Event Log Security - Windows Event Search

ID	Event Description
4656	A handle to an object was requested Audit Failure, Audit Success, CJIS
4657	A registry value was modified Audit Success
4658	The handle to an object was closed Audit Success
4659	A handle to an object was requested with intent to delete
4660	An object was deleted Audit Success
4663	An attempt was made to access an object Audit Success, CJIS
4664	An attempt was made to create a hard link Audit Success
4665	An attempt was made to create an application client context
4666	An application attempted an operation
4667	An application client context was deleted
4668	An application was initialized
4670	Permissions on an object were changed Audit Success
4671	An application attempted to access a blocked ordinal through the TBS
4690	An attempt was made to duplicate a handle to an object Audit Success
4691	Indirect access to an object was requested Audit Success
4698	A scheduled task was created Audit Success, PCI-DSS
4699	A scheduled task was deleted Audit Success, PCI-DSS
4700	A scheduled task was enabled Audit Success
4701	A scheduled task was disabled Audit Success
4702	A scheduled task was updated Audit Success, PCI-DSS
4818	Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy Audit Success
4868	The certificate manager denied a pending certificate request
4869	Certificate Services received a resubmitted certificate request
4870	Certificate Services revoked a certificate
4871	Certificate Services received a request to publish the certificate revocation list (CRL)
4872	Certificate Services published the certificate revocation list (CRL)
4873	A certificate request extension changed
4874	One or more certificate request attributes changed
4875	Certificate Services received a request to shut down
4876	Certificate Services backup started
4877	Certificate Services backup completed
4878	Certificate Services restore started
4879	Certificate Services restore completed
4880	Certificate Services started
4881	Certificate Services stopped
4882	The security permissions for Certificate Services changed
4883	Certificate Services retrieved an archived key
4884	Certificate Services imported a certificate into its database
4885	The audit filter for Certificate Services changed
4886	Certificate Services received a certificate request
4887	Certificate Services approved a certificate request and issued a certificate
4888	Certificate Services denied a certificate request
4889	Certificate Services set the status of a certificate request to pending
4890	The certificate manager settings for Certificate Services changed
4891	A configuration entry changed in Certificate Services
4892	A property of Certificate Services changed
4893	Certificate Services archived a key
4894	Certificate Services imported and archived a key
4895	Certificate Services published the CA certificate to Active Directory Domain Services
4896	One or more rows have been deleted from the certificate database
4897	Role separation enabled
4898	Certificate Services loaded a template
4899	A Certificate Services template was updated
4900	Certificate Services template security was updated
4985	The state of a transaction has changed Audit Success
5031	Windows Firewall blocked an application from accepting incoming connections on the network. Audit Failure
5039	A registry key was virtualized.
5051	A file was virtualized.
5120	OCSP Responder Service Started.
5121	OCSP Responder Service Stopped.
5122	A Configuration entry changed in the OCSP Responder Service.
5123	A configuration entry changed in the OCSP Responder Service.
5124	A security setting was updated on OCSP Responder Service.
5125	A request was submitted to OCSP Responder Service.
5126	Signing Certificate was automatically updated by the OCSP Responder Service.
5127	The OCSP Revocation Provider successfully updated the revocation information.
5140	A network share object was accessed Audit Success, Audit Failure
5142	A network share object was added Audit Success
5143	A network share object was modified Audit Success
5144	A network share object was deleted Audit Success
5145	A network share object was checked to see whether client can be granted desired access. Audit Success, Audit Failure
5146	The Windows Filtering Platform has blocked a packet.
5147	A more restrictive Windows Filtering Platform filter has blocked a packet.
5148	The Windows Filtering Platform has detected a DoS attack. Audit Failure
5149	The DoS attack has subsided and normal processing is being resumed. Audit Failure
5150	The Windows Filtering Platform has blocked a packet.
5151	A more restrictive Windows Filtering Platform filter has blocked a packet.
5152	The Windows Filtering Platform has blocked a packet. Audit Failure
5153	A more restrictive Windows Filtering Platform filter has blocked a packet. Audit Success
5154	The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. Audit Success
5155	The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. Audit Failure
5156	The Windows Filtering Platform has allowed a connection. Audit Success
5157	The Windows Filtering Platform has blocked a connection. Audit Failure
5158	The Windows Filtering Platform has permitted a bind to a local port. Audit Success
5168	Spn check for SMB/SMB2 fails. Audit Failure
5888	An object in the COM+ Catalog was modified. Audit Success
5889	An object was deleted from the COM+ Catalog. Audit Success
5890	An object was added to the COM+ Catalog. Audit Success
560	Object Open
561	Handle Allocated
562	Handle Closed
563	Object Open for Delete
564	Object Deleted
565	Object Open
566	Object Operation
567	Object Access Attempt
568	Hard link creation attempt
569	Application client context creation attempt

Audit Category

Audit Subcategory

Operating Systems

Tags

Auditing

Volume

EventSentry