Most Important Event IDs in SOC (Security Operations Center)
www.infosectrain.com
Windows Event IDs
Event ID 4624: Signals a successful account logon; vital for verifying legitimate access
Event ID 4625: Indicates a failed logon attempt; crucial for detecting unauthorized access attempts
Event ID 4768: Shows that a Kerberos authentication ticket (TGT) was requested; crucial for access monitoring
Event ID 4776: Credential validation attempt; essential for account security
Event ID 4697: A new service was installed on the system; monitor for unauthorized changes
Event ID 7034: Reports an unexpected service termination, which may indicate malicious activity or system issues
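The Windows IDs above are most useful when correlated rather than read one at a time. The following added example (not from the original deck) runs a small set of detection rules over constructed 4624/4625/4697/7034 records: repeated failures from one account and source, a success after those failures, a new service install, and a service crash. The key=value line format and the threshold of five failures are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample records (not real telemetry), one event per line,
# flattened to "Field=value" pairs for the demonstration.
SAMPLE_EVENTS = """\
EventID=4625 Account=jsmith Source=10.0.0.7 Status=0xC000006A
EventID=4625 Account=jsmith Source=10.0.0.7 Status=0xC000006A
EventID=4625 Account=jsmith Source=10.0.0.7 Status=0xC000006A
EventID=4625 Account=jsmith Source=10.0.0.7 Status=0xC000006A
EventID=4625 Account=jsmith Source=10.0.0.7 Status=0xC000006A
EventID=4624 Account=jsmith Source=10.0.0.7 LogonType=3
EventID=4624 Account=svc_backup Source=10.0.0.9 LogonType=5
EventID=4697 Account=jsmith Service=UpdaterSvc Path=C:\\Users\\Public\\u.exe
EventID=7034 Service=Spooler
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
FAILED_LOGON_THRESHOLD = 5  # assumed tuning value, not a vendor default

def parse(line):
    """Turn one 'Field=value ...' line into a dict."""
    return dict(FIELD_RE.findall(line))

def analyze(text, threshold=FAILED_LOGON_THRESHOLD):
    """Return a list of (rule, detail) findings for the given event lines."""
    findings = []
    failures = defaultdict(int)  # (account, source) -> consecutive 4625 count
    for line in text.splitlines():
        ev = parse(line)
        eid = ev.get("EventID")
        key = (ev.get("Account"), ev.get("Source"))
        if eid == "4625":
            failures[key] += 1
            if failures[key] == threshold:  # fire once when the threshold is reached
                findings.append(("brute_force", f"{key[0]} from {key[1]}: {threshold} failed logons"))
        elif eid == "4624":
            if failures[key] >= threshold:  # success right after a failure streak
                findings.append(("success_after_failures",
                                 f"{key[0]} from {key[1]} logged on after {failures[key]} failures"))
            failures[key] = 0  # a success ends the streak either way
        elif eid == "4697":
            findings.append(("new_service",
                             f"{ev.get('Service')} installed by {ev.get('Account')} from {ev.get('Path')}"))
        elif eid == "7034":
            findings.append(("service_crash", f"{ev.get('Service')} terminated unexpectedly"))
    return findings
```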
Linux/Unix Event IDs (Syslog)
LOG_AUTH: Covers authentication-related events; vital for monitoring login attempts and access control
LOG_CRON: Scheduled task execution; critical for tracking system maintenance activities
LOG_DAEMON: Covers system service events; vital for monitoring service health and performance
LOG_KERNEL: Kernel-related events; provides insight into the behavior and operation of the kernel
LOG_USER: Includes user-level messages; useful for understanding behavior and detecting unauthorized access
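On the wire, a syslog facility is not a label but part of the numeric PRI header (PRI = facility * 8 + severity), so a collector has to decode it before it can route LOG_AUTH or LOG_DAEMON traffic to the right rules. This added example (not from the original deck) decodes the PRI using the RFC 5424 facility numbers, naming them with the syslog(3) LOG_* constants (LOG_KERN is what the deck calls LOG_KERNEL), and then triages constructed sample lines by facility and severity. The sample lines and the "Failed password" match are constructed for the demonstration.

```python
import re

# Facility numbers from RFC 5424 section 6.2.1, named with the syslog(3) LOG_* constants.
FACILITIES = {0: "LOG_KERN", 1: "LOG_USER", 3: "LOG_DAEMON", 4: "LOG_AUTH",
              9: "LOG_CRON", 10: "LOG_AUTHPRIV"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def decode_pri(line):
    """Split a syslog line into (facility_name, severity_name, rest_of_line)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility_{facility}"), SEVERITIES[severity], m.group(2).strip()

# Constructed sample lines in RFC 3164 style, not captured from a real host.
SAMPLE_SYSLOG = [
    "<38>Mar  1 10:00:01 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2",
    "<36>Mar  1 10:00:07 host sshd[1240]: Failed password for invalid user admin from 203.0.113.9 port 4100 ssh2",
    "<78>Mar  1 10:05:01 host CRON[1300]: (root) CMD (/usr/local/bin/backup.sh)",
    "<27>Mar  1 10:06:12 host systemd[1]: nginx.service: Main process exited, code=killed, status=9/KILL",
    "<2>Mar  1 10:07:00 host kernel: Out of memory: Killed process 2210 (java)",
]

def triage(lines):
    """Route by facility: collect auth failures, plus anything at severity err or worse."""
    auth_failures, errors = [], []
    for line in lines:
        fac, sev, msg = decode_pri(line)
        if fac in ("LOG_AUTH", "LOG_AUTHPRIV") and "Failed password" in msg:
            auth_failures.append(msg)
        if SEVERITIES.index(sev) <= SEVERITIES.index("err"):  # lower index = more severe
            errors.append((fac, sev, msg))
    return auth_failures, errors
```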
Network Device Event IDs (Syslog)
Syslog ID 4: Captures firewall events; essential for maintaining network security and integrity
Syslog ID 5: Captures VPN events; crucial for ensuring the availability, security, and performance of VPN connections
Syslog ID 6: Authentication events on network devices; crucial for secure network access control
Syslog ID 7: Intrusion detection/prevention events; crucial for threat mitigation
SIEM and IDS/IPS Event IDs
Event ID 1: IDS/IPS triggered an alert, indicating a potential security threat was detected
Event ID 2: SIEM rule matched; crucial for incident correlation and analysis
Event ID 3: Anomaly detection; crucial for identifying deviations that indicate security breaches or system issues
Web Server Event IDs
Event ID 200: Signals HTTP request receipt; vital for tracking client interactions
Event ID 404: Denotes page not found; critical for diagnosing broken links or misconfigurations
Event ID 500: Indicates an internal server error; crucial for troubleshooting server issues
Database Server Event IDs
Event ID 102: Establishes a database connection; crucial for monitoring server connectivity
Event ID 201: Executes a database query; crucial for tracking database activity
Event ID 401: Denies database access; vital for identifying unauthorized access attempts
Top Event IDs Every SOC Professional Should Know