Fundamentals
T1562Windows Event Logging & Audit Policy
A complete guide to Windows Event Logging for SOC analysts — which Event IDs matter, how to configure Advanced Audit Policy, how to verify logging is enabled, and what to do when critical logs are missing.
View on Graph
Why Windows Event Logging Is the Backbone of Detection
Windows Event Logs are the raw material for every endpoint investigation in a Windows environment. They capture authentication, process creation, network connections, object access, and policy changes. Without these logs, a SOC is blind to what happens on endpoints.
- The Windows Security Event Log (
Security.evtx) is the single most important log file on any Windows system. Every authentication attempt, process launch, and privilege change generates a record here if audit policy is configured correctly. - Windows Event Forwarding (WEF) allows centralized collection. Forwarding these logs to a SIEM enables cross-host correlation — connecting an authentication from one host to a process creation on another.
- Event IDs survive OS upgrades. Event ID 4624 (logon) has the same meaning on Windows 10, Windows 11, Windows Server 2016, 2019, and 2022. This stability makes detection rules reusable.
MITRE ATT&CK maps log tampering to T1562.002 (Disable or Modify Tools — Impair Defenses). Attackers who disable or clear Event Logs are trying to cover tracks. Detecting log gaps is a detection in itself.
The 15 Event IDs Every Analyst Must Know
You do not need to memorize every Event ID. These 15 cover 90% of Windows-based investigations:
| Event ID | Name | Detection Use Case | Audit Subcategory |
|---|---|---|---|
| 4624 | An account was successfully logged on | Successful authentication — lateral movement, remote access, user activity baseline | Logon |
| 4625 | An account failed to log on | Brute force, password spray, credential stuffing | Logon |
| 4648 | A logon was attempted using explicit credentials | RunAs, scheduled task, WMI, PsExec — lateral movement indicator | Logon |
| 4672 | Special privileges assigned to new logon | Admin-level login — every admin session triggers this | Privilege Use |
| 4688 | A new process has been created | Process creation — the most important event for endpoint detection | Detailed Tracking (must enable CommandLine) |
| 4698 | A scheduled task was created | Persistence via scheduled tasks | Detailed Tracking |
| 4719 | System audit policy was changed | Attacker disabling logging or changing audit settings — always high priority | Policy Change |
| 4720 | A user account was created | Backdoor account creation — compare against HR records | Account Management |
| 4728 | A member was added to a security-enabled global group | Domain Admin group modification — lateral movement or privilege escalation | Account Management |
| 4732 | A member was added to a security-enabled local group | Local admin group addition — privilege escalation | Account Management |
| 4768 | A Kerberos authentication ticket was requested | TGT request — volume spikes indicate Kerberoasting | Account Logon |
| 4769 | A Kerberos service ticket was requested | ST request — multiple 4769 from different IPs = Kerberoasting | Account Logon |
| 4776 | The domain controller attempted to validate credentials | NTLM authentication — pass-the-hash detection | Account Logon |
| 5156 | The Windows Filtering Platform permitted a connection | Network connection allowed — outbound connection monitoring | Object Access (Filtering Platform) |
| 5157 | The Windows Filtering Platform blocked a connection | Connection blocked — blocked outbound traffic = potential C2 | Object Access (Filtering Platform) |
Event 4688 — The Most Important Event
Event 4688 (process creation) is the single highest-value security event because it captures what actually ran on the endpoint. With command-line logging enabled, it includes the full command string.
What to look for in 4688:
- Encoded PowerShell:
powershell.exe -EncodedCommand <base64>— malware delivery and execution - LOLBin execution:
rundll32.exe,regsvr32.exe,mshta.exe,cscript.exe,wscript.exe,certutil.exe,bitsadmin.exe - Unusual parent-child relationships:
winword.exespawningpowershell.exe= macro malware - Processes launched from suspicious paths:
%TEMP%,%APPDATA%,%PUBLIC%,\Users\*\AppData\Local\Temp\ - Service control:
sc.exe create,sc.exe config— service creation or modification - WMI execution:
wmic.exe process call create— lateral movement via WMI
Without command-line logging, 4688 events show only “powershell.exe” — you cannot distinguish a legitimate admin from an attacker running encoded commands.
Configuring Advanced Audit Policy
Default Windows audit policy is minimal. You must configure Advanced Audit Policy to get the Event IDs listed above.
