Attacking and Defending Active Directory [CRTP]

Critical event IDs cheatsheet

Authentication Events:

  • 4624: Successful logon (check the Logon Type field: 2 interactive, 3 network, 10 RDP; also whether the authentication package was NTLM or Kerberos)

  • 4625: Failed logon (many failures from one source IP against many accounts indicates password spraying; against one account, brute force)

  • 4634/4647: Logoff (4647 is a user-initiated logoff)

  • 4648: Logon using explicit credentials (runas, alternate credentials; a common lateral-movement trace)

  • 4672: Special privileges assigned to a new logon (admin-equivalent rights such as SeDebugPrivilege; effectively "an admin just logged on")

  • 4776: NTLM credential validation by the DC (the Source Workstation field shows where the authentication came from)

  • 4768/4769: Kerberos TGT requested / service ticket requested (a 4769 with RC4 encryption, Ticket Encryption Type 0x17, for a user-account SPN is a Kerberoasting indicator; a 4768 with Pre-Authentication Type 0 shows an account that does not require pre-auth, i.e. is AS-REP roastable)

  • 4771: Kerberos pre-authentication failed (the Kerberos counterpart of 4625; Failure Code 0x18 is a wrong password)

Account Management:

  • 4720: Account created

  • 4722: Account enabled

  • 4723: Password change attempted by the account owner (4724 is a reset performed by someone else, e.g. an admin)

  • 4725: Account disabled

  • 4726: Account deleted

  • 4728/4732/4756: Member added to a security-enabled global / local / universal group (alert on Domain Admins, Enterprise Admins, Administrators and Schema Admins; 4729/4733/4757 are the corresponding removals)

  • 4740: Account locked out

System Security:

  • 4688: Process creation (enable "Include command line in process creation events" or the CommandLine field stays empty and you only get the image path)

  • 4689: Process termination

  • 4697: Service installed (Security log; requires the "Audit Security System Extension" subcategory)

  • 4698/4699: Scheduled task created/deleted

  • 4700/4701: Scheduled task enabled/disabled

  • 4719: System audit policy changed (an attacker turning auditing down; pair it with 1102, Security log cleared)

  • 4738: User account changed (attribute changes such as the UAC flags, e.g. "Do not require Kerberos preauthentication" or "Password not required" being set)

  • 7045: Service installed (System log, source Service Control Manager; written even when the Security audit policy is off, so PsExec-style remote service creation shows up here)
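
The following PowerShell script is an added example for this cheatsheet, not code from the CRTP notes: it pulls the event IDs above from the Security and System logs with Get-WinEvent and applies the detection logic the list hints at (spraying/brute force on 4625/4771, Kerberoasting on 4769, AS-REP roastable accounts on 4768, privileged group additions, new services, scheduled tasks and audit policy changes). It assumes it runs with log-read rights on a domain controller or event collector; the lookback window, failure threshold and the watched group list are assumptions you should adjust.

```powershell
# Added hunting example (not part of the CRTP notes). Assumptions: run with read access
# to the Security/System logs on a DC or collector; lookback and threshold are parameters.
param(
    [int]$HoursBack = 24,
    [int]$FailedLogonThreshold = 10
)

$since = (Get-Date).AddHours(-$HoursBack)

# Get-WinEvent throws a terminating error when nothing matches; return an empty list instead.
function Get-Events {
    param([string]$LogName, [int[]]$Id)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $since } -ErrorAction Stop
    } catch {
        @()
    }
}

# Read a named EventData field (TargetUserName, IpAddress, ...) from the event XML.
function Get-Field {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Failed logons (4625) and Kerberos pre-auth failures (4771): spraying vs brute force.
#    Both carry IpAddress; Kerberos events use the ::ffff:10.0.0.5 form, which is normalised here.
$failures = Get-Events -LogName Security -Id 4625, 4771 | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        User   = Get-Field $_ 'TargetUserName'
        Source = (Get-Field $_ 'IpAddress') -replace '^::ffff:', ''
    }
}
foreach ($g in ($failures | Group-Object Source | Where-Object { $_.Count -ge $FailedLogonThreshold })) {
    $accounts = ($g.Group.User | Sort-Object -Unique).Count
    $kind = if ($accounts -gt 1) { 'password spraying' } else { 'brute force' }
    Write-Output "[!] $($g.Count) failed logons from $($g.Name) against $accounts account(s): possible $kind"
}

# 2. Kerberoasting: 4769 service ticket for a user-account SPN with RC4 (0x17) encryption.
#    Computer accounts (trailing $) and krbtgt are excluded. 4768 with PreAuthType 0 flags
#    accounts that do not require pre-authentication (AS-REP roastable).
Get-Events -LogName Security -Id 4769 | Where-Object {
    (Get-Field $_ 'TicketEncryptionType') -eq '0x17' -and
    (Get-Field $_ 'Status') -eq '0x0' -and
    (Get-Field $_ 'ServiceName') -notmatch '\$$' -and
    (Get-Field $_ 'ServiceName') -ne 'krbtgt'
} | ForEach-Object {
    Write-Output "[!] RC4 service ticket for $(Get-Field $_ 'ServiceName') requested by $(Get-Field $_ 'TargetUserName') from $(Get-Field $_ 'IpAddress')"
}
Get-Events -LogName Security -Id 4768 | Where-Object { (Get-Field $_ 'PreAuthType') -eq '0' } | ForEach-Object {
    Write-Output "[!] TGT issued without pre-auth for $(Get-Field $_ 'TargetUserName') (AS-REP roastable)"
}

# 3. Privileged group changes: 4728/4732/4756 (member added to global/local/universal group).
#    The watched list is an assumption; extend it with your own tier-0 groups.
$watched = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
Get-Events -LogName Security -Id 4728, 4732, 4756 | Where-Object {
    $watched -contains (Get-Field $_ 'TargetUserName')
} | ForEach-Object {
    Write-Output "[!] $(Get-Field $_ 'MemberName') added to $(Get-Field $_ 'TargetUserName') by $(Get-Field $_ 'SubjectUserName')"
}

# 4. Persistence / lateral movement: new services (4697 in Security, 7045 in System),
#    scheduled tasks (4698) and audit policy tampering (4719).
Get-Events -LogName Security -Id 4697 | ForEach-Object {
    Write-Output "[+] Service installed: $(Get-Field $_ 'ServiceName') -> $(Get-Field $_ 'ServiceFileName') by $(Get-Field $_ 'SubjectUserName')"
}
Get-Events -LogName System -Id 7045 | ForEach-Object {
    Write-Output "[+] Service installed (SCM): $(Get-Field $_ 'ServiceName') -> $(Get-Field $_ 'ImagePath')"
}
Get-Events -LogName Security -Id 4698 | ForEach-Object {
    Write-Output "[+] Scheduled task created: $(Get-Field $_ 'TaskName') by $(Get-Field $_ 'SubjectUserName')"
}
Get-Events -LogName Security -Id 4719 | ForEach-Object {
    Write-Output "[!] Audit policy changed by $(Get-Field $_ 'SubjectUserName') at $($_.TimeCreated)"
}
```

Run it as `.\Hunt-EventIds.ps1 -HoursBack 48 -FailedLogonThreshold 20` from an elevated prompt on the DC, or point Get-WinEvent at a forwarder with `-ComputerName`. The script reads fields from the event XML rather than parsing the Message text, because message strings are localised and change between Windows versions while the EventData field names do not.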


Last updated 3 months ago