Identify Windows security-related events for security-enabled group creation (4727) and member removals from global (4729) and local (4733) groups:
index=wineventlog source="*:Security" (EventCode=4727 OR EventCode=4729 OR EventCode=4733)
Detect Windows logon failures (4625) caused by an expired password or a disabled account. The Sub_Status NTSTATUS code is the reliable discriminator: 0xC0000071 is "password expired", 0xC0000072 is "account disabled"; the OR is parenthesized so it does not swallow the EventCode term:
index=wineventlog source="*:Security" EventCode=4625 (Sub_Status=0xC0000071 OR Sub_Status=0xC0000072)
Monitor Windows account password changes (4723) and resets (4724). These events carry only the acting account and its Logon_ID, not a workstation name, so "made by a remote system" cannot be filtered on the event itself; correlate the Logon_ID with the matching 4624 event and keep those with Logon_Type=3 (network logon) and its Source Network Address:
index=wineventlog source="*:Security" (EventCode=4723 OR EventCode=4724)
Identify Windows security-related events for changes to the system audit policy (4719, "System audit policy was changed") and to the CrashOnAuditFail setting (4906):
index=wineventlog source="*:Security" (EventCode=4719 OR EventCode=4906)
Active Directory Reports
Member Added/Removed (security-enabled local, global and universal groups; 4761/4762 are the security-disabled universal group events and are left out):
host="*" index="wineventlog" (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757) |eval time = strftime(_time,"%c") |table time,name,MemberName,Group_Name,src_user |rename time as "Time" , name as "Action" , MemberName as "Member Name Added/Removed" , Group_Name as "Group Name" , src_user as "Member Added/Removed By"
Security Group Management Changed (4735 local, 4737 global, 4755 universal security-enabled group changed):
host="*" index="wineventlog" (EventCode=4735 OR EventCode=4737 OR EventCode=4755) |eval time = strftime(_time,"%c") |table time,name,src_user,TargetUserName,dest,session_id |rename time as "Time" , name as "Action" , src_user as "Source User", TargetUserName as "Target Group" , dest as "Destination DC" , session_id as "Session ID"
User Enabled/Disabled:
host="*" index="wineventlog" (EventCode=4722 OR EventCode=4725) |eval time = strftime(_time,"%c") |table time,name,user,src_user |rename time as "Time" , name as "Action" , user as "Target User" , src_user as "Account Enabled/Disabled By"
User Account Locked/Unlocked (4740 locked out, 4767 unlocked; matching on EventCode rather than the localized message text, and on user rather than Group_Name, which these events do not carry):
host="*" index="wineventlog" (EventCode=4740 OR EventCode=4767) |eval time = strftime(_time,"%c") |table time,dest_nt_domain,user,name,src_user |rename time as "Time" , user as "User Name" , dest_nt_domain as "Hostname", name as "Action" , src_user as "Locked/Unlocked By"
User Account Changed (4738):
host="*" index="wineventlog" EventCode=4738 |eval time = strftime(_time,"%c") |table time,name,user,src_user,dest |rename time as "Time" , name as "Action" , user as "Target User" , src_user as "Changed By" , dest as "Destination DC"
User Created:
host="*" index="wineventlog" EventCode=4720 |eval time = strftime(_time,"%c") |table time,name,user,Logon_ID,src_user,dest |rename time as "Time" , name as "Action" , user as "Created User" , Logon_ID as "Session ID" ,src_user as "User Created By :", dest as "Destination DC"
Admin Actions (logon/logoff noise 4624 and 4634 excluded; the user="" term matches only events with an empty user field, so list the real admin account names there; the OR is parenthesized so the EventCode exclusions apply to every user term):
host="*" index="wineventlog" EventCode!=4624 EventCode!=4634 (user="" OR user="Administrator") |eval time = strftime(_time,"%c") | transaction name maxspan=30s |table time,name,user,src,dest |rename time as "Time" , name as "Action" , user as "Admin User" , dest as "Destination DC", src as "Device"
Password Changed/Reset (4723 change attempt, 4724 reset attempt):
host="*" index="wineventlog" (EventCode=4723 OR EventCode=4724) |eval time = strftime(_time,"%c") |table time,name,user,src_user |rename time as "Time" , name as "Action" , user as "Target User" , src_user as "Password Changed/Reset By"
Help Desk Actions (replace the A.B placeholders with the help-desk account names):
host="*" index="wineventlog" EventCode!=4624 EventCode!=4634 (user="A.B" OR user="A.B" OR user="A.B") |eval time = strftime(_time,"%c") | transaction name maxspan=1m |table time,name,user,src,dest |rename time as "Time" , name as "Action" , user as "Help Desk User" , dest as "Destination DC", src as "Device"
Network User Logon (successful 4624 logons with Logon_Type=3; without the EventCode term, failures and logoffs of type 3 are included too, and src_ip is the source address of the logon, not the destination):
host="*" index="wineventlog" EventCode=4624 Logon_Type=3 | eval time = strftime(_time,"%c") | transaction name, user maxspan=1m |table time,name,src_ip,user |rename time as "Time" , name as "Action" , src_ip as "Source IP Address" , user as "User Name"
User Deleted:
host="*" index="wineventlog" EventCode=4726 |eval time = strftime(_time,"%c") |table time,name,src_user,dest |rename time as "Time" , name as "Action" , src_user as "Deleted By : " , dest as "Destination DC"
User Deleted By Admin:
host="*" index="wineventlog" EventCode=4726 |eval time = strftime(_time,"%c") |table time,name,src_user,user,dest |rename time as "Time" , name as "Action" , src_user as "Deleted By : ", user as "Deleted User: " , dest as "Destination DC"
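The searches above are Splunk-only, so their logic cannot be exercised outside an indexer. The block below is an added example, not part of the original page, that re-implements the core detections in Python over a handful of constructed Security events: security-enabled group membership changes, 4625 failures with the expired/disabled sub-status, and password changes/resets whose acting Logon_ID traces back to a network (type 3) 4624 logon, which is the correlation the password searches need because 4723/4724 carry no workstation name. It also goes one step beyond the page by pairing a 4720 with a later 4726 for the same account to flag short-lived accounts. The event dicts use the field names the page's searches use (EventCode, user, src_user, Logon_ID, Logon_Type, Sub_Status, MemberName, Group_Name, src_ip); that shape, the sample data and the NTSTATUS sub-status values are assumptions made for the example.

```python
"""Added example: the page's Splunk detections re-implemented over constructed
Windows Security events (dicts keyed like the Splunk Windows TA fields)."""

# Security-enabled group membership events, from the Event ID table on this page.
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
MEMBER_REMOVED = {4729: "global", 4733: "local", 4757: "universal"}

# 4625 Sub_Status codes (assumption: standard NTSTATUS values), compared case-insensitively.
SUB_STATUS_REASON = {
    "0xc0000071": "password expired",
    "0xc0000072": "account disabled",
}

# Constructed sample events, not real log data. _time is epoch seconds.
EVENTS = [
    {"_time": 1000, "EventCode": 4624, "user": "j.smith", "Logon_ID": "0x3E7A1",
     "Logon_Type": 3, "src_ip": "10.1.2.3"},                       # network logon
    {"_time": 1005, "EventCode": 4624, "user": "h.desk", "Logon_ID": "0x3E7B2",
     "Logon_Type": 2, "src_ip": "-"},                              # interactive logon
    {"_time": 1010, "EventCode": 4724, "src_user": "j.smith", "user": "svc_backup",
     "Logon_ID": "0x3E7A1"},                                       # reset from the network session
    {"_time": 1012, "EventCode": 4723, "src_user": "h.desk", "user": "h.desk",
     "Logon_ID": "0x3E7B2"},                                       # local self-service change
    {"_time": 1020, "EventCode": 4728, "src_user": "j.smith", "Group_Name": "Domain Admins",
     "MemberName": "CN=svc_backup,OU=Service,DC=example,DC=local"},
    {"_time": 1025, "EventCode": 4761, "src_user": "j.smith", "Group_Name": "All Staff",
     "MemberName": "CN=bob,OU=Users,DC=example,DC=local"},         # security-disabled group: out of scope
    {"_time": 1030, "EventCode": 4625, "user": "a.old", "Sub_Status": "0xC0000071"},
    {"_time": 1031, "EventCode": 4625, "user": "a.gone", "Sub_Status": "0xC0000072"},
    {"_time": 1032, "EventCode": 4625, "user": "a.typo", "Sub_Status": "0xC000006A"},  # bad password
    {"_time": 1040, "EventCode": 4720, "src_user": "j.smith", "user": "tmpadmin"},
    {"_time": 1045, "EventCode": 4729, "src_user": "j.smith", "Group_Name": "Domain Admins",
     "MemberName": "CN=svc_backup,OU=Service,DC=example,DC=local"},
    {"_time": 1100, "EventCode": 4726, "src_user": "j.smith", "user": "tmpadmin"},
]


def group_membership_changes(events):
    """Member Added/Removed report: security-enabled group membership changes only."""
    rows = []
    for e in events:
        code = e["EventCode"]
        if code in MEMBER_ADDED:
            action, scope = "added", MEMBER_ADDED[code]
        elif code in MEMBER_REMOVED:
            action, scope = "removed", MEMBER_REMOVED[code]
        else:
            continue
        rows.append({"time": e["_time"], "action": action, "scope": scope,
                     "member": e["MemberName"], "group": e["Group_Name"], "by": e["src_user"]})
    return rows


def failed_logons_expired_or_disabled(events):
    """4625 events whose Sub_Status means expired password or disabled account."""
    rows = []
    for e in events:
        if e["EventCode"] != 4625:
            continue
        reason = SUB_STATUS_REASON.get(str(e.get("Sub_Status", "")).lower())
        if reason:
            rows.append({"time": e["_time"], "user": e["user"], "reason": reason})
    return rows


def remote_password_changes(events):
    """4723/4724 whose acting Logon_ID was created by a network (type 3) 4624.
    The password events carry no workstation name; the 4624 is where the
    source address lives, so the two are joined on Logon_ID."""
    network_logons = {e["Logon_ID"]: e for e in events
                      if e["EventCode"] == 4624 and e.get("Logon_Type") == 3}
    rows = []
    for e in events:
        if e["EventCode"] not in (4723, 4724):
            continue
        logon = network_logons.get(e.get("Logon_ID"))
        if logon is None:
            continue  # interactive/local session, or no matching 4624 in the data
        rows.append({"time": e["_time"], "action": "change" if e["EventCode"] == 4723 else "reset",
                     "target": e["user"], "by": e["src_user"], "src_ip": logon["src_ip"]})
    return rows


def short_lived_accounts(events, max_age=3600):
    """A 4720 followed by a 4726 for the same account within max_age seconds:
    the pattern of a throwaway account created for one task and then removed."""
    created, rows = {}, []
    for e in sorted(events, key=lambda x: x["_time"]):
        if e["EventCode"] == 4720:
            created[e["user"]] = e
        elif e["EventCode"] == 4726 and e["user"] in created:
            c = created.pop(e["user"])
            if e["_time"] - c["_time"] <= max_age:
                rows.append({"user": e["user"], "created_by": c["src_user"],
                             "deleted_by": e["src_user"], "lifetime_s": e["_time"] - c["_time"]})
    return rows


if __name__ == "__main__":
    for title, fn in [("Member Added/Removed", group_membership_changes),
                      ("Expired/Disabled logon failures", failed_logons_expired_or_disabled),
                      ("Password changes from network sessions", remote_password_changes),
                      ("Short-lived accounts", short_lived_accounts)]:
        print(title)
        for row in fn(EVENTS):
            print("  ", row)
```

Running the block prints one report per detection; with the sample data the 4761 event and the bad-password 4625 are correctly ignored, only the reset performed from the 10.1.2.3 network session is reported, and tmpadmin is flagged as a 60-second account. In Splunk, the remote_password_changes join corresponds to a join or stats on Logon_ID between the 4723/4724 search and a 4624 Logon_Type=3 search.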
Windows Event ID   Event Summary
4720               A user account was created
4722               A user account was enabled
4723               An attempt was made to change an account's password
4724               An attempt was made to reset an account's password
4725               A user account was disabled
4726               A user account was deleted
4738               A user account was changed
4781               The name of an account was changed
4782               The password hash of an account was accessed
4624               An account was successfully logged on
4740               A user account was locked out
4634               An account was logged off
4625               An account failed to log on
4648               A logon was attempted using explicit credentials
4732               A member was added to a security-enabled local group
4728               A member was added to a security-enabled global group
4756               A member was added to a security-enabled universal group
4733               A member was removed from a security-enabled local group
4729               A member was removed from a security-enabled global group
4757               A member was removed from a security-enabled universal group