line up with an approved change, look into it immediately.
5. New software installation-Event ID 11707
Employees sometimes need certain software to help them work more efficiently. All software should be downloaded from a trusted source, and its installer should be checked (publisher signature or a known hash) before it is run, because hackers can disguise malicious software as safe software. Once a malicious piece of software is installed it can open you up to further attacks. Event ID 11707 is written by the MsiInstaller source to the Application log when an installation completes successfully. It only covers Windows Installer (.msi) packages, so software installed from a plain .exe installer or simply copied onto the machine will not produce it, and it should be one signal among several, not the only one.
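The five checks above can be run as one script instead of clicking through Event Viewer. The following PowerShell is an added example for this post, not a tool from any vendor; it pulls the event IDs discussed from the local Security, System, and Application logs for the last 24 hours and, for the lockouts, groups them by the caller computer name to flag a single source locking out several different accounts. It assumes an elevated session (standard users cannot read the Security log) and that the relevant audit subcategories are enabled; the 24-hour window and the "3 or more distinct accounts" threshold are arbitrary choices for illustration.

```powershell
# Added example: summarise the five event types from this post for the last 24 hours.
# Run in an elevated PowerShell session on the machine (or domain controller) of interest.
$since = (Get-Date).AddHours(-24)   # assumed window; adjust to taste

# Which log each ID lives in. Everything except the MsiInstaller event is in Security,
# apart from 104, which the System log writes when a non-Security log is cleared.
$queries = @(
    @{ LogName = 'Security';    Id = 4704, 4705, 4670, 4720, 4726; Label = 'Rights / permission / account change' }
    @{ LogName = 'Security';    Id = 4740;                          Label = 'Account lockout' }
    @{ LogName = 'Security';    Id = 1102;                          Label = 'Security log cleared' }
    @{ LogName = 'System';      Id = 104;                           Label = 'Other event log cleared' }
    @{ LogName = 'Security';    Id = 4946, 4947, 4948;              Label = 'Firewall rule added/modified/deleted' }
    @{ LogName = 'Application'; Id = 11707;                         Label = 'MSI installation completed' }
)

foreach ($q in $queries) {
    $filter = @{ LogName = $q.LogName; Id = $q.Id; StartTime = $since }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    '{0,-40} {1,5} event(s)' -f $q.Label, $events.Count
    foreach ($e in $events) {
        # First line of the message is the human-readable summary.
        '  {0:u}  ID {1,-5} {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`r?`n")[0]
    }
}

# Lockout triage: in a 4740 event the EventData field named TargetUserName is the
# locked-out account and, despite its name, TargetDomainName is the caller computer
# name the failed logons came from. Several different accounts locked out from one
# source looks like an attack rather than a forgotten password.
$lockouts = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                           -ErrorAction SilentlyContinue)
$rows = foreach ($e in $lockouts) {
    $x = [xml]$e.ToXml()
    $data = $x.Event.EventData.Data
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        Source = ($data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
    }
}

$threshold = 3   # assumed: distinct accounts locked from one source before we shout
$rows | Group-Object -Property Source | ForEach-Object {
    $distinctUsers = @($_.Group.User | Sort-Object -Unique).Count
    if ($distinctUsers -ge $threshold) {
        "SUSPECT: {0} locked out {1} different accounts since {2:u}: {3}" -f `
            $_.Name, $distinctUsers, $since, (($_.Group.User | Sort-Object -Unique) -join ', ')
    }
}
```

On a fleet you would not run this per machine; point the same filters at a collector (Windows Event Forwarding or your SIEM) so that a cleared local log does not also take the evidence with it, and tune the lockout threshold to your domain's lockout policy.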
In conclusion, Windows event logs are a great way to find out more about operating system issues. As our society depends more and more on computer systems, more cybercriminals are attacking them. Event Viewer is another tool that can help keep us safe digitally. These five Windows event logs are some of the ones I feel need to be monitored closely. Thank you for visiting my blog.