What event ID should I use?
This can relate to a potential attack. An attempt was made to change the password of an account. A user was added to a privileged universal group. A Kerberos authentication ticket request failed. The domain controller failed to validate the credentials of an account. Events related to Windows scheduled tasks being created, modified, deleted, enabled or disabled.
A rule was added to the Windows Firewall exception list. A rule was modified in the Windows Firewall exception list. Group Policy settings for Windows Firewall have changed. Windows Firewall blocked an application from accepting incoming traffic.
A network packet was blocked by Windows Filtering Platform. Windows Filtering Platform blocked an application or service from listening on a port. For instance, logging on interactively to a member server Win RC1 with a domain account produces an instance of this event in addition to 2 instances of This is the original account that started a process or connection using new credentials. In this case, Administrator was logged on to the local computer.
These are the new credentials. In this case, Administrator then logged on as rsmith mtg. This is the server (in this case a SharePoint server) that Administrator logged on to as rsmith mtg.
This section may be blank, or may indicate the local computer when another process is started on the local computer.
This is the process that initiates the connection or the new process. In this case it makes sense that it is Internet Explorer, since we are accessing a SharePoint site.

Introduction: Event ID viewed in Windows Event Viewer documents every successful attempt at logging on to a local computer. In other words, it points out how the user logged on.
There are a total of nine different logon types; the most common are logon type 2 (interactive) and logon type 3 (network). Any logon type other than 5, which denotes a service startup, is a red flag. Logon type 2 (Interactive logon): occurs when a user logs on using a computer's local keyboard and screen.
Reasons for monitoring successful logons. Security: to prevent privilege abuse, organizations need to be vigilant about what actions privileged users are performing, starting with logons. Operational: to get information on user activity, such as user attendance, peak logon times, etc.

Sure enough, it is up to the author to define and track the event IDs they use and what they mean.
The usable bits are: 0x - 0xffff (see: Event Message Structure). The upper bits should be avoided, but all values for the bottom bits are available if you create a custom source.

Yes, it accepts an Int32 as a parameter, but if you enter an int that is not in the range of 0 and it throws an exception.
You are right. I tested it now and I am surprised that MS claims it is 32 bits. Unfortunately, many APIs avoid unsigned integer types. They are not CLS-compliant. Why -1? Any comment?

Technically you can use any values between 1 - for that. Next 0, ;.

Probably because the purpose of the eventId is to uniquely identify the type of event. All events of the same type should have the same ID. This, for example, allows automated monitoring to take certain actions when certain events occur.
Assigning a random ID defies this purpose — Pete.

Pete, that makes sense when you log to the Application log, although it was just a suggestion.