Introduction
Field Effect MDR's endpoint agent for Windows polls the Windows event logs for the event IDs listed in the table below.
These IDs span the System, Security and Application logs plus the Windows Defender and WLAN-AutoConfig operational channels. Some record user actions (logons, account and group changes), some record security-product activity (Defender detections, audit-log clearing), and some record system conditions that need an administrator's attention (unexpected reboots, crashed services). Note that an event ID is only unique within the provider that writes it, so the log and source an ID comes from matter as much as the number itself.
Windows Events Logged by the Endpoint Agent
The following events are collected by the endpoint agent and used for analytics. Several of them only appear if the host is configured to produce them: 4663 requires Object Access auditing to be enabled and a matching SACL on the object, 4768 to 4770 and 5827 to 5829 are written on domain controllers, 4740 for a domain account is written on the domain controller that locked it, and 51 is only present on hosts running Symantec AntiVirus.
| Event ID | Log / source | Description |
|---|---|---|
| EventID 15 | System / SecurityCenter | Security Center recorded a change in the status of a registered security product, for example antivirus or Windows Defender being switched on or off. |
| EventID 21 | TerminalServices-LocalSessionManager/Operational (assumed; the ID is ambiguous without a provider name) | Remote Desktop Services: session logon succeeded. |
| EventID 25 | TerminalServices-LocalSessionManager/Operational (assumed, as for 21) | Remote Desktop Services: session reconnection succeeded. |
| EventID 41 | System / Microsoft-Windows-Kernel-Power | The system rebooted without cleanly shutting down first; caused by power loss, a hardware fault or a crash. |
| EventID 51 | Application / Symantec AntiVirus | Security risk found by Symantec AntiVirus, with the action it took. |
| EventID 104 | System / Microsoft-Windows-Eventlog | An event log (System, Application or another non-Security log) was cleared. This is not a logon event; together with 1102 it is the indicator for log wiping. |
| EventID 1074 | System / User32 | A shutdown or restart was initiated by a user or process; the event names the requesting process and the reason given. |
| EventID 1102 | Security / Microsoft-Windows-Eventlog | The Security audit log was cleared; the event records which account did it. |
| EventID 7031 | System / Service Control Manager | A service terminated unexpectedly; the message names the service and the recovery action taken. |
| EventID 7031 (Print Spooler) | System / Service Control Manager | The Print Spooler service terminated unexpectedly. |
| EventID 7031 (Field Effect Endpoint Service) | System / Service Control Manager | The Field Effect Endpoint Service terminated unexpectedly, meaning the agent itself stopped. |
| EventID 5827 | System / NETLOGON (domain controllers) | The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. |
| EventID 5828 | System / NETLOGON (domain controllers) | The Netlogon service denied a vulnerable Netlogon secure channel connection from a trust account. |
| EventID 5829 | System / NETLOGON (domain controllers) | The Netlogon service allowed a vulnerable Netlogon secure channel connection. These three events are Microsoft's Netlogon secure channel enforcement events, not printer errors. |
| EventID 11000 | Microsoft-Windows-WLAN-AutoConfig/Operational | Wireless network association started (the client began connecting to an SSID). |
| EventID 1006 | Microsoft-Windows-Windows Defender/Operational | The antimalware engine found malware or other potentially unwanted software. |
| EventID 1007 | Microsoft-Windows-Windows Defender/Operational | The antimalware platform performed an action (quarantine, remove, block) to protect the system from the detected software. |
| EventID 1008 | Microsoft-Windows-Windows Defender/Operational | The antimalware platform attempted an action to protect the system, but the action failed. |
| EventID 1015 | Microsoft-Windows-Windows Defender/Operational | The antimalware platform detected suspicious behaviour. |
| EventID 1116 | Microsoft-Windows-Windows Defender/Operational | The antimalware platform detected malware or other potentially unwanted software. |
| EventID 1117 | Microsoft-Windows-Windows Defender/Operational | The antimalware platform performed an action to protect the system from the software reported in 1116. |
| EventID 1118 | Microsoft-Windows-Windows Defender/Operational | The antimalware platform attempted an action to protect the system, but the action failed. |
| EventID 1119 | Microsoft-Windows-Windows Defender/Operational | The antimalware platform encountered a critical error while trying to take action; the threat may still be present. |
| EventID 1151 | Microsoft-Windows-Windows Defender/Operational | Endpoint Protection client health report: engine and platform versions, signature age and real-time protection state. |
| EventID 4624 | Security | An account was successfully logged on. The Logon Type field distinguishes interactive, network, RDP and service logons. |
| EventID 4625 | Security | An account failed to log on. The Status and Sub Status codes give the reason (bad password, unknown user, locked-out or disabled account). |
| EventID 4663 | Security | An attempt was made to access an object (file, registry key or other securable object). Only generated when Object Access auditing is enabled and the object carries a matching SACL. |
| EventID 4720 | Security | A user account was created. |
| EventID 4722 | Security | A user account was enabled. |
| EventID 4725 | Security | A user account was disabled. |
| EventID 4728 | Security | A member was added to a security-enabled global group. |
| EventID 4729 | Security | A member was removed from a security-enabled global group. |
| EventID 4732 | Security | A member was added to a security-enabled local group, for example the local Administrators group. |
| EventID 4738 | Security | A user account was changed; the event lists the attributes that were modified. |
| EventID 4740 | Security | A user account was locked out, typically after repeated failed logon attempts. |
| EventID 4741 | Security | A computer account was created (not reset). |
| EventID 4743 | Security | A computer account was deleted. |
| EventID 4768 | Security (domain controllers) | A Kerberos authentication ticket (TGT) was requested. |
| EventID 4769 | Security (domain controllers) | A Kerberos service ticket was requested. |
| EventID 4770 | Security (domain controllers) | A Kerberos service ticket was renewed. |
| EventID 4781 | Security | The name of an account was changed. This is an account-management event, not a DNS lookup. |
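Before relying on the agent to surface these events, it is worth checking which of them the host actually produces. The script below is an added example, not Field Effect's code: it queries the local logs for every ID in the table, grouped by log, and reports the count and provider for each (zero if nothing matched in the window). It assumes an elevated PowerShell session (reading the Security log needs Administrator), the standard Windows channel names, and, for 21 and 25, the TerminalServices-LocalSessionManager channel, which is my assumption rather than something the vendor states.

```powershell
# Added example, not Field Effect's own code.
# Assumptions: run as Administrator; standard channel names; the
# TerminalServices channel for IDs 21/25 is assumed, not vendor-confirmed.
$since   = (Get-Date).AddDays(-7)
$queries = @(
    @{ LogName = 'Security'
       Id      = 1102,4624,4625,4663,4720,4722,4725,4728,4729,4732,4738,4740,4741,4743,4768,4769,4770,4781 },
    @{ LogName = 'System'
       Id      = 15,41,104,1074,5827,5828,5829,7031 },
    @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
       Id      = 1006,1007,1008,1015,1116,1117,1118,1119,1151 },
    @{ LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational'
       Id      = 11000 },
    @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'  # assumed source
       Id      = 21,25 }
)

$results = foreach ($q in $queries) {
    # Copy the hashtable so the StartTime key does not leak into $queries.
    $filter = $q.Clone()
    $filter.StartTime = $since
    $events = @()
    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        # Get-WinEvent throws instead of returning nothing when no event matches,
        # and also when the channel does not exist (e.g. no WLAN log on a server).
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$($q.LogName): $($_.Exception.Message)"
        }
    }
    # One row per ID from the table, including IDs that never appeared.
    foreach ($id in $q.Id) {
        $hits     = @($events | Where-Object Id -eq $id)
        $provider = if ($hits) { $hits[0].ProviderName } else { '(none in window)' }
        $last     = if ($hits) { ($hits | Sort-Object TimeCreated -Descending)[0].TimeCreated } else { $null }
        [pscustomobject]@{
            Log      = $q.LogName
            Id       = $id
            Count    = $hits.Count
            Provider = $provider
            LastSeen = $last
        }
    }
}

$results | Sort-Object Log, Id | Format-Table -AutoSize
```

A zero count for 4663 usually means Object Access auditing is off or no SACL is set; `auditpol /get /subcategory:"File System"` shows the current policy. Zero counts for 4768 to 4770 and 5827 to 5829 are expected on anything other than a domain controller. The Provider column is the check for the ambiguous low-numbered IDs: if 21 or 25 show up with a provider other than the assumed TerminalServices one, the description in the table does not apply to that host.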