1. https://plaso.readthedocs.io/en/latest/
• Server and workstation operating system logs
• Application logs (e.g., web server, database server)
• Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
• Outbound proxy logs and end-user application logs
• Remember to consider other, non-log sources for security events.
User logon/logoff events     Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
User account changes         Created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes             To self: 628; to others: 627
Service started or stopped   7035, 7036, etc.
Object access denied         560, 567, etc. (if auditing enabled)
Successful user login        “Accepted password”, “Accepted publickey”, “session opened”
Failed user login            “authentication failure”, “failed password”
User log-off                 “session closed”
User account change          “password changed”, “new user”, “delete user” or deletion
Sudo actions                 “sudo: … COMMAND=…”, “FAILED su”
Service failure              “failed” or “failure”
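As an added example that is not part of the original cheat sheet, the Python script below applies both tables to constructed sample data. The Windows part maps the legacy (pre-Vista) Security log event IDs listed above to the table's categories; Windows Vista and later use different Security log IDs (for instance 4624 for a successful logon and 4625 for a failed one), which the table does not list and the script therefore leaves uncategorised. The Linux part turns the quoted strings into case-insensitive patterns, classifies each line of a constructed auth.log sample, and counts failed logins per source address, which is the usual follow-up question once the failed-login lines have been found. The log lines, host name, user names and addresses are all constructed for the example.

```python
import re
from collections import Counter

# Windows Security log event IDs exactly as listed in the checklist (legacy, pre-Vista numbering).
WINDOWS_EVENT_CATEGORIES = {
    "successful logon": {528, 540},
    "failed logon": set(range(529, 538)) | {539},
    "logoff": {538, 551},
    "account created": {624},
    "account enabled": {626},
    "account changed": {642},
    "account disabled": {629},
    "account deleted": {630},
    "password change (self)": {628},
    "password change (other user)": {627},
    "service started/stopped": {7035, 7036},
    "object access denied": {560, 567},
}


def classify_windows_event(event_id: int) -> str:
    """Return the checklist category for a legacy Windows event ID, or 'uncategorised'."""
    for category, ids in WINDOWS_EVENT_CATEGORIES.items():
        if event_id in ids:
            return category
    return "uncategorised"


def summarize_windows_events(event_ids) -> dict:
    """Count how many events of each checklist category appear in a sequence of event IDs."""
    return dict(Counter(classify_windows_event(eid) for eid in event_ids))


# Linux syslog strings from the checklist as case-insensitive patterns. Order matters: the
# specific patterns are tried first, and the generic "failed"/"failure" service-failure
# pattern is a catch-all at the end so it does not swallow failed logins.
LINUX_PATTERNS = [
    ("successful login", re.compile(r"Accepted (password|publickey)|session opened", re.I)),
    ("failed login", re.compile(r"authentication failure|failed password", re.I)),
    ("logoff", re.compile(r"session closed", re.I)),
    ("account change", re.compile(r"password changed|new user|delete user", re.I)),
    ("sudo action", re.compile(r"sudo: .*COMMAND=|\bFAILED su\b", re.I)),
    ("service failure", re.compile(r"failed|failure", re.I)),
]

# sshd logs failed attempts as "Failed password for [invalid user] NAME from ADDR port N".
FAILED_PASSWORD_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def classify_linux_line(line: str):
    """Return the first checklist category whose pattern matches the line, or None."""
    for category, pattern in LINUX_PATTERNS:
        if pattern.search(line):
            return category
    return None


def summarize_linux_log(lines) -> dict:
    """Count lines per checklist category; lines matching nothing are counted under None."""
    return dict(Counter(classify_linux_line(line) for line in lines))


def failed_logins_by_source(lines) -> dict:
    """Count failed SSH password attempts per source address."""
    counts = Counter()
    for line in lines:
        match = FAILED_PASSWORD_RE.search(line)
        if match:
            counts[match.group(2)] += 1
    return dict(counts)


# Constructed sample data (not real logs): a legacy Windows event ID sequence and an auth.log excerpt.
SAMPLE_WINDOWS_EVENT_IDS = [528, 529, 529, 529, 529, 624, 627, 7036, 560]

SAMPLE_AUTH_LOG = [
    "Mar  3 08:01:12 host1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Mar  3 08:01:12 host1 sshd[2201]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar  3 08:02:40 host1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2",
    "Mar  3 08:02:43 host1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2",
    "Mar  3 08:02:47 host1 sshd[2212]: Failed password for root from 203.0.113.7 port 40013 ssh2",
    "Mar  3 08:05:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "Mar  3 08:06:10 host1 su: FAILED su for root by bob",
    "Mar  3 08:07:30 host1 useradd[2300]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash",
    "Mar  3 08:08:00 host1 passwd[2305]: password changed for svc_backup",
    "Mar  3 08:09:15 host1 systemd[1]: Failed to start nginx.service - A high performance web server.",
    "Mar  3 08:10:00 host1 sshd[2201]: pam_unix(sshd:session): session closed for user alice",
    "Mar  3 08:11:00 host1 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    print("Windows:", summarize_windows_events(SAMPLE_WINDOWS_EVENT_IDS))
    print("Linux:", summarize_linux_log(SAMPLE_AUTH_LOG))
    print("Failed logins by source:", failed_logins_by_source(SAMPLE_AUTH_LOG))
```

The pattern order is the part worth copying: the checklist's "failed"/"failure" rule is deliberately broad, so it must run last, otherwise every failed password attempt is reported as a service failure and the per-source count that actually tells you whether an address is guessing passwords is lost.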
Reference: https://www.sans.org/brochure/course/log-management-in-depth/6