| ID | Event Description | Tags |
|---|---|---|
| 1100 | The event logging service has shut down | Audit Success, PCI-DSS |
| 4608 | Windows is starting up | Audit Success, PCI-DSS |
| 4610 | An authentication package has been loaded by the Local Security Authority | Audit Success |
| 4611 | A trusted logon process has been registered with the Local Security Authority | Audit Success |
| 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits | Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3, CMMC L2 |
| 4614 | A notification package has been loaded by the Security Account Manager | Audit Success |
| 4615 | Invalid use of LPC port | Audit Success |
| 4616 | The system time was changed | Audit Success |
| 4618 | A monitored security event pattern has occurred. | Audit Success |
| 4621 | Administrator recovered system from CrashOnAuditFail. | Audit Success, NIST SP 800-53, NIST 800-171, CMMC L2 |
| 4622 | A security package has been loaded by the Local Security Authority | Audit Success |
| 4624 | An account was successfully logged on | CJIS, Audit Success, ISO 27001:2013, HIPAA, NIST SP 800-53, CMMC L1, NIST 800-171 |
| 4626 | User / Device claims information | Audit Success |
| 4627 | Group membership information | Audit Success |
| 4634 | An account was logged off | Audit Success |
| 4646 | n/a | Audit Success |
| 4647 | User initiated logoff | Audit Success |
| 4648 | A logon was attempted using explicit credentials | Audit Success |
| 4649 | A replay attack was detected | Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013 |
| 4650 | An IPsec main mode security association was established | Audit Success |
| 4651 | An IPsec main mode security association was established | Audit Success |
| 4655 | An IPsec main mode security association ended | Audit Success |
| 4656 | A handle to an object was requested | Audit Failure, Audit Success, CJIS |
| 4657 | A registry value was modified | Audit Success |
| 4658 | The handle to an object was closed | Audit Success |
| 4660 | An object was deleted | Audit Success |
| 4661 | A handle to an object was requested | Domain Controller, Audit Success, Audit Failure |
| 4662 | An operation was performed on an object | Domain Controller, Audit Success, Audit Failure |
| 4663 | An attempt was made to access an object | Audit Success, CJIS |
| 4664 | An attempt was made to create a hard link | Audit Success |
| 4670 | Permissions on an object were changed | Audit Success |
| 4672 | Special privileges assigned to new logon | Audit Success |
| 4673 | A privileged service was called | Audit Success |
| 4674 | An operation was attempted on a privileged object | Audit Failure, Audit Success |
| 4675 | SIDs were filtered | Domain Controller, Audit Success |
| 4688 | A new process has been created | NIST 800-171, NIST SP 800-53, Audit Success, ISO 27001:2013, CMMC L3 |
| 4689 | A process has exited | Audit Success |
| 4690 | An attempt was made to duplicate a handle to an object | Audit Success |
| 4691 | Indirect access to an object was requested | Audit Success |
| 4692 | Backup of data protection master key was attempted | Audit Success, Audit Failure |
| 4693 | Recovery of data protection master key was attempted | Audit Success, Audit Failure |
| 4694 | Protection of auditable protected data was attempted | Audit Success, Audit Failure |
| 4695 | Unprotection of auditable protected data was attempted | Audit Success, Audit Failure |
| 4696 | A primary token was assigned to process | Audit Success |
| 4697 | A service was installed in the system | Audit Success |
| 4698 | A scheduled task was created | Audit Success, PCI-DSS |
| 4699 | A scheduled task was deleted | Audit Success, PCI-DSS |
| 4700 | A scheduled task was enabled | Audit Success |
| 4701 | A scheduled task was disabled | Audit Success |
| 4702 | A scheduled task was updated | Audit Success, PCI-DSS |
| 4703 | A token right was adjusted | Audit Success |
| 4704 | A user right was assigned | ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3 |
| 4705 | A user right was removed | ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3 |
| 4706 | A new trust was created to a domain | Domain Controller, Audit Success |
| 4707 | A trust to a domain was removed | Domain Controller, Audit Success |
| 4713 | Kerberos policy was changed | Domain Controller, Audit Success |
| 4715 | The audit policy (SACL) on an object was changed | Audit Success |
| 4716 | Trusted domain information was modified | Domain Controller, Audit Success |
