Event Log Security - Windows Event Search

ID	Event Description
1102	The audit log was cleared CJIS, ISO 27001:2013, PCI-DSS
4611	A trusted logon process has been registered with the Local Security Authority Audit Success
4616	The system time was changed Audit Success
4624	An account was successfully logged on CJIS, Audit Success, ISO 27001:2013, HIPAA, NIST SP 800-53, CMMC L1, NIST 800-171
4625	An account failed to log on Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST SP 800-53, NIST 800-171, CMMC L1
4626	User / Device claims information Audit Success
4627	Group membership information Audit Success
4648	A logon was attempted using explicit credentials Audit Success
4649	A replay attack was detected Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013
4656	A handle to an object was requested Audit Failure, Audit Success, CJIS
4657	A registry value was modified Audit Success
4658	The handle to an object was closed Audit Success
4659	A handle to an object was requested with intent to delete
4660	An object was deleted Audit Success
4661	A handle to an object was requested Domain Controller, Audit Success, Audit Failure
4662	An operation was performed on an object Domain Controller, Audit Success, Audit Failure
4663	An attempt was made to access an object Audit Success, CJIS
4664	An attempt was made to create a hard link Audit Success
4670	Permissions on an object were changed Audit Success
4672	Special privileges assigned to new logon Audit Success
4673	A privileged service was called Audit Success
4674	An operation was attempted on a privileged object Audit Failure, Audit Success
4688	A new process has been created NIST 800-171, NIST SP 800-53, Audit Success, ISO 27001:2013, CMMC L3
4689	A process has exited Audit Success
4690	An attempt was made to duplicate a handle to an object Audit Success
4692	Backup of data protection master key was attempted Audit Success, Audit Failure
4693	Recovery of data protection master key was attempted Audit Success, Audit Failure
4696	A primary token was assigned to process Audit Success
4697	A service was installed in the system Audit Success
4698	A scheduled task was created Audit Success, PCI-DSS
4699	A scheduled task was deleted Audit Success, PCI-DSS
4700	A scheduled task was enabled Audit Success
4701	A scheduled task was disabled Audit Success
4702	A scheduled task was updated Audit Success, PCI-DSS
4703	A token right was adjusted Audit Success
4704	A user right was assigned ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
4705	A user right was removed ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
4713	Kerberos policy was changed Domain Controller, Audit Success
4717	System security access was granted to an account ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
4718	System security access was removed from an account ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
4719	System audit policy was changed Audit Success
4720	A user account was created ISO 27001:2013, NIST SP 800-53, Audit Success, PCI-DSS, NIST 800-171, CMMC L1
4722	A user account was enabled ISO 27001:2013, NIST SP 800-53, NIST 800-171, Audit Success, PCI-DSS, CMMC L1
4723	An attempt was made to change an account's password Audit Success, Audit Failure, CJIS
4725	A user account was disabled ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4726	A user account was deleted ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4727	A security-enabled global group was created Domain Controller
4728	A member was added to a security-enabled global group Domain Controller, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L1
4729	A member was removed from a security-enabled global group Domain Controller
4730	A security-enabled global group was deleted Domain Controller
4731	A security-enabled local group was created Audit Success
4732	A member was added to a security-enabled local group ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
4733	A member was removed from a security-enabled local group Audit Success
4734	A security-enabled local group was deleted Audit Success
4735	A security-enabled local group was changed Audit Success
4737	A security-enabled global group was changed Domain Controller
4738	A user account was changed ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
4739	Domain Policy was changed Domain Controller, NIST 800-171, NIST SP 800-53, ISO 27001:2013, Audit Success, CMMC L3
4740	A user account was locked out ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
4741	A computer account was created Domain Controller, Audit Success
4742	A computer account was changed Domain Controller, Audit Success
4743	A computer account was deleted Domain Controller, Audit Success
4744	A security-disabled local group was created
4745	A security-disabled local group was changed
4746	A member was added to a security-disabled local group
4747	A member was removed from a security-disabled local group
4748	A security-disabled local group was deleted
4749	A security-disabled global group was created Domain Controller, Audit Success
4750	A security-disabled global group was changed Domain Controller, Audit Success
4751	A member was added to a security-disabled global group Domain Controller, Audit Success
4752	A member was removed from a security-disabled global group Domain Controller, Audit Success
4753	A security-disabled global group was deleted Domain Controller, Audit Success
4754	A security-enabled universal group was created Domain Controller
4755	A security-enabled universal group was changed Domain Controller
4756	A member was added to a security-enabled universal group Domain Controller, ISO 27001:2013
4757	A member was removed from a security-enabled universal group Domain Controller
4758	A security-enabled universal group was deleted Domain Controller
4759	A security-disabled universal group was created Domain Controller
4760	A security-disabled universal group was changed Domain Controller
4761	A member was added to a security-disabled universal group Domain Controller
4762	A member was removed from a security-disabled universal group Domain Controller
4763	A security-disabled universal group was deleted Domain Controller
4764	A group’s type was changed Domain Controller, Audit Success
4767	A user account was unlocked ISO 27001:2013, Audit Success
4781	The name of an account was changed Audit Success
4782	The password hash an account was accessed Domain Controller, Audit Success
4793	The Password Policy Checking API was called Domain Controller, Audit Success
4794	An attempt was made to set the Directory Services Restore Mode administrator password Domain Controller, Audit Success, Audit Failure
4797	An attempt was made to query the existence of a blank password for an account
4798	A user's local group membership was enumerated Audit Success
4799	A security-enabled local group membership was enumerated Audit Success
4819	Central Access Policies on the machine have been changed Audit Success
4826	Boot Configuration Data loaded Audit Success
4904	An attempt was made to register a security event source Audit Success
4905	An attempt was made to unregister a security event source Audit Success
4912	Per User Audit Policy was changed Audit Success
4985	The state of a transaction has changed Audit Success
5136	A directory service object was modified Domain Controller, Audit Success
5137	A directory service object was created Domain Controller, Audit Success
5140	A network share object was accessed Audit Success, Audit Failure
5142	A network share object was added Audit Success
5143	A network share object was modified Audit Success
5144	A network share object was deleted Audit Success
6416	A new external device was recognized by the system. Audit Success

Audit Category

Audit Subcategory

Operating Systems

Tags

Auditing

Volume

EventSentry