June 10, 2026
The Ultimate Windows Security Event ID Cheatsheet for Blue Teams & DFIR
Arafat
If you work in Digital Forensics and Incident Response (DFIR) or manage a Security Operations Center (SOC), you already know the truth: Windows Event Logs are your ultimate source of truth.
When an incident hits, drawing an accurate timeline depends entirely on your ability to parse these logs. But let's be honest — nobody memorizes thousands of event codes. And if you are jumping between legacy systems and modern enterprise environments, the shifting taxonomy can slow you down when every second counts.
This quick-reference cheatsheet bridges the gap. Derived from real-world digital forensics workflows, this guide covers the critical modern Event IDs you need to know for threat hunting, plus the formula to translate legacy logs on the fly.
The Core Blueprint: Modern vs. Legacy Event IDs
If you are investigating modern environments (Windows 10/11, Windows Server 2016/2019/2022), you are looking at standard 4-digit Event IDs. However, if you occasionally bump into legacy systems (Windows XP or Server 2003), you will see older 3-digit Event IDs.
There is a simple math trick to convert them: Add 4096 to the legacy ID to find its modern equivalent.
Example: On Windows XP, a user-initiated logoff is Event ID 551. On modern Windows machines, add 4096 and you get Event ID 4647.
Below are the most critical Event IDs categorized by the exact activity type you will look for during an investigation.
1. Authentication, Logons, and Lateral Movement
Tracking how and when accounts log on is the fastest way to map out unauthorized lateral movement or brute-force attempts.
- Event ID 4624 (Legacy 528 / 540) — Successful Account Logon
- Context: Look closely at the "Logon Type" inside the log (e.g., Type 3 for network, Type 10 for RDP) to see how the connection was made.
- Event ID 4625 (Legacy 529–537 / 539) — Account Failed to Log On
- Context: High volumes of this ID indicate active brute-force or credential-stuffing attacks.
- Event ID 4634 (Legacy 538) — Account Logged Off
- Context: Helps establish the exact duration of a user session.
- Event ID 4647 (Legacy 551) — User-Initiated Logoff
- Context: Confirms the user explicitly ended the session themselves.
- Event ID 4648 (Legacy 552) — Logon Attempt with Explicit Credentials
- Context: Triggered when a user logs on using runas or alternative admin credentials, which makes it highly relevant for privilege-escalation hunts.
2. Evidence Destruction & Log Tampering
Adversaries love to cover their tracks. When an attacker gains administrative privileges, one of their first steps is often to clear or stop the logging services.
- Event ID 1100 — Event Logging Service Shut Down
- Context: Indicates the logging service was intentionally stopped. Treat this as highly suspicious.
- Event ID 1102 (Legacy 517) — The Audit Log Was Cleared
- Context: A massive red flag. This tracks exactly when a log was wiped and which user account did it.
- Event ID 4616 (Legacy 520) — System Time Was Changed
- Context: Attackers change system time to confuse forensic timelines and evade security controls ("Timestomping").
3. Account Management & Persistence
Once inside a network, malicious actors frequently create new accounts, modify group memberships, or alter domain policies to maintain access.
- Event ID 4720 (Legacy 624) — User Account Created
- Context: Rogue local or domain accounts are classic persistence mechanisms.
- Event ID 4722 (Legacy 626) — User Account Enabled
- Context: Watch for previously dormant or disabled default accounts suddenly being activated.
- Event ID 4724 (Legacy 628 / 642) — Attempt to Reset an Account Password
- Context: Tracks unauthorized password changes across the environment.
- Event ID 4732 (Legacy 636) — Member Added to Security-Enabled Local Group
- Context: Look for users unexpectedly added to highly privileged groups like "Administrators".
- Event ID 4740 (Legacy 644) — User Account Locked Out
- Context: Essential for spotting widespread brute-force lockouts or HTML-based password spraying.
4. Process Creation, Services, and Execution
Detecting how malware executes or how administrative tools are weaponized requires visibility into process spawns and service installations.
- Event ID 4688 (Legacy 592) — A New Process Has Been Created
- Context: If command-line logging is enabled, this reveals exactly what commands an attacker executed.
- Event ID 4689 (Legacy 593) — A Process Has Exited
- Context: Helps map the precise lifetime of a malicious execution.
- Event ID 4697 (Legacy 601) — A Service Was Installed
- Context: Threat actors install malicious tools as system services to achieve persistent access.
- Event ID 4698 (Legacy 602) — A Scheduled Task Was Created
- Context: Tracks persistence via task schedulers (a very common technique for APTs).
5. Object Access & Active Directory Changes
Monitoring access to sensitive files, registry keys, or changes to core security policies.
- Event ID 4656 (Legacy 560) — A handle to an object (File, Registry, etc.) was requested
- Event ID 4657 — A registry value was modified (Crucial for tracking boot-execution malware and persistence keys)
- Event ID 4660 (Legacy 564) — An object was deleted
- Event ID 4663 (Legacy 567) — An attempt was made to access an object
- Event ID 4719 (Legacy 612) — System audit policy was changed
Summary Takeaways for Defenders
To make the most of this data, ensure your enterprise logging strategies are optimized:
- Enable Command Line Auditing: Event ID 4688 is twice as valuable if you configure Group Policy to log the exact process command lines.
- Centralize Your Logs: Event ID 1102 (Log Cleared) won't hurt your investigation if those logs have already been shipped in real-time to a secure, remote SIEM.
- Watch the Ratios: A high ratio of 4625 (Failed Logon) to 4624 (Successful Logon) on a single host is your earliest indicator of an active credential attack.
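The following is an added example, not code from the original post. It puts the legacy-to-modern conversion from the blueprint section and the 4625-to-4624 ratio takeaway into one small triage pass over a constructed batch of exported Security events; the record field names (host, event_id, logon_type, account) are assumed, not a real export schema, and the one exception to the +4096 rule is taken from the post's own list (legacy 517 maps to 1102, not 4613).

```python
from collections import Counter, defaultdict

LEGACY_OFFSET = 4096             # modern ID = legacy (XP / 2003) ID + 4096
LEGACY_EXCEPTIONS = {517: 1102}  # log cleared moved to 1102, not 517 + 4096

# Event IDs the post treats as outright red flags (modern numbering).
RED_FLAGS = {
    1100: "Event Logging Service shut down",
    1102: "Audit log cleared",
    4616: "System time changed",
    4719: "System audit policy changed",
}
# Constructed sample export (field names are assumptions, not a real schema).
EVENTS = [
    {"host": "WS01", "event_id": 4624, "logon_type": 10, "account": "alice"},
    {"host": "WS01", "event_id": 1102, "logon_type": None, "account": "alice"},
    {"host": "XP01", "event_id": 528, "logon_type": 2, "account": "bob"},
    {"host": "XP01", "event_id": 551, "logon_type": 2, "account": "bob"},
] + [
    {"host": "WS02", "event_id": 4625, "logon_type": 3, "account": "admin"}
    for _ in range(6)
] + [
    {"host": "XP01", "event_id": 529, "logon_type": 3, "account": "admin"}
    for _ in range(3)
]

def normalize_event_id(event_id):
    """Map a legacy 3-digit ID onto its modern 4-digit one; pass others through."""
    if event_id in LEGACY_EXCEPTIONS:
        return LEGACY_EXCEPTIONS[event_id]
    return event_id + LEGACY_OFFSET if event_id < 1000 else event_id

def triage(events):
    """Return per-host counts of normalized IDs and (host, id, note) findings."""
    per_host = defaultdict(Counter)
    findings = []
    for e in events:
        eid = normalize_event_id(e["event_id"])
        per_host[e["host"]][eid] += 1
        if eid in RED_FLAGS:
            findings.append((e["host"], eid, RED_FLAGS[eid]))
        elif eid == 4624 and e["logon_type"] == 10:   # Logon Type 10 = RDP
            findings.append((e["host"], eid, f"RDP logon by {e['account']}"))
    return per_host, findings

def failed_to_success_ratio(counts):
    """4625 / 4624 for one host; inf when only failures were seen, 0 when neither."""
    fail, succ = counts[4625], counts[4624]
    return fail / succ if succ else (float("inf") if fail else 0.0)
```

Run triage(EVENTS) and then failed_to_success_ratio on each host's counter; the legacy XP01 records are counted under 4624, 4625 and 4647 just like the modern hosts' records.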
Resource link for further reading and original technical reference: https://andreafortuna.org/2019/06/12/windows-security-event-logs-my-own-cheatsheet