Event ID

  • 4720
  • 4624
  • 4625
  • 4770
  • 4728
  • 21
  • 4726
  • 1102

Events

New Local Users

User Added to Secure Groups (Domain Admins)

Priority 1 Snort Alerts

Sysmon Events (https://github.com/ion-storm/sysmon-config)

Snort Stopped

DNS Queries

Logs Cleared

Events

GPO Changes

Firewall Changes

Logins to Firewalls/Switches

Categories blocked by NGFW

Bytes Sent/Received

Failed Authentication Attempts

Account Lockouts

Events

DNS Entries

Traffic to High Priority Servers (Password Servers)

VPN Connections