The Two Audit Policy Systems
Windows has two audit policy systems:
| System | Configured Via | Notes |
|---|---|---|
| Legacy Audit Policy | Local Security Policy | Limited subcategories. Overrides Advanced Audit Policy if both are set. |
| Advanced Audit Policy | auditpol.exe or GPO | Granular control per subcategory. Use this. |
Rule: If you configure both Legacy and Advanced audit policy, Legacy settings take precedence. Best practice: configure Advanced Audit Policy only and clear Legacy policy.
Essential Audit Policy Configuration via GPO
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access| Audit Subcategory | Setting | What It Logs |
|---|---|---|
| Audit Process Creation | Success | 4688 — process creation. Enabled command line logging separately. |
| Audit Logon | Success + Failure | 4624, 4625 — all authentication |
| Audit Account Logon | Success + Failure | 4768, 4769, 4776 — Kerberos and NTLM auth |
| Audit Account Management | Success | 4720, 4728, 4732 — account and group changes |
| Audit Detailed Tracking | Success | 4688 (process), 4698 (scheduled task) |
| Audit Policy Change | Success | 4719 — policy modification (attacker disabling logging) |
| Audit Privilege Use | Success | 4672 — privilege assignments |
| Audit Filtering Platform Connection | Success | 5156, 5157 — network connections permitted/blocked |
Enabling Command Line Logging in 4688 Events
This is not enabled by default and is the single highest-value log setting:
Via GPO:
Computer Configuration > Administrative Templates > System > Audit Process Creation
> "Include command line in process creation events" → EnabledVia Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit]
"ProcessCreationIncludeCmdLine_Enabled"=dword:00000001Verification via auditpol.exe
# Export current audit policy
auditpol /get /category:* /r > audit-policy.csv
# Check specific subcategory
auditpol /get /subcategory:"Process Creation"
# Set audit policy for process creation
auditpol /set /subcategory:"Process Creation" /success:enable
# Set command line logging via registry
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1SPL query — detect audit policy changes (Event 4719):
index=windows EventCode=4719
| search AuditPolicyChanges="*Security*" OR AuditPolicyChanges="*System*" OR AuditPolicyChanges="*DetailedTracking*"
| eval alert = if(AuditPolicyChanges LIKE "%disable%", "HIGH — Audit policy disabled by " . Account_Name . " on " . ComputerName, "INFO — Audit policy modified by " . Account_Name . " on " . ComputerName)
| table _time, ComputerName, Account_Name, AuditPolicyChanges, alert
| sort - _timeVerifying Logging Is Enabled
Quick Health Check for Windows Security Log
# Check Event Log status
Get-WinEvent -ListLog "Security" | Select LogName, RecordCount, IsEnabled, LogMode, LogIsFull
# Check if command line logging is enabled
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -ErrorAction SilentlyContinue
# Check audit policy subcategories
auditpol /get /category:"Detailed Tracking"
auditpol /get /category:"Logon"
auditpol /get /category:"Account Logon"What a healthy system looks like:
| Check | Expected Result | If Missing |
|---|---|---|
| Security log enabled | IsEnabled: True | Logs not capturing. Check GPO or auditpol. |
| 4688 appearing | Multiple 4688 events per host per hour | Process audit not configured. Run auditpol /set /subcategory:"Process Creation" /success:enable |
| 4688 has CommandLine | CommandLine field populated | Command line logging not enabled. Enable via GPO or registry. |
| 4624 and 4625 appearing | At least 10 4624 events per host per day | Logon audit not configured. |
| Log size > 20 MB | Large enough to retain minutes/hours of activity | Insufficient log size — increase via wevtutil. |
| Log not circular | LogMode: Circular is fine but Retroactive means logs never fill | Retroactive mode can lose oldest events — use Circular for production. |
Log Size and Retention Configuration
# Set Security log to 1 GB (1024 MB)
wevtutil sl Security /ms:1073741824
# Set retention to overwrite oldest events (circular)
wevtutil sl Security /rt:true
# Set automatic backup when full
wevtutil sl Security /ab:trueWhat to Do When Logs Are Missing
Scenario 1: No Event IDs Appearing
| Symptom | Likely Cause | Fix |
|---|---|---|
| No 4688 events | Process audit not configured | auditpol /set /subcategory:"Process Creation" /success:enable |
| No 4625 events | Failure audit not enabled for Logon | auditpol /set /subcategory:"Logon" /failure:enable |
| 4688 exists but no CommandLine | Command line logging disabled | Enable via GPO or registry entry above |
| No events for hours then a gap | Log full, circular mode not working | Check log size: wevtutil gl Security — increase as needed |
| Complete log gap for all hosts | WEF collector down or SIEM ingestion broken | Check Windows Event Forwarding subscription or SIEM forwarder health |
Scenario 2: Logs Present but Incomplete
SPL query — detect log gaps (hosts with no events in the last hour):
index=windows
| stats latest(_time) as last_event by ComputerName
| eval last_event_ago = (now() - last_event) / 3600
| where last_event_ago > 1
| eval alert = "HIGH — No Windows Events from " . ComputerName . " for " . round(last_event_ago, 1) . " hours — possible logging gap"
| table ComputerName, last_event, alertScenario 3: Audit Policies Changed or Disabled
Attackers frequently disable logging before executing their objective. Event ID 4719 fires when audit policies change.
