Windows Event Filtering - JCSC-JE/Graylog-IR GitHub Wiki

The tables below list, per log source, the Windows Event IDs that are filtered by the drop rules in the Graylog pipelines.

Log Source : Security

| Windows Event ID | Description |
|---|---|
| 1001 | The audit log was cleared |
| 1102 | The security log is now full |
| 1104 | Event log deleted |
| 1106 | Event log service error |
| 4624 | An account was successfully logged on |
| 4625 | An account failed to log on |
| 4634 | An account was logged off |
| 4648 | A logon was attempted using explicit credentials |
| 4657 | A registry value was modified |
| 4661 | Attempt to access an object |
| 4662 | Object permissions accessed |
| 4672 | Special privileges assigned to new logon |
| 4689 | A service was installed in the system |
| 4698 | A scheduled task was created |
| 4699 | A scheduled task was deleted |
| 4700 | A scheduled task was enabled |
| 4701 | A scheduled task was disabled |
| 4702 | A scheduled task was updated |
| 4720 | A user account was created |
| 4722 | A user account was enabled |
| 4728 | A member was added to a security-enabled global group |
| 4732 | A member was added to a security-enabled local group |
| 4738 | A user account was changed |
| 4740 | A user account was locked out |
| 4756 | A member was added to a security-enabled universal group |
| 4767 | A user account was unlocked |
| 4768 | A Kerberos authentication ticket was requested |
| 4769 | A Kerberos service ticket was requested |
| 4771 | Kerberos pre-authentication failed |
| 4772 | Kerberos authentication ticket request failed |
| 4773 | A Kerberos authentication ticket request failed |
| 4778 | User reconnected to RDP session |
| 4779 | User disconnected from RDP session |
| 4907 | Auditing settings on object were changed |
| 5140 | Network share accessed |
| 5141 | Directory service deleted |
| 5142 | Network share created |
| 5143 | Network share modified |
| 5144 | Network share deleted |
| 6416 | External device attached to system |
| 9009 | User initiated RDP logoff |

Log Source : System

| Windows Event ID | Description |
|---|---|
| 6 | Driver loaded |
| 19 | WUA update installation |
| 104 | Event log was cleared |
| 219 | Failed kernel driver loading |
| 1125 | Internal error |
| 1126 | Generic internal error |
| 1129 | Group Policy application failed due to connectivity |
| 7022 | Service start failure or crash |
| 7023 | Service start failure or crash |
| 7024 | Service start failure or crash |
| 7026 | Service start failure or crash |
| 7031 | Service start failure or crash |
| 7032 | Service start failure or crash |
| 7033 | The Service Control Manager did not initialize successfully |
| 7034 | Service start failure or crash |
| 7045 | New Windows service |

Log Source : Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

| Windows Event ID | Description |
|---|---|
| 21 | RDP user successfully authenticated |
| 22 | Remote Desktop Services: shell start notification received |
| 23 | RDP logoff |
| 24 | RDP user has disconnected |
| 24 | RDP user connection succeeded |
| 39 | Session A has been disconnected from session B |
| 40 | Session A reason code B |

Log Source : Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

| Windows Event ID | Description |
|---|---|
| 1149 | Established connection to RDP server from client |

Log Source : Microsoft-Windows-Sysmon/Operational

No Sysmon events are filtered by the drop rules; all Sysmon events are retained.

Log Source : Microsoft-Windows-Windows Defender/Operational

| Windows Event ID | Description |
|---|---|
| 1005 | MALWAREPROTECTION_SCAN_FAILED |
| 1006 | MALWAREPROTECTION_MALWARE_DETECTED |
| 1008 | MALWAREPROTECTION_MALWARE_ACTION_FAILED |
| 1010 | MALWAREPROTECTION_QUARANTINE_FAILED REMOVE |
| 2001 | MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED |
| 2003 | MALWAREPROTECTION_ENGINE_UPDATE_FAILED |
| 2003 | MALWAREPROTECTION_RTP_FAILED |
| 5001 | MALWAREPROTECTION_RTP_DISABLED |
| 5008 | MALWAREPROTECTION_ENGINE_FAILURE |
| 5012 | MALWAREPROTECTION_ANTIVIRUS_DISABLED |

Log Source : Microsoft-Windows-TaskScheduler/Operational

| Windows Event ID | Description |
|---|---|
| 100 | Task registration: task registered in Task Scheduler |
| 101 | Task started: task execution started |
| 102 | Task completed: task execution completed |
| 106 | Task triggered by user: task triggered manually by a user |
| 107 | Task triggered by time: task triggered at a specific time according to the scheduled time configuration |
| 110 | Task triggered on idle: task triggered when the system goes idle, based on the idle conditions specified in the task configuration |
| 111 | Task triggered on power: task triggered when a specific power event occurs, such as the system being powered on or off |
| 140 | Task registration updated: task registration was modified or updated in Task Scheduler |
| 200 | Task failed to start: task failed to start execution |
| 201 | Task stopped: task execution was stopped or terminated |
| 203 | Task terminated: task execution was forcibly terminated |
| 301 | Task missed its start time: task did not start execution at its scheduled time |
| 400 | Task registration deleted: task registration was deleted from Task Scheduler |
| 404 | Task registration disabled: task registration was disabled and will not be triggered for execution |
| 410 | Task registration enabled: task registration was enabled and will be triggered for execution according to the configured schedule |
| 413 | Task suspended: task execution was suspended or paused |
| 414 | Task resumed: task execution was resumed after being suspended |

Log Source : Microsoft-Windows-WinRM/Operational

| Windows Event ID | Description |
|---|---|
| 6 | Creating WSMan session on client |
| 81 | Processing client request for operation CreateShell |
| 82 | Entering the plugin for operation CreateShell with a ResourceURI |
| 134 | Sending response for operation CreateShell |
| 169 | Creating WSMan session on server |

Log Source : Microsoft-Windows-WMI-Activity/Operational

| Windows Event ID | Description |
|---|---|
| 5857 | Operation_StartedOperational |
| 5858 | Operation_ClientFailure |