Event Log Security - Windows Event Search

ID	Event Description
4688	A new process has been created NIST 800-171, NIST SP 800-53, Audit Success, ISO 27001:2013, CMMC L3
4689	A process has exited Audit Success
4692	Backup of data protection master key was attempted Audit Success, Audit Failure
4693	Recovery of data protection master key was attempted Audit Success, Audit Failure
4694	Protection of auditable protected data was attempted Audit Success, Audit Failure
4695	Unprotection of auditable protected data was attempted Audit Success, Audit Failure
4696	A primary token was assigned to process Audit Success
5712	A Remote Procedure Call (RPC) was attempted. Audit Success
6416	A new external device was recognized by the system. Audit Success
6419	A request was made to disable a device. Audit Success
6420	A device was disabled. Audit Success
6421	A request was made to enable a device. Audit Success
6422	A device was enabled. Audit Success
6423	The installation of this device is forbidden by system policy. Audit Success
6424	The installation of this device was allowed, after having previously been forbidden by policy. Audit Success
592	A new process has been created
593	A process has exited
594	A handle to an object has been duplicated
595	Indirect access to an object has been obtained
596	Backup of data protection master key
600	A process was assigned a primary token
601	Attempt to install service
602	Scheduled Task created