5 Windows Event IDs every system administrator should be monitoring
If you're managing Windows machines, your event logs are already recording thousands of events every hour. The challenge isn't a lack of data; it's that you're too busy keeping things running to know which events actually matter. The good news: you don't need to monitor all of them. According to Microsoft's own security monitoring guidance, a small set of event IDs covers the most critical attack patterns, and they are recorded on every Windows machine in your environment as long as the relevant audit subcategories are enabled (a few of them are not on by default, which is noted below). Here are the five we think every system administrator should start with.
Event ID 4625, an account failed to log on (Security log). Five or more 4625 events for the same account in a short window is the classic password-guessing signal; the Sub Status field tells you why each attempt failed (0xC000006A is a wrong password, 0xC0000064 an unknown user name, 0xC0000234 a locked-out account). If the burst is followed by a 4624 (successful logon) for the same account from the same source, the guessing worked. Failures spread across many different accounts from one source address are a password spray, so group by source as well as by account. Filter out machine accounts (names ending in $) and known service accounts to reduce noise, and focus on failures with Logon Type 3 (network) and Type 10 (RDP). Note that 4625 is only written when failure auditing for the Logon subcategory is enabled.
Event ID 4624, an account was successfully logged on (Security log). Not every 4624 matters; your machines generate hundreds daily, so the Logon Type and source fields do the filtering. Focus on Logon Type 10 (RDP) from unexpected addresses and Logon Type 3 (network) from workstations to servers. A Type 3 logon from one workstation to another is a lateral-movement indicator: ordinary users rarely have a reason to connect to each other's machines, while administrators and attackers do. Also watch for Type 9 (NewCredentials), which is what runas /netonly and pass-the-hash tooling produce on the machine where the alternate credentials are loaded.
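To make the 4625 and 4624 checks from the two paragraphs above concrete, here is an added PowerShell example. It is not Arden's code and not part of the original article. The thresholds, the service-account and trusted-RDP-source allowlists, the WS- hostname convention, the function names and every sample event are assumptions for illustration; ConvertTo-LogonEvent flattens live Get-WinEvent records into the shape the checks use, and the constructed samples at the bottom let the script run offline.

```powershell
# Added example (not Arden's code): triage of Security-log events 4625 and 4624.
# Thresholds, allowlists and the hostname convention are assumptions to tune for your estate.

$BurstThreshold       = 5                     # 4625s against one account within the queried window
$SprayThreshold       = 10                    # distinct accounts failing from one source address
$KnownServiceAccounts = @('svc_backup', 'svc_sql')   # assumption: accounts known to fail noisily
$TrustedRdpSources    = @('10.0.50.*')        # assumption: admin subnet / jump hosts, wildcard patterns
$WorkstationPrefix    = 'WS-'                 # assumption: workstation hostname convention
$SubStatusText = @{ '0xc000006a' = 'wrong password'; '0xc0000064' = 'no such user'
                    '0xc0000234' = 'account locked out'; '0xc0000072' = 'account disabled' }

function ConvertTo-LogonEvent {
    # Flattens a live EventRecord (from Get-WinEvent) into the shape the checks below use.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $m = @{ Id = $Record.Id; Time = $Record.TimeCreated; Computer = $Record.MachineName }
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $m[$d.Name] = $d.'#text' }
    [pscustomobject]$m
}

function Get-FailedNetworkLogons([object[]]$Events) {
    # Only network (3) and RDP (10) failures, minus machine accounts and known noisy service accounts.
    $Events | Where-Object {
        $_.Id -eq 4625 -and $_.LogonType -in @('3', '10') -and
        $_.TargetUserName -notlike '*$' -and $_.TargetUserName -notin $KnownServiceAccounts
    }
}

function Find-BruteForce([object[]]$Events) {
    # The caller restricts the query to a short window (e.g. StartTime = now - 10 min),
    # so a "burst" is simply >= $BurstThreshold failures for one account in that window.
    foreach ($g in (Get-FailedNetworkLogons $Events | Group-Object TargetUserName | Where-Object Count -ge $BurstThreshold)) {
        $lastFail = $g.Group | Sort-Object Time | Select-Object -Last 1
        # A 4624 for the same account from the same source after the burst means the guessing worked.
        $success = $Events | Where-Object {
            $_.Id -eq 4624 -and $_.TargetUserName -eq $g.Name -and
            $_.IpAddress -eq $lastFail.IpAddress -and $_.Time -gt $lastFail.Time
        } | Select-Object -First 1
        $verdict = if ($success) { 'Brute force followed by successful logon' } else { 'Brute force' }
        $reasons = $g.Group.SubStatus | Sort-Object -Unique | ForEach-Object { $SubStatusText[$_.ToLower()] }
        [pscustomobject]@{ Finding = $verdict; Account = $g.Name; Source = $lastFail.IpAddress
                           Failures = $g.Count; Reasons = ($reasons -join ', ') }
    }
}

function Find-PasswordSpray([object[]]$Events) {
    # Many different accounts failing from one source: a spray, even if no single account bursts.
    foreach ($g in (Get-FailedNetworkLogons $Events | Where-Object IpAddress -ne '-' | Group-Object IpAddress)) {
        $accounts = @($g.Group.TargetUserName | Sort-Object -Unique)
        if ($accounts.Count -ge $SprayThreshold) {
            [pscustomobject]@{ Finding = 'Password spray'; Source = $g.Name; Accounts = $accounts.Count }
        }
    }
}

function Find-SuspiciousLogons([object[]]$Events) {
    # 4624 triage by Logon Type: RDP from outside the admin subnet, workstation-to-workstation
    # network logons (source = WorkstationName, target = the host that logged the event), and type 9.
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4624 -and $_.TargetUserName -notlike '*$' })) {
        $why = switch ($e.LogonType) {
            '10' { if (-not ($TrustedRdpSources | Where-Object { $e.IpAddress -like $_ })) { 'RDP (type 10) from an unexpected source' } }
            '3'  { if ($e.Computer -like "$WorkstationPrefix*" -and $e.WorkstationName -like "$WorkstationPrefix*") { 'network logon (type 3) workstation to workstation' } }
            '9'  { 'NewCredentials logon (type 9): runas /netonly or pass-the-hash tooling' }
        }
        if ($why) {
            [pscustomobject]@{ Finding = $why; Account = $e.TargetUserName; Source = $e.WorkstationName; SourceIp = $e.IpAddress; Target = $e.Computer }
        }
    }
}

# Constructed sample events (not real logs) so the checks run offline.
$t0 = Get-Date '2025-01-15 09:00:00'
function New-Sample($Id, $Sec, $Computer, $User, $Type, $Ip, $Ws, $Sub) {
    [pscustomobject]@{ Id = $Id; Time = $t0.AddSeconds($Sec); Computer = $Computer; TargetUserName = $User
                       LogonType = $Type; IpAddress = $Ip; WorkstationName = $Ws; SubStatus = $Sub }
}
$samples = @(
    foreach ($i in 1..6)  { New-Sample 4625 ($i * 5)   'FS01' 'jsmith'  '3' '203.0.113.7'   '-' '0xC000006A' }   # burst
    foreach ($i in 1..10) { New-Sample 4625 (100 + $i) 'FS01' "user$i"  '3' '198.51.100.77' '-' '0xC0000064' }   # spray
    New-Sample 4624 40 'FS01'   'jsmith'  '3'  '203.0.113.7'  '-'      $null          # the guess worked
    New-Sample 4625 50 'FS01'   'WS-042$' '3'  '10.0.1.42'    'WS-042' '0xC000006A'   # machine account: noise
    New-Sample 4624 60 'WS-043' 'jsmith'  '3'  '10.0.1.42'    'WS-042' $null          # workstation to workstation
    New-Sample 4624 70 'WS-043' 'jsmith'  '10' '198.51.100.9' '-'      $null          # RDP from outside the admin subnet
    New-Sample 4624 80 'WS-042' 'jsmith'  '9'  '-'            'WS-042' $null          # runas /netonly style
)
Find-BruteForce $samples | Format-List
Find-PasswordSpray $samples | Format-List
Find-SuspiciousLogons $samples | Format-List
# Live use: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddMinutes(-10) } |
#           ForEach-Object { ConvertTo-LogonEvent $_ } and pass the result to the three Find-* functions.
```

On the sample data the script reports one brute-force finding for jsmith with the follow-on 4624 (six failures, all "wrong password"), one spray from 198.51.100.77 against ten accounts, and three suspicious 4624s (workstation-to-workstation, RDP from an untrusted address, type 9); the machine-account failure is dropped as noise. For Kerberos network logons WorkstationName is often "-", so in production you would resolve IpAddress against your asset inventory rather than rely on the hostname prefix.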
Event ID 7045, a service was installed in the system (System log, source Service Control Manager). Every new service on a Windows machine gets a 7045. This is how PsExec works: it copies a service binary to the remote host and installs it (PSEXESVC) for the duration of the session. Any service you did not install that has a random-looking name, an image path in a temp or user-writable folder, or a command line that runs cmd.exe or powershell.exe, especially one running as LocalSystem, is worth investigating immediately. The same event catches persistence, since a service set to start automatically survives reboots. If you audit the Security System Extension subcategory, Event ID 4697 in the Security log records the same installs together with the account that performed them.
Event ID 4698, a scheduled task was created (Security log). Scheduled tasks are among the most common persistence mechanisms in real-world attacks. A 4698 tells you exactly what was created, what it runs and who created it; the full task XML is in the event's Task Content field, so the command and its arguments are right there. Watch for tasks that run PowerShell with encoded commands (the -EncodedCommand argument is base64 of UTF-16LE text, so decode it before deciding), tasks created by non-admin users, and tasks that were created and then deleted quickly (a 4698 followed by a 4699 for the same task name within minutes), which is the trace left by remote-execution tools that register a task, fire it once and clean up. 4698 and 4699 are only written when the Other Object Access Events subcategory is audited.
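The 7045 and 4698/4699 triage described in the two paragraphs above, as an added PowerShell example that is not Arden's code and not part of the original article. The service and task-creator allowlists, the suspicious-path patterns, the random-name heuristic, the function names and all sample events are assumptions for illustration; ConvertTo-EventMap flattens live Get-WinEvent records into the shape the checks use, and the constructed samples at the bottom let the script run offline.

```powershell
# Added example (not Arden's code): triage of 7045 service installs and 4698/4699 task events.
# Allowlists, heuristics and the sample events are assumptions to tune for your estate.

$KnownServices        = @('MyBackupAgent')                # assumption: services your own tooling installs
$ExpectedTaskCreators = @('Administrator', 'svc_deploy')  # assumption: accounts expected to create tasks
$SuspiciousPaths      = @('*\Temp\*', '*\AppData\*', '*\Users\Public\*', '*cmd.exe*', '*powershell*', '*rundll32*')
$TaskDeleteWindow     = [timespan]::FromMinutes(10)

function ConvertTo-EventMap {
    # Flattens a live EventRecord (from Get-WinEvent) into the shape the checks below use.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $m = @{ Id = $Record.Id; Time = $Record.TimeCreated; Computer = $Record.MachineName }
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $m[$d.Name] = $d.'#text' }
    [pscustomobject]$m
}

function Test-RandomName([string]$Name) {
    # Heuristic: tool-generated names are 8+ alphanumerics with digits mixed in or almost no vowels.
    if ($Name -notmatch '^[A-Za-z0-9]{8,}$') { return $false }
    $vowelRatio = ($Name -replace '[^aeiouAEIOU]', '').Length / $Name.Length
    return (($Name -match '\d') -and ($Name -match '[A-Za-z]')) -or ($vowelRatio -lt 0.2)
}

function Find-SuspiciousServiceInstalls([object[]]$Events) {
    foreach ($e in ($Events | Where-Object { $_.Id -eq 7045 -and $_.ServiceName -notin $KnownServices })) {
        $reasons = @()
        if ($e.ServiceName -eq 'PSEXESVC') { $reasons += 'PsExec service (PSEXESVC)' }
        elseif (Test-RandomName $e.ServiceName) { $reasons += 'random-looking service name' }
        foreach ($p in $SuspiciousPaths) { if ($e.ImagePath -like $p) { $reasons += "image path matches $p"; break } }
        if ($reasons.Count -eq 0) { continue }              # nothing odd on its own; baseline it if it recurs
        if ($e.AccountName -eq 'LocalSystem') { $reasons += 'runs as SYSTEM' }
        [pscustomobject]@{ Finding = 'Suspicious service install'; Computer = $e.Computer; Service = $e.ServiceName
                           ImagePath = $e.ImagePath; Reasons = ($reasons -join '; ') }
    }
}

function Get-EncodedCommand([string]$Arguments) {
    # -EncodedCommand (and its short forms) carries UTF-16LE base64; decode it so the finding shows the real command.
    if ($Arguments -match '-(encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) } catch { return $null }
    }
}

function Find-SuspiciousTasks([object[]]$Events) {
    $deleted = @($Events | Where-Object Id -eq 4699)
    foreach ($e in ($Events | Where-Object Id -eq 4698)) {
        $reasons = @()
        $exec    = ([xml]$e.TaskContent).Task.Actions.Exec    # TaskContent holds the full task XML
        $decoded = Get-EncodedCommand ([string]$exec.Arguments)
        if ("$($exec.Command)" -match 'powershell|pwsh' -and $decoded) { $reasons += "encoded PowerShell: $decoded" }
        if ($e.SubjectUserName -notin $ExpectedTaskCreators) { $reasons += "created by $($e.SubjectUserName)" }
        # Create-then-delete: remote-execution tooling registers a task, runs it once and removes it.
        $gone = $deleted | Where-Object { $_.TaskName -eq $e.TaskName -and $_.Time -gt $e.Time -and ($_.Time - $e.Time) -le $TaskDeleteWindow } | Select-Object -First 1
        if ($gone) { $reasons += "deleted again after $([int]($gone.Time - $e.Time).TotalMinutes) min (4699)" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Finding = 'Suspicious scheduled task'; Computer = $e.Computer; Task = $e.TaskName
                               Command = "$($exec.Command) $($exec.Arguments)"; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample events (not real logs) so the checks run offline.
$t0  = Get-Date '2025-01-15 09:00:00'
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('whoami > C:\Users\Public\w.txt'))
$taskXml = "<Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'><Actions><Exec>" +
           "<Command>powershell.exe</Command><Arguments>-nop -w hidden -enc $b64</Arguments></Exec></Actions></Task>"
$samples = @(
    [pscustomobject]@{ Id = 7045; Time = $t0;               Computer = 'FS01';   ServiceName = 'PSEXESVC';      ImagePath = '%SystemRoot%\PSEXESVC.exe';         AccountName = 'LocalSystem' }
    [pscustomobject]@{ Id = 7045; Time = $t0.AddMinutes(1); Computer = 'WS-042'; ServiceName = 'xKqmZrTw';      ImagePath = 'C:\Windows\Temp\svc.exe';           AccountName = 'LocalSystem' }
    [pscustomobject]@{ Id = 7045; Time = $t0.AddMinutes(2); Computer = 'WS-042'; ServiceName = 'MyBackupAgent'; ImagePath = 'C:\Program Files\Backup\agent.exe'; AccountName = 'LocalSystem' }
    [pscustomobject]@{ Id = 4698; Time = $t0.AddMinutes(3); Computer = 'WS-042'; SubjectUserName = 'jsmith'; TaskName = '\Updater'; TaskContent = $taskXml }
    [pscustomobject]@{ Id = 4699; Time = $t0.AddMinutes(5); Computer = 'WS-042'; SubjectUserName = 'jsmith'; TaskName = '\Updater' }
)
Find-SuspiciousServiceInstalls $samples | Format-List
Find-SuspiciousTasks $samples | Format-List
# Live use: Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } and
#           Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698, 4699 }, each piped to ConvertTo-EventMap.
```

On the samples the script flags the PSEXESVC install and the random-named service in C:\Windows\Temp (both running as SYSTEM), skips the allowlisted backup agent, and reports the \Updater task with the decoded command (whoami > C:\Users\Public\w.txt), its non-expected creator, and its deletion two minutes later. The random-name heuristic will occasionally hit legitimate short vendor service names, which is why a baseline allowlist, not the heuristic alone, decides what gets paged.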
Event ID 1102, the audit log was cleared (Security log). If your Security log gets cleared, this is the one event that survives: it is written as the first entry in the freshly cleared log and records which account did it. There is almost never a legitimate reason to clear the Security log on a production machine. If you see this, treat it as a critical indicator that someone is covering their tracks, and pull that host's events from your central collector, because whatever was cleared is gone locally. Pair it with Event ID 104 in the System log, which records clearing of the System log and the other non-Security logs.
These five events won't catch everything, but they cover brute force, lateral movement, remote execution, persistence and anti-forensics. According to the Picus Security Red Report 2026, which analyzed over one million malware samples, Defense Evasion and Persistence are the dominant tactics used by attackers today, with 80% of the top 10 MITRE ATT&CK techniques focused on staying hidden and maintaining long-term access. The MITRE ATT&CK framework documents these phases based on real-world observations from thousands of intrusions. You can monitor these event IDs manually with Event Viewer or Get-WinEvent, or let Arden do it automatically with detection rules that cover the full ATT&CK kill chain.
Stop guessing. Start detecting.
Arden monitors these event IDs and dozens more — automatically, in real time, on every Windows machine in your network.
Join Early Access