A significant number of Windows Event Log types are available to IT and security professionals. This appendix lists the most critical events that pertain to security and incident investigations and is provided as a reference.
| Event ID | Event type | Primary use | Event log |
|---|---|---|---|
| 21 | Remote desktop services: session logon succeeded. | Event correlation, lateral movement, scoping | TerminalServices-LocalSessionManager/Operational |
| 25 | Remote desktop services: session reconnection succeeded. | Event correlation, lateral movement, scoping | TerminalServices-LocalSessionManager/Operational |
| 102 | This event is logged when the terminal services gateway service requires a valid Secure Sockets Layer (SSL) certificate to accept connections. | Event correlation, lateral movement, scoping | Microsoft-Windows-TerminalServices-Gateway |
106 |
A user registered... |