Intrusion Detection with Windows Event ID’s

Written By Jan Reilink

Windows Server systems administrator & enthusiast.

Found via: This paper is the best I have ever read on how to build IOCs with Windows Event IDs. I highly recommend reading it; it contains very useful information and some very interesting behavioural examples of attacker activity. If you are looking to enhance your detection in your core network, this is the document!

Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs

This is a paper by María del Carmen Prudente Tixteco, Lidia Prudente Tixteco, Gabriel Sánchez Pérez, Linda Karina Toscano Medina (keywords: indicators of compromise; windows event logs; intrusion detection), for the Eleventh International Conference on Internet Monitoring and Protection.

Nowadays computer attacks and intrusions have become more common, affecting the confidentiality, integrity or availability of computer systems. They are more sophisticated, making the job of information security analysts more complicated, mainly because the attack vectors are more robust and complex to identify. One of the main resources that information security people have at their disposal are Indicators of Compromise (IOCs), which allow the identification of potentially malicious activity on a system or network. Usually IOCs are made of virus signatures, IP addresses, URLs or domains and some other elements, which are not sufficient to detect an intrusion or malicious activity on a computer system. The Windows event logs register different activities in a Windows® operating system that are valuable elements in a forensic analysis process. IOCs can be generated using Windows event logs for intrusion detection, improving Incident Response (IR) and forensic analysis processes. This paper presents a procedure to generate IOCs using Windows event logs to achieve a more efficient diagnostic computer system for IR.

The relevant pages are available for download from ThinkMind:

Windows Events log for IR/Forensics, Part 1

The SANS InfoSec Handlers Diary Blog runs a series, Windows Events log for DFIR:

In the time of incidents, Windows Event logs provide plenty of useful information for the Incident responder. As you know, Windows can generate thousands of events in a few minutes; in this diary I will talk about some of the most useful events and in the next diary I will discuss how to use PowerShell to search for them.

Here are some of the most useful events for Forensics/Incident response:

Read the full post (part 1) here:
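Both the paper and the SANS diary make the same point: single event IDs are weak indicators on their own, but correlated across a logon session they become a usable IOC. The following is an added example to illustrate that idea; it is not code from the paper, the SANS diary or this blog. It assumes the Security log has already been exported to one dict per event (for instance from Get-WinEvent piped through ConvertTo-Json, or an EVTX parser), and all sample events, account names, IP addresses and hostnames below are constructed. It joins 4624 (successful logon) with 4672 (special privileges assigned) and 4648 (logon with explicit credentials) on the Logon ID, closes the session on 4634 (logoff), and then applies a few simple rules to the correlated session rather than to individual events.

```python
"""Correlate Windows Security events into an IOC-style alert.

Added example (not from the paper or the SANS diary). Input is assumed to be
a list of exported Security events as dicts; the records below are
constructed sample data, not real logs.
"""
from datetime import datetime, timedelta

# Constructed sample of exported Security events. Field names follow the
# XML EventData names used by the Security log (TargetLogonId, SubjectLogonId...).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2016-05-10T08:02:11", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4672, "Time": "2016-05-10T08:02:11", "SubjectUserName": "alice",
     "SubjectLogonId": "0x3e7a1"},
    {"EventID": 4634, "Time": "2016-05-10T17:30:00", "TargetLogonId": "0x3e7a1"},
    {"EventID": 4624, "Time": "2016-05-10T23:14:05", "TargetUserName": "svc_backup",
     "TargetLogonId": "0x51c22", "LogonType": 10, "IpAddress": "10.0.0.99"},
    {"EventID": 4672, "Time": "2016-05-10T23:14:06", "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x51c22"},
    {"EventID": 4648, "Time": "2016-05-10T23:15:40", "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x51c22", "TargetUserName": "administrator",
     "TargetServerName": "FILESRV01"},
]

# Logon types relevant here: 2 = Interactive, 3 = Network, 10 = RemoteInteractive (RDP).
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def correlate_logons(events, window=timedelta(seconds=5)):
    """Build one session per 4624 and attach related events by Logon ID.

    4672 marks the session privileged only if it arrives within `window`
    of the logon (they are normally logged together). 4648 records explicit
    credential use from within the session; 4634 closes it.
    Returns {logon_id: session_dict}.
    """
    sessions = {}
    # First pass: every 4624 opens a session keyed by its Logon ID.
    for ev in events:
        if ev["EventID"] == 4624:
            sessions[ev["TargetLogonId"]] = {
                "user": ev["TargetUserName"],
                "logon_type": ev["LogonType"],
                "source_ip": ev["IpAddress"],
                "start": parse_time(ev["Time"]),
                "end": None,
                "privileged": False,
                "explicit_creds": [],
            }
    # Second pass: attach the other events regardless of export order.
    for ev in events:
        if ev["EventID"] == 4672:
            s = sessions.get(ev["SubjectLogonId"])
            if s and abs(parse_time(ev["Time"]) - s["start"]) <= window:
                s["privileged"] = True
        elif ev["EventID"] == 4648:
            s = sessions.get(ev["SubjectLogonId"])
            if s:
                s["explicit_creds"].append(
                    f'{ev["TargetUserName"]}@{ev["TargetServerName"]}')
        elif ev["EventID"] == 4634:
            s = sessions.get(ev["TargetLogonId"])
            if s:
                s["end"] = parse_time(ev["Time"])
    return sessions


def evaluate(sessions, after_hours=(20, 6)):
    """Apply session-level IOC rules; returns a list of alert dicts.

    `after_hours` is (start_hour, end_hour) of the out-of-hours window,
    a site-specific assumption used only for this example.
    """
    start_h, end_h = after_hours
    alerts = []
    for logon_id, s in sessions.items():
        reasons = []
        if s["privileged"] and s["logon_type"] == 10:
            reasons.append(f'privileged {LOGON_TYPE_NAMES[10]} logon from {s["source_ip"]}')
        if s["privileged"] and (s["start"].hour >= start_h or s["start"].hour < end_h):
            reasons.append("privileged logon outside business hours")
        if s["explicit_creds"]:
            reasons.append("explicit credentials used for: " + ", ".join(s["explicit_creds"]))
        if reasons:
            alerts.append({"logon_id": logon_id, "user": s["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(correlate_logons(SAMPLE_EVENTS)):
        print(alert["user"], alert["logon_id"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The daytime interactive session (alice) also carries a 4672, because any administrator logon does, and produces no alert on its own; only the combination of privilege, RDP logon type, time of day and subsequent explicit credential use raises the second session to an alert. That is the difference between grepping for an event ID and building an IOC from event IDs.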


1 thought on “Intrusion Detection with Windows Event ID’s”

  1. Hello, I have a problem with all events 4624, 4634, 4648, 4672 … all events that are related to connections and disconnections are not registered at all in my event manager, since about 1 year; before, everything went well but we! Does somebody have an idea? When I activate the recordings with GPedit.msc, it works, but when I restart my PC, it does not work anymore.

