Below are a few windows event logs which can help identify threats such as brute force attacks. They can also highlight suspicious activity should your group policy be ignored. Example: Admins disabling the local firewall.
Windows Event Logs
Security 4624 Account Logon Security 4625 Failed login Security 4720 A user account was created Security 4722 A user account was enabled Security 4726 A user account was deleted Security 4740 A user account was locked out Security 4724, 4738 Additional user creation events Security 4728 A member was added to a security-enabled global group Security 4732 A member was added to a security-enabled local group Security 4724 An attempt was made to reset an accounts password Security 4767 A user account was unlocked Security 4781 The name of an account was changed Security 4738 A user account was changed Security 4660 An object was deleted Security 4776 The domain controller attempted to validate the credentials for an account Security 4743 A computer account was deleted Security 1100 The event logging service has shut down Security 1102 Clear Event log Firewall 2003 Disable firewall Firewall 4948 A change has been made to Windows Firewall exception list. A rule was deleted Firewall 4950 A Windows Firewall setting has changed Firewall 5025 The Windows Firewall Service has been stopped
Windows Defender Logs
Microsoft-Windows-AppLocker/EXE and DLL 8003 (EXE/MSI) was allowed to run but would have been prevented from running if the AppLocker policy were enforced Microsoft-Windows-AppLocker/EXE and DLL 8004 (EXE/MSI) was prevented from running. Microsoft-Windows-WindowsDefender/Operational 1116 Windows Defender has detected malware or other potentially unwanted software Microsoft-Windows-WindowsDefender/Operational 1117 Windows Defender has taken action to protect this machine from malware or other potentially unwanted software