Top 50 Windows Event IDs

Authentication & Access Monitoring

Failed Login Attempts ❌ – Event ID: 4625
Account Lockouts 🔒 – Event ID: 4740
Successful Login Outside Business Hours 🌙 – Event ID: 4624
New User Creation 🆕 – Event ID: 4720
Privileged Account Usage 🔑 – Event ID: 4672
User Account Changes 🔄 – Event IDs: 4722, 4723, 4724, 4725, 4726
Logon from Unusual Locations 🌍 – Event ID: 4624 (with geolocation analysis)
Password Changes 🔑🔄 – Event IDs: 4723, 4724
Group Membership Changes 👥 – Event IDs: 4727, 4731, 4735, 4737
Suspicious Logon Patterns ⚠️ – Event ID: 4624
Excessive Logon Failures 🚫 – Event ID: 4625
Disabled Account Activity ⛔ – Event ID: 4725
Dormant Account Usage 💤 – Event ID: 4624
Service Account Activity ⚙️ – Event IDs: 4624, 4672
RDP Access Monitoring 💻 – Event ID: 4624 (with RDP-specific filtering)
Lateral Movement Detection 🔄🌐 – Event ID: 4648