System32
Sysmon
Events
Compliance
Validator
TLS/SSL
GeoIP
Tools
Windows Security Events
Audit Category
Object Access
(8)
Policy Change
(8)
Logon/Logoff
(4)
Account Logon
(2)
DS Access
(1)
Detailed Tracking
(1)
Operating Systems
Windows 2012
(24)
Windows 2012 R2
(24)
Windows 2016
(24)
Windows 2019
(24)
Windows 2022
(24)
Windows 2008
(23)
Windows 2008 R2
(23)
Windows 10
(22)
Windows 8
(22)
Windows 8.1
(22)
Windows 7
(21)
Windows Vista
(21)
Windows 11
(19)
Windows 2025
(9)
Tags
Audit Success
(13)
Audit Failure
(4)
Domain Controller
(3)
ISO 27001:2013
(3)
NIST 800-171
(3)
NIST SP 800-53
(3)
CMMC L3
(2)
CJIS
(1)
CMMC L1
(1)
HIPAA
(1)
Auditing
Rarely
(24)
Volume
High
(11)
Low
(10)
Very high
(7)
Medium
(6)
Audit Subcategory
Filtering Platform Policy Change
(7)
Filtering Platform Connection
(3)
Filtering Platform Packet Drop
(2)
IPsec Quick Mode
(2)
Kerberos Service Ticket Operations
(2)
Other Logon/Logoff Events
(2)
Central Access Policy Staging
(1)
Directory Service Access
(1)
File System
(1)
Handle Manipulation
(1)
Kernel Object
(1)
Other Policy Change Events
(1)
RPC Events
(1)
Registry
(1)
SAM
(1)
AppLocker
All AppLocker events
EventSentry
All EventSentry events
Security
All Windows Security events
Sysmon
All Sysmon events
ID
Event Description
4660
An object was deleted
Audit Success
4661
A handle to an object was requested
Domain Controller, Audit Success, Audit Failure
4690
An attempt was made to duplicate a handle to an object
Audit Success
4769
A Kerberos service ticket was requested
Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
4770
A Kerberos service ticket was renewed
Domain Controller, Audit Success
4802
The screen saver was invoked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4803
The screen saver was dismissed
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4818
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Audit Success
5152
The Windows Filtering Platform has blocked a packet.
Audit Failure
5153
A more restrictive Windows Filtering Platform filter has blocked a packet.
Audit Success
5156
The Windows Filtering Platform has allowed a connection.
Audit Success
5157
The Windows Filtering Platform has blocked a connection.
Audit Failure
5158
The Windows Filtering Platform has permitted a bind to a local port.
Audit Success
5440
The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
5441
The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
5442
The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
5443
The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
5444
The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
5447
A Windows Filtering Platform filter has been changed.
Audit Success
5449
A Windows Filtering Platform provider context has been changed.
5451
An IPsec quick mode security association was established.
5452
An IPsec quick mode security association ended.
5462
PAStore Engine failed to apply some rules of the active IPsec policy on the computer
5712
A Remote Procedure Call (RPC) was attempted.
Audit Success