First published: 27 May 2025
Last updated: 27 May 2025

Content written for

Large organisations & infrastructure
Government
Introduction

In this publication, the authoring agencies provide cyber security practitioners with detailed recommendations on the logs that should be prioritised for ingestion by a Security Information and Event Management (SIEM) platform. The recommendations in this publication should be treated as generic advice; each organisation should tailor the collection, centralisation and analysis of logs to its specific environment and risk profile. Practitioners should also build up the number and types of data sources ingested by the SIEM gradually, rather than adding them all at once. The authoring agencies recommend referring to vendor-specific guidance, where available, for information tailored to each operating system.

This publication is therefore generally intended for the team(s) responsible for establishing and maintaining their organisation’s SIEM. However, a hunt or blue team can also use its guidance on priority event IDs as a starting point to search for adversary activity or to build a baseline of business-as-usual activity on the organisation’s network.

Note on terminology: All SIEM platforms have a log ingestion function. Some Security Orchestration, Automation, and Response (SOAR) platforms also perform this function, or have an in-built SIEM. If your organisation uses a SOAR platform with an in-built SIEM, the following recommendations will be relevant to its ingestion of logs.

This series of documents

This publication is one of three in a suite of guidance on SIEM/SOAR platforms:

  • Implementing SIEM and SOAR platforms: Executive guidance
    This document is primarily intended for executives. It defines SIEM/SOAR platforms, outlines their benefits and challenges, and provides broad recommendations for implementation that are relevant to executives.
  • Implementing SIEM and SOAR platforms: Practitioner guidance
    This document is intended for cyber security practitioners. In greater technical detail, it defines SIEM/SOAR platforms, outlines their benefits and challenges, and provides best practice principles for implementation.
  • Priority logs for SIEM/SOAR ingestion: Practitioner guidance
    This document is again intended for cyber security practitioners and provides detailed, technical guidance on the logs that should be prioritised for SIEM ingestion. It covers log sources including Endpoint Detection and Response tools, Windows/Linux operating systems, and Cloud and Network devices.

This guidance should be read alongside Best practices for event logging and threat detection, which provides high-level recommendations on developing a logging strategy.

Risk considerations

As above, logging decisions should be based on the organisation's specific environment and risk profile. While the below recommendations provide a starting point, it is critical that organisations model their threats and risks and select data sources most relevant to their risk profile. For each data source, your organisation should assess:

  • its purpose or use case – the authoring agencies discourage logging for the sake of logging
  • its prioritisation – higher priority data sources should be ingested into new SIEM deployments first and their health should be regularly checked. This document provides a suggested order of prioritisation by broad category of data source.
  • the volume of logs it may generate. For example, the volume of firewall or Domain Name System (DNS) logs may overshadow the importance of the information received.
  • its analytical value. For example, high volume data sources may be queried for anomalies in timing. They may also be queried for correlations against other data sources (for instance, analysing high volume firewall logs against threat intelligence-identified malicious IP addresses).
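The two analytical uses named above for a high-volume source (correlation against threat-intelligence IP addresses, and anomalies in timing) can both be expressed as small queries over the same firewall records. The following is an added example and not code from the publication: the firewall log lines, the key=value layout and the indicator list are constructed for illustration (documentation-range IP addresses), and the coefficient-of-variation threshold is an assumption to tune per environment.

```python
"""Correlate firewall flows against a threat-intelligence IP list and flag
(src, dst) pairs whose connections recur at machine-regular intervals.
Added example; log lines and indicators below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall lines in a simple "timestamp key=value ..." layout.
# Real firewalls differ: adapt parse_line() to the vendor's format.
SAMPLE_LOG = """\
2025-05-27T09:00:00Z action=allow src=10.0.5.21 dst=203.0.113.7 dport=443 proto=tcp
2025-05-27T09:00:30Z action=allow src=10.0.5.21 dst=203.0.113.7 dport=443 proto=tcp
2025-05-27T09:01:00Z action=allow src=10.0.5.21 dst=203.0.113.7 dport=443 proto=tcp
2025-05-27T09:01:30Z action=allow src=10.0.5.21 dst=203.0.113.7 dport=443 proto=tcp
2025-05-27T09:02:00Z action=allow src=10.0.5.21 dst=203.0.113.7 dport=443 proto=tcp
2025-05-27T09:00:05Z action=allow src=10.0.5.22 dst=198.51.100.10 dport=443 proto=tcp
2025-05-27T09:07:41Z action=allow src=10.0.5.22 dst=198.51.100.10 dport=443 proto=tcp
2025-05-27T09:21:03Z action=allow src=10.0.5.22 dst=198.51.100.10 dport=443 proto=tcp
2025-05-27T09:22:00Z action=deny src=10.0.5.23 dst=192.0.2.44 dport=22 proto=tcp
2025-05-27T09:25:00Z action=allow src=10.0.5.22 dst=198.51.100.10 dport=443 proto=tcp
"""

# Constructed threat-intelligence indicators (not real malicious addresses).
THREAT_INTEL_IPS = {"203.0.113.7", "192.0.2.44"}


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; 'ts' is a datetime."""
    ts, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def threat_intel_hits(records, indicators):
    """Correlation: every flow whose destination is a known indicator.
    Denied flows are kept as well, since a blocked connection still tells
    you which internal host attempted to reach the address."""
    return [(r["ts"].isoformat(), r["src"], r["dst"], r["action"])
            for r in records if r["dst"] in indicators]


def beaconing_candidates(records, min_events=4, max_cv=0.2):
    """Timing anomaly: for each (src, dst) pair with at least min_events
    allowed flows, compute the coefficient of variation (stdev / mean) of the
    gaps between consecutive flows. Near-zero variation means the connections
    are spaced like a timer, not like a person browsing."""
    flows = defaultdict(list)
    for r in records:
        if r["action"] == "allow":
            flows[(r["src"], r["dst"])].append(r["ts"])
    candidates = {}
    for pair, times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            candidates[pair] = {"events": len(times), "mean_gap_s": avg, "cv": round(cv, 3)}
    return candidates


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in threat_intel_hits(recs, THREAT_INTEL_IPS):
        print("threat-intel match:", hit)
    for pair, info in beaconing_candidates(recs).items():
        print("regular-interval candidate:", pair, info)
```

On the constructed input, six flows match the indicator list (five allowed and one denied), and only the 10.0.5.21 to 203.0.113.7 pair is flagged for timing: its five connections are exactly 30 seconds apart, whereas the 10.0.5.22 pair has irregular gaps and is left alone. Both queries run over the full firewall volume without needing the SIEM to retain every denied flow.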

Architectural considerations

A key premise of this publication is that the architecture of logging involves a two-stage process:

  1. log creation, collection and transfer to a centralisation point
  2. ingestion of those logs by the SIEM, either directly from the source or from the centralisation point.

Organisations are likely to have legal or regulatory reasons for logging a variety of sources and sending these logs to a centralised location. However, the authoring agencies strongly discourage using a SIEM as the central repository for all logs. A SIEM should only be used for centralisation of specific security logs according to the organisation’s risk profile.

Prioritised logging list

This document presents tables of logging events in a loose prioritisation by category of data source. The logging tables are not intended to be complete, nor is the order applicable to every organisation. The authoring agencies recommend that organisations treat the following prioritisation as a starting point for a typical enterprise network environment. Organisations may need to account for reliability, the visibility each log or log type provides, the potential performance impacts of ingestion, and the organisational cost of maintaining and analysing this data. Organisations may also need to adjust the prioritisation based on their unique threats, capabilities and needs.

For Active Directory (AD) event IDs, group policy changes have been included as an additional reference at the end of this document.

Priority logs for SIEM ingestion footnote legend

The following authoring agency documents are referenced within this document and presented as footnotes throughout the document:

  1. CCST - Cloud Computing Security for Tenants | Cyber.gov.au
  2. CCSCSP - Cloud Computing Security for Cloud Service Providers | Cyber.gov.au
  3. DMADC – Detecting and mitigating Active Directory compromises | Cyber.gov.au
  4. WELF - Windows Event Logging and Forwarding | Cyber.gov.au
  5. HMWW - Hardening Microsoft Windows 10 and Windows 11 Workstations | Cyber.gov.au

Detailed logging guidance

The following categories of data source are loosely in order of prioritisation.

1. Endpoint detection and response (EDR) logs

Endpoint Detection and Response (EDR) Logs

Category | Subcategory | Event
AmCache | Registry file used during process creation | All
Antivirus | Signature detection | All
Antivirus | Reputational alert | All
Antivirus | Other detections | All
Network Connections & Ports | Ports (recent or active) | All
Network Connections & Ports | Protocols (recent or active) | All
Network Connections & Ports | IPs (recent or active) | All
Dynamic-Link Libraries | Wrong path DLLs | All
Scheduled Tasks | Existing | Modification
Scheduled Tasks | Creation | All
File Events | Unsuccessful unauthorised file access attempts | All
File Events | Execution | All
File Events | Downloads | All
File system changes | User profile creation | All
File system changes | User profile registry keys | Modification
File system changes | User profile files | Modification
System Information | System name | All
System Information | Hostname | All
System Information | Timestamp | All
System Information | Timezone | All
System Information | OS info | All
System Information | Processor | All
DNS Cache | Domain name resolution | All
DNS Cache | Network connections | All
Windows Registry | Last modified time | All
Windows Registry | Modifications | All
Windows Registry | Hive location | All
Windows Services | Service name | All
Windows Services | Description name | All
Windows Services | Service description | All
Windows Services | PID | All
Windows Services | Path | All
Windows Services | Arguments | All
Windows Services | Service status | All
Windows Services | Service type | All
Windows Services | ServiceDLL | All
Windows Services | Registry key last modified timestamp | All
Command History | Recently run commands | All
Prefetch | System boot | All
Prefetch | Applications launched | All
Alternate Data Streams | Any | All
Browser History | Typed URL cache | All
ShimCache | PE file metadata | Modification
Shellbags | GUI preferences | All
Registry | Registry modification | All
LNK Files | Shortcut execution | Creation/Modification
Background Activity Moderator (BAM) | Process activity | Modification
Jump Lists | Execution | Creation/Modification

2. Network device logs

Network Device Logs

Function | Subcategory | Event
Firewall | Ingress data flows | Denied
Firewall | Egress | Denied
Firewall | Egress | Allowed
Firewall | Ingress (Optional) | Allowed
Firewall | Running-state | Modification
Firewall | Configuration | Modification
Firewall | Configuration read/dump | All
Firewall | Authentication and authorisation | All
Firewall | System change events | All
Core Routers/Switches | Ingress | NetFlow
Core Routers/Switches | Authentication and authorisation | All
Core Routers/Switches | Egress | NetFlow
Core Routers/Switches | Running-state | Modification
Core Routers/Switches | System change events | All
Core Routers/Switches | Configuration read/dump | All
Core Routers/Switches | Configuration | Modification
Routers/Switches | Routing table | Modification
Routers/Switches | Authentication and authorisation | All
Routers/Switches | Critical servers/services (subnets – VLANs) | NetFlow
Routers/Switches | Admin/IT security (subnets – VLANs) | NetFlow
Routers/Switches | Development subnets and VLANs | NetFlow
Routers/Switches | Running-state | Modification
Routers/Switches | System change events | All
Routers/Switches | Configuration read/dump | All
Routers/Switches | Configuration | Modification
Intrusion Detection/Prevention Systems | Security alerts | Notification
Intrusion Detection/Prevention Systems | Authentication and authorisation | All
Intrusion Detection/Prevention Systems | Running-state | Modification
Intrusion Detection/Prevention Systems | System change events | All
Intrusion Detection/Prevention Systems | Configuration read/dump | All
Intrusion Detection/Prevention Systems | Configuration | Modification
Application Layer Gateways | Content inspection logs | All
Application Layer Gateways | Authentication and authorisation | All
Application Layer Gateways | Running-state | Modification
Application Layer Gateways | System change events | All
Application Layer Gateways | Configuration read/dump | All
Application Layer Gateways | Configuration | Modification
Network Access Controls (NAC) | NAC authentication events | All
Border Firewall | Ingress data flows | Denied
Border Firewall | Authentication and authorisation | All
Border Firewall | Egress | Allowed
Border Firewall | Ingress (Optional) | Allowed
Border Firewall | Running-state | Modification
Border Firewall | Configuration | Modification
Border Firewall | Configuration read/dump | All
Border Firewall | System change events | All
Border Routers / Load Balancers | Ingress | NetFlow
Border Routers / Load Balancers | Authentication and authorisation | All
Border Routers / Load Balancers | Egress | NetFlow
Border Routers / Load Balancers | Running-state | Modification
Border Routers / Load Balancers | System change events | All
Border Routers / Load Balancers | Service/process restart | All
Border Routers / Load Balancers | Service/process reload | All
Border Routers / Load Balancers | Configuration read/dump | All
Border Routers / Load Balancers | Configuration | Modification
Web Proxies | Web query logs | All
Web Proxies | Authentication and authorisation | All
Web Proxies | SSL/TLS inspection | All
Web Proxies | Running-state | Modification
Web Proxies | Service/process restart | All
Web Proxies | Service/process reload | All
Web Proxies | System change events | All
Web Proxies | Configuration read/dump | All
Web Proxies | Configuration | Modification
Virtual Private Network (VPN) | Allowed connections | All
Virtual Private Network (VPN) | Denied connections | All
Virtual Private Network (VPN) | Authentication and authorisation | All
Virtual Private Network (VPN) | Configuration read/dump | All
Virtual Private Network (VPN) | Running-state | Modification
Virtual Private Network (VPN) | System change events | All
Virtual Private Network (VPN) | Configuration | Modification
Virtual Private Network (VPN) | Timestamp | All
Virtual Private Network (VPN) | Event type [CONNECTED, DISCONNECTED, FAILED, or UNKNOWN] | All
Virtual Private Network (VPN) | Origin IDs | All
Virtual Private Network (VPN) | Origin type | All
Virtual Private Network (VPN) | User ID | All
Virtual Private Network (VPN) | Organisation ID | All
Virtual Private Network (VPN) | Session ID | All
Virtual Private Network (VPN) | Session type | All
Virtual Private Network (VPN) | VPN profile | All
Virtual Private Network (VPN) | Public IP | All
Virtual Private Network (VPN) | Assigned IP | All
Virtual Private Network (VPN) | Connected at | All
Virtual Private Network (VPN) | Disconnection reason | All
Virtual Private Network (VPN) | Hostname | All
Virtual Private Network (VPN) | OS version | All
Virtual Private Network (VPN) | VPN version | All
Virtual Private Network (VPN) | User agent | All
Mail Appliance | IP and domain reputation | All
Mail Appliance | Sender | All
Mail Appliance | Recipients | All
Mail Appliance | Subject name | All
Mail Appliance | Attachment names | All

3. Microsoft Domain Controller

Please see additional references at the end of this document for the group policy changes relevant to the following event IDs.

Microsoft Domain Controller Log Types

Category | Subcategory | Event ID
Account Logon | Audit Credential Validation | 4776 (S, F)
Account Logon | Audit Kerberos Authentication Service | 4768[1] (S, F)
Account Logon | Audit Kerberos Service Ticket Operations | 4769[2] (S, F)
Account Management | Audit Computer Account Management[3] | 4741[4], 4742, 4743
Account Management | Audit Other Account Management Events[5] | 4739
Account Management | Audit Security Group Management[6] | 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764
Account Management | DCSync | 4928, 4929
Account Management | Audit User Account Management[7] | 4675[8], 4720, 4722, 4723, 4724[9], 4725, 4726, 4738[10], 4740[11], 4767, 4780, 4781, 4794, 5376, 5377
Certificate Services | Service failure | 39[12]
Certificate Services | Service did not start | 40[13]
Certificate Services | Incompatible SID | 41[14]
Certificate Services | Certificate export | 70[15]
Certificate Services | CA database backup | 4876[16]
Certificate Services | Certificate request | 4886[17]
Certificate Services | Certificate issued | 4887[18]
Certificate Services | Template update | 4899[19]
Certificate Services | Template security updated | 4900[20]
Detailed Tracking | Audit DPAPI Activity | 4695
Detailed Tracking | Audit Process Creation[21] | 4688[22], 4696
Detailed Tracking | Audit Process Termination[23] | 4689
Detailed Tracking | Include command line in process creation events[24] | 4688
DS Access | Audit Directory Service Access | 4661, 4662[25]
DS Access | Audit Directory Service Changes | 5136[26], 5137, 5138, 5139, 5141
Dumping | Shadow copy | 8222[27]
Federation Services[28] | Configuration change | 307[29]
Federation Services | Additional info to support Event ID 307 | 510[30]
Federation Services | Signing certificate export | 1007[31]
Federation Services | Audit log cleared | 1102[32]
Federation Services | Token issued | 1200[33]
Federation Services | New credential validation | 1202[34]
Kerberos | Logon ticket | 4678
Kerberos | Service ticket | 4679
Kerberos | Renewed ticket | 4770[35]
LDAP | Bind | 2889[36]
Logon and Logoff | Audit Account Lockout[37] | 4625[38] (F)
Logon and Logoff | Audit Logoff[39] | 4634 (S), 4647 (S)
Logon and Logoff | Audit Logon[40] | 4624[41], 4625[42], 4627[43], 4634, 4647, 4648[44], 4779
Logon and Logoff | Audit Special Logon[45] | 4964 (S), 4672 (S)
Object Access | Audit Kernel Object | 4663[46] (S)
Object Access | Audit Other Object Access Events[48] | 4671 (-), 4691 (S), 5148 (F), 5149 (F), 4698 (S), 4699 (S), 4700 (S), 4701 (S), 4702 (S), 5888 (S), 5889 (S), 5890 (S)
Privilege Use | Audit Sensitive Privilege Use | 4673[48] (S, F), 4674[49] (S, F), 4985 (S, F)
Policy Change | Audit Authentication Policy Change | 4670 (S), 4706 (S), 4707 (S), 4716 (S), 4713 (S), 4717 (S), 4718 (S), 4739 (S), 4864 (S), 4865 (S), 4866 (S), 4867 (S)
Policy Change | Audit Authorisation Policy Change | 4703[50] (S, F)
Policy Change | Audit Policy Change[51] | 4719 (S, F)
Policy Change | Audit Other Policy Change[52] | 4719 (S, F)
System | Audit IPsec Driver | 4960 (S), 4961 (S), 4962 (S), 4963 (S), 4965 (S), 5478 (S), 5479 (S), 5480 (F), 5483 (F), 5484 (F), 5485 (F)
System | Audit Security State Change | 4608 (S), 4616 (S), 4621 (S)
System | Audit Security System Extension | 4610, 4611, 4614, 4622, 4697[53]
System | Audit System Integrity[54] | 4612, 4615, 4618, 5038, 5056, 5061, 5890, 6281, 6410
System | Local Security Authority Subsystem Service | 3033[55], 3063[56]

4. Active Directory (AD) and Domain Service security logs

Please see additional references at the end of this document for the group policy changes relevant to the following event IDs.

Active Directory (AD) and Domain Service Security Logs

Category | Subcategory | Event ID
System Integrity | Security event pattern occurred | 4618
Logon/Logoff | Replay attack - detected | 4649
Logon/Logoff | Special groups assigned new logon | 4964
Directory Service Access | An operation was performed on an object | 4662[57]
Object Access | Permissions - changed | 4670
Object Access | Role separation enabled | 4897
Privileged Use | Privileged service - called | 4673[58]
Process Tracking | Protection of auditable protected data was attempted | 4694
User Rights[59] | User right - adjusted | 4703[60]
User Rights | User right - assigned | 4704
User Rights | User right - removed | 4705
Domain | New trust created | 4706
Domain | Trust removed | 4707
Account Management | Reset of account password | 4724
Account Management | Domain policy - changed[61] | 4739
Security-enabled Global Group | Member - added | 4728
Security-enabled Global Group | Member - removed | 4729
Security-enabled Global Group | Group - change | 4737
Security-enabled Local Group | Member - added | 4732
Security-enabled Local Group | Member - removed | 4733
Security-enabled Local Group | Group - change | 4735
Security-enabled Universal Group | Group - change | 4755
Security-enabled Universal Group | Member - added | 4756
Security-enabled Universal Group | Member - removed | 4757
SID History | Account add - success | 4765
SID History | Account add - fail | 4766
Kerberos | Kerberos policy changed | 4713
Kerberos | TGT authentication ticket requested | 4768[62]
Kerberos | Service ticket requested | 4769[63]
Kerberos | Pre-authentication failure | 4771[64]
Kerberos | Service ticket denied | 4821
Kerberos | Pre-authentication failed using DES or RC4 | 4824
User Account Management | ACL set - administrators group(s) | 4780
User Account Management | Directory Services Restore Mode - administrator password | 4794
NTLM authentication[65] | Failed | 4822
OCSP Responder service | Security settings updated | 5124
Directory Replication Agent (DRA) | Intersite replication | 1102
Directory service object | Directory service object - modified | 5136[66]
Directory service object | Directory service object - created | 5137
Directory service object | Directory service object - deleted | 5141
User Account[67] | User account - disabled | 4725
User Account | User account - deleted | 4726
User Account | User account - changed[68] | 4738[69]
User Account | Attempted validation of credentials | 4776
Certificate Services | Service failure | 39[70]
Certificate Services | Service did not start | 40[71]
Certificate Services | Incompatible SID | 41[72]
Certificate Services | Certificate export | 70[73]
Certificate Services | CA database backup | 4876[74]
Certificate Services | Certificate request | 4886[75]
Certificate Services | Certificate issued | 4887[76]
Certificates | Template update | 4899[77]
Certificates | Template security updated | 4900[78]

5. Microsoft Windows endpoints logs

Please see additional references at the end of this document for the group policy changes relevant to the following event IDs.

Microsoft Windows Endpoint Logs

Category | Subcategory | Event ID
Windows Application Event Logs | Process creation | 1 (Sysmon[79])
Windows Application Event Logs | Crashes (including error messaging) | 1001
Windows Task Scheduler Event Logs[80] | Task triggered by computer start-up | 118
Windows Task Scheduler Event Logs | Task triggered on logon | 119
Windows Task Scheduler Event Logs | Created task process | 129
Windows Task Scheduler Event Logs | Action started | 200
Windows PowerShell Event Logs[81] | Module event | 4103[82]
Windows PowerShell Event Logs | Script block event | 4104[83]
Windows PowerShell Event Logs | Engine lifecycle | 400
Windows WMI Activity/Operational Event Logs[84] | ESS started | 5859
Windows WMI Activity/Operational Event Logs | Temporary ESS started | 5860
Windows WMI Activity/Operational Event Logs | ESS to consumer binding | 5861
Windows WMI Activity/Operational Event Logs | Operation started | 5857
Windows WMI Activity/Operational Event Logs | Client failure | 5858
Windows Security Event Logs | Audit log cleared | 1102[85][86]
Windows Security Event Logs | Local Security Authority (LSA) - authentication package loaded | 4610
Windows Security Event Logs | LSA - trusted logon process registered | 4611
Windows Security Event Logs | Security Account Manager - notification package loaded | 4614
Windows Security Event Logs | LSA - security package loaded | 4622
Windows Security Event Logs | Account logon[87] - success | 4624[88]
Windows Security Event Logs | Account logon[89] - failure | 4625[90]
Windows Security Event Logs | Account logon - explicit credentials | 4648
Windows Security Event Logs | Object handle - request | 4656[91]
Windows Security Event Logs | Object access - failure | 4663[92]
Windows Security Event Logs | Special privileges - new logon | 4672[93]
Windows Security Event Logs | New process - created | 4688
Windows Security Event Logs | Service - installed | 4697[94], 7045
Windows Security Event Logs | Scheduled task - created[95] | 4698
Windows Security Event Logs | Scheduled task - updated[96] | 4702
Windows Security Event Logs | System security access - granted | 4717
Windows Security Event Logs | System security access - removed | 4718
Windows Security Event Logs | System audit policy - changed | 4719
Windows Security Event Logs | User account - created | 4720[97]
Windows Security Event Logs | User account - enabled | 4722[98]
Windows Security Event Logs | Change to account password (failure) | 4723
Windows Security Event Logs | Member - added (security-enabled local group) | 4732
Windows Security Event Logs | Kerberos ticket-granting ticket (TGT) denied | 4820
Windows Security Event Logs | Special groups assigned new logon | 4964
Windows Security Event Logs | Object handle closed | 4658
Windows Security Event Logs | Process exited | 4689
Windows Security Event Logs | Scheduled task - deleted[99] | 4699
Windows Security Event Logs | Scheduled task - disabled[100] | 4701
AppLocker | Policy incorrectly applied | 8000
AppLocker | Disabled | 8008
AppLocker | Policy changed/applied | 8001
AppLocker | Change of mode (enforcement to audit) |
AppLocker | EXE or DLL blocked | 8004
AppLocker | Script or Microsoft Software Installer (MSI) blocked | 8007
AppLocker | File was prevented from running | 8022, 8025
AppLocker | Packaged app failure due to lack of packaged app rules | 8027
AppLocker | Config CI policy prevented file or package from running | 8029, 8036, 8040
AppLocker | ManagedInstaller script check SUCCEEDED/FAILED | 8032, 8035
Windows System Log | Handle scavenged | 1017
Windows Extensible Storage Engine Technology (ESENT) Application | Database location change | 216[101]
Windows Extensible Storage Engine Technology (ESENT) Application | New database | 325
Windows Extensible Storage Engine Technology (ESENT) Application | Mounting of an NTDS.dit file | 326
Windows Extensible Storage Engine Technology (ESENT) Application | Database detachment | 327
Windows Extensible Storage Engine Technology (ESENT) Application | New flush map file | 637[102]
Windows Terminal Services Local Session Manager | New local session | 21
Windows Terminal Services Local Session Manager | Shell start notification received | 22
Windows Terminal Services Local Session Manager | Successful session logoff | 23
Windows Terminal Services Local Session Manager | Session disconnect | 24
Windows Terminal Services Local Session Manager | Session reconnect | 25
Windows Defender Application Control | File was blocked | 3077
Windows Defender Application Control | Signature | 3089
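The Security-log rows above are the kind of allow-list a SIEM ingestion filter is built from: events whose ID is in the table are shipped, everything else stays in the central log store. The following is an added example, not code from the publication or from Microsoft: the event records are constructed (field names loosely follow what a parsed Windows Event Forwarding subscription delivers, which is an assumption), and the correlation rule, a 4719 audit-policy change on the same host shortly before a 1102 log-cleared event, is this example's own.

```python
"""Filter a Windows event stream down to the priority Security/System event
IDs from the endpoint table, then run one correlation over what was kept.
Added example; the sample events are constructed, not real telemetry."""
from datetime import datetime, timedelta

# Priority Security-log event IDs from the endpoint table, with the table's
# short descriptions. 7045 (service installed) is a System-log event.
PRIORITY_SECURITY_EVENTS = {
    1102: "Audit log cleared",
    4610: "LSA authentication package loaded",
    4611: "LSA trusted logon process registered",
    4614: "SAM notification package loaded",
    4622: "LSA security package loaded",
    4624: "Account logon - success",
    4625: "Account logon - failure",
    4648: "Logon with explicit credentials",
    4656: "Object handle requested",
    4658: "Object handle closed",
    4663: "Object access - failure",
    4672: "Special privileges assigned to new logon",
    4688: "New process created",
    4689: "Process exited",
    4697: "Service installed",
    4698: "Scheduled task created",
    4699: "Scheduled task deleted",
    4701: "Scheduled task disabled",
    4702: "Scheduled task updated",
    4717: "System security access granted",
    4718: "System security access removed",
    4719: "System audit policy changed",
    4720: "User account created",
    4722: "User account enabled",
    4723: "Password change attempt failed",
    4732: "Member added to security-enabled local group",
    4820: "Kerberos TGT denied",
    4964: "Special groups assigned to new logon",
}
PRIORITY_SYSTEM_EVENTS = {7045: "Service installed"}

# Constructed sample events; each dict mimics one parsed forwarded event.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Channel": "Security", "Computer": "WS01", "TimeCreated": "2025-05-27T08:00:00", "TargetUserName": "alice"},
    # Windows Filtering Platform event: very high volume and not in the table.
    {"EventID": 5156, "Channel": "Security", "Computer": "WS01", "TimeCreated": "2025-05-27T08:00:01"},
    {"EventID": 4719, "Channel": "Security", "Computer": "WS01", "TimeCreated": "2025-05-27T08:05:00", "SubjectUserName": "alice"},
    {"EventID": 1102, "Channel": "Security", "Computer": "WS01", "TimeCreated": "2025-05-27T08:07:30", "SubjectUserName": "alice"},
    {"EventID": 7045, "Channel": "System", "Computer": "WS02", "TimeCreated": "2025-05-27T08:10:00", "ServiceName": "UpdaterSvc"},
    {"EventID": 1102, "Channel": "Security", "Computer": "WS03", "TimeCreated": "2025-05-27T09:00:00", "SubjectUserName": "bob"},
]


def is_priority(event):
    """True when the event's ID is in the priority table for its channel."""
    tables = {"Security": PRIORITY_SECURITY_EVENTS, "System": PRIORITY_SYSTEM_EVENTS}
    return event["EventID"] in tables.get(event["Channel"], {})


def select_for_ingestion(events):
    """Keep only table events; the rest stay in the central log store."""
    return [e for e in events if is_priority(e)]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def audit_tampering_alerts(events, window=timedelta(minutes=15)):
    """A 1102 on its own is worth an alert; a 4719 on the same host within
    `window` before it suggests auditing was weakened and then the trace of
    that change was cleared, so it is rated higher."""
    alerts = []
    policy_changes = [e for e in events if e["EventID"] == 4719]
    for cleared in (e for e in events if e["EventID"] == 1102):
        preceded = any(p["Computer"] == cleared["Computer"]
                       and timedelta(0) <= _ts(cleared) - _ts(p) <= window
                       for p in policy_changes)
        alerts.append({
            "computer": cleared["Computer"],
            "user": cleared.get("SubjectUserName"),
            "severity": "high" if preceded else "medium",
            "reason": "audit policy changed then log cleared" if preceded else "security log cleared",
        })
    return alerts


if __name__ == "__main__":
    kept = select_for_ingestion(SAMPLE_EVENTS)
    print(f"{len(kept)} of {len(SAMPLE_EVENTS)} events selected for SIEM ingestion")
    for alert in audit_tampering_alerts(kept):
        print(alert)
```

Five of the six constructed events pass the filter (the 5156 filtering-platform event is dropped), and the correlation produces two alerts: a high-severity one for WS01, where the log was cleared two and a half minutes after the audit policy changed, and a medium one for WS03. Keeping the filter as a data table rather than hard-coded conditions makes it easy to extend row by row as further sources from this document are onboarded.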

6. Virtualisation system logs

Virtualisation System Logs

Category | Subcategory | Event
User Authentication | Logon (success and failure) | All
User Authentication | Privileged access (success and failure) | All
User and Administrator/Root Access and Actions | File and object access | All
User and Administrator/Root Access and Actions | Audit log access (success and failure) | All
User and Administrator/Root Access and Actions | System access (failure) | All
System Performance and Operational Characteristics | Resource utilisation | All
System Performance and Operational Characteristics | Process status |
System Performance and Operational Characteristics | System events | All
System Performance and Operational Characteristics | Service status changes | All
System Configuration | Changes to security configuration (success/failure) | All
System Configuration | Changes to hypervisor | All
System Configuration | Changes to VMs | All
System Configuration | Changes made within VMs | All
System Configuration | Audit log cleared | All
Creation of VMs | Source | All
Creation of VMs | Target systems | All
Creation of VMs | Time | All
Creation of VMs | Authorisation | All
Deployment of VMs | Source | All
Deployment of VMs | Target systems | All
Deployment of VMs | Time | All
Deployment of VMs | Authorisation | All
Migration of VMs | Source | All
Migration of VMs | Target systems | All
Migration of VMs | Time | All
Migration of VMs | Authorisation | All
System-Level Objects | Creation and deletion | All

7. Operational technology logging

Operational Technology (OT) logging integration into a SIEM can be challenging due to the specialised nature of OT systems, which are often vendor-specific and segmented from the environments where the SIEM is typically located. The authoring agencies also note that OT devices often come with limited logging. Where possible, it is recommended that OT devices enable logging and then send and store logs in a centralised location. While implementing a dedicated SIEM specific to the OT environment may be feasible, it would also require staff to develop familiarity with the two systems and event types.

Industrial Control System (ICS) monitoring products offer a solution that can safely ingest, interpret and enrich OT data before either forwarding it to a SIEM or storing it in a central repository. These products can also monitor OT networks and assets, parse OT-native protocols, and generate additional logs carrying the details and contextual metadata needed for the events that are sent on to the SIEM.

In cases where security supersedes other requirements, organisations may implement unidirectional gateways or data diodes to securely transmit log data from the OT environment to the IT SIEM without exposing the OT network to external threats.

Because OT messaging is safety-critical, high-speed and deterministic, organisations should take a conservative approach to logging directly from OT assets and test any logging solution thoroughly before deployment to avoid impacting operations.

8. Cloud platform logging [103][104]

Logging for cloud services may not be enabled by default, and every application may have its own logging format, or no logging at all. The recommendations below are only a sample of what may be logged; organisations should seek advice from their cloud service provider and cloud application provider on security logging that meets the organisation’s security requirements and risk profile.

See Best practices for event logging and threat detection for more on this.

Logging priorities for cloud computing

The authoring agencies recommend organisations adjust event logging practices according to the cloud service model that is administered, whether infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS). For example, IaaS places a significant amount of the logging responsibility on the tenant, whereas SaaS places a significant amount of it on the provider. Organisations should therefore coordinate closely with their cloud service provider to understand the shared-responsibility model that is in place, as it will likely influence their logging priorities. Logging priorities may also be influenced by the deployment model (public, private, hybrid, community). Where privacy and data sovereignty laws apply, logging priorities may also be influenced by the location of the cloud service provider’s infrastructure.

See the National Security Agency’s Manage Cloud Logs for Effective Threat Hunting[105] guidance for additional information.

Organisations should prioritise the following log sources in their use of cloud computing services:

  • critical systems and data holdings likely to be targeted
  • internet-facing services (including remote access) and, where applicable, their underlying server operating systems
  • use of the tenant’s user accounts that access and administer cloud services
  • logs for administrative configuration changes
  • logs for the creation, deletion and modification of all security principals, including setting and changing permissions
  • authentication successes and/or failures to third-party services (for example Security Assertion Markup Language (SAML) / Open Authorization (OAuth))
  • logs generated by the cloud services, including logs for cloud Application Programming Interfaces (APIs), all network-related events, compliance events and billing events.

Amazon Web Services logs

Amazon Web Services Logs

Category | Subcategory | Event
Amazon Web Services | CloudTrail logs | All
Amazon Web Services | Server access logs | All
Amazon Web Services | Web access to S3 buckets | All
Amazon Web Services | Load balancer logs | All
Amazon Web Services | Proxied web requests | All
Amazon Web Services | Breakglass account use | All
Amazon Web Services | VPC network flow logs | All
Secrets Manager | ListSecrets | All
Secrets Manager | GetSecretValue | All
S3 | ListBuckets | Errors only
S3 | ListObjects | Errors only
S3 | GetObject | Errors only
S3 | CopyObject | Errors only
S3 | GetObjectAcl | All
S3 | HeadBucket | All
S3 | HeadObject | All
S3 | PutPublicAccessBlock | All
EC2 | CreateKeyPair | All
EC2 | ImportKeyPair | All
EC2 | CreateSnapshots | All
EC2 | RunInstances | All
EC2 | DescribeSecurityGroups | All
EC2 | ModifySecurityGroupRules | All
EC2 | GetPasswordData | All
EC2 | GetConsoleScreenshot | All
EC2 | DescribeInstanceData | Where Attribute='userdata'
VPC | CreateNatGateway | All
VPC | AttachInternetGateway | All
VPC | CreateInternetGateway | All
VPC | CreateEgressOnlyInternetGateway | All
VPC | CreateVpcPeeringConnection | All
VPC | AcceptVpcPeeringConnection | All
EBS direct APIs | GetSnapshotBlock | All
IAM | GetAccountAuthorizationDetails | All
IAM | ListUsers | All
IAM | CreateUser | All
IAM | CreateOpenIDConnectProvider | All
STS | GetCallerIdentity | All
SSM | DescribeParameters | Errors
SSM | GetParameter | Errors
RDS | DescribeDBInstances | All
RDS | DescribeDBClusters | All
DynamoDB | Query | Errors
DynamoDB | Scan | Errors
DynamoDB | ListTables | All
DynamoDB | DescribeTable | Errors
Lambda | GetFunction | All
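The AWS table mixes three kinds of rule: calls ingested unconditionally ("All"), calls ingested only when they failed ("Errors"/"Errors only"), and one call ingested only when a particular request attribute is present (the user-data read). The following added example, which is not code from the publication or from AWS, applies that logic to CloudTrail records. The records are constructed (account ID, ARNs, instance ID and addresses are placeholders), the table's "DescribeInstanceData ... Attribute='userdata'" row is modelled here as the EC2 DescribeInstanceAttribute call with attribute userData, which is this example's assumption about the intended API, and only a subset of the table's rows is encoded to keep the block short.

```python
"""Select CloudTrail records for SIEM ingestion using the AWS table's rules.
Added example; the CloudTrail records below are constructed."""
import json

ALL, ERRORS_ONLY = "all", "errors-only"

# (eventSource, eventName) -> rule, transcribed from the AWS table rows.
INGEST_RULES = {
    ("secretsmanager.amazonaws.com", "ListSecrets"): ALL,
    ("secretsmanager.amazonaws.com", "GetSecretValue"): ALL,
    ("s3.amazonaws.com", "ListBuckets"): ERRORS_ONLY,
    ("s3.amazonaws.com", "ListObjects"): ERRORS_ONLY,
    ("s3.amazonaws.com", "GetObject"): ERRORS_ONLY,
    ("s3.amazonaws.com", "CopyObject"): ERRORS_ONLY,
    ("s3.amazonaws.com", "GetObjectAcl"): ALL,
    ("s3.amazonaws.com", "PutPublicAccessBlock"): ALL,
    ("ec2.amazonaws.com", "CreateKeyPair"): ALL,
    ("ec2.amazonaws.com", "ImportKeyPair"): ALL,
    ("ec2.amazonaws.com", "RunInstances"): ALL,
    ("ec2.amazonaws.com", "ModifySecurityGroupRules"): ALL,
    ("ec2.amazonaws.com", "GetPasswordData"): ALL,
    ("ec2.amazonaws.com", "GetConsoleScreenshot"): ALL,
    ("iam.amazonaws.com", "GetAccountAuthorizationDetails"): ALL,
    ("iam.amazonaws.com", "CreateUser"): ALL,
    ("iam.amazonaws.com", "CreateOpenIDConnectProvider"): ALL,
    ("sts.amazonaws.com", "GetCallerIdentity"): ALL,
    ("ssm.amazonaws.com", "DescribeParameters"): ERRORS_ONLY,
    ("ssm.amazonaws.com", "GetParameter"): ERRORS_ONLY,
    ("dynamodb.amazonaws.com", "Scan"): ERRORS_ONLY,
    ("dynamodb.amazonaws.com", "ListTables"): ALL,
}

# Constructed CloudTrail export (placeholder account, ARNs and addresses).
SAMPLE_TRAIL = """{"Records": [
 {"eventTime": "2025-05-27T01:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-reader"}, "sourceIPAddress": "10.0.0.5",
  "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}},
 {"eventTime": "2025-05-27T01:00:05Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}, "sourceIPAddress": "198.51.100.9",
  "requestParameters": {"bucketName": "example-bucket", "key": "backup.tar"},
  "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
 {"eventTime": "2025-05-27T01:01:00Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}, "sourceIPAddress": "198.51.100.9",
  "requestParameters": {"secretId": "prod/db/password"}},
 {"eventTime": "2025-05-27T01:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstanceAttribute",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}, "sourceIPAddress": "198.51.100.9",
  "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "userData"}},
 {"eventTime": "2025-05-27T01:02:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstanceAttribute",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}, "sourceIPAddress": "10.0.0.7",
  "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "instanceType"}},
 {"eventTime": "2025-05-27T01:03:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}, "sourceIPAddress": "198.51.100.9"},
 {"eventTime": "2025-05-27T01:04:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}, "sourceIPAddress": "10.0.0.7"}
]}"""


def load_records(text):
    return json.loads(text)["Records"]


def ingest_reason(record):
    """Return why a record should be ingested, or None to leave it in the
    central store. A failed call carries an errorCode in CloudTrail."""
    key = (record["eventSource"], record["eventName"])
    if key == ("ec2.amazonaws.com", "DescribeInstanceAttribute"):
        # Table row "Where Attribute='userdata'": only reads of instance user
        # data are interesting, since user data often carries bootstrap secrets.
        attr = record.get("requestParameters", {}).get("attribute", "")
        return "user data read" if attr.lower() == "userdata" else None
    rule = INGEST_RULES.get(key)
    if rule == ALL:
        return "always ingested"
    if rule == ERRORS_ONLY:
        return "failed call" if "errorCode" in record else None
    return None


def filter_trail(records):
    """Records selected for the SIEM, each annotated with its ingest reason."""
    kept = []
    for r in records:
        reason = ingest_reason(r)
        if reason:
            kept.append({**r, "ingestReason": reason})
    return kept


if __name__ == "__main__":
    for r in filter_trail(load_records(SAMPLE_TRAIL)):
        print(r["eventTime"], r["eventName"], r["userIdentity"]["arn"], "->", r["ingestReason"])
```

Four of the seven constructed records are selected: the denied GetObject, the GetSecretValue, the user-data read and the GetCallerIdentity, while the successful GetObject, the instanceType lookup and the untabled DescribeInstances are left out. In practice the "errors only" rows are where most of the volume saving comes from, so it is worth checking a sample of dropped records against the rule table before trusting the filter in production.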

Critical Azure service and app logs

Critical Azure Service and App Logs

Category | Subcategory | Event
Entra & Entra Connect Servers[106] | Unified audit log | All
Entra & Entra Connect Servers | PHS failure | 611[107]
Entra & Entra Connect Servers | AD password synchronisation - start | 650[108]
Entra & Entra Connect Servers | AD password synchronisation - finish | 651[109]
Entra & Entra Connect Servers | Password synchronisation | 656[110]
Entra & Entra Connect Servers | Password change request | 657[111]
Entra & Entra Connect Servers | Audit log cleared | 1102[112]
Entra & Entra Connect Servers | PowerShell – pipeline execution and logs | 4103[113]
Entra & Entra Connect Servers | PowerShell – scripts & commands | 4104[114]
Entra & Entra Connect Servers | Sign-in log | All
Entra & Entra Connect Servers | Managed identity sign-in log | All
Entra & Entra Connect Servers | Non-interactive user sign-in log | All
Entra & Entra Connect Servers | Service principal sign-in log | All
Entra & Entra Connect Servers | ADFS sign-in log | All
Azure Audit Log | Read and write | All
Azure Storage Container Log | Read and write | All
Breakglass account use | Any | All
Microsoft Office 365 | Unified audit log | All
Virtual Machine | Linux operating system log (configured on VM OS) | All
Virtual Machine | Windows operating system log (configured on VM OS) | All

Google Cloud Platform (GCP) logs

Google Cloud Platform (GCP) Logs

Category | Subcategory | Event
Google Cloud Platform | Access Transparency logs | All
Google Cloud Platform | Admin Activity logs | All
Google Cloud Platform | Enterprise Group audit logs | All
Google Cloud Platform | Login audit logs | All
Google Cloud Platform | System Event logs | All
Google Cloud Platform | Policy Denied audit logs | All
Google Cloud Platform | Storage bucket logs | All
Google Cloud Platform | Host VM logs | All
Google Cloud Platform | Platform audit logs | All
Google Cloud Platform | Breakglass account use | All
Google Cloud Platform | VPC firewall logs | All
Google Cloud Platform | VPC network flow logs | All

Google Workspace (GWS) logs

Google Workspace (GWS) Logging

Category | Subcategory | Event
Google Workspace | Access Transparency logs | All
Google Workspace | Admin Activity logs | All
Google Workspace | Context-Aware Access | All
Google Workspace | Device events | All
Google Workspace | Directory Sync events | All
Google Workspace | OAuth events | All
Google Workspace | Password Vaulted Apps events | All
Google Workspace | Rules events | All
Google Workspace | SAML events | All
Google Workspace | Secure LDAP events | All
Google Workspace | User Audit events | All
Google Workspace | Chrome events | All
Google Workspace | Drive events | All
Google Workspace | Gmail events | All
Google Workspace | Graduation events | All
Google Workspace | Takeout events | All

9. Container logs

Container Logs

Category | Subcategory | Event
Container User Logs | Logon (success and failure) | All
Container User Logs | Privileged access (success and failure) | All
Container Service Logs | Audit log changes | All
Container Service Logs | Audit log cleared | All
Container and Application API Audit Logs | File and object access | All
Container and Application API Audit Logs | Audit log access (success and failure) | All
Container and Application API Audit Logs | System access (failure) | All
Container Management Access Logs | Logon (success and failure) | All
Container Management Access Logs | Changes to container RBAC | All
Container Management Access Logs | Service status changes | All
Container Resources | Security configuration changes | All
Container Resources | Changes to container | All
Container Resources | Audit log changes | All
Container Resources | Audit log cleared | All
Container Management Environment | Logon (success and failure) | All
Container Management Environment | Privileged access (success and failure) | All

10. Database logs

Database Logs

Category | Subcategory | Event
User Authentication | Logon (success and failure) | All
User Authentication | Privileged access (success and failure) | All
User Authentication | User roles (changes) | All
User and Administrator Access and Actions | Table and object access | All
User and Administrator Access and Actions | New users / privileged users | All
User and Administrator Access and Actions | Privilege elevation (success and failure) | All
User and Administrator Access and Actions | Audit log access (success and failure) | All
User and Administrator Access and Actions | Executable commands | All
User and Administrator Access and Actions | Passwords | All
User and Administrator Access and Actions | Database permissions | All
User and Administrator Access and Actions | CLI commands | All
Query, Response, and Traceback Characteristics | Query execution | All
Query, Response, and Traceback Characteristics | Method | All
Query, Response, and Traceback Characteristics | Comments or variables | All
Query, Response, and Traceback Characteristics | Multiple embedded queries | All
Query, Response, and Traceback Characteristics | Alerts or failures | All
Query, Response, and Traceback Characteristics | Time to execute query | All
System Configuration | Database structure changes | All
System Configuration | Version updates/rollbacks | All
System Configuration | Keys (including access) | All
System Configuration | User roles or database permissions changes | All

11. Mobile device management

Mobile Device Management

Category | Subcategory | Event
Device Data | Device name change | All
Device Data | Phone number change | All
Device Data | OS version change | All
Device Data | Firmware version change | All
Device Data | Developer mode enabled | All
Device Data | Device synced with enterprise | All
Application Data | Application installation | All
Application Data | Application updates | All
Application Data | Uninstalled applications | All
Application Data | Data storage location | All
Application Data | Application permission changes | All
Device Policy Settings | Enrolment policy (changes) | All
Device Policy Settings | Applied policies (success/fail) | All
Device Policy Settings | Authentication policy changes | All
Device Configuration | Certificate changes | All
Device Configuration | Device encryption configuration changes | All
Device Configuration | Android Enterprise settings changes | All
Device Configuration | System integrity status (failure) | All
Network Configuration | Networks (allowed/disallowed) | All
Network Configuration | Proxy/tunnel | All
Network Configuration | Per-app VPN details | All
Network Configuration | Connected network | All
Network Configuration | Captive portal connections | All
Network Configuration | Network MAC address | All
Network Configuration | Bluetooth connections | All
Network Configuration | Wi-Fi SSID connections | All
Event / Audit / Crash Logs | Event timestamp | All
Event / Audit / Crash Logs | Event type | All
Event / Audit / Crash Logs | User authentication (success/failure) | All
Event / Audit / Crash Logs | Various services (success/failure) | All
Event / Audit / Crash Logs | Event actor | All
Event / Audit / Crash Logs | Event ID | All
Event / Audit / Crash Logs | Event change type (CRUD) | All
MTD Agent Info | Agent status | All
MTD Agent Info | Agent configuration changes | All
MTD Agent Info | Threat detection | All
MTD Agent Info | MITM activities | All
MTD Agent Info | Remediation actions | All
MTD Agent Info | Privilege escalation | All
MTD Agent Info | Phishing protection status | All
MTD Agent Info | Last time device synced with enterprise | All

12. Windows DNS server analytic event logs

Windows DNS Server Analytic Event Logs

Category | Subcategory | Event ID
DNS Server Analytic | Response success | 257
DNS Server Analytic | Response failure | 258
DNS Server Analytic | Ignored query | 259
DNS Server Analytic | Query out | 260
DNS Server Analytic | Response in | 261
DNS Server Analytic | Recursive query timeout | 262
DNS Server Analytic | Update in | 263
DNS Server Analytic | Update response | 264
DNS Server Analytic | Update forward | 277
DNS Server Analytic | Update response in | 278
DNS Server Zone Transfer | DNS server zone transfer successfully completed | 6001

13. Linux endpoint auditing logs

Linux Endpoint Auditing Logs

Category | Subcategory | Event
Audit | Configuration | Modification
Audit | Log files | Modification
Audit Tools | Configuration | Modification
Audit Tools | Reading | Access
Audit Tools | Monitoring | Access
User Access | Sensitive directories and binaries (e.g., /sbin) | All
User Access | Authentication mechanisms (e.g., SSH) | Modification
User Access | Authentication/authorisation configuration change | All
User Access | Login and logout events (/var/log/wtmp) | All
User Access | Session recording | Modification
User Access | Users (+associations), groups (+associations), and passwords | Modification
User Access | SSH session initiation | All
Privileged Events | Privileged system calls | All
Privileged Events | Sudoers/root privileges | Modification
Privileged Events | Login information | Modification
Privileged Events | Sensitive access control levels (e.g., chmod >= 500) | Modification
Privileged Events | Public/private key locations (.ssh directory) | All
Privileged Events | Shell history | Modification
Privileged Events | /etc/passwd using auditctl | All
Privileged Events | Auditing of all privileged functions | All
System Events | Trusted databases (e.g., /etc/passwd) | Modification
System Events | Process ID | Modification
System Events | System file deletion | All
System Events | Drive and file mount operations | All
System Events | Start-up scripts and changes | Modification
System Events | Search paths | Modification
System Events | Special files (e.g., attached block devices) | All
System Events | Mount operations | All
System Events | Swap operations | All
System Events | Standard kernel parameters | All
System Events | Loading and unloading of modules | All
System Events | Package (including sources): installation, removal, reconfiguration | All
System Events | Modification of boot parameters | All
System Events | Modification of mount options | All
System Events | SSSD log files | All
System Events | kexec usage | All
System Events | Cron configurations and logs (/etc/cron and /var/log/cron) | Modification
System Events | Service and system configurations | Modification
File Events | Unsuccessful unauthorised file access attempts | All
Security Events | Common reconnaissance tools, e.g. Netcat | All
Security Events | Suspicious binaries, e.g. code/data/process injections | All
Network Events | Such as hostname changes and connections | All
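Several of the Linux rows above (trusted databases, sudoers, .ssh key locations, cron, module loading, kexec, mount operations, the audit configuration itself) are produced on most distributions by the Linux audit subsystem once matching rules are loaded, and the resulting audit.log records need to be reassembled before they are useful to a SIEM. The following added example, not code from the publication, has two halves: a rule set in auditctl syntax that covers those rows, and a parser that groups audit.log lines by serial number and tags each event with the table category it belongs to. The audit.log lines are constructed; the rule keys (identity, sudoers, ...) and the category mapping are this example's own choices.

```python
"""Audit rules for the Linux table rows, and a parser that turns the
resulting audit.log records into SIEM-ready events.
Added example; the audit.log lines below are constructed."""
import re
from collections import defaultdict

# Rules in auditctl syntax: -w watches a path, -p selects access types
# (w = write, a = attribute change), -S names syscalls, -k tags records.
AUDIT_RULES = {
    "identity":  ["-w /etc/passwd -p wa -k identity",
                  "-w /etc/shadow -p wa -k identity",
                  "-w /etc/group -p wa -k identity"],
    "sudoers":   ["-w /etc/sudoers -p wa -k sudoers",
                  "-w /etc/sudoers.d/ -p wa -k sudoers"],
    "ssh-keys":  ["-w /root/.ssh/ -p wa -k ssh-keys"],
    "cron":      ["-w /etc/crontab -p wa -k cron",
                  "-w /etc/cron.d/ -p wa -k cron",
                  "-w /var/spool/cron/ -p wa -k cron"],
    "modules":   ["-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules"],
    "kexec":     ["-a always,exit -F arch=b64 -S kexec_load,kexec_file_load -k kexec"],
    "mounts":    ["-a always,exit -F arch=b64 -S mount,umount2 -k mounts"],
    "audit-cfg": ["-w /etc/audit/ -p wa -k audit-cfg",
                  "-w /var/log/audit/ -p wa -k audit-cfg"],
}

# Rule key -> row of the Linux table above (this example's mapping).
KEY_TO_CATEGORY = {
    "identity": "System Events / Trusted databases",
    "sudoers": "Privileged Events / Sudoers-root privileges",
    "ssh-keys": "Privileged Events / Public-private key locations",
    "cron": "System Events / Cron configurations",
    "modules": "System Events / Loading and unloading of modules",
    "kexec": "System Events / kexec usage",
    "mounts": "System Events / Mount operations",
    "audit-cfg": "Audit / Configuration or log files",
}

# Constructed audit.log excerpt: an edit of /etc/sudoers, a failed module
# load by an unprivileged user, and a daemon reading a config with no key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1748336400.101:2001): arch=c000003e syscall=257 success=yes exit=3 ppid=4101 pid=4120 auid=1000 uid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="sudoers"
type=PATH msg=audit(1748336400.101:2001): item=0 name="/etc/sudoers" inode=262146 mode=0100440 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1748336460.555:2002): arch=c000003e syscall=313 success=no exit=-1 ppid=4101 pid=4130 auid=1000 uid=1000 euid=1000 comm="insmod" exe="/usr/sbin/insmod" key="modules"
type=SYSCALL msg=audit(1748336520.900:2003): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=900 auid=4294967295 uid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=PATH msg=audit(1748336520.900:2003): item=0 name="/etc/ssh/sshd_config" inode=262200 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

UNSET_AUID = 4294967295  # auid of processes with no login session (daemons)


def audit_rules_file():
    """Render the rule set as the contents of an audit.rules file."""
    lines = ["-D", "-b 8192"]          # flush existing rules, set the buffer size
    for rules in AUDIT_RULES.values():
        lines.extend(rules)
    lines.append("-e 2")               # lock the configuration until reboot
    return "\n".join(lines) + "\n"


def parse_audit_log(text):
    """Group lines by serial (one syscall emits a SYSCALL record plus PATH
    records) and flatten each group into one event."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = _MSG.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        ev = events[int(m.group(2))]
        ev["time"], ev["serial"] = float(m.group(1)), int(m.group(2))
        if fields["type"] == "SYSCALL":
            ev.update(syscall=int(fields["syscall"]), success=fields["success"] == "yes",
                      auid=int(fields["auid"]), exe=fields["exe"], key=fields.get("key", "(null)"))
        elif fields["type"] == "PATH":
            ev["paths"].append(fields["name"])
    return [events[s] for s in sorted(events)]


def to_siem_events(events):
    """Tag each event with its table category and whether a logged-in user
    (as opposed to a daemon) was behind it."""
    return [{"time": ev["time"], "category": KEY_TO_CATEGORY.get(ev.get("key"), "uncategorised"),
             "exe": ev.get("exe"), "auid": ev.get("auid"), "success": ev.get("success"),
             "paths": ev["paths"], "interactive": ev.get("auid") not in (None, UNSET_AUID)}
            for ev in events]


if __name__ == "__main__":
    print(audit_rules_file())
    for ev in to_siem_events(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(ev)
```

The parser keeps the login UID (auid) separate from the effective UID on purpose: the first record shows uid 0 but auid 1000, i.e. a user who became root edited sudoers, which is exactly the attribution the "Sudoers/root privileges" row is meant to give. Records with no key, like the third, are not dropped but land in an "uncategorised" bucket so that gaps in the rule set are visible rather than silent.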

14. Apple MacOS endpoint logs

Apple macOS Endpoint Logs

Category | Subcategory | Event
Content Caching | com.apple.AssetCache (subsystem) | All/Default
Gatekeeper | syspolicyd (policy) | All/Default
Gatekeeper | com.apple.syspolicy.exec (subsystem) | All/Default
macOS Installer and Software Update | softwareupdated (policy) | All/Default
macOS Installer and Software Update | com.apple.mac.install (subsystem) | All/Default
macOS Installer and Software Update | com.apple.SoftwareUpdate (subsystem) | All/Default
macOS Installer and Software Update | com.apple.SoftwareUpdateMacController (subsystem) | All/Default
macOS Installer and Software Update | com.apple.mobileassetd (subsystem) | All/Default
Mobile Device Management (MDM) | mdmclient (policy) or com.apple.ManagedClient (subsystem) | All
Networking | com.apple.network (subsystem) | All
Networking | connection (category) | All
Networking | boringssl (category) | All
OCSP (Certificate Validity) | com.apple.securityd (subsystem) | All
OCSP (Certificate Validity) | ocsp (category) | All
User and Administrator Access to OS Components and Applications | File and object access | All
User and Administrator Access to OS Components and Applications | Audit log access | Success/Failure
User and Administrator Access to OS Components and Applications | System access and log off | Success/Failure
User and Administrator Access to OS Components and Applications | Privilege access and log off | Success/Failure
User and Administrator Access to OS Components and Applications | Sensitive privilege use (sudo) | Success/Failure
User and Administrator Access to OS Components and Applications | Remote terminal or equivalent access and log off | Success/Failure
User and Administrator Access to OS Components and Applications | Samba/NFS/(S)FTP or equivalent access | All
User and Administrator Access to OS Components and Applications | Mac OS X utmpx / wtmp | All
User and Administrator Access to OS Components and Applications | Audit daemon | All
User and Administrator Access to OS Components and Applications | Permissions/access violations | All
User and Administrator Access to OS Components and Applications | Terminal command sessions | All
User and Administrator Access to OS Components and Applications | SSH session initiation | All
User and Administrator Access to OS Components and Applications | Open Directory |
User and Administrator Access to OS Components and Applications | Terminal command history | All
User and Administrator Access to OS Components and Applications | Installation or removal of applications | All
User and Administrator Access to OS Components and Applications | Installation or removal of storage volumes or removable media | All
System Performance and Operational Characteristics | Resource utilisation, process status | All
System Performance and Operational Characteristics | System events | All
System Performance and Operational Characteristics | Service status changes | Start, stop, fail, restart, etc.
System Performance and Operational Characteristics | Service failures and restarts | All
System Performance and Operational Characteristics | Launch Services daemon | All
System Performance and Operational Characteristics | Jamf | All
System Performance and Operational Characteristics | Process creation and termination | All
System Configuration | Changes to security configuration | Success/Failure
System Configuration | Audit log cleared | All
System Configuration | Changes to accounts | All
System Configuration | User or group management changes | All
System Configuration | Apple Push Notification service (APNs) | All
System Configuration | Snapshots DB | Success/Failure
System Configuration | Syslog format files | All
System Configuration | Scheduled task changes | All
File Access | Transfer to external media | All
File Access | Transfer to remote hosts | All
File Sharing | All | All
Host Network Communications | Port | All
Host Network Communications | IP address | All
Host Network Communications | Active network comms | All
Command-Line Interface (CLI) | System log folder: /var/log/* | All
Command-Line Interface (CLI) | System log: /var/log/system.log | All
Command-Line Interface (CLI) | Mac analytics data: /var/log/DiagnosticMessages/* | All
Command-Line Interface (CLI) | Wi-Fi log: /var/log/wifi.log | All
Command-Line Interface (CLI) | System application logs: /Library/Logs/* and /private/var/log/* | All
Command-Line Interface (CLI) | System reports: /Library/Logs/DiagnosticReports/* | All
Command-Line Interface (CLI) | User application logs: /Users/Name/Library/Logs/* | All
Command-Line Interface (CLI) | User reports: /Users/Name/Library/Logs/DiagnosticReports/* | All
Command-Line Interface (CLI) | Audit log: /var/audit/* | All
Basic Input Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and Other Firmware | Version | All
Basic Input Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and Other Firmware | Created date | All
Basic Input Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and Other Firmware | Installed date | All
Basic Input Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and Other Firmware | Manufacturer | All
Keychain Events | Public/private key locations (.ssh directory) | All
XProtect | Detection events and alerts | All
Misc. Logs | As required or determined through risk assessment | All

Reference and resource annex

Active Directory Group Policy Changes

The following table lists the Group Policy changes required to generate the specific event IDs within log sources.

Event ID | Group Policy Object
--- | ---
4618 | Audit System Integrity
4649 | Audit Other Logon/Logoff Events
4964 | Audit Special Logon
4662 | Audit Directory Service Access
4670 | Audit Other Policy Change Events
4897 | Audit Certification Services
4673 | Audit Sensitive Privilege Use
4694 | Audit DPAPI Activity
4703, 4704, 4705, 4706, 4707 | Audit Authorization Policy Change
4724, 4739 | Audit Account Management
4728, 4729, 4732, 4733, 4735, 4737, 4755, 4756, 4757 | Audit Security Group Management
4765, 4766 | Audit User Account Management
4713 | Audit Authentication Policy Change
4768 | Audit Kerberos Authentication Service
4769 | Audit Kerberos Service Ticket Operations
4771 | Kerberos pre-authentication failed
4821 | Audit Kerberos Service Ticket Operations
4725, 4726, 4738, 4780, 4794 | Audit User Account Management
5141 | Audit Directory Service Changes
5124 | Protected Users
5136 | OCSP Responder Service
70 | Not directly related to a Group Policy setting
4876, 4886, 4887 | Audit Certification Services
39, 40, 41, 4776, 4824, 4899, 4900, 5137 | Windows Default

Windows Endpoint Group Policy Changes

The following table lists the Group Policy changes required to generate the specific event IDs within log sources.

Event ID | Group Policy Object
--- | ---
4103 | Turn on Module Logging
4104 | Turn on PowerShell Script Block Logging
4610, 4611, 4614, 4622 | Audit Security System Extension
4624, 4625, 4648 | Audit Logon Events
4656, 4663 | Audit Object Access
4688 | Audit Process Creation
4697 | Audit Security System Extension
4698, 4699, 4701, 4702 | Audit Other Object Access Events
4717, 4718, 4719 | Audit Authentication Policy Change
4720, 4722, 4723 | Audit User Account Management Group Policy
4732 | Audit Security Group Management
4820 | Device-based access control policies
4964 | Audit Special Logon
4658 | Audit Handle Manipulation
4689 | Audit Process Termination
8000, 8004 | NTLM auditing settings
8007, 8022, 8025, 8027, 8029, 8032, 8035, 8036, 8040 | AppLocker Policies
3077, 3089 | Windows Defender Application Control
1, 118, 119, 129, 200, 1001, 1102, 5857, 5858, 5859, 5860, 5861, 7045 | Windows Default

Domain Controller Group Policy Changes

The following table lists the Group Policy changes required to generate the specific event IDs within log sources.

Event ID | Group Policy Object
--- | ---
4768, 4769 | Audit Kerberos Authentication Service
4741, 4742, 4743 | Audit Computer Account Management
4739 | Any Security Settings\Account Policies GPO
4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764, 4928, 4929 | Audit Detailed Directory Service Replication
4675, 4720, 4722 | Audit Logon
4723, 4724, 4725, 4726, 4738, 4767, 4780, 4781, 4794, 5376, 5377 | Audit User Account Management
4876, 4886, 4887 | Audit Certification Services
4688, 4696 | Audit Process Creation
4689 | Audit Process Termination
4661, 4662 | Audit Directory Service Access
5136, 5137, 5138, 5139, 5141 | Audit Directory Service Changes
8222 | Security
307 | Administrative Templates\Printers
4679 | Audit Policy
4770 | Audit Kerberos Service Ticket Operations
2889 | Network security: LDAP client signing requirements
4634 | Audit logoff
4625, 4647 | Audit logon events
4624, 4634, 4648 | Advanced Audit Policy Configuration
4627 | Audit Group Membership
4779 | Audit Other Logon/Logoff Events
4964 | Audit Special Logon
4672 | Special privileges assigned to new logon
4663 | Audit object access
4671, 4691, 4698, 4699, 4700, 4701, 4702, 5148, 5149, 5888, 5889, 5890 | Audit Other Object Access Events
4673, 4674 | Audit Sensitive Privilege Use
4985 | Audit File System
4670, 4707, 4739, 4864 | Audit Object Access
4706, 4707, 4713, 4716, 4717, 4718, 4865, 4866, 4867 | Audit Authentication Policy Change
4703 | Audit Authorization Policy Change
4719 | Audit Policy Change
4960, 4961, 4962, 4963, 4965, 5478, 5479, 5480, 5483, 5484, 5485 | Audit IPsec Driver
4608, 4616, 4621 | Audit Security State Change
4610, 4611, 4614, 4622, 4697 | Audit Security System Extension
4612, 4615, 4618, 5038, 5056, 5061, 6281, 6410 | Audit System Integrity
5890 | Audit Other Object Access Events
6410 | Code Integrity
3033, 3063 | Code Integrity Policies
39, 40, 41, 70, 510, 1007, 1102, 1200, 1202, 4678, 4695, 4776, 4740, 4899, 4900 | Windows Default
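
The three Group Policy tables above are only useful if the audit subcategories they name are actually enabled on each host. As an added example (not from the authoring agencies), the following Python takes a subset of the endpoint table, parses a constructed sample of `auditpol /get /category:*` output, and reports which priority event IDs the host's current policy will not produce. It assumes that each "Audit <X>" entry names the advanced audit policy subcategory <X> as printed by auditpol; entries that are not audit subcategories (such as "Windows Default" or the PowerShell logging settings) are flagged for manual checking rather than matched.

```python
# Added example: which priority event IDs from the tables above will a host's
# current audit policy actually generate? Assumes (labelled assumption) that
# each "Audit <X>" entry names the advanced audit subcategory <X> as printed
# by `auditpol /get /category:*`.
import re

# Subset of the "Windows Endpoint Group Policy Changes" table above.
EVENT_ID_TO_GPO = {
    4688: "Audit Process Creation",
    4689: "Audit Process Termination",
    4697: "Audit Security System Extension",
    4698: "Audit Other Object Access Events",
    4658: "Audit Handle Manipulation",
    4104: "Turn on PowerShell Script Block Logging",  # not an audit subcategory
    7045: "Windows Default",                          # not an audit subcategory
}

# Constructed sample of `auditpol /get /category:*` output (not from a real host).
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
Object Access
  Handle Manipulation                     No Auditing
  Other Object Access Events              Success and Failure
Detailed Tracking
  Process Creation                        Success
  Process Termination                     No Auditing
"""

# Subcategory lines are indented; category lines and the header are not.
AUDITPOL_LINE = re.compile(
    r"^\s{2}(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$")

def parse_auditpol(text):
    """Return {subcategory: setting} from auditpol's plain-text output."""
    return {m.group(1): m.group(2)
            for m in map(AUDITPOL_LINE.match, text.splitlines()) if m}

def coverage(mapping, auditpol_text):
    """Map each event ID to its subcategory's effective setting; non-audit GPO
    entries get 'manual check', unlisted subcategories 'subcategory not found'."""
    settings = parse_auditpol(auditpol_text)
    return {eid: (settings.get(gpo[len("Audit "):], "subcategory not found")
                  if gpo.startswith("Audit ") else "manual check")
            for eid, gpo in mapping.items()}

def missing(mapping, auditpol_text):
    """Event IDs the host will not generate under its current audit policy."""
    return sorted(eid for eid, s in coverage(mapping, auditpol_text).items()
                  if s in ("No Auditing", "subcategory not found"))
```

Running `missing(EVENT_ID_TO_GPO, SAMPLE_AUDITPOL)` on the sample reports 4658, 4689 and 4697 as events the SIEM will never receive from that host until the matching subcategories are enabled.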
