
Request for List of High and Critical Windows Security Event IDs

Suresh Nalamolu (Trianz) 20 Reputation points
2025-07-15T03:36:10.5566667+00:00

We are currently working on integrating and analysing Windows Security logs for threat detection and compliance reporting. As part of this effort, we are looking to focus specifically on high and critical severity security events that are logged in the Windows Event Viewer (Security Log).

Could someone please help provide a list of relevant Event IDs that are commonly classified as high or critical in severity.

If there is any official documentation or Microsoft reference guide that categorises these events by severity level, that would also be very helpful.

Microsoft Security | Microsoft Defender | Other

1 answer

Catherine Kyalo 2,855 Reputation points Microsoft Employee
2025-07-15T07:54:59.7433333+00:00

Hi Suresh Nalamolu (Trianz)

Below is a list of some classified event IDs

Authentication & Logon Events

• 4625 – Failed logon (brute-force, password guessing)
• 4649 – Replay attack detected

Account Management

• 4732 – Member added to a security-enabled local group
• 4740 – Account locked out

System Integrity & Audit Policy

• 1102 – Audit log cleared
• 4719 – System audit policy changed
• 4616 – System time changed (can be used to hide activity)

Object Access & Privilege Use

• 4660 – Object deleted
• 4674 – Operation attempted on a privileged object

Process & Script Monitoring

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
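As an added example (not part of the answer above, and not Microsoft code), the script below runs a small detection pass over constructed sample Security events, keyed on the event IDs the answer lists. It tags each watchlisted event with the answer's category, flags a burst of 4625 failed logons from one source against one account inside a sliding window, and pulls out the audit-tampering IDs (1102, 4719, 4616) separately. The field names TargetUserName, SubjectUserName and IpAddress mirror the Security log's own event fields, but the JSON-lines shape and every value are constructed for this example, and the five-failures-in-five-minutes threshold is an assumed tuning value.

```python
from __future__ import annotations

import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event IDs grouped as in the answer above; descriptions follow the answer's wording.
WATCHLIST = {
    4625: ("Authentication & Logon", "Failed logon"),
    4649: ("Authentication & Logon", "Replay attack detected"),
    4732: ("Account Management", "Member added to a security-enabled local group"),
    4740: ("Account Management", "Account locked out"),
    1102: ("System Integrity & Audit Policy", "Audit log cleared"),
    4719: ("System Integrity & Audit Policy", "System audit policy changed"),
    4616: ("System Integrity & Audit Policy", "System time changed"),
    4660: ("Object Access & Privilege Use", "Object deleted"),
    4674: ("Object Access & Privilege Use", "Operation attempted on a privileged object"),
}

# IDs whose single occurrence is worth an alert on its own (audit tampering).
TAMPERING_IDS = (1102, 4719, 4616)

# Constructed sample: JSON lines in the shape a log forwarder might emit.
# Field names echo Security-log fields; the records and values are invented.
SAMPLE_EVENTS = """\
{"TimeCreated": "2025-07-15T03:00:01Z", "EventID": 4625, "TargetUserName": "svc-backup", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2025-07-15T03:00:03Z", "EventID": 4625, "TargetUserName": "svc-backup", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2025-07-15T03:00:04Z", "EventID": 4625, "TargetUserName": "svc-backup", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2025-07-15T03:00:05Z", "EventID": 4625, "TargetUserName": "svc-backup", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2025-07-15T03:00:06Z", "EventID": 4625, "TargetUserName": "svc-backup", "IpAddress": "10.0.0.25"}
{"TimeCreated": "2025-07-15T03:00:07Z", "EventID": 4740, "TargetUserName": "svc-backup", "IpAddress": "-"}
{"TimeCreated": "2025-07-15T03:10:00Z", "EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.7"}
{"TimeCreated": "2025-07-15T03:12:00Z", "EventID": 1102, "SubjectUserName": "alice", "IpAddress": "-"}
{"TimeCreated": "2025-07-15T03:13:00Z", "EventID": 4616, "SubjectUserName": "alice", "IpAddress": "-"}
{"TimeCreated": "2025-07-15T04:00:00Z", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines records into dicts with TimeCreated as a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.strptime(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def classify(events: list[dict]) -> list[dict]:
    """Keep only watchlisted events, tagged with the answer's category and description."""
    hits = []
    for ev in events:
        entry = WATCHLIST.get(ev["EventID"])
        if entry:
            category, description = entry
            hits.append({"category": category, "description": description, "event": ev})
    return hits


def detect_failed_logon_bursts(events: list[dict], threshold: int = 5,
                               window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Flag (account, source IP) pairs with >= threshold 4625 events in any sliding window."""
    groups: dict[tuple, list[datetime]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            groups[(ev.get("TargetUserName"), ev.get("IpAddress"))].append(ev["TimeCreated"])
    bursts = []
    for (user, ip), times in groups.items():
        times.sort()
        for i, start in enumerate(times):
            end = i
            # Extend the window forward while events still fall inside it.
            while end + 1 < len(times) and times[end + 1] - start <= window:
                end += 1
            count = end - i + 1
            if count >= threshold:
                bursts.append({"user": user, "ip": ip, "count": count,
                               "first": start, "last": times[end]})
                break  # one alert per (account, source) is enough
    return bursts


def summarize(text: str, threshold: int = 5,
              window: timedelta = timedelta(minutes=5)) -> dict:
    """Run the full pass and return counts, bursts and audit-tampering hits."""
    events = parse_events(text)
    hits = classify(events)
    by_category = Counter(h["category"] for h in hits)
    tampering = [(h["event"]["EventID"], h["description"])
                 for h in hits if h["event"]["EventID"] in TAMPERING_IDS]
    return {
        "total_events": len(events),
        "watchlisted": len(hits),
        "by_category": dict(by_category),
        "bursts": detect_failed_logon_bursts(events, threshold, window),
        "audit_tampering": tampering,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    print(json.dumps(result, indent=2, default=str))
```

On a live host the same records come from the Security log via `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4649,4732,4740,1102,4719,4616,4660,4674}` (or a forwarder feeding the SIEM), after which the logic above applies unchanged. The burst threshold is an environment-specific tuning value: a lone 4625 is routine, while a tight cluster from one source against one account is what merits an alert, whereas 1102, 4719 and 4616 are worth alerting on individually because they point at someone covering tracks rather than at normal use.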