| 4717 | System security access was granted to an account | ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3 |
| 4719 | System audit policy was changed | Audit Success |
| 4720 | A user account was created | ISO 27001:2013, NIST SP 800-53, Audit Success, PCI-DSS, NIST 800-171, CMMC L1 |
| 4722 | A user account was enabled | ISO 27001:2013, NIST SP 800-53, NIST 800-171, Audit Success, PCI-DSS, CMMC L1 |
| 4723 | An attempt was made to change an account's password | Audit Success, Audit Failure, CJIS |
| 4724 | An attempt was made to reset an account's password | Audit Failure, Audit Success, CJIS, ISO 27001:2013 |
| 4725 | A user account was disabled | ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1 |
| 4726 | A user account was deleted | ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1 |
| 4731 | A security-enabled local group was created | Audit Success |
| 4732 | A member was added to a security-enabled local group | ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1 |
| 4733 | A member was removed from a security-enabled local group | Audit Success |
| 4734 | A security-enabled local group was deleted | Audit Success |
| 4735 | A security-enabled local group was changed | Audit Success |
| 4738 | A user account was changed | ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1 |
| 4739 | Domain Policy was changed | Domain Controller, NIST 800-171, NIST SP 800-53, ISO 27001:2013, Audit Success, CMMC L3 |
| 4740 | A user account was locked out | ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3 |
| 4741 | A computer account was created | Domain Controller, Audit Success |
| 4742 | A computer account was changed | Domain Controller, Audit Success |
| 4743 | A computer account was deleted | Domain Controller, Audit Success |
| 4749 | A security-disabled global group was created | Domain Controller, Audit Success |
| 4750 | A security-disabled global group was changed | Domain Controller, Audit Success |
| 4751 | A member was added to a security-disabled global group | Domain Controller, Audit Success |
| 4752 | A member was removed from a security-disabled global group | Domain Controller, Audit Success |
| 4753 | A security-disabled global group was deleted | Domain Controller, Audit Success |
| 4764 | A group’s type was changed | Domain Controller, Audit Success |
| 4765 | SID History was added to an account | Domain Controller, Audit Success |
| 4767 | A user account was unlocked | ISO 27001:2013, Audit Success |
| 4768 | This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). | Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, NIST 800-171, NIST SP 800-53 |
| 4769 | A Kerberos service ticket was requested | Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1 |
| 4770 | A Kerberos service ticket was renewed | Domain Controller, Audit Success |
| 4774 | An account was mapped for logon | Domain Controller, Audit Success, Audit Failure |
| 4776 | The computer attempted to validate the credentials for an account | Audit Failure, Audit Success, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1 |
| 4778 | A session was reconnected to a Window Station | Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4779 | A session was disconnected from a Window Station | Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4780 | The ACL was set on accounts which are members of administrators groups | Domain Controller, Audit Success |
| 4781 | The name of an account was changed | Audit Success |
| 4782 | The password hash an account was accessed | Domain Controller, Audit Success |
| 4783 | A basic application group was created | Domain Controller, Audit Success |
| 4784 | A basic application group was changed | Domain Controller, Audit Success |
| 4785 | A member was added to a basic application group | Domain Controller, Audit Success |
| 4786 | A member was removed from a basic application group | Domain Controller, Audit Success |
| 4787 | A non-member was added to a basic application group | Domain Controller, Audit Success |
| 4788 | A non-member was removed from a basic application group | Domain Controller, Audit Success |
| 4789 | A basic application group was deleted | Domain Controller, Audit Success |
| 4790 | An LDAP query group was created | Domain Controller, Audit Success |
| 4791 | A basic application group was changed | Domain Controller, Audit Success |
| 4792 | An LDAP query group was deleted | Domain Controller, Audit Success |
