Windows Event Log

This section explains Windows security audit events (Event IDs) one by one, in Japanese and English. The source is Windows Security Auditing Events on Microsoft Learn, to which we add notes from an operations / SIEM / incident-response perspective: how each event is triggered, which security checkpoints it covers, and what to watch for during log review.

Rather than translating the official descriptions verbatim, each article reworks them, focusing on practical content such as attack techniques (pass-the-hash, Kerberoasting, DCSync, lateral movement, and so on), detection points, and how to handle noise. Technical terms are accompanied by notes for newcomers.

Structure

  • The scope is all 244 Event ID pages in the auditing section of Microsoft Learn.
  • Each event has a Japanese version (event-<id>.md) and an English version (event-<id>.en.md).
  • Because each page's weight is set to its Event ID, the sidebar lists events in ascending ID order.

Main categories and tags

  • Logon / logoff (4624, 4625, 4634, 4647, 4648, 4672, 4768, 4769, 4771, 4776, etc.)
  • Account management (4720, 4722, 4724, 4726, 4732, 4738, 4740, 4741, 4742, etc.)
  • Policy change (4719, 4739, 4713, 4715, 4906, etc.)
  • Process tracking (4688, 4689, 4696)
  • Object access / shares (4656, 4660, 4663, 5140, 5142, 5145, etc.)
  • Directory service (4662, 5136, 5137, 5141, 4928, etc.)
  • Firewall / filtering (4946, 4950, 5025, 5031, 5156, 5157, etc.)
  • Crypto / code integrity / device (5058, 5061, 5038, 6410, 6416, 6423, etc.)

Note

For the most accurate, up-to-date information, always check the Microsoft Learn source link at the end of each article (and the primary sources referenced). This section is a curated, annotated version.