Important Event ID’s you should be monitoring in Windows.

Security
EventIDDescription
4756A member was added to a security-enabled universal group
4740A User account was Locked out
4735A security-enabled local group was changed
4732A member was added to a security-enabled local group
4728A member was added to a security-enabled global group
4724An attempt was made to reset an accounts password
4648A logon was attempted using explicit credentials
4625An account failed to log on
1102The Audit Log was cleared
4624An accout was successfully logged on
4634An account was logged off
5038Detected an invalid image hash of a file
6281Detected an invalid page hash of an image file
Application
EventIDDescription
1000Application Error
1002Application Hang- Crash
1001Application Error – Fault Bucket
1EMET
2EMET
System
EventIDDescription
104Event Log Cleared
1102The Audit Log was cleared
4719System Audit Policy was changed
6005Event log Service Stopped
7022 – 7026,
7031,
7032,
7034
Windows Services Fails or crashes
7045A service was installed in the system
4697A service was installed in the system
7022EVENT_SERVICE_START_HUNG
7023EVENT_SERVICE_EXIT_FAILED
104Event log was cleared
6New Kernel Filter Driver
Firewall
EventIDDescription
2005A Rule has been modified in the Windows firewall Exception List
2004Firewall Rule Add
2006,
2033,
2009
Firewall Rules Deleted
Terminal
Services
EventIDDescription
23Session Logoff Scceeded
24Session has been disconnected
25Session Reconnection Succeded
1102Client has initiated a multi-transport connection