| 4793 | The Password Policy Checking API was called | Domain Controller, Audit Success |
| 4794 | An attempt was made to set the Directory Services Restore Mode administrator password | Domain Controller, Audit Success, Audit Failure |
| 4798 | A user's local group membership was enumerated | Audit Success |
| 4799 | A security-enabled local group membership was enumerated | Audit Success |
| 4800 | The workstation was locked | Audit Success, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4801 | The workstation was unlocked | ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4802 | The screen saver was invoked | ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4803 | The screen saver was dismissed | ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4816 | RPC detected an integrity violation while decrypting an incoming message. | Audit Success |
| 4817 | Auditing settings on object were changed | Audit Success |
| 4818 | Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy | Audit Success |
| 4819 | Central Access Policies on the machine have been changed | Audit Success |
| 4826 | Boot Configuration Data loaded | Audit Success |
| 4902 | The Per-user audit policy table was created | Audit Success |
| 4904 | An attempt was made to register a security event source | Audit Success |
| 4905 | An attempt was made to unregister a security event source | Audit Success |
| 4906 | The CrashOnAuditFail value has changed | Audit Success |
| 4908 | Special Groups Logon table modified | Audit Success |
| 4911 | Resource attributes of the object were changed | Audit Success |
| 4912 | Per User Audit Policy was changed | Audit Success |
| 4913 | Central Access Policy on the object was changed | Audit Success |
| 4928 | An Active Directory replica source naming context was established | Domain Controller, Audit Success, Audit Failure |
| 4929 | An Active Directory replica source naming context was removed | Domain Controller, Audit Success, Audit Failure |
| 4930 | An Active Directory replica source naming context was modified | Domain Controller, Audit Success, Audit Failure |
| 4931 | An Active Directory replica destination naming context was modified | Domain Controller, Audit Success, Audit Failure |
| 4932 | Synchronization of a replica of an Active Directory naming context has begun | Audit Success, Audit Failure, Domain Controller |
| 4933 | Synchronization of a replica of an Active Directory naming context has ended | Audit Success, Audit Failure, Domain Controller |
| 4934 | Attributes of an Active Directory object were replicated | Domain Controller, Audit Success, Audit Failure |
| 4935 | Replication failure begins | Domain Controller, Audit Success, Audit Failure |
| 4936 | Replication failure ends | Domain Controller, Audit Success, Audit Failure |
| 4937 | A lingering object was removed from a replica | Audit Success |
| 4944 | The following policy was active when the Windows Firewall started | Audit Success |
| 4945 | A rule was listed when the Windows Firewall started | Audit Success |
| 4946 | A change was made to the Windows Firewall exception list. A rule was added | Audit Success |
| 4947 | A change was made to the Windows Firewall exception list. A rule was modified | Audit Success |
| 4948 | A change was made to the Windows Firewall exception list. A rule was deleted | Audit Success |
| 4949 | Windows Firewall settings were restored to the default values. | Audit Success |
| 4950 | A Windows Firewall setting was changed | Audit Success |
| 4954 | Group Policy settings for Windows Firewall were changed, and the new settings were applied. | Audit Success |
| 4956 | Windows Firewall changed the active profile | Audit Success |
| 4964 | Special groups have been assigned to a new logon | Audit Success |
| 4976 | During main mode negotiation, IPsec received an invalid negotiation packet | Audit Success |
| 4985 | The state of a transaction has changed | Audit Success |
| 5024 | The Windows Firewall service started successfully. | Audit Success |
| 5025 | The Windows Firewall service was stopped. | Audit Success |
| 5033 | The Windows Firewall Driver started successfully. | Audit Success |
| 5034 | The Windows Firewall Driver was stopped. | Audit Success |
| 5049 | An IPsec security association was deleted. | Audit Success |
| 5056 | A cryptographic self test was performed. | Audit Success |
| 5058 | Key file operation. | Audit Success, Audit Failure |
| 5059 | Key migration operation. | Audit Success, Audit Failure |
