
Top 50 Windows SIEM Use Cases & Event IDs

A Windows SIEM detects threats by monitoring critical Windows events. The use cases below are grouped by category, each with the Event ID(s) that drive the detection:

Authentication & Account Security

  -> Failed Login Attempts – Event ID 4625
  -> Account Lockouts – Event ID 4740
  -> Successful Login Outside Business Hours – Event ID 4624
  -> New User Creation – Event ID 4720
  -> Privileged Account Usage – Event ID 4672
  -> User Account Changes – Event IDs 4722, 4723, 4724, 4725, 4726
  -> Logon from Unusual Locations – Event ID 4624
  -> Password Changes – Event IDs 4723, 4724
  -> Group Membership Changes – Event IDs 4727, 4731, 4735, 4737
  -> Suspicious Logon Patterns – Event ID 4624
  -> Excessive Logon Failures – Event ID 4625
  -> Disabled Account Activity – Event ID 4725
  -> Dormant Account Usage – Event ID 4624
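The following is an added example, not code from the original post. It works three of the use cases above, Failed Login Attempts / Excessive Logon Failures (4625), Account Lockouts (4740) and Successful Login Outside Business Hours (4624), as SIEM-style rules over constructed Windows Security events in the XML shape that Get-WinEvent's .ToXml() and wevtutil produce. The EventData field names used (TargetUserName, TargetDomainName, IpAddress, LogonType, Status) are the real ones for these events; the function names, the 5-failures-in-5-minutes threshold, the 08:00-18:00 business window and every host, user and address in the sample are assumptions made up for the example.

```python
"""Added example (not from the original post): 4625 bursts, 4740 lockouts and
off-hours 4624 logons detected over constructed Security-log XML events."""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Flatten one event into a dict: EventID, Computer, TimeCreated (UTC) and
    every <Data Name="..."> child of <EventData> as its own key."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # SystemTime looks like 2024-03-04T02:10:00.1234567Z; drop the Z and the
    # 7-digit fraction, which datetime.fromisoformat rejects on older Pythons
    stamp = system.find("e:TimeCreated", NS).get("SystemTime").rstrip("Z").split(".")[0]
    rec = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Computer": system.find("e:Computer", NS).text,
        "TimeCreated": datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc),
    }
    data = root.find("e:EventData", NS)
    if data is not None:
        for d in data.findall("e:Data", NS):
            rec[d.get("Name")] = d.text
    return rec


def detect(events, fail_threshold=5, window=timedelta(minutes=5), business_hours=(8, 18)):
    """Process events in time order and return alert strings:
    - 4625 burst: fail_threshold failures from one source inside `window`
    - 4740: every lockout, with the caller computer that triggered it
    - 4624: a success from a source that just produced a burst, and any
      Interactive (2) or RemoteInteractive (10) logon outside business hours"""
    alerts = []
    recent_failures = defaultdict(deque)  # source -> timestamps of 4625s in window
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid, t = ev["EventID"], ev["TimeCreated"]
        if eid == 4625:
            src = ev.get("IpAddress") or ev.get("WorkstationName") or "unknown"
            q = recent_failures[src]
            q.append(t)
            while q and t - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) == fail_threshold:  # fire once, when the threshold is crossed
                alerts.append(f"4625 burst: {len(q)} failed logons from {src} within {window}")
        elif eid == 4740:
            # In 4740, TargetUserName is the locked account and TargetDomainName
            # carries the "Caller Computer Name" that caused the lockout
            alerts.append(f"4740 lockout: {ev['TargetUserName']} locked out, caller {ev.get('TargetDomainName')}")
        elif eid == 4624:
            src = ev.get("IpAddress") or "unknown"
            q = recent_failures.get(src)
            if q and len(q) >= fail_threshold and t - q[-1] <= window:
                alerts.append(f"4624 after burst: {ev['TargetUserName']} succeeded from {src} after {len(q)} failures")
            if ev.get("LogonType") in ("2", "10") and not (business_hours[0] <= t.hour < business_hours[1]):
                alerts.append(f"4624 off-hours: {ev['TargetUserName']} logon type {ev['LogonType']} at {t:%H:%M} UTC on {ev['Computer']}")
    return alerts


def make_event(eid, ts, computer="WS01", **data):
    """Render a minimal Security-log event XML (constructed sample data only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample: five network-logon failures for jdoe from 10.0.0.99 at
# 02:10..02:14 UTC, the resulting lockout on DC01, an RDP success from the same
# source at 02:16, and a normal console logon by asmith during the day.
SAMPLE_XML = [make_event(4625, f"2024-03-04T02:1{i}:00Z", TargetUserName="jdoe",
                         IpAddress="10.0.0.99", LogonType="3", Status="0xc000006d")
              for i in range(5)]
SAMPLE_XML += [
    make_event(4740, "2024-03-04T02:14:30Z", computer="DC01",
               TargetUserName="jdoe", TargetDomainName="WS17"),
    make_event(4624, "2024-03-04T02:16:00Z", TargetUserName="jdoe",
               IpAddress="10.0.0.99", LogonType="10"),
    make_event(4624, "2024-03-04T10:00:00Z", TargetUserName="asmith",
               IpAddress="10.0.0.5", LogonType="2"),
]


def run(xml_events=SAMPLE_XML):
    """Parse the sample and return the alerts it produces (four for SAMPLE_XML)."""
    return detect([parse_event(x) for x in xml_events])


if __name__ == "__main__":
    for line in run():
        print(line)
```

Two things to keep in mind when turning this into a production rule: 4625 and 4624 are only written where the Logon audit subcategory is enabled, and 4740 is written on the domain controller that processed the lockout, so DC logs must be collected for that use case. The per-source threshold catches a noisy brute force; a low-and-slow attempt spread across many accounts keeps each source under the threshold, so pair it with a count of distinct TargetUserName values per source over a longer window.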

System & Network Monitoring

  -> Service Account Activity – Event IDs 4624, 4672
  -> RDP Access Monitoring – Event ID 4624
  -> Lateral Movement Detection – Event ID 4648
  -> File and Folder Access – Event ID 4663
  -> Unauthorized File Sharing – Event IDs 5140, 5145
  -> Registry Changes – Event ID 4657
  -> Application Installation and Removal – Event IDs 11707, 1033
  -> USB Device Usage – Event IDs 20001, 20003
  -> Windows Firewall Changes – Event IDs 4946, 4947, 4950, 4951
  -> Scheduled Task Creation – Event ID 4698
  -> Process Execution Monitoring – Event ID 4688
  -> System Restart or Shutdown – Event IDs 6005, 6006, 1074

Threat Detection & Incident Response

  -> Event Log Clearing – Event ID 1102
  -> Malware Execution or Indicators – Event IDs 4688, 1116
  -> Active Directory Changes – Event IDs 5136, 5141
  -> Shadow Copy Deletion – Event ID 524
  -> Network Configuration Changes – Event IDs 4254, 4255, 10400
  -> Execution of Suspicious Scripts – Event ID 4688
  -> Service Installation or Modification – Event ID 4697
  -> Clearing of Audit Logs – Event ID 1102
  -> Software Restriction Policy Violation – Event ID 865
  -> Excessive Account Enumeration – Event IDs 4625, 4776
  -> Attempt to Access Sensitive Files – Event ID 4663
  -> Unusual Process Injection – Event ID 4688 (with EDR or Sysmon data)
  -> Driver Installation – Event ID 7045
  -> Modification of Scheduled Tasks – Event ID 4699
  -> Unauthorized GPO Changes – Event ID 5136

Advanced Threat Hunting

  -> Suspicious PowerShell Activity – Event ID 4104
  -> Unusual Network Connections – Event ID 5156
  -> Unauthorized Access to Shared Files – Event ID 5145
  -> DNS Query for Malicious Domains – Event ID 5158
  -> LDAP Search Abuse – Event ID 4662
  -> Process Termination Monitoring – Event ID 4689
  -> Failed Attempts to Start a Service – Event ID 7041
  -> Audit Policy Changes – Event IDs 4719, 1102
  -> Time Change Monitoring – Event IDs 4616, 520
  -> BitLocker Encryption Key Changes – Event ID 5379
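The following is an added example for the Suspicious PowerShell Activity use case (4104), not code from the original post. Script block logging writes 4104 to Microsoft-Windows-PowerShell/Operational only once the "Turn on PowerShell Script Block Logging" policy is enabled, and it splits long scripts across several 4104 events that share a ScriptBlockId and carry MessageNumber and MessageTotal. A rule that inspects each event on its own therefore misses an indicator that straddles a fragment boundary, which is what this example demonstrates. The EventData names (ScriptBlockId, ScriptBlockText, MessageNumber, MessageTotal, Path) are the real ones; the records are assumed to arrive already flattened into dicts as a SIEM pipeline would deliver them, and the indicator list, function names and sample script text are constructed for the example.

```python
"""Added example (not from the original post): reassemble fragmented 4104
script-block events per ScriptBlockId, then scan the whole block."""
import re
from collections import defaultdict

# Starting-point indicators for a hunt; tune them to what is normal locally.
INDICATORS = {
    "encoded-payload": re.compile(r"FromBase64String|-EncodedCommand|-enc\b", re.I),
    "dynamic-eval": re.compile(r"\bInvoke-Expression\b|\bIEX\b", re.I),
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
}


def reassemble(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order.
    Returns {ScriptBlockId: (text, complete)}; complete is False when any part
    1..MessageTotal is missing, which happens when a forwarder drops events."""
    parts = defaultdict(dict)
    totals = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        sbid = ev["ScriptBlockId"]
        parts[sbid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        totals[sbid] = int(ev["MessageTotal"])
    result = {}
    for sbid, frags in parts.items():
        complete = all(n in frags for n in range(1, totals[sbid] + 1))
        result[sbid] = ("".join(frags[n] for n in sorted(frags)), complete)
    return result


def scan(text):
    """Sorted names of the indicators present in a piece of script text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def hunt(events):
    """One finding per reassembled block that matches at least one indicator."""
    findings = []
    for sbid, (text, complete) in reassemble(events).items():
        hits = scan(text)
        if hits:
            findings.append({"ScriptBlockId": sbid, "indicators": hits,
                             "complete": complete, "chars": len(text)})
    return findings


def fragment_only_hits(events):
    """What a per-event rule sees: indicators found inside any single fragment."""
    return sorted({h for ev in events if ev.get("EventID") == 4104
                   for h in scan(ev["ScriptBlockText"])})


def _sb(sbid, number, total, text):
    """Build one flattened 4104 record (constructed sample data only)."""
    return {"EventID": 4104, "Channel": "Microsoft-Windows-PowerShell/Operational",
            "ScriptBlockId": sbid, "MessageNumber": number, "MessageTotal": total,
            "ScriptBlockText": text, "Path": ""}


# Constructed sample. Block A is split so that "Invoke-Expression" straddles the
# fragment boundary; block B is routine admin work; block C arrived with part 2
# of 3 missing, so its text is flagged but marked incomplete.
SAMPLE = [
    _sb("A", 1, 2, "$d = [Convert]::FromBase64String($enc); Invoke-Expr"),
    _sb("A", 2, 2, "ession ([Text.Encoding]::Unicode.GetString($d))"),
    _sb("B", 1, 1, "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"),
    _sb("C", 1, 3, "$wc = New-Object Net.WebClient; "),
    _sb("C", 3, 3, "$wc.DownloadFile($u, $out); Start-Process $out"),
]

if __name__ == "__main__":
    print("per-fragment view:", fragment_only_hits(SAMPLE))
    for finding in hunt(SAMPLE):
        print(finding)
```

Run on the sample, the per-fragment view reports only the encoded-payload and download indicators, while the reassembled view also catches the dynamic-eval indicator in block A. The `complete` flag on block C is the cue to check forwarder health before trusting a negative result on a long script.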

Make sure your IT & SOC teams monitor these events for faster threat detection! 
