How to Audit Active Directory for CIS / NIST Cyber Security Audit using Windows Event Viewer

Author: InfraSOS

Uploaded: 2025-06-18

Views: 414

Description:

Learn how to use Windows Event Viewer and PowerShell to audit Active Directory for cyber security threats fast.

In this step-by-step tutorial, we’ll show IT managers, security engineers and sysadmins how to detect suspicious activity in Active Directory using built-in Windows tools like Event Viewer and PowerShell. You’ll learn which key event IDs to monitor, how to correlate them to CIS Controls and the NIST Cybersecurity Framework, and how to automate the auditing process.

Want to improve your Active Directory (AD) security posture and stay compliant with CIS & NIST frameworks? In this video, we’ll walk you through a hands-on Active Directory security audit using Windows Event Viewer and PowerShell, with real-world examples from our AD lab.

You’ll learn how to detect suspicious logins, privilege escalation, group membership changes, user account lockouts, and more, all without needing expensive SIEM tools.

👉 Includes a PowerShell script to automate audit reports and to email them to you.

🔐 Topics Covered:

✅ Why auditing AD is critical for cyber security
✅ Top event IDs to track (4625, 4720, 4672, etc.)
✅ How to use Windows Event Viewer to investigate and filter logs
✅ Automate log collection with PowerShell
✅ Map logs/event IDs to CIS & NIST compliance frameworks
✅ Which security event IDs to track for cyber threats
✅ Tracking Account Lockouts and investigating lockout sources
✅ How to correlate activity with CIS Controls & NIST CSF
✅ PowerShell automation for multi-DC auditing
✅ Generate CSV reports
✅ Add email alerts for critical AD changes

Chapters:
00:00 Intro
01:17 Setting up Active Directory Auditing GPO
03:54 Monitoring User Logons & Authentication Events
11:27 InfraSOS Active Directory Auditing Overview
12:18 Auditing Admin Changes: User & Group Management Events
15:16 Windows Event Forwarding Explained
16:10 Auditing Group Policy Changes
17:30 Tracking AD Account Lockouts & Investigating Lockout Sources
23:39 Event IDs to Look out for as Signs of Compromise / Cyber Attack

📊 Key Event IDs Covered:
Event ID 4624 Successful Logon (normal login)
Event ID 4625 Failed Logon Attempt (possible brute force)
Event ID 4672 Admin Logon with Special Privileges
Event ID 4720 User Account Created
Event ID 4726 User Account Deleted
Event ID 4728 User Added to Domain Admin Group
Event ID 4729 User Removed from Security-Enabled Global Group
Event ID 4740 User Account Locked Out
Event ID 5136 Directory Object Modified (group/user/OU changes)
Event ID 5137 Object Created
Event ID 4722 / 4725 Account Enabled/Disabled
Event ID 4732 / 4733 Added/Removed from a Local Domain Group
Event ID 4738 User Account Changed
Multiple Failed Logons (4625) and Lockouts (4740)
Unauthorized Account Creation (4720)
Privilege Escalation via Group Membership (4728)
GPO Tampering (5136/5141)
Audit Log Cleared (Event 1102)
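
A sketch of the multi-DC sweep described above, written for this page as an added example (it is not the InfraSOS script linked below). It pulls a subset of the listed event IDs from every domain controller, writes a CSV, and flags repeated failed logons and cleared audit logs; the look-back window, threshold and output path are assumptions.

```powershell
# Added example, not the InfraSOS script. Assumes the ActiveDirectory (RSAT)
# module, rights to read each DC's Security log, and auditing already enabled.
Import-Module ActiveDirectory

# Event ID -> label, using IDs from the list above.
$Watch = @{
    4625 = 'Failed logon'
    4720 = 'User account created'
    4728 = 'Member added to security-enabled global group'
    4740 = 'Account locked out'
    5136 = 'Directory object modified'
    1102 = 'Audit log cleared'
}
$Since     = (Get-Date).AddHours(-24)   # look-back window (assumed)
$Threshold = 10                         # failed logons per account (assumed)
$OutCsv    = '.\ad-audit.csv'           # hypothetical output path

$rows = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = [int[]]@($Watch.Keys); StartTime = $Since }
    } catch {
        # Raised when a DC is unreachable and also when no events match.
        Write-Warning "${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Index EventData by field name; 1102 has no EventData, so $d stays empty.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc
            Id     = $e.Id
            Event  = $Watch[$e.Id]
            Target = $d['TargetUserName']
            Actor  = $d['SubjectUserName']
            # 4740 records the caller computer in TargetDomainName.
            Source = if ($e.Id -eq 4740) { $d['TargetDomainName'] } else { $d['IpAddress'] }
        }
    }
}
$rows | Export-Csv -Path $OutCsv -NoTypeInformation

# Accounts with repeated failed logons, and any cleared audit log.
$rows | Where-Object Id -eq 4625 | Group-Object Target |
    Where-Object Count -ge $Threshold | Select-Object Count, Name
$rows | Where-Object Id -eq 1102 | Select-Object Time, DC, Event
```

For lockouts, the `Source` column names the computer that sent the bad credentials, which is the starting point for tracing the lockout source.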

🔐 These Event IDs are mapped to:

CIS Control 4, 5, 6, 8
NIST PR.AC-1, PR.AC-4, DE.CM-1, DE.CM-3, CM-5


🔗 Try InfraSOS to automate Active Directory reporting across your entire AD environment:
https://infrasos.com

📄 Download the PowerShell script from the following: https://github.com/InfraSOS/Active-Di...

📌 Subscribe for more Active Directory & Office 365 Security tutorials.
