├── .github
│   └── workflows
│       ├── check_urls.yml
│       └── lint_readme.yml
├── .gitignore
├── LICENSE
├── README.md
└── event_ids
    └── smb.md

--------------------------------------------------------------------------------
/.github/workflows/check_urls.yml:
--------------------------------------------------------------------------------
name: Check URLs
on:
  pull_request:
  push:
  schedule:
    - cron: '25 4 * * 3,6'

jobs:
  check-urls:

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      # @master is a moving ref: pin third-party actions to a release tag or a
      # commit SHA so a changed or compromised upstream branch cannot alter this job.
      - uses: urlstechie/urlchecker-action@master
        with:
          file_types: .md

--------------------------------------------------------------------------------
/.github/workflows/lint_readme.yml:
--------------------------------------------------------------------------------
name: Lint Readme

on: [pull_request, push]

jobs:
  lint_readme:

    runs-on: ubuntu-latest
    strategy:
      max-parallel: 5
      matrix:
        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]

    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: pip install codespell
      - run: codespell

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Created by https://www.toptal.com/developers/gitignore/api/vim
# Edit at https://www.toptal.com/developers/gitignore?templates=vim

### Vim ###
# Swap
[._]*.s[a-v][a-z]
!*.svg  # comment out if you don't need vector files
[._]*.sw[a-p]
[._]s[a-rt-v][a-z]
[._]ss[a-gi-z]
[._]sw[a-p]

# Session
Session.vim
Sessionx.vim

# Temporary
.netrwhist
*~
# Auto-generated tag files
tags
# Persistent undo
[._]*.un~

# End of https://www.toptal.com/developers/gitignore/api/vim
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 Mathias Stuhlmacher

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Awesome Event IDs

[![Check URLs](https://github.com/stuhli/awesome-event-ids/actions/workflows/check_urls.yml/badge.svg)](https://github.com/stuhli/awesome-event-ids/actions/workflows/check_urls.yml)

> Collection of Event ID resources useful for Digital Forensics and Incident Response

In incidents, analysts are often faced with the problem of interpreting unknown event IDs.
The event itself does not always contain the desired information.
In addition, it is impossible to remember them all, given the huge number of event IDs and log sources.

## Contents

- [Awesome Event IDs](#awesome-event-ids)
  - [Contents](#contents)
  - [Resources](#resources)
    - [Event ID databases](#event-id-databases)
    - [Event ID documentation](#event-id-documentation)
    - [Event ID configuration and monitoring suggestions](#event-id-configuration-and-monitoring-suggestions)
    - [Event ID analysis](#event-id-analysis)
  - [Contributing](#contributing)

## Resources

### Event ID databases

- [EventTracker Knowledgebase](https://kb.eventtracker.com/) - Database.
- [MyEventlog.com](https://www.myeventlog.com/) - Database.

### Event ID documentation

- [Kaspersky Security for Microsoft Exchange](https://support.kaspersky.com/KS4Exchange/9.6/en-US/127197.htm) - Official resource.
- [Microsoft Defender Antivirus](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#microsoft-defender-antivirus-event-ids) - Official resource.
- [Microsoft Windows Security Auditing](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview) - Official resource.
- [Microsoft Windows Security Auditing by Randy Franklin Smith](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/) - Better known as _Ultimate Windows Security_.
- [Notable Event IDs](https://github.com/TonyPhipps/SIEM/blob/master/Notable-Event-IDs.md) - Collection of common event IDs with descriptions.
- [Sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events) - Official resource.
- [Symantec Endpoint Protection 14.0.X](https://knowledge.broadcom.com/external/article/170359/endpoint-protection-140x-event-log-entri.html) - Official resource.
- [Symantec Endpoint Protection Manager](https://knowledge.broadcom.com/external/article/157017/endpoint-protection-manager-event-log-en.html) - Official resource.
- [Events and Errors - Windows Server 2008](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754424(v=ws.10)) - Collection of event IDs from different Windows event sources. Applies to Windows Server 2008 and 2008 R2. Official resource.
- [Finding Forensic Goodness In Obscure Windows Event Logs](https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3) - List of lesser-known Event IDs.

### Event ID configuration and monitoring suggestions

- General
  - [Audit Policy Recommendations](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations) - Audit Policy Recommendations by Microsoft.
  - [SIEM Tactics, Techniques, and Procedures](https://github.com/TonyPhipps/SIEM) - Comprehensive SIEM resources by TonyPhipps.
  - [Windows Auditing Mindmap](https://github.com/mdecrevoisier/Windows-auditing-mindmap) - Set of mind maps providing a detailed overview of the different Windows auditing capabilities and event log files.
- PowerShell
  - [Script Block Logging](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1#viewing-the-powershell-event-log-entries-on-windows) - Enable 4104 (script block logging).
  - [Module Logging](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_group_policy_settings?view=powershell-7.1#turn-on-module-logging) - Enable 4103 (module logging).
  - [Malware Archaeology PowerShell Logging Cheat Sheet](https://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-Sept-2018-v22.pdf)
  - [Greater Visibility Through PowerShell Logging](https://www.mandiant.com/resources/greater-visibilityt)
  - [PowerShell Logging for the Blue Team](https://www.blackhillsinfosec.com/powershell-logging-blue-team/)
- Security Auditing
  - [Command line Process Auditing](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing#configuration) - Enable 4688 including the process command line.
  - [Critical Windows Event ID's to Monitor](https://graylog.org/post/critical-windows-event-ids-to-monitor/) - Monitoring suggestions.
  - [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor) - Official resource.
  - [Monitoring Guidance](https://github.com/JSCU-NL/logging-essentials) - Event monitoring guidance from the JSCU (Joint SIGINT Cyber Unit, Netherlands), with volume estimates and WEC/WEF configurations.
  - [Malware Archaeology Windows Logging Cheat Sheet](https://www.malwarearchaeology.com/s/Windows-Logging-Cheat-Sheet_ver_Feb_2019.pdf)
  - [Malware Archaeology Advanced Windows Logging Cheat Sheet](https://www.malwarearchaeology.com/s/Windows-Advanced-Logging-Cheat-Sheet_ver_Feb_2019_v12.pdf)
  - [Malware Archaeology Splunk Logging Cheat Sheet](https://www.malwarearchaeology.com/s/Windows-Splunk-Logging-Cheat-Sheet-v222.pdf) - About specific exclusions to avoid noise generated by the Splunk Universal Forwarder agent itself.
  - [Malware Archaeology File Auditing Cheat Sheet](https://www.malwarearchaeology.com/s/Windows-File-Auditing-Cheat-Sheet-ver-Nov-2017-3fwr.pdf)
  - [Malware Archaeology Registry Auditing Cheat Sheet](https://www.malwarearchaeology.com/s/Windows-Registry-Auditing-Cheat-Sheet-ver-Aug-2019.pdf)
  - [Malware Archaeology ATT&CK Logging Cheat Sheet](https://www.malwarearchaeology.com/s/Windows-ATTCK_Logging-Cheat-Sheet_ver_Sept_2018.pdf) - From 2018.
  - [US NSA Spotting the Adversary with Windows Event Log Monitoring](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/applications/assets/public/upload/Spotting-the-Adversary-with-Windows-Event-Log-Monitoring.pdf) - Covers quite a lot of ground.
  - [US NSA Event Forwarding Guidance](https://github.com/nsacyber/Event-Forwarding-Guidance) - Companion repository with WEF configurations, scripts to configure WEF, and WEF subscriptions in XML format.
  - [UK NCSC - Logging Made Easy WEC (Windows Event Collection) Configuration File](https://github.com/ukncsc/lme/blob/master/Chapter%201%20Files/lme_wec_config.xml)
  - [Windows Security Monitoring - Policy & Event IDs](https://docs.google.com/spreadsheets/d/1BhR3cymZ53ZJfJdKAGKszuB-jgsr8GBJBOCJl50WGKE/edit?usp=sharing) - Spreadsheet with recommendations sorted by system function.
  - [EventID Policy Map](https://docs.google.com/spreadsheets/d/16WuMNL5WWjE4YJIKrt1ut3fZWTbPPKnAGBjGilLrzBE/edit#gid=1714197816) - Spreadsheet with a policy map as well as a reference collection.
  - [Windows security event log library](https://www.manageengine.com/products/active-directory-audit/kb/windows-event-log-id-list.html) - Small database with explanations and monitoring suggestions.
  - [Yamato Security's Ultimate Windows Event Log Configuration Guide For DFIR And Threat Hunting](https://github.com/Yamato-Security/EnableWindowsLogSettings)
- Sysmon
  - [Configuration by SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config) - Configuration file template with default high-quality event tracing.
  - [Fork of SwiftOnSecurity by Neo23x0 Florian ROTH](https://github.com/Neo23x0/sysmon-config) - Same as above, with all open PRs merged.
  - [Configuration by olafhartong](https://github.com/olafhartong/sysmon-modular) - A repository of Sysmon configuration modules.
  - [Malware Archaeology Sysmon Logging Cheat Sheet](https://www.malwarearchaeology.com/s/Windows-Sysmon-Logging-Cheat-Sheet_Jan_2020-g7sl.pdf)
  - [Sysmon Community Guide](https://github.com/trustedsec/SysmonCommunityGuide)

### Event ID analysis

- General
  - [EVTX Attack Samples](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) - EVTX samples recorded during attack simulations by sbousseaden.
  - [EVTX-to-MITRE-Attack](https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack) - More than 170 EVTX samples matched to MITRE TTPs, provided by [mdecrevoisier](https://twitter.com/mdecrevoisier).
  - [Tool Analysis Result Sheet](https://jpcertcc.github.io/ToolAnalysisResultSheet/#) - Logs analyzed after tool execution, by JPCERT.
  - [EvtxECmd Map Repository](https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps) - Maps used by Eric Zimmerman's EvtxECmd. Each map documents an Event ID with examples, lookup tables, and the important values within that event which EvtxECmd parses using the map.
  - [Event Log Observer](https://lizard-labs.com/event_log_observer.aspx) - View, analyze and monitor events recorded in Microsoft Windows event logs.
  - [Splunk advanced input configuration for Windows](https://github.com/mdecrevoisier/Splunk-input-windows-baseline) - Provides an advanced inputs.conf for Windows and related 3rd-party software, with more than 70 different event logs mapped to MITRE ATT&CK.
  - [Windows Security Event ID Helper](https://github.com/qbrusa/Windows-Security-Event-ID-Helper) - [_Work in progress_] Will allow you to filter on each GPO setting and display all Event IDs produced by it.
- Antivirus
  - [Antivirus Event Analysis Cheat Sheet](https://www.nextron-systems.com/2023/01/20/antivirus-event-analysis-cheat-sheet-v1-12-0/) - Cheat sheet by Nextron Systems.
- PowerShell
  - [Attack and Defense Around PowerShell Event Logging](https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/) - PowerShell logging deep dive from different perspectives, by Mina Hao.
- RDP
  - [RDP Logon / Logoff events 1](https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/) - RDP event chain, by Jonathon Poling.
  - [RDP Logon / Logoff events 2](https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/) - RDP deep dive on 1149, by Mike Cary.
- SMB
  - [SMB error events (local collection)](event_ids/smb.md#smb-error-events)
- Task Scheduler
  - [Task Scheduler Event IDs](https://mnaoumov.wordpress.com/2014/05/15/task-scheduler-event-ids/) - List of the most common Event IDs for Windows Scheduled Tasks, by mnaoumov.
- Windows Remote Command Execution
  - [Traces of Windows remote command execution](https://www.synacktiv.com/en/publications/traces-of-windows-remote-command-execution.html) - Blog post on the remote command execution techniques used by attackers and red teamers, with detailed logging recommendations.
- Windows Specific Event IDs
  - [Windows Event ID 4776 [SOLVED]](https://www.pcwdld.com/windows-event-id-4776/) - Blog post explaining the meaning of 4776, by Diego Asturias.

## Contributing

This repo is dedicated to everything that has an event ID and the knowledge about it.
Please ask yourself before submitting a PR whether it really fits this scope.
In particular, please do not contribute tools, as these are already comprehensively summarized in the following great repositories.

- [awesome-incident-response](https://github.com/meirwah/awesome-incident-response)
- [awesome-forensics](https://github.com/cugu/awesome-forensics)
- [awesome-forensicstools](https://github.com/ivbeg/awesome-forensicstools)
- [awesome-security](https://github.com/sbilly/awesome-security)

--------------------------------------------------------------------------------
/event_ids/smb.md:
--------------------------------------------------------------------------------
# SMB

- Source: _Microsoft-Windows-SMBClient_
- Channels: _Microsoft-Windows-SMBClient/Connectivity_, _/Security_, _/Audit_ and _/Operational_ (Event Viewer: Applications and Services Logs > Microsoft > Windows > SMBClient). The events below are spread across these channels, so a query on the provider alone is not enough.

## SMB error events

- **30800** _The server name cannot be resolved._ - [Reference](https://social.technet.microsoft.com/Forums/en-US/1d001951-6985-48cb-be38-e33c60f4fc20/event-id-30800-the-server-name-cannot-be-resolved?forum=winserverfiles)
- **30803** _The network connection failed._ - [Reference](https://social.technet.microsoft.com/Forums/de-DE/ef3e9243-5a22-4020-97a0-219595666cd7/smbclient-errors?forum=winserver8gen)
- **30822** _Failed to establish an SMB multichannel network connection._ - [Reference](https://learn.microsoft.com/en-us/answers/questions/1081872/event-id-30822-failed-to-establish-an-smb-multicha)
- **30904** _The server does not support multi-channel._
- **31001** _An attempt to initialize a security context failed._ - [Reference](https://social.technet.microsoft.com/Forums/lync/en-US/d275b7b0-00d3-49b1-b921-54822187c504/smbclient-event-id-31001-an-attempt-to-initialize-a-security-context-failed?forum=win10itpronetworking)
- **31010** _The SMB client failed to connect to the share._ - [Reference](https://learn.microsoft.com/en-us/answers/questions/439044/win-2019-server-smb-session-authentication-failure)
- **32000** _SMB1 negotiate response received from remote device when SMB1 cannot be negotiated by the local computer._ - [Reference](https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows)
- **32002** _SMB1 is deprecated and should not be installed nor enabled._ - [Reference](https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows)
--------------------------------------------------------------------------------
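The following PowerShell script is an added example for this list; it is not code from the awesome-event-ids repository or from any of the resources it links. It covers two passages in one place: the "Event ID configuration and monitoring suggestions" entries that say to enable 4104, 4103 and command-line 4688 (it writes the same registry values and audit subcategory the linked Microsoft pages describe, then reads them back), and the local collection of the SMB client error events listed in `event_ids/smb.md`. The function names are this example's own. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 10 / Server 2016 or later, English `auditpol` subcategory names, and that no Group Policy overrides the local policy keys (a GPO silently re-applies its own values at the next refresh).

```powershell
#Requires -RunAsAdministrator
# Added example for awesome-event-ids; not code from the repository.
# Assumptions: elevated Windows PowerShell 5.1+ on Windows 10 / Server 2016+,
# English auditpol subcategory names, no GPO overriding the local policy keys.

function Enable-RecommendedLogging {
    # Writes the registry values the linked Group Policy settings set:
    #   script block logging -> Microsoft-Windows-PowerShell/Operational 4104
    #   module logging (*)   -> Microsoft-Windows-PowerShell/Operational 4103
    #   process creation audit + command line -> Security 4688
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Type DWord -Value 1

    $ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    New-Item -Path "$ml\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Type DWord -Value 1
    Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Type String -Value '*'

    # 4688 is only written while the Process Creation subcategory is audited;
    # the registry value below adds the CommandLine field to each 4688.
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Type DWord -Value 1
}

function Test-RecommendedLogging {
    # Reads the settings back; run this before assuming 4103/4104/4688 reach the SIEM.
    $sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $ml  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -ErrorAction SilentlyContinue
    $cl  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -ErrorAction SilentlyContinue
    # auditpol /r emits CSV; blank lines are dropped before parsing.
    $pc  = auditpol.exe /get /subcategory:"Process Creation" /r | Where-Object { $_ } | ConvertFrom-Csv
    [pscustomobject]@{
        ScriptBlockLogging   = ($sbl.EnableScriptBlockLogging -eq 1)
        ModuleLogging        = ($ml.EnableModuleLogging -eq 1)
        ProcessCreationAudit = ($pc.'Inclusion Setting' -match 'Success')
        CommandLineIn4688    = ($cl.ProcessCreationIncludeCmdLine_Enabled -eq 1)
    }
}

function Get-SmbClientErrorEvents {
    param([int]$Days = 7)
    # Event IDs from event_ids/smb.md. They share the provider Microsoft-Windows-SMBClient
    # but are spread across its channels (Connectivity, Security, Audit, Operational),
    # so the LogName wildcard covers all of them. Get-WinEvent raises an error when
    # nothing matches, which is the normal case on a healthy host, so it is suppressed.
    $ids = 30800, 30803, 30822, 30904, 31001, 31010, 32000, 32002
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBClient/*'
        Id        = $ids
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LogName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Sort-Object TimeCreated
}

# Usage: apply, verify, then review the last week of SMB client errors.
Enable-RecommendedLogging
Test-RecommendedLogging | Format-List
Get-SmbClientErrorEvents -Days 7 | Format-Table -AutoSize
# A count per ID quickly shows a noisy host, e.g. repeated 32000 from a device that
# still offers SMB1, or clusters of 31001/31010 pointing at an authentication problem.
Get-SmbClientErrorEvents -Days 7 | Group-Object Id | Select-Object Count, Name
```

Two practical notes. Script block logging records the content of every script block, including any credentials or tokens embedded in scripts, so the `Microsoft-Windows-PowerShell/Operational` log should be forwarded (WEF, as several entries above recommend) and access-controlled like the Security log. And 4688 with command lines is high-volume on busy servers; check the JSCU volume estimates linked above before enabling it fleet-wide.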