#@
#Event ID What it means
#4618 A monitored security event pattern has occurred.
#4649 A replay attack was detected. May be a harmless false positive due to misconfiguration error.
#4765 SID History was added to an account.
#4766 An attempt to add SID History to an account failed.
#4794 An attempt was made to set the Directory Services Restore Mode.
#4897 Role separation enabled
#4964 Special groups have been assigned to a new logon.
#5124 A security setting was updated on the OCSP Responder Service
#4624 Successful account log on
#4625 Failed account log on
#4634 An account logged off
#4648 A logon attempt was made with explicit credentials (e.g. RunAs / alternate credentials)
#4719 System audit policy was changed.
#4964 A special group has been assigned to a new log on
#1102 The audit log was cleared. Commonly anti-forensic activity; note that events logged before the clear are gone, so this query only sees what was logged afterwards.
#4720 A user account was created
#4722 A user account was enabled
#4723 An attempt was made to change the password of an account
#4725 A user account was disabled
#4728 A user was added to a privileged global group
#4732 A user was added to a privileged local group
#4756 A user was added to a privileged universal group
#4738 A user account was changed
#4740 A user account was locked out
#4767 A user account was unlocked
#4735 A privileged local group was modified
#4737 A privileged global group was modified
#4755 A privileged universal group was modified
#4772 A Kerberos authentication ticket request failed
#4777 The domain controller failed to validate the credentials of an account.
#4782 The password hash of an account was accessed
#4616 System time was changed
#4657 A registry value was changed
#4697 An attempt was made to install a service
#4698, 4699, 4700, 4701, 4702 Events related to Windows scheduled tasks being created, modified, deleted, enabled or disabled
#4946 A rule was added to the Windows Firewall exception list
#4947 A rule was modified in the Windows Firewall exception list
#4950 A setting was changed in Windows Firewall
#4954 Windows Firewall Group Policy settings have changed
#5025 The Windows Firewall service has been stopped
#5031 Windows Firewall blocked an application from accepting incoming traffic
#5152, 5153 A network packet was blocked by Windows Filtering Platform
#5155 Windows Filtering Platform blocked an application or service from listening on a port
#5157 Windows Filtering Platform blocked a connection
#5447 A Windows Filtering Platform filter was changed
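# Review the last N days of the Security log for the event IDs tabled above.
# Requires elevation: the Security log is readable only by Administrators or
# members of Event Log Readers. Get-EventLog exists only in Windows PowerShell
# (5.1 and earlier) and reads the whole classic log before filtering, so expect
# it to be slow on busy domain controllers.
$lookbackDays = 1
$cvar1 = Get-Date
$cvar2 = $cvar1.AddDays(-$lookbackDays)

# Single source of truth for the IDs of interest so every query below filters on
# the same set (the original inline list repeated 4766 and 4964).
$eventIds = @(
    4618, 4649, 4765, 4766, 4794, 4897, 4964, 5124,   # monitored pattern, replay, SID history, DSRM, role separation, special groups, OCSP
    4625, 4719, 1102,                                  # failed logon, audit policy change, log cleared
    4720, 4722, 4723, 4725, 4728, 4732, 4756,          # account lifecycle and privileged group membership adds
    4738, 4740, 4767, 4735, 4737, 4755,                # account/group changes, lockout/unlock
    4772, 4777, 4782,                                  # Kerberos/credential validation failures, password hash access
    4616, 4657, 4697, 4698, 4699, 4700, 4701, 4702,    # time change, registry, service install, scheduled tasks
    4946, 4947, 4950, 4954, 5025, 5031,                # Windows Firewall rules/settings/service
    5152, 5153, 5155, 5157, 5447                       # Windows Filtering Platform blocks and filter changes
)

# Successful logon/logoff events are high-volume, so they are excluded from the
# default run; add them by passing $eventIds + $logonIds to Where-Object instead.
$logonIds = @(4624, 4648, 4634)

# For the Security log, InstanceId equals the event ID shown in Event Viewer.
Get-EventLog -LogName Security -After $cvar2 |
    Where-Object { $_.InstanceId -in $eventIds } |
    Sort-Object -Property InstanceId |
    Format-Table -AutoSize

#with successful logons/logoffs 4624,4648,4634
#Get-EventLog -LogName Security -After $cvar2 | Where-Object { $_.InstanceId -in ($eventIds + $logonIds) } | Sort-Object -Property InstanceId | Format-Table -AutoSize
#check one by one
#Get-EventLog -LogName Security -After $cvar2 | Where-Object { $_.InstanceId -eq 4625 } | Sort-Object -Property InstanceId | Format-Table -AutoSize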