ID Event Description
4624 An account was successfully logged on
CJIS, Audit Success, ISO 27001:2013, HIPAA, NIST SP 800-53, CMMC L1, NIST 800-171
4634 An account was logged off
Audit Success
4647 User initiated logoff
Audit Success
4662 An operation was performed on an object
Domain Controller, Audit Success, Audit Failure
4672 Special privileges assigned to new logon
Audit Success
4673 A privileged service was called
Audit Success
4674 An operation was attempted on a privileged object
Audit Failure, Audit Success
4776 The computer attempted to validate the credentials for an account
Audit Failure, Audit Success, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
4783 A basic application group was created
Domain Controller, Audit Success
4784 A basic application group was changed
Domain Controller, Audit Success
4785 A member was added to a basic application group
Domain Controller, Audit Success
4786 A member was removed from a basic application group
Domain Controller, Audit Success
4787 A non-member was added to a basic application group
Domain Controller, Audit Success
4788 A non-member was removed from a basic application group
Domain Controller, Audit Success
4789 A basic application group was deleted
Domain Controller, Audit Success
4790 An LDAP query group was created
Domain Controller, Audit Success
4791 A basic application group was changed
Domain Controller, Audit Success
4792 An LDAP query group was deleted
Domain Controller, Audit Success
4928 An Active Directory replica source naming context was established
Domain Controller, Audit Success, Audit Failure
4929 An Active Directory replica source naming context was removed
Domain Controller, Audit Success, Audit Failure
4930 An Active Directory replica source naming context was modified
Domain Controller, Audit Success, Audit Failure
4931 An Active Directory replica destination naming context was modified
Domain Controller, Audit Success, Audit Failure
4932 Synchronization of a replica of an Active Directory naming context has begun
Audit Success, Audit Failure, Domain Controller
4933 Synchronization of a replica of an Active Directory naming context has ended
Audit Success, Audit Failure, Domain Controller
4954 Group Policy settings for Windows Firewall were changed, and the new settings were applied.
Audit Success
4960 IPsec dropped an inbound packet that failed an integrity check
4961 IPsec dropped an inbound packet that failed a replay check
4962 IPsec dropped an inbound packet that failed a replay check
4963 IPsec dropped an inbound clear text packet that should have been secured
4964 Special groups have been assigned to a new logon
Audit Success
4965 IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)
4985 The state of a transaction has changed
Audit Success
5058 Key file operation.
Audit Success, Audit Failure
5059 Key migration operation.
Audit Success, Audit Failure
5136 A directory service object was modified
Domain Controller, Audit Success
5137 A directory service object was created
Domain Controller, Audit Success
5138 A directory service object was undeleted.
Domain Controller, Audit Success
5139 A directory service object was moved.
Domain Controller, Audit Success
5141 A directory service object was deleted.
Domain Controller, Audit Success
5143 A network share object was modified
Audit Success
5144 A network share object was deleted
Audit Success
5378 The requested credentials delegation was disallowed by policy.
Audit Failure
5632 A request was made to authenticate to a wireless network.
Audit Success, Audit Failure
5633 A request was made to authenticate to a wired network.
Audit Success, Audit Failure
6144 Security policy in the group policy objects has been applied successfully.
Audit Success
6272 Network Policy Server granted access to a user.
Audit Success, Audit Failure
6273 Network Policy Server denied access to a user.
Audit Success, Audit Failure
6274 Network Policy Server discarded the request for a user.
Audit Success, Audit Failure
6275 Network Policy Server discarded the accounting request for a user.
Audit Success, Audit Failure
6276 Network Policy Server quarantined a user.
Audit Success, Audit Failure
6277 Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Audit Success, Audit Failure
6278 Network Policy Server granted full access to a user because the host met the defined health policy.
Audit Success, Audit Failure
6279 Network Policy Server locked the user account due to repeated failed authentication attempts.
Audit Success, Audit Failure
6280 Network Policy Server unlocked the user account.
Audit Success, Audit Failure