@timsonner
Created April 13, 2025 12:34
PowerShell. Look up Windows security events quickly to correlate activity.

PowerShell - View Windows Security Event Logs

A reference for triaging security alerts

Common Event IDs

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

Event ID  Description
4624      An account was successfully logged on
4625      An account failed to log on
4627      Group membership information (written alongside each 4624, lists the groups of the account that logged on)
4720      A user account was created
4722      A user account was enabled
4723      An attempt was made to change an account's password
4724      An attempt was made to reset an account's password
4725      A user account was disabled
4726      A user account was deleted
4727      A security-enabled global group was created
4728      A member was added to a security-enabled global group
4729      A member was removed from a security-enabled global group
4730      A security-enabled global group was deleted
4731      A security-enabled local group was created
4732      A member was added to a security-enabled local group
4733      A member was removed from a security-enabled local group
4734      A security-enabled local group was deleted
4735      A security-enabled local group was changed
4737      A security-enabled global group was changed
4740      A user account was locked out

Get-WinEvent

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.5

Reading the Security log needs an elevated session or membership in the Event Log Readers group. -FilterHashtable is applied by the event log service, so put the log name, event ID and time window there and keep Where-Object for fields the hashtable cannot express.

# Event ID - display the last 300 failed logons with every property
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 300 | Select-Object *

# Event ID and username. Properties[] is positional and the order differs per
# event ID; for 4724, index 0 is TargetUserName and index 2 is TargetSid
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4724} |
  Where-Object { $_.Properties[0].Value -eq 'username' } |
  Select-Object *

# Event ID and SID. The SID property is a SecurityIdentifier object, so compare its string form
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4724} |
  Where-Object { "$($_.Properties[2].Value)" -eq 'S-1-5-21-1966530601-3185510712-10604624-1010' } |
  Select-Object *
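The positional Properties[n] lookups above break as soon as you switch event IDs. The following is an added example, not code from the original gist: it turns each record's EventData into named fields by reading the event XML, then uses those names to correlate failed logons (4625) with lockouts (4740) in the last hour. It assumes an elevated session (or Event Log Readers membership) on the host that holds the events, which for domain accounts is the domain controller; the one-hour window, the function name ConvertFrom-SecurityEvent and the output column names are this example's own choices.

```powershell
# Added example (not from the original gist). Assumes an elevated session on
# the host holding the events; the one-hour window is arbitrary.

function ConvertFrom-SecurityEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        $xml = [xml]$Event.ToXml()
        $fields = [ordered]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            Computer    = $Event.MachineName
        }
        # Each <Data Name="..."> element under EventData becomes a named property,
        # so the caller never has to know the positional Properties[n] order
        foreach ($d in $xml.Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]$fields
    }
}

$since = (Get-Date).AddHours(-1)

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error rather than
# returning nothing when no event matches the hashtable
$failed = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    ConvertFrom-SecurityEvent

# Which accounts are being hit, and from which source addresses
$failed |
    Group-Object TargetUserName, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# For every lockout, count the failures that preceded it and list their sources.
# In 4740, TargetDomainName carries the name of the computer the bad attempts came from.
$lockouts = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4740; StartTime=$since} -ErrorAction SilentlyContinue |
    ConvertFrom-SecurityEvent

foreach ($lock in $lockouts) {
    $attempts = @($failed | Where-Object {
        $_.TargetUserName -eq $lock.TargetUserName -and $_.TimeCreated -lt $lock.TimeCreated
    })
    [pscustomobject]@{
        Account      = $lock.TargetUserName
        LockedAt     = $lock.TimeCreated
        CallerHost   = $lock.TargetDomainName
        FailedBefore = $attempts.Count
        Sources      = ($attempts.IpAddress | Sort-Object -Unique) -join ', '
    }
}
```

ConvertFrom-SecurityEvent works for any Security event that uses EventData; the few that use UserData instead come back with only TimeCreated, Id and Computer, which is the signal to look at the raw XML for that ID.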

Get-EventLog

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1

Get-EventLog exists only in Windows PowerShell 5.1; PowerShell 6 and later removed it, so there use Get-WinEvent with StartTime and EndTime keys in the filter hashtable. -After and -Before are applied by the cmdlet after it reads entries, so on a large Security log expect it to be slow. In the Security log, InstanceId equals the event ID.

# Event ID - most recent
Get-EventLog -LogName Security -InstanceId 4624 -Newest 10 | Select-Object *

# Security events from last hour
Get-EventLog -LogName Security -After (Get-Date).AddHours(-1) | Select-Object *

# Event ID and date range (month/day/year). 4657 = a registry value was modified,
# which is only logged when a SACL on the key requests it
$Begin = Get-Date -Date '1/17/2019 08:00:00'
$End = Get-Date -Date '4/13/2025 17:00:00'
Get-EventLog -LogName Security -InstanceId 4657 -After $Begin -Before $End

Export-Csv and Out-File

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/export-csv?view=powershell-7.5

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/out-file?view=powershell-7.5

# Both cmdlets take their rows from the pipeline; select columns first, otherwise Properties is written as a type name rather than its values
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 300 | Select-Object TimeCreated, Id, MachineName, Message | Export-Csv -Path "C:\SecLogs\failed_logins.csv" -NoTypeInformation
# Out-File keeps the formatted multi-line Message that a CSV cell would flatten
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 300 | Format-List TimeCreated, Id, Message | Out-File -FilePath "C:\SecLogs\successful_logins.txt"
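Putting the date-range query and the export together, as an added example that is not code from the original gist: StartTime and EndTime in the filter hashtable are the Get-WinEvent equivalent of Get-EventLog's -After and -Before, the failed logons get explicit columns before Export-Csv, and the successful logons are narrowed to console and RDP sessions before Out-File. It assumes C:\SecLogs is writable and an arbitrary nine-hour window; the Properties[n] indexes follow the EventData order of these two events (for 4625: 5 = TargetUserName, 10 = LogonType, 19 = IpAddress; for 4624: 8 = LogonType), and the column names Account, LogonType and SourceIp are this example's own.

```powershell
# Added example (not from the original gist). Assumes C:\SecLogs is writable
# and that the Properties[n] indexes match the EventData order of 4625/4624.

$outDir = 'C:\SecLogs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Build the window from parts rather than parsing a date string
$begin = Get-Date -Year 2025 -Month 4 -Day 13 -Hour 8 -Minute 0 -Second 0 -Millisecond 0
$end   = $begin.AddHours(9)

# Failed logons in the window -> CSV, one row per attempt with named columns.
# Piping the raw EventLogRecord would write Properties as a type name, not values.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=$begin; EndTime=$end} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName, RecordId,
        @{ Name = 'Account';   Expression = { $_.Properties[5].Value } },
        @{ Name = 'LogonType'; Expression = { $_.Properties[10].Value } },
        @{ Name = 'SourceIp';  Expression = { $_.Properties[19].Value } } |
    Export-Csv -Path (Join-Path $outDir 'failed_logins.csv') -NoTypeInformation

# Successful console (LogonType 2) and RDP (LogonType 10) logons -> readable text.
# Out-File keeps the multi-line Message that a CSV cell would collapse.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=$begin; EndTime=$end} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -in 2, 10 } |
    Select-Object TimeCreated, Id, RecordId, Message |
    Format-List |
    Out-File -FilePath (Join-Path $outDir 'successful_logins.txt') -Encoding utf8
```

RecordId is included in both files so a row can be traced back to the exact event with Get-WinEvent -FilterHashtable @{LogName='Security'; ID=...} and a Where-Object on RecordId when someone asks for the original.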