Elastic Codes
Windows*
event.code
1 - Process creation
13 - Registry value set (triggered when a registry key value is set or modified)
15 - FileCreateStreamHash (browser file download event)
11 - File create
3 - Network connection
🔹 Authentication & Logon Events
4624 - Successful logon
4625 - Failed logon attempt
4634 - Logoff
4648 - Logon using explicit credentials
4672 - Special privileges assigned to a new logon (e.g., admin logins)
4776 - NTLM authentication attempt
🔹 Account & Privilege Changes
4720 - A user account was created
4722 - A user account was enabled
4725 - A user account was disabled
4726 - A user account was deleted
4732 - A user was added to a privileged group
4733 - A user was removed from a privileged group
🔹 Process & System Monitoring
4688 - A new process was created
4689 - A process was terminated
4657 - A registry value was modified
4697 - A service was installed on the system
🔹 Security & Threat Detection
1102 - Security audit log cleared (potential sign of tampering)
4621 - Administrator recovered from a crash
4728 - A user was added to the Administrators group
4768 - A Kerberos authentication ticket was requested
4769 - A Kerberos service ticket was requested
4104 - Remote PowerShell script execution
🔹 File & Object Access
4663 - Access to an object was requested (file/folder access)
4656 - A handle to an object was requested
process
process.command_line -
process.parent.name - name of the parent application that launched the process
process.parent.command_line - command line the parent process was started with
Zeek*
source.ip - source IP address
dns.question.name - queried domain