Key Security Events for All Windows Networks

System
  Other System Events
    The event logging service has shut down
Non Audit (Event Log)
  Other Events (Log Clear)
    The audit log was cleared
Logon/Logoff
  Logon, Account Lockout
    An account failed to log on
  User / Device Claims
    User / Device claims information
  Group Membership
    Group membership information
  Logon
    A logon was attempted using explicit credentials
  Other Logon/Logoff Events
    A replay attack was detected
Object Access
  File System, Kernel Object, Registry, Removable Storage
    An attempt was made to access an object
Logon/Logoff
  Logon
    SIDs were filtered
Detailed Tracking
  Process Creation
    A new process has been created
  Process Termination
    A process has exited
  DPAPI Activity
    Backup of data protection master key was attempted
    Recovery of data protection master key was attempted
    Protection of auditable protected data was attempted
    Unprotection of auditable protected data was attempted
Object Access
  Other Object Access Events
    A scheduled task was created
    A scheduled task was deleted
    A scheduled task was enabled
    A scheduled task was disabled
    A scheduled task was updated
Policy Change
  Authentication Policy Change
    Kerberos policy was changed
  Audit Policy Change
    System audit policy was changed
Account Management
  User Account Management
    A user account was created
    A user account was enabled
    A user account was disabled
    A user account was deleted
  Security Group Management
    A member was added to a security-enabled global group
    A member was added to a security-enabled local group
Policy Change
  Authentication Policy Change
    Domain Policy was changed
Account Management
  Computer Account Management
    A computer account was created
    A computer account was changed
    A computer account was deleted
  Security Group Management
    A member was added to a security-enabled universal group
Logon/Logoff
  Other Logon/Logoff Events
    A session was reconnected to a Window Station
    A session was disconnected from a Window Station
Account Management
    The ACL was set on accounts which are members of administrators groups
  Other Account Management Events
    The password hash an account was accessed
    The Password Policy Checking API was called
Logon/Logoff
  Other Logon/Logoff Events
    The workstation was locked
    The workstation was unlocked
Policy Change
  Other Policy Change Events
    Central Access Policies on the machine have been changed
    Boot Configuration Data loaded
  Audit Policy Change
    The Per-user audit policy table was created
    An attempt was made to register a security event source
    Per User Audit Policy was changed
  MPSSVC Rule-Level Policy Change
    The following policy was active when the Windows Firewall started
    A rule was listed when the Windows Firewall started
    A change was made to the Windows Firewall exception list. A rule was added
    A change was made to the Windows Firewall exception list. A rule was modified
    A change was made to the Windows Firewall exception list. A rule was deleted
    Windows Firewall settings were restored to the default values.
    A Windows Firewall setting was changed
    Windows Firewall ignored a rule because its major version number is not recognized
    Windows Firewall ignored parts of a rule because its minor version number is not recognized
    Windows Firewall ignored a rule because it could not be parsed
    Windows Firewall changed the active profile
    Windows Firewall did not apply the following rule
    Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
System
  Other System Events
    The Windows Firewall service started successfully.
    The Windows Firewall service was unable to retrieve the security policy from the local storage.
    Windows Firewall was unable to parse the new security policy.
    The Windows Firewall service failed to initialize the driver.
    The Windows Firewall service failed to start.
    Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
    The Windows Firewall Driver started successfully.
    The Windows Firewall Driver was stopped.
    The Windows Firewall Driver failed to start.
    The Windows Firewall Driver detected a critical runtime error.
    An attempt to programmatically disable Windows Firewall was rejected.
  System Integrity
    Verification operation failed.
Policy Change
  Other Policy Change Events
    A cryptographic provider operation was attempted.
    A cryptographic context operation was attempted.
    A cryptographic context modification was attempted.
    A cryptographic function operation was attempted.
    A cryptographic function modification was attempted.
    A cryptographic function provider operation was attempted.
    A cryptographic function property operation was attempted.
    A cryptographic function property modification was attempted.
Object Access
  File Share
    A network share object was added
System
  IPsec Driver
    The IPsec Policy Agent service was started.
    IPsec Policy Agent failed to get the complete list of network interfaces on the computer.
    The IPsec Policy Agent service failed to initialize its RPC server.
    The IPsec Policy Agent service experienced a critical failure and has shut down.
    IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.
Policy Change
  Other Policy Change Events
    One or more errors occurred while processing security policy in the group policy objects.

How to Enable Auditing


How to enable auditing with auditpol.exe

auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
rem "Other Events (Log Clear)" is not an auditpol subcategory; "The audit log was cleared" is recorded regardless of audit policy, so no command is needed.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"User / Device Claims" /success:enable /failure:enable
auditpol /set /subcategory:"Group Membership" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable

How to enable Windows Auditing via Group Policy