Key Security Events for All Windows Networks
System
  Other System Events
Non Audit (Event Log)
  Other Events (Log Clear)
Logon/Logoff
  Logon, Account Lockout
  User / Device Claims
  Group Membership
  Logon
  Other Logon/Logoff Events
Object Access
  File System, Kernel Object, Registry, Removable Storage
Logon/Logoff
  Logon
Detailed Tracking
  Process Creation
  Process Termination
  DPAPI Activity
Object Access
  Other Object Access Events
Policy Change
  Authentication Policy Change
  Audit Policy Change
Account Management
  User Account Management
  Security Group Management
Policy Change
  Authentication Policy Change
Account Management
  Computer Account Management
  Security Group Management
Logon/Logoff
  Other Logon/Logoff Events
Account Management
  Other Account Management Events
Logon/Logoff
  Other Logon/Logoff Events
Policy Change
  Other Policy Change Events
  Audit Policy Change
  MPSSVC Rule-Level Policy Change
    Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
System
  Other System Events
    The Windows Firewall service was unable to retrieve the security policy from the local storage.
    Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
  System Integrity
Policy Change
  Other Policy Change Events
Object Access
  File Share
System
  IPsec Driver
    IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.
Policy Change
  Other Policy Change Events

How to enable auditing with auditpol.exe
auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
rem "Other Events (Log Clear)" is not an auditpol subcategory; log-clear events are written to the Security log regardless of audit policy, so no command is needed for them.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"User / Device Claims" /success:enable /failure:enable
auditpol /set /subcategory:"Group Membership" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
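
To confirm the settings took effect, the following added example (not part of the original page) parses the CSV report produced by auditpol /get /category:* /r and lists every audit subcategory set above that is not at "Success and Failure". The helper name Test-AuditPolicy and the sample rows are constructed for illustration; subcategory names and setting strings are assumed to be those of an English-language system.

```powershell
# Added example, not from the original page: verify audit policy after running
# the auditpol /set commands above.
$Required = @(
    'Other System Events', 'Logon', 'Account Lockout', 'User / Device Claims',
    'Group Membership', 'Other Logon/Logoff Events', 'File System', 'Kernel Object',
    'Registry', 'Removable Storage', 'Process Creation', 'Process Termination',
    'DPAPI Activity', 'Other Object Access Events', 'Authentication Policy Change',
    'Audit Policy Change', 'User Account Management', 'Security Group Management',
    'Computer Account Management', 'Other Account Management Events',
    'Other Policy Change Events', 'MPSSVC Rule-Level Policy Change',
    'System Integrity', 'File Share', 'IPsec Driver'
)

function Test-AuditPolicy {
    # Hypothetical helper. $CsvLines is the text output of: auditpol /get /category:* /r
    param([string[]]$CsvLines, [string[]]$Subcategory = $Required)

    # Drop blank lines before parsing the CSV report.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    $current = @{}
    foreach ($row in $rows) {
        $current[$row.Subcategory.Trim()] = $row.'Inclusion Setting'
    }

    # Emit one object per subcategory that is missing or not fully audited.
    foreach ($name in $Subcategory) {
        $setting = if ($current.ContainsKey($name)) { $current[$name] } else { 'Not reported' }
        if ($setting -ne 'Success and Failure') {
            [pscustomobject]@{ Subcategory = $name; Setting = $setting }
        }
    }
}

# Constructed sample in the /r (CSV) layout; host name, GUID placeholder and settings are made up.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    ''
    'HOST01,System,Logon,{GUID-PLACEHOLDER},Success and Failure,'
    'HOST01,System,Process Creation,{GUID-PLACEHOLDER},Success,'
    'HOST01,System,File Share,{GUID-PLACEHOLDER},No Auditing,'
)
Test-AuditPolicy -CsvLines $sample -Subcategory 'Logon', 'Process Creation', 'File Share', 'Registry'

# On a live host, from an elevated prompt, check the full list instead:
# Test-AuditPolicy -CsvLines (auditpol /get /category:* /r)
```

An empty result means every listed subcategory is audited for both success and failure. Where audit settings are delivered by Group Policy, local auditpol /set changes can be overwritten at the next policy refresh, so rerun the check afterwards.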