Free Tool

Windows Event ID Reference

The event IDs that matter for security operations. Searchable. With investigative context.

40+ event IDs across 12 categories — authentication, account management, process execution, services, scheduled tasks, Sysmon, PowerShell, Defender, Kerberos, and more. Each event includes the log source, importance level, what it means in context, and exactly what to look for during an investigation.

For the full investigation methodology using these events — how to correlate across log sources, build investigation timelines, and reconstruct attack chains — see Practical Incident Response (IR5: Event Log Analysis) and Endpoint Security Engineering (ES11: Forensic Readiness).