What to monitor to stop hacker and malware attacks

Most organizations under attack have no clue they're being targeted. Here are security events to look for in case of a breach

Page 2 of 4

What to monitor

In the interest of giving specific advice, I've assembled the Windows security event log IDs [Excel format] that you should be monitoring on Microsoft operating systems, although the events and behaviors they cover should be monitored on any OS used by your organization. Microsoft probably has the best security event log ID descriptions, so it's a good place to start. (Note: I am a full-time employee of Microsoft.)

High-criticality events. Here are the events I consider most relevant; each requires immediate investigation unless the event occurred through approved change/configuration control processes.

High-criticality events

| Vista/W2K8/Win7 | W2K3/XP legacy | Event description |
|---|---|---|
| 4618 | - | A monitored security event pattern has occurred. |
| - | 550 | Possible denial-of-service (DoS) attack. |
| 4649 | - | A replay attack was detected. (Note: This may be nonmalicious and frequently reoccurring in some environments.) |
| 4692 | - | Backup of data protection master key was attempted. |
| 4693 | - | Recovery of data protection master key was attempted. |
| 4694 | - | Protection of auditable protected data was attempted. |
| 4695 | - | Unprotection of auditable protected data was attempted. |
| 4719 | 612 | System audit policy was changed. |
| 4765 | - | SID History was added to an account. |
| 4766 | - | An attempt to add SID History to an account failed. |
| 4794 | - | An attempt was made to set the Directory Services Restore Mode. |
| 4816 | - | RPC detected an integrity violation while decrypting an incoming message. |
| 4964 | - | Special groups have been assigned to a new log-on. |
| 5124 | - | A security setting was updated on the OCSP Responder Service. |
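To turn the table into something an administrator can run, here is an added PowerShell example (not part of the article): it pulls the Vista/W2K8/Win7 event IDs above from the local Security log for the last 24 hours and annotates each hit. The 24-hour window and the shortened descriptions are my own choices, and the legacy 550/612 IDs are left out because Get-WinEvent needs Vista/W2K8 or later.

```powershell
# Added example: query the local Security log for the high-criticality IDs
# in the table above. Requires Windows Vista/Server 2008 or later.
$HighCriticalityIds = @{
    4618 = 'A monitored security event pattern has occurred'
    4649 = 'A replay attack was detected (often benign noise; baseline it)'
    4692 = 'Backup of data protection master key was attempted'
    4693 = 'Recovery of data protection master key was attempted'
    4694 = 'Protection of auditable protected data was attempted'
    4695 = 'Unprotection of auditable protected data was attempted'
    4719 = 'System audit policy was changed'
    4765 = 'SID History was added to an account'
    4766 = 'An attempt to add SID History to an account failed'
    4794 = 'An attempt was made to set the Directory Services Restore Mode'
    4816 = 'RPC detected an integrity violation while decrypting an incoming message'
    4964 = 'Special groups have been assigned to a new log-on'
    5124 = 'A security setting was updated on the OCSP Responder Service'
}

# FilterHashtable is applied by the event log service itself, which is far
# cheaper than reading every Security event and piping it through Where-Object.
$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$HighCriticalityIds.Keys
    StartTime = (Get-Date).AddHours(-24)   # assumed review window
}

# Get-WinEvent emits a non-terminating error when nothing matches; treat
# "no events" as a clean result rather than a failure.
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# One row per hit, newest first, with the table's description attached.
$hits |
    Select-Object TimeCreated, Id, MachineName,
        @{ Name = 'Description'; Expression = { $HighCriticalityIds[[int]$_.Id] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize

# Counts per ID separate a one-off audit-policy change (4719, possibly an
# approved change) from a host churning out replay detections (4649) all day.
$hits | Group-Object Id | Select-Object Count, Name | Sort-Object Count -Descending
```

Run it in an elevated session, since reading the Security log requires administrative rights or membership in Event Log Readers; events that trace back to an approved change request are expected and can be closed, everything else is investigated.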