[&] Why is Windows event ID 4720 important in incident response?
- It specifies a task was scheduled, relevant for detecting new tasks
- It denotes a successful logon, important for tracking user activity
- It shows that a service was installed, often linked to persistence
- It indicates a user account was created, possibly suggesting persistence

[&] Which Windows event ID is used for detecting a logon with explicit credentials?
- 4723
- 4625
- 4656
- 4648

[&] What is the purpose of correlating event IDs 4624 and 4634?
- To analyze logon durations and session activity
- To track password changes
- To determine changes made to security groups
- To verify the scheduling of new tasks

[&] What is the significance of Windows event ID 4624?
- It indicates a failed logon attempt
- It represents a successful logon
- It signifies a user account was created
- It shows a user account was enabled

[&] What does the Windows event ID 7045 signify?
- A session was reconnected
- A user account was created
- An object was accessed
- A new service was installed

[&] How does event ID 4663 assist in identifying security incidents?
- It detects when a new service is installed
- It monitors changes to user account passwords
- It identifies failed logon attempts
- It tracks object access to identify access to sensitive files