Key Security Events for All Windows Networks

Account Management
User Account Management
A user account was created
A user account was enabled
A user account was disabled
A user account was deleted
Security Group Management
A member was added to a security-enabled global group
A member was added to a security-enabled local group
Computer Account Management
A computer account was created
A computer account was changed
A computer account was deleted
Security Group Management
A member was added to a security-enabled universal group
User Account Management
The ACL was set on accounts which are members of administrators groups
Other Account Management Events
The password hash of an account was accessed
The Password Policy Checking API was called
Detailed Tracking
Process Creation
A new process has been created
Process Termination
A process has exited
DPAPI Activity
Backup of data protection master key was attempted
Recovery of data protection master key was attempted
Protection of auditable protected data was attempted
Unprotection of auditable protected data was attempted
Logon/Logoff
Logon, Account Lockout
An account failed to log on
User / Device Claims
User / Device claims information
Group Membership
Group membership information
Logon
A logon was attempted using explicit credentials
Other Logon/Logoff Events
A replay attack was detected
Logon
SIDs were filtered
Other Logon/Logoff Events
A session was reconnected to a Window Station
A session was disconnected from a Window Station
The workstation was locked
The workstation was unlocked
Object Access
File Share
A network share object was added
File System, Kernel Object, Registry, Removable Storage
An attempt was made to access an object
Other Object Access Events
A scheduled task was created
A scheduled task was deleted
A scheduled task was enabled
A scheduled task was disabled
A scheduled task was updated
Policy Change
Other Policy Change Events
One or more errors occurred while processing security policy in the group policy objects.
Audit Policy Change
The Per-user audit policy table was created
An attempt was made to register a security event source
Per User Audit Policy was changed
MPSSVC Rule-Level Policy Change
The following policy was active when the Windows Firewall started
A rule was listed when the Windows Firewall started
A change was made to the Windows Firewall exception list. A rule was added
A change was made to the Windows Firewall exception list. A rule was modified
A change was made to the Windows Firewall exception list. A rule was deleted
Windows Firewall settings were restored to the default values.
A Windows Firewall setting was changed
Windows Firewall ignored a rule because its major version number is not recognized
Windows Firewall ignored parts of a rule because its minor version number is not recognized
Windows Firewall ignored a rule because it could not be parsed
Windows Firewall changed the active profile
Windows Firewall did not apply the following rule
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Authentication Policy Change
Kerberos policy was changed
Audit Policy Change
System audit policy was changed
Authentication Policy Change
Domain Policy was changed
Other Policy Change Events
A cryptographic provider operation was attempted.
A cryptographic context operation was attempted.
A cryptographic context modification was attempted.
A cryptographic function operation was attempted.
A cryptographic function modification was attempted.
A cryptographic function provider operation was attempted.
A cryptographic function property operation was attempted.
A cryptographic function property modification was attempted.
Central Access Policies on the machine have been changed
Boot Configuration Data loaded
System
Other System Events
The event logging service has shut down
The audit log was cleared
IPsec Driver
The IPsec Policy Agent service was started.
IPsec Policy Agent failed to get the complete list of network interfaces on the computer.
The IPsec Policy Agent service failed to initialize its RPC server.
The IPsec Policy Agent service experienced a critical failure and has shut down.
IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.
Other System Events
The Windows Firewall service started successfully.
The Windows Firewall service was unable to retrieve the security policy from the local storage.
Windows Firewall was unable to parse the new security policy.
The Windows Firewall service failed to initialize the driver.
The Windows Firewall service failed to start.
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
The Windows Firewall Driver started successfully.
The Windows Firewall Driver was stopped.
The Windows Firewall Driver failed to start.
The Windows Firewall Driver detected a critical runtime error.
An attempt to programmatically disable Windows Firewall was rejected.
System Integrity
Verification operation failed.

How to Enable Auditing

How to enable auditing with Group Policy

  • Open the “Group Policy Management” console
  • Navigate to the “Group Policy Objects” container of the applicable domain
  • Right-click the container and create a new GPO with a descriptive name (e.g. “Mandatory Auditing”)
  • Right-click the newly created GPO and select “Import Settings”
  • Proceed through the wizard and point the “Backup Folder” path to the folder where the downloaded zip file was extracted
  • The GPO will now contain the audit policies for all events listed above
  • Link the GPO to the domain or to the selected OUs
Download Group Policy Object
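The same seven steps, scripted with the GroupPolicy module that ships with RSAT and on domain controllers. This is an added example and not part of the original page or its downloadable GPO; it assumes the zip was extracted to C:\Temp\MandatoryAuditing (the folder then holds manifest.xml plus one {backup-guid} subfolder, which is how Backup-GPO lays out a backup), that the GPO should be called “Mandatory Auditing”, and that it runs as a domain user with rights to create and link GPOs. The final check reads the advanced audit settings that Import-GPO wrote into SYSVOL, so you can confirm the import carried the audit policy rather than an empty GPO.

```powershell
# Added example (not the page's own code): scripted equivalent of the
# Group Policy Management steps above.
Import-Module GroupPolicy

$BackupPath = 'C:\Temp\MandatoryAuditing'   # assumed extraction folder of the downloaded zip
$GpoName    = 'Mandatory Auditing'          # the descriptive name suggested above

# Backup-GPO stores each backup in a subfolder named after its backup ID
# ({guid}), so the folder name is the ID that Import-GPO needs.
$backupDir = Get-ChildItem -Path $BackupPath -Directory |
    Where-Object { $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' } |
    Select-Object -First 1
if (-not $backupDir) { throw "No GPO backup folder ({guid}) found under $BackupPath" }
$backupId = [guid]$backupDir.Name   # the [guid] cast accepts the braces

# Create the GPO if it does not exist yet and import the backed-up settings into it
Import-GPO -BackupId $backupId -Path $BackupPath -TargetName $GpoName -CreateIfNeeded | Out-Null

# Link at the domain root; replace $target with an OU distinguished name to scope it
$target = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$alreadyLinked = (Get-GPInheritance -Target $target).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $target -LinkEnabled Yes | Out-Null
}

# Advanced audit policy lives in SYSVOL as audit.csv under the GPO's folder.
# $env:USERDNSDOMAIN is assumed to be the domain hosting the GPO.
$gpo      = Get-GPO -Name $GpoName
$auditCsv = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\Audit\audit.csv"
if (Test-Path $auditCsv) {
    # Show which subcategories the GPO configures and to what setting
    Import-Csv $auditCsv | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
} else {
    Write-Warning "No advanced audit settings found in '$GpoName'; check that the import succeeded"
}
```

Clients pick the policy up at the next Group Policy refresh; run gpupdate /force on a test host and compare the output of auditpol /get /category:* against the list of subcategories above before rolling the link out to production OUs.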

How to enable auditing with auditpol.exe

Run the following from an elevated command prompt (auditpol needs the “Manage auditing and security log” privilege):

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"User / Device Claims" /success:enable /failure:enable
auditpol /set /subcategory:"Group Membership" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
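Setting the policy is only half the job; you also want to know whether a given host actually carries it. The script below is an added example, not part of the original page: it parses the CSV form of auditpol /get (columns Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting, Setting Value), lists every subcategory from the list above that is not set to “Success and Failure”, and optionally repairs them with the same auditpol /set calls. The subcategory list and the $Remediate switch are this example's own; run it from an elevated PowerShell prompt, since auditpol /get needs the same privilege as /set.

```powershell
# Added example (not the page's own code): compliance check for the
# audit subcategories listed above, with optional remediation.
$Remediate = $false   # set to $true to apply auditpol /set for any gap found

# The subcategories the page's auditpol commands enable
$RequiredSubcategories = @(
    'User Account Management', 'Security Group Management', 'Computer Account Management',
    'Other Account Management Events', 'Process Creation', 'Process Termination',
    'DPAPI Activity', 'Logon', 'Account Lockout', 'User / Device Claims',
    'Group Membership', 'Other Logon/Logoff Events', 'File Share', 'File System',
    'Kernel Object', 'Registry', 'Removable Storage', 'Other Object Access Events',
    'Other Policy Change Events', 'Audit Policy Change', 'MPSSVC Rule-Level Policy Change',
    'Authentication Policy Change', 'Other System Events', 'IPsec Driver', 'System Integrity'
)

function Get-EffectiveAuditPolicy {
    # auditpol /r prints CSV; drop blank lines before handing it to the parser
    auditpol /get /category:* /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv
}

function Get-AuditPolicyGap {
    param([string[]]$Required = $RequiredSubcategories)
    $effective = Get-EffectiveAuditPolicy
    foreach ($name in $Required) {
        $row = $effective | Where-Object { $_.Subcategory -eq $name }
        # A subcategory auditpol does not know (e.g. a typo in the list) is a gap too
        $current = if ($row) { $row.'Inclusion Setting' } else { '<unknown subcategory>' }
        if ($current -ne 'Success and Failure') {
            [pscustomobject]@{ Subcategory = $name; Current = $current }
        }
    }
}

function Set-RequiredAuditPolicy {
    param([string[]]$Subcategories)
    foreach ($name in $Subcategories) {
        auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for '$name'" }
    }
}

$gaps = @(Get-AuditPolicyGap)
if (-not $gaps) {
    "Compliant: all $($RequiredSubcategories.Count) subcategories audit Success and Failure"
} else {
    "Non-compliant subcategories:"
    $gaps | Format-Table -AutoSize
    if ($Remediate) {
        Set-RequiredAuditPolicy -Subcategories $gaps.Subcategory
        "Remaining gaps after remediation: $(@(Get-AuditPolicyGap).Count)"
    }
}
```

Two caveats when you use this. On a domain-joined host that receives Advanced Audit Policy Configuration from a GPO, a local auditpol /set is overwritten at the next Group Policy refresh, so treat the remediation path as a lab or break-glass tool and fix the GPO in production. And enabling Process Creation alone gives you “A new process has been created” without the command line; that needs the separate “Include command line in process creation events” policy under Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation.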