Major Event IDs for System Admin & Network Admin

Here are 100 major Event IDs that may be useful for external auditors to check:

Security Event IDs:

- Event ID 4624 (Logon Success): Successful user logon events.
- Event ID 4625 (Logon Failure): Failed user logon attempts.
- Event ID 4648 (Explicit Credential Logon): Logon using explicit credentials.
- Event ID 4740 (Account Lockout): Indicates when an account is locked out due to failed logon attempts.
- Event ID 4768 (Kerberos Authentication): Records Kerberos authentication events.
- Event ID 4771 (Kerberos Pre-Authentication Failure): Failed Kerberos pre-authentication attempts.
- Event ID 4776 (NTLM Authentication): Logs NTLM authentication events.
- Event ID 4793 (The Password Policy Checking API was called): Records password policy-related events.
- Event ID 4946 (A change has been made to Windows Firewall exception list): Indicates changes to the Windows Firewall exception list.
- Event ID 5024 (The Windows Firewall Service has started successfully): Firewall service start event....