| ID |
Event Description |
|
4703
|
A token right was adjusted
Audit Success
|
|
4704
|
A user right was assigned
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
|
|
4705
|
A user right was removed
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
|
|
4706
|
A new trust was created to a domain
Domain Controller, Audit Success
|
|
4707
|
A trust to a domain was removed
Domain Controller, Audit Success
|
|
4709
|
The IPsec Policy Agent service was started
|
|
4710
|
The IPsec Policy Agent service was disabled
|
|
4711
|
PAStore Engine
|
|
4712
|
IPsec Policy Agent encountered a potentially serious failure
|
|
4713
|
Kerberos policy was changed
Domain Controller, Audit Success
|
|
4714
|
Data Recovery Agent group policy for Encrypting File System (EFS) has changed
|
|
4715
|
The audit policy (SACL) on an object was changed
Audit Success
|
|
4716
|
Trusted domain information was modified
Domain Controller, Audit Success
|
|
4717
|
System security access was granted to an account
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
|
|
4718
|
System security access was removed from an account
ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4719
|
System audit policy was changed
Audit Success
|
|
4739
|
Domain Policy was changed
Domain Controller, NIST 800-171, NIST SP 800-53, ISO 27001:2013, Audit Success, CMMC L3
|
|
4817
|
Auditing settings on object were changed
Audit Success
|
|
4819
|
Central Access Policies on the machine have been changed
Audit Success
|
|
4826
|
Boot Configuration Data loaded
Audit Success
|
|
4864
|
A namespace collision was detected
|
|
4865
|
A trusted forest information entry was added
|
|
4866
|
A trusted forest information entry was removed
|
|
4867
|
A trusted forest information entry was modified
|
|
4902
|
The Per-user audit policy table was created
Audit Success
|
|
4904
|
An attempt was made to register a security event source
Audit Success
|
|
4905
|
An attempt was made to unregister a security event source
Audit Success
|
|
4906
|
The CrashOnAuditFail value has changed
Audit Success
|
|
4907
|
Auditing settings on object were changed
|
|
4908
|
Special Groups Logon table modified
Audit Success
|
|
4909
|
The local policy settings for the TBS were changed
Not Implemented
|
|
4910
|
The group policy settings for the TBS were changed
Not Implemented
|
|
4911
|
Resource attributes of the object were changed
Audit Success
|
|
4912
|
Per User Audit Policy was changed
Audit Success
|
|
4913
|
Central Access Policy on the object was changed
Audit Success
|
|
4944
|
The following policy was active when the Windows Firewall started
Audit Success
|
|
4945
|
A rule was listed when the Windows Firewall started
Audit Success
|
|
4946
|
A change was made to the Windows Firewall exception list. A rule was added
Audit Success
|
|
4947
|
A change was made to the Windows Firewall exception list. A rule was modified
Audit Success
|
|
4948
|
A change was made to the Windows Firewall exception list. A rule was deleted
Audit Success
|
|
4949
|
Windows Firewall settings were restored to the default values.
Audit Success
|
|
4950
|
A Windows Firewall setting was changed
Audit Success
|
|
4951
|
Windows Firewall ignored a rule because its major version number is not recognized
Audit Failure
|
|
4952
|
Windows Firewall ignored parts of a rule because its minor version number is not recognized
Audit Failure
|
|
4953
|
Windows Firewall ignored a rule because it could not be parsed
Audit Failure
|
|
4954
|
Group Policy settings for Windows Firewall were changed, and the new settings were applied.
Audit Success
|
|
4956
|
Windows Firewall changed the active profile
Audit Success
|
|
4957
|
Windows Firewall did not apply the following rule
Audit Failure
|
|
4958
|
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Audit Failure
|
|
5040
|
A change was made to IPsec settings. An authentication set was added.
|
|
5041
|
A change was made to IPsec settings. An authentication set was modified.
|
|
5042
|
A change was made to IPsec settings. An authentication set was deleted.
|
|
5043
|
A change was made to IPsec settings. A connection security rule was added.
|
|
5044
|
A change was made to IPsec settings. A connection security rule was modified.
|
|
5045
|
A change was made to IPsec settings. A connection security rule was deleted.
|
|
5046
|
A change was made to IPsec settings. A crypto set was added.
|
|
5047
|
A change was made to IPsec settings. A crypto set was modified.
|
|
5048
|
A change was made to IPsec settings. A crypto set was deleted.
|
|
5063
|
A cryptographic provider operation was attempted.
Audit Success, Audit Failure
|
|
5064
|
A cryptographic context operation was attempted.
Audit Success, Audit Failure
|
|
5065
|
A cryptographic context modification was attempted.
Audit Success, Audit Failure
|
|
5066
|
A cryptographic function operation was attempted.
