| ID | Event Description | Tags |
|---|---|---|
| 4618 | A monitored security event pattern has occurred. | Audit Success |
| 4624 | An account was successfully logged on | CJIS, Audit Success, ISO 27001:2013, HIPAA, NIST SP 800-53, CMMC L1, NIST 800-171, PCI-DSS |
| 4634 | An account was logged off | Audit Success |
| 4647 | User initiated logoff | Audit Success |
| 4662 | An operation was performed on an object | Domain Controller, Audit Success, Audit Failure |
| 4672 | Special privileges assigned to new logon | Audit Success, CMMC L2, NIST800-171, NIST800-53 |
| 4673 | A privileged service was called | Audit Success, CMMC L2, NIST800-171, NIST800-53 |
| 4674 | An operation was attempted on a privileged object | Audit Failure, Audit Success, CMMC L2, NIST800-171, NIST800-53 |
| 4776 | The computer attempted to validate the credentials for an account | Audit Failure, Audit Success, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1 |
| 4783 | A basic application group was created | Domain Controller, Audit Success |
| 4784 | A basic application group was changed | Domain Controller, Audit Success |
| 4785 | A member was added to a basic application group | Domain Controller, Audit Success |
| 4786 | A member was removed from a basic application group | Domain Controller, Audit Success |
| 4787 | A non-member was added to a basic application group | Domain Controller, Audit Success |
| 4788 | A non-member was removed from a basic application group | Domain Controller, Audit Success |
| 4789 | A basic application group was deleted | Domain Controller, Audit Success |
| 4790 | An LDAP query group was created | Domain Controller, Audit Success |
| 4791 | A basic application group was changed | Domain Controller, Audit Success |
| 4792 | An LDAP query group was deleted | Domain Controller, Audit Success |
| 4928 | An Active Directory replica source naming context was established | Domain Controller, Audit Success, Audit Failure |
| 4929 | An Active Directory replica source naming context was removed | Domain Controller, Audit Success, Audit Failure |
| 4930 | An Active Directory replica source naming context was modified | Domain Controller, Audit Success, Audit Failure |
| 4931 | An Active Directory replica destination naming context was modified | Domain Controller, Audit Success, Audit Failure |
| 4932 | Synchronization of a replica of an Active Directory naming context has begun | Audit Success, Audit Failure, Domain Controller |
| 4933 | Synchronization of a replica of an Active Directory naming context has ended | Audit Success, Audit Failure, Domain Controller |
| 4954 | Group Policy settings for Windows Firewall were changed, and the new settings were applied. | Audit Success |
| 4960 | IPsec dropped an inbound packet that failed an integrity check | |
| 4961 | IPsec dropped an inbound packet that failed a replay check | |
| 4962 | IPsec dropped an inbound packet that failed a replay check | |
| 4963 | IPsec dropped an inbound clear text packet that should have been secured | |
| 4964 | Special groups have been assigned to a new logon | Audit Success |
| 4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI) | |
| 4985 | The state of a transaction has changed | Audit Success |
| 5058 | Key file operation. | Audit Success, Audit Failure |
| 5059 | Key migration operation. | Audit Success, Audit Failure |
| 5136 | A directory service object was modified | Domain Controller, Audit Success |
| 5137 | A directory service object was created | Domain Controller, Audit Success |
| 5138 | A directory service object was undeleted. | Domain Controller, Audit Success |
| 5139 | A directory service object was moved. | Domain Controller, Audit Success |
| 5140 | A network share object was accessed | Audit Success, Audit Failure |
| 5141 | A directory service object was deleted. | Domain Controller, Audit Success |
| 5143 | A network share object was modified | Audit Success |
| 5168 | Spn check for SMB/SMB2 fails. | Audit Failure |
| 5169 | A directory service object was modified. | Domain Controller, Audit Success, Audit Failure |
| 5378 | The requested credentials delegation was disallowed by policy. | Audit Failure |
| 5446 | A Windows Filtering Platform callout has been changed. | |
| 5450 | A Windows Filtering Platform sub-layer has been changed. | |
| 5453 | An IPsec negotiation with a remote computer failed. | Audit Success |
| 5456 | IPsec Policy Agent applied Active Directory storage IPsec policy on the computer. | |
| 5457 | IPsec Policy Agent failed to apply Active Directory storage IPsec policy on the computer. | |
| 5458 | IPsec Policy Agent applied locally cached copy of Active Directory storage IPsec policy on the computer. | |
| 5459 | IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. | |
| 5461 | PAStore Engine failed to apply local registry storage IPsec policy on the computer | |
| 5464 | PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services | |
| 5465 | PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully | |
| 5466 | PAStore Engine polled for changes to the Active Directory IPsec policy | |
| 5467 | PAStore Engine polled for changes to the Active Directory IPsec policy | |
| 5632 | A request was made to authenticate to a wireless network. | Audit Success, Audit Failure |
| 5633 | A request was made to authenticate to a wired network. | Audit Success, Audit Failure |
| 6144 | Security policy in the group policy objects has been applied successfully. | Audit Success |
| 6272 | Network Policy Server granted access to a user. | Audit Success, Audit Failure |
| 6273 | Network Policy Server denied access to a user. | Audit Success, Audit Failure |
| 6274 | Network Policy Server discarded the request for a user. | Audit Success, Audit Failure |
| 6275 | Network Policy Server discarded the accounting request for a user. | Audit Success, Audit Failure |
| 6276 | Network Policy Server quarantined a user. | Audit Success, Audit Failure |
| 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. | Audit Success, Audit Failure |
| 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. | Audit Success, Audit Failure |
| 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. | Audit Success, Audit Failure |
| 6280 | Network Policy Server unlocked the user account. | Audit Success, Audit Failure |