Event Log Security - Windows Event Search

ID	Event Description
1100	The event logging service has shut down Audit Success, PCI-DSS
1101	Audit Events Have Been Dropped By The Transport CJIS, PCI-DSS, ISO 27001:2013
1102	The audit log was cleared CJIS, ISO 27001:2013, PCI-DSS
1104	The security event log is now full CJIS, PCI-DSS, ISO 27001:2013
4625	An account failed to log on Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST SP 800-53, NIST 800-171, CMMC L1
4626	User / Device claims information Audit Success
4627	Group membership information Audit Success
4648	A logon was attempted using explicit credentials Audit Success
4649	A replay attack was detected Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013
4663	An attempt was made to access an object Audit Success, CJIS
4675	SIDs were filtered Domain Controller, Audit Success
4688	A new process has been created NIST 800-171, NIST SP 800-53, Audit Success, ISO 27001:2013, CMMC L3
4689	A process has exited Audit Success
4692	Backup of data protection master key was attempted Audit Success, Audit Failure
4693	Recovery of data protection master key was attempted Audit Success, Audit Failure
4694	Protection of auditable protected data was attempted Audit Success, Audit Failure
4695	Unprotection of auditable protected data was attempted Audit Success, Audit Failure
4698	A scheduled task was created Audit Success, PCI-DSS
4699	A scheduled task was deleted Audit Success, PCI-DSS
4700	A scheduled task was enabled Audit Success
4701	A scheduled task was disabled Audit Success
4702	A scheduled task was updated Audit Success, PCI-DSS
4704	A user right was assigned ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
4713	Kerberos policy was changed Domain Controller, Audit Success
4717	System security access was granted to an account ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
4718	System security access was removed from an account ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
4719	System audit policy was changed Audit Success
4720	A user account was created ISO 27001:2013, NIST SP 800-53, Audit Success, PCI-DSS, NIST 800-171, CMMC L1
4722	A user account was enabled ISO 27001:2013, NIST SP 800-53, NIST 800-171, Audit Success, PCI-DSS, CMMC L1
4725	A user account was disabled ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4726	A user account was deleted ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4728	A member was added to a security-enabled global group Domain Controller, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L1
4732	A member was added to a security-enabled local group ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
4739	Domain Policy was changed Domain Controller, NIST 800-171, NIST SP 800-53, ISO 27001:2013, Audit Success, CMMC L3
4741	A computer account was created Domain Controller, Audit Success
4742	A computer account was changed Domain Controller, Audit Success
4743	A computer account was deleted Domain Controller, Audit Success
4756	A member was added to a security-enabled universal group Domain Controller, ISO 27001:2013
4778	A session was reconnected to a Window Station Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4779	A session was disconnected from a Window Station Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4780	The ACL was set on accounts which are members of administrators groups Domain Controller, Audit Success
4781	The name of an account was changed Audit Success
4782	The password hash an account was accessed Domain Controller, Audit Success
4793	The Password Policy Checking API was called Domain Controller, Audit Success
4794	An attempt was made to set the Directory Services Restore Mode administrator password Domain Controller, Audit Success, Audit Failure
4800	The workstation was locked Audit Success, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
4801	The workstation was unlocked ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4819	Central Access Policies on the machine have been changed Audit Success
4826	Boot Configuration Data loaded Audit Success
4902	The Per-user audit policy table was created Audit Success
4904	An attempt was made to register a security event source Audit Success
4912	Per User Audit Policy was changed Audit Success
4944	The following policy was active when the Windows Firewall started Audit Success
4945	A rule was listed when the Windows Firewall started Audit Success
4946	A change was made to the Windows Firewall exception list. A rule was added Audit Success
4947	A change was made to the Windows Firewall exception list. A rule was modified Audit Success
4948	A change was made to the Windows Firewall exception list. A rule was deleted Audit Success
4949	Windows Firewall settings were restored to the default values. Audit Success
4950	A Windows Firewall setting was changed Audit Success
4951	Windows Firewall ignored a rule because its major version number is not recognized Audit Failure
4952	Windows Firewall ignored parts of a rule because its minor version number is not recognized Audit Failure
4953	Windows Firewall ignored a rule because it could not be parsed Audit Failure
4956	Windows Firewall changed the active profile Audit Success
4957	Windows Firewall did not apply the following rule Audit Failure
4958	Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer Audit Failure
5024	The Windows Firewall service started successfully. Audit Success
5027	The Windows Firewall service was unable to retrieve the security policy from the local storage. Audit Failure
5028	Windows Firewall was unable to parse the new security policy. Audit Failure
5029	The Windows Firewall service failed to initialize the driver. Audit Failure
5030	The Windows Firewall service failed to start. Audit Failure
5032	Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. Audit Failure
5033	The Windows Firewall Driver started successfully. Audit Success
5034	The Windows Firewall Driver was stopped. Audit Success
5035	The Windows Firewall Driver failed to start. Audit Failure
5037	The Windows Firewall Driver detected a critical runtime error. Audit Failure
5050	An attempt to programmatically disable Windows Firewall was rejected.
5060	Verification operation failed. Audit Failure
5063	A cryptographic provider operation was attempted. Audit Success, Audit Failure
5064	A cryptographic context operation was attempted. Audit Success, Audit Failure
5065	A cryptographic context modification was attempted. Audit Success, Audit Failure
5066	A cryptographic function operation was attempted. Audit Success, Audit Failure
5067	A cryptographic function modification was attempted. Audit Success, Audit Failure
5068	A cryptographic function provider operation was attempted. Audit Success, Audit Failure
5069	A cryptographic function property operation was attempted. Audit Success, Audit Failure
5070	A cryptographic function property modification was attempted. Audit Success, Audit Failure
5142	A network share object was added Audit Success
5144	A network share object was deleted Audit Success
5377	Credential Manager credentials were restored from a backup. Audit Success
5478	The IPsec Policy Agent service was started. Audit Success
5480	IPsec Policy Agent failed to get the complete list of network interfaces on the computer.
5483	The IPsec Policy Agent service failed to initialize its RPC server.
5484	The IPsec Policy Agent service experienced a critical failure and has shut down.
5485	IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.
6145	One or more errors occurred while processing security policy in the group policy objects. Audit Failure

Audit Category

Audit Subcategory

Operating Systems

Tags

Auditing

Volume

EventSentry