| 5061 | Cryptographic operation. | Audit Success, Audit Failure |
| 5062 | A kernel-mode cryptographic self test was performed. | Audit Success |
| 5063 | A cryptographic provider operation was attempted. | Audit Success, Audit Failure |
| 5064 | A cryptographic context operation was attempted. | Audit Success, Audit Failure |
| 5065 | A cryptographic context modification was attempted. | Audit Success, Audit Failure |
| 5066 | A cryptographic function operation was attempted. | Audit Success, Audit Failure |
| 5067 | A cryptographic function modification was attempted. | Audit Success, Audit Failure |
| 5068 | A cryptographic function provider operation was attempted. | Audit Success, Audit Failure |
| 5069 | A cryptographic function property operation was attempted. | Audit Success, Audit Failure |
| 5070 | A cryptographic function property modification was attempted. | Audit Success, Audit Failure |
| 5136 | A directory service object was modified | Domain Controller, Audit Success |
| 5137 | A directory service object was created | Domain Controller, Audit Success |
| 5138 | A directory service object was undeleted. | Domain Controller, Audit Success |
| 5139 | A directory service object was moved. | Domain Controller, Audit Success |
| 5140 | A network share object was accessed | Audit Success, Audit Failure |
| 5141 | A directory service object was deleted. | Domain Controller, Audit Success |
| 5142 | A network share object was added | Audit Success |
| 5143 | A network share object was modified | Audit Success |
| 5144 | A network share object was deleted | Audit Success |
| 5145 | A network share object was checked to see whether client can be granted desired access. | Audit Success, Audit Failure |
| 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. | Audit Success |
| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Audit Success |
| 5156 | The Windows Filtering Platform has allowed a connection. | Audit Success |
| 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Audit Success |
| 5169 | A directory service object was modified. | Domain Controller, Audit Success, Audit Failure |
| 5376 | Credential Manager credentials were backed up. | Audit Success |
| 5377 | Credential Manager credentials were restored from a backup. | Audit Success |
| 5447 | A Windows Filtering Platform filter has been changed. | Audit Success |
| 5453 | An IPsec negotiation with a remote computer failed. | Audit Success |
| 5478 | The IPsec Policy Agent service was started. | Audit Success |
| 5632 | A request was made to authenticate to a wireless network. | Audit Success, Audit Failure |
| 5633 | A request was made to authenticate to a wired network. | Audit Success, Audit Failure |
| 5712 | A Remote Procedure Call (RPC) was attempted. | Audit Success |
| 5888 | An object in the COM+ Catalog was modified. | Audit Success |
| 5889 | An object was deleted from the COM+ Catalog. | Audit Success |
| 5890 | An object was added to the COM+ Catalog. | Audit Success |
| 6144 | Security policy in the group policy objects has been applied successfully. | Audit Success |
| 6272 | Network Policy Server granted access to a user. | Audit Success, Audit Failure |
| 6273 | Network Policy Server denied access to a user. | Audit Success, Audit Failure |
| 6274 | Network Policy Server discarded the request for a user. | Audit Success, Audit Failure |
| 6275 | Network Policy Server discarded the accounting request for a user. | Audit Success, Audit Failure |
| 6276 | Network Policy Server quarantined a user. | Audit Success, Audit Failure |
| 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. | Audit Success, Audit Failure |
| 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. | Audit Success, Audit Failure |
| 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. | Audit Success, Audit Failure |
| 6280 | Network Policy Server unlocked the user account. | Audit Success, Audit Failure |
| 6416 | A new external device was recognized by the system. | Audit Success |
| 6419 | A request was made to disable a device. | Audit Success |
| 6420 | A device was disabled. | Audit Success |
| 6421 | A request was made to enable a device. | Audit Success |
| 6422 | A device was enabled. | Audit Success |
| 6423 | The installation of this device is forbidden by system policy. | Audit Success |
| 6424 | The installation of this device was allowed, after having previously been forbidden by policy. | Audit Success |