ANAVEM

#security-auditing

8 articles

Windows Events: 8

Event 4771
Microsoft-Windows-Security-Auditing
Windows Event | Warning

Windows Event ID 4771 – Microsoft-Windows-Security-Auditing: Kerberos Pre-authentication Failed

Event ID 4771 indicates a Kerberos pre-authentication failure, typically caused by incorrect passwords, expired accounts, or time synchronization issues between client and domain controller.

March 18 | 12 min
Event 4648
Microsoft-Windows-Security-Auditing
Windows Event | Information

Windows Event ID 4648 – Microsoft-Windows-Security-Auditing: Logon Attempted Using Explicit Credentials

Event ID 4648 fires when a user or process attempts authentication using explicit credentials different from their current logon session, commonly seen with RunAs, network authentication, or service account operations.

March 18 | 12 min
Event 4647
Microsoft-Windows-Security-Auditing
Windows Event | Information

Windows Event ID 4647 – Microsoft-Windows-Security-Auditing: User Initiated Logoff

Event ID 4647 records when a user initiates a logoff from a Windows session. This security audit event tracks user-initiated disconnections for compliance and security monitoring purposes.

March 18 | 9 min
Event 4634
Microsoft-Windows-Security-Auditing
Windows Event | Information

Windows Event ID 4634 – Microsoft-Windows-Security-Auditing: An Account Was Logged Off

Event ID 4634 records when a user account logs off from a Windows system. This security audit event tracks logoff activities for compliance and security monitoring purposes.

March 18 | 12 min
Event 808
Security
Windows Event | Information

Windows Event ID 808 – Security: Audit Log Cleared

Event ID 808 indicates that the Windows Security audit log has been cleared, typically by an administrator or automated process. This event is critical for security monitoring and compliance tracking.

March 17 | 12 min
Event 4723
Microsoft-Windows-Security-Auditing
Windows Event | Information

Windows Event ID 4723 – Microsoft-Windows-Security-Auditing: User Account Password Change Attempt

Event ID 4723 logs when a user attempts to change another user's password. This security audit event tracks administrative password reset operations and helps monitor unauthorized password modifications across Windows domains.

March 17 | 12 min
Event 4625
Microsoft-Windows-Security-Auditing
Windows Event | Information

Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On

Event ID 4625 records failed logon attempts in Windows Security logs. It is critical for detecting brute-force attacks, credential issues, and unauthorized access attempts across domain and local accounts.

March 17 | 12 min
Event 4624
Microsoft-Windows-Security-Auditing
Windows Event | Information

Windows Event ID 4624 – Microsoft-Windows-Security-Auditing: An Account Was Successfully Logged On

Event ID 4624 records successful user authentication attempts in Windows. This security audit event fires whenever a user, service, or computer account successfully logs on to the system, providing detailed logon session information.

March 17 | 12 min