Key Security Events for All Windows Networks

System
Other System Events
1100
The event logging service has shut down
Non Audit (Event Log)
Other Events (Log Clear)
1102
The audit log was cleared
Logon/Logoff
Logon, Account Lockout
4625
An account failed to log on
User / Device Claims
4626
User / Device claims information
Group Membership
4627
Group membership information
Logon
4648
A logon was attempted using explicit credentials
Other Logon/Logoff Events
4649
A replay attack was detected
Object Access
File System, Kernel Object, Registry, Removable Storage
4663
An attempt was made to access an object
Logon/Logoff
Logon
4675
SIDs were filtered
Detailed Tracking
Process Creation
4688
A new process has been created
Process Termination
4689
A process has exited
DPAPI Activity
4692
Backup of data protection master key was attempted
4693
Recovery of data protection master key was attempted
4694
Protection of auditable protected data was attempted
4695
Unprotection of auditable protected data was attempted
Object Access
Other Object Access Events
4698
A scheduled task was created
4699
A scheduled task was deleted
4700
A scheduled task was enabled
4701
A scheduled task was disabled
4702
A scheduled task was updated
Policy Change
Authentication Policy Change
4713
Kerberos policy was changed
Audit Policy Change
4719
System audit policy was changed
Account Management
User Account Management
4720
A user account was created
4722
A user account was enabled
4725
A user account was disabled
4726
A user account was deleted
Security Group Management
4728
A member was added to a security-enabled global group
4732
A member was added to a security-enabled local group
Policy Change
Authentication Policy Change
4739
Domain Policy was changed
Account Management
Computer Account Management
4741
A computer account was created
4742
A computer account was changed
4743
A computer account was deleted
Security Group Management
4756
A member was added to a security-enabled universal group
Logon/Logoff
Other Logon/Logoff Events
4778
A session was reconnected to a Window Station
4779
A session was disconnected from a Window Station
Account Management
4780
The ACL was set on accounts which are members of administrators groups
Other Account Management Events
4782
The password hash an account was accessed
4793
The Password Policy Checking API was called
Logon/Logoff
Other Logon/Logoff Events
4800
The workstation was locked
4801
The workstation was unlocked
Policy Change
Other Policy Change Events
4819
Central Access Policies on the machine have been changed
4826
Boot Configuration Data loaded
Audit Policy Change
4902
The Per-user audit policy table was created
4904
An attempt was made to register a security event source
4912
Per User Audit Policy was changed
MPSSVC Rule-Level Policy Change
4944
The following policy was active when the Windows Firewall started
4945
A rule was listed when the Windows Firewall started
4946
A change was made to the Windows Firewall exception list. A rule was added
4947
A change was made to the Windows Firewall exception list. A rule was modified
4948
A change was made to the Windows Firewall exception list. A rule was deleted
4949
Windows Firewall settings were restored to the default values.
4950
A Windows Firewall setting was changed
4951
Windows Firewall ignored a rule because its major version number is not recognized
4952
Windows Firewall ignored parts of a rule because its minor version number is not recognized
4953
Windows Firewall ignored a rule because it could not be parsed
4956
Windows Firewall changed the active profile
4957
Windows Firewall did not apply the following rule
4958
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
System
Other System Events
5024
The Windows Firewall service started successfully.
5027
The Windows Firewall service was unable to retrieve the security policy from the local storage.
5028
Windows Firewall was unable to parse the new security policy.
5029
The Windows Firewall service failed to initialize the driver.
5030
The Windows Firewall service failed to start.
5032
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033
The Windows Firewall Driver started successfully.
5034
The Windows Firewall Driver was stopped.
5035
The Windows Firewall Driver failed to start.
5037
The Windows Firewall Driver detected a critical runtime error.
5050
An attempt to programmatically disable Windows Firewall was rejected.
System Integrity
5060
Verification operation failed.
Policy Change
Other Policy Change Events
5063
A cryptographic provider operation was attempted.
5064
A cryptographic context operation was attempted.
5065
A cryptographic context modification was attempted.
5066
A cryptographic function operation was attempted.
5067
A cryptographic function modification was attempted.
5068
A cryptographic function provider operation was attempted.
5069
A cryptographic function property operation was attempted.
5070
A cryptographic function property modification was attempted.
Object Access
File Share
5142
A network share object was added
System
IPsec Driver
5478
The IPsec Policy Agent service was started.
5480
IPsec Policy Agent failed to get the complete list of network interfaces on the computer.
5483
The IPsec Policy Agent service failed to initialize its RPC server.
5484
The IPsec Policy Agent service experienced a critical failure and has shut down.
5485
IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.
Policy Change
Other Policy Change Events
6145
One or more errors occurred while processing security policy in the group policy objects.

Are you compliant?

Check your audit settings now

Validator


How to Enable Auditing

System / Group Policy instructions

Auditing

How to enable auditing with auditpol.exe

auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable auditpol /set /subcategory:"Other Events (Log Clear)" /success:enable /failure:enable auditpol /set /subcategory:"Logon" /success:enable /failure:enable auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable auditpol /set /subcategory:"User / Device Claims" /success:enable /failure:enable auditpol /set /subcategory:"Group Membership" /success:enable /failure:enable auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable auditpol /set /subcategory:"File System" /success:enable /failure:enable auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable auditpol /set /subcategory:"Registry" /success:enable /failure:enable auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable auditpol /set /subcategory:"File Share" /success:enable /failure:enable auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
How to enable Windows Auditing via Group Policy