Audit Success, Audit Failure
|
|
5067
|
A cryptographic function modification was attempted.
Audit Success, Audit Failure
|
|
5068
|
A cryptographic function provider operation was attempted.
Audit Success, Audit Failure
|
|
5069
|
A cryptographic function property operation was attempted.
Audit Success, Audit Failure
|
|
5070
|
A cryptographic function property modification was attempted.
Audit Success, Audit Failure
|
|
5440
|
The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
|
|
5441
|
The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
|
|
5442
|
The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
|
|
5443
|
The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
|
|
5444
|
The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
|
|
5446
|
A Windows Filtering Platform callout has been changed.
|
|
5447
|
A Windows Filtering Platform filter has been changed.
Audit Success
|
|
5448
|
A Windows Filtering Platform provider has been changed.
|
|
5449
|
A Windows Filtering Platform provider context has been changed.
|
|
5450
|
A Windows Filtering Platform sub-layer has been changed.
|
|
5456
|
IPsec Policy Agent applied Active Directory storage IPsec policy on the computer.
|
|
5457
|
IPsec Policy Agent failed to apply Active Directory storage IPsec policy on the computer.
|
|
5458
|
IPsec Policy Agent applied locally cached copy of Active Directory storage IPsec policy on the computer.
|
|
5459
|
IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
|
|
5460
|
IPsec Policy Agent applied local registry storage IPsec policy on the computer.
|
|
5461
|
IPsec Policy Agent failed to apply local registry storage IPsec policy on the computer
|
|
5462
|
IPsec Policy Agent failed to apply some rules of the active IPsec policy on the computer.
|
|
5463
|
IPsec Policy Agent polled for changes to the active IPsec policy and detected no changes.
|
|
5464
|
IPsec Policy Agent polled for changes to the active IPsec policy, detected changes, and applied them.
|
|
5465
|
IPsec Policy Agent received a control for forced reloading of IPsec policy and processed the control successfully.
|
|
5466
|
IPsec Policy Agent polled for changes to the Active Directory IPsec policy.
|
|
5467
|
IPsec Policy Agent polled for changes to the Active Directory IPsec policy.
|
|
5468
|
IPsec Policy Agent polled for changes to the Active Directory IPsec policy.
|
|
5471
|
IPsec Policy Agent loaded local storage IPsec policy on the computer.
|
|
5472
|
IPsec Policy Agent failed to load local storage IPsec policy on the computer.
|
|
5473
|
IPsec Policy Agent loaded directory storage IPsec policy on the computer.
|
|
5474
|
IPsec Policy Agent failed to load directory storage IPsec policy on the computer.
|
|
5477
|
IPsec Policy Agent failed to add quick mode filter.
|
|
6144
|
Security policy in the group policy objects has been applied successfully.
Audit Success
|
|
6145
|
One or more errors occurred while processing security policy in the group policy objects.
Audit Failure
|
|
608
|
User Right Assigned
|
|
609
|
User Right Removed
|
|
610
|
New Trusted Domain
|
|
611
|
Trusted Domain Removed
|
|
612
|
Audit Policy Change
|
|
613
|
IPSec Services started
|
|
614
|
IPSec Services disabled
|
|
616
|
IPSec Services encountered a potentially serious failure
|
|
617
|
Kerberos Policy Changed
|
|
618
|
Encrypted Data Recovery Policy Changed
|
|
619
|
Audit Security Object changed
|
|
620
|
Trusted Domain Information Modified
|
|
621
|
System Security Access Granted
|
|
622
|
System Security Access Removed
|
|
623
|
System Audit Policy Change
|
|
806
|
Per User Audit Policy table created
|
|
807
|
Per user auditing policy set for user
|
|
808
|
A security event source has attempted to register
|
|
809
|
A security event source has attempted to unregister
|
|
848
|
The following policy was active when the Windows Firewall started
|
|
849
|
A rule was listed when the Windows Firewall started
|
|
850
|
A change has been made to Windows Firewall exception list
|
|
851
|
A change has been made to Windows Firewall exception list. A rule was modified
|
|
852
|
A change has been made to Windows Firewall exception list. A rule was deleted
|
|
853
|
A change has been made to Windows Firewall settings. Settings restored to factory defaults.
|
|
854
|
A Windows Firewall setting has changed
|
|
855
|
A rule has been ignored because its major version number was not recognized by Windows Firewall
|
|
856
|
A rule has been partially ignored because its minor version number was not recognized by Windows Firewall
|
|
857
|
A rule has been rejected by Windows Firewall
|
|
858
|
Windows Firewall group policy settings have been applied
|
|
859
|
The Windows Firewall group policy settings have been removed.
|