SPL query — history of audit policy changes:
index=windows EventCode=4719
| table _time, ComputerName, Account_Name, AuditPolicyChanges, DomainName, SubjectUserName
| sort - _timeIf you see a 4719 followed by a gap in events from that host, assume the attacker disabled logging and the logs that would have captured their activity are missing.
Scenario 4: Logs Cleared
Event ID 1102 (Security log cleared) in the System log confirms intentional log clearing.
index=windows source="System" EventCode=1102
| table _time, ComputerName, Account_Name
| sort - _timeIf you find 1102 events, correlate with surrounding activity from other log sources (firewall, proxy, Sysmon on other hosts) to reconstruct what happened.
Windows Event Forwarding (WEF) Architecture
WEF enables centralized collection of Windows Event Logs. Without WEF or a SIEM forwarder, you must RDP to every host to check logs — impractical at scale.
WEF Collector Configuration
Source Computers → WinRM → WEF Collector (HTTP/HTTPS) → Forwarded Events log → SIEM Forwarder| Component | Role | Configuration |
|---|---|---|
| Source computers | Generate and forward events | Enable WinRM via GPO: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management > WinRM Client |
| WEF Collector | Receives and aggregates forwarded events | wecutil qc on the collector server |
| Subscription | Defines which events to collect (initiated, filtered) | Event Viewer > Subscriptions > Create Subscription — use Source Initiated for domain-joined endpoints |
| SIEM Forwarder | Forwards collected events to SIEM | Universal Forwarder (Splunk), Log Analytics Agent (Sentinel), Elastic Agent (ELK) |
Recommended WEF Subscriptions
| Subscription Name | Event IDs | Use |
|---|---|---|
| Security Logs — Full | 4624, 4625, 4688, 4719, 4720, 4728, 4732, 4648, 4672, 4776, 5140 | All critical security events |
| Security Logs — Process | 4688 (all) | Process creation for hunting and EDR baseline |
| Sysmon — Full | 1, 3, 7, 8, 10, 11, 15, 22 | Advanced endpoint telemetry |
| System Logs | 7036 (service state change), 7045 (service install), 1102 (log cleared) | Service changes and log health |
| AppLocker / WDAC | 8024, 8025, 8026, 8027 (blocked executables) | Application control alerts |
Correlation — Connecting Event IDs Across Hosts
The real power of Event Logs comes from connecting events across hosts:
| Scenario | Event Sequence |
|---|---|
| Lateral movement via PsExec | 4648 (explicit creds on source) → 4624 LogonType 3 on target → 4688 (psexec.exe) → 5156 (SMB outbound) |
| Kerberoasting | Multiple 4769 from same source IP → different service names → consistent timing |
| Ransomware execution | 4688 (malware process) → 4698 (scheduled task persistence) → 4719 (audit policy disabled) |
| Admin account compromise | 4625 (failed logins) → 4624 (successful login) → 4672 (admin privileges) → 4688 (suspicious commands) |
| Data exfiltration | 5156 (outbound connection to unusual IP/port) → large data transfer patterns |
Related
- EDR Basics — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
- Log Sources Overview — covers the log sources overview concepts
- Digital Forensics & Live Response — detection and response for T1562.001 techniques