| ID |
Event Description |
|
4624
|
An account was successfully logged on
CJIS, Audit Success, ISO 27001:2013, HIPAA, NIST SP 800-53, CMMC L1, NIST 800-171
|
|
4625
|
An account failed to log on
Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST SP 800-53, NIST 800-171, CMMC L1
|
|
4626
|
User / Device claims information
Audit Success
|
|
4627
|
Group membership information
Audit Success
|
|
4634
|
An account was logged off
Audit Success
|
|
4646
|
n/a
Audit Success
|
|
4647
|
User initiated logoff
Audit Success
|
|
4648
|
A logon was attempted using explicit credentials
Audit Success
|
|
4649
|
A replay attack was detected
Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013
|
|
4650
|
An IPsec main mode security association was established
Audit Success
|
|
4651
|
An IPsec main mode security association was established
Audit Success
|
|
4652
|
An IPsec main mode negotiation failed
Audit Failure
|
|
4653
|
An IPsec main mode negotiation failed
Audit Failure
|
|
4654
|
An IPsec quick mode negotiation failed
Audit Failure
|
|
4655
|
An IPsec main mode security association ended
Audit Success
|
|
4672
|
Special privileges assigned to new logon
Audit Success
|
|
4675
|
SIDs were filtered
Domain Controller, Audit Success
|
|
4775
|
An account could not be mapped for logon
Domain Controller, Audit Failure
|
|
4777
|
The domain controller failed to validate the credentials for an account
Audit Failure
|
|
4778
|
A session was reconnected to a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4779
|
A session was disconnected from a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4800
|
The workstation was locked
Audit Success, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4801
|
The workstation was unlocked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4802
|
The screen saver was invoked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4803
|
The screen saver was dismissed
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4825
|
A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group
|
|
4964
|
Special groups have been assigned to a new logon
Audit Success
|
|
4976
|
During main mode negotiation, IPsec received an invalid negotiation packet
Audit Success
|
|
4977
|
During quick mode negotiation, IPsec received an invalid negotiation packet
|
|
4978
|
During extended mode negotiation, IPsec received an invalid negotiation packet
|
|
4979
|
IPsec main mode and extended mode security associations were established
|
|
4980
|
IPsec main mode and extended mode security associations were established
|
|
4981
|
IPsec main mode and extended mode security associations were established
|
|
4982
|
IPsec main mode and extended mode security associations were established
|
|
4983
|
An IPsec extended mode negotiation failed
|
|
4984
|
An IPsec extended mode negotiation failed
|
|
5049
|
An IPsec security association was deleted.
Audit Success
|
|
5378
|
The requested credentials delegation was disallowed by policy.
Audit Failure
|
|
5451
|
An IPsec quick mode security association was established.
|
|
5452
|
An IPsec quick mode security association ended.
|
|
5453
|
An IPsec negotiation with a remote computer failed.
Audit Success
|
|
5632
|
A request was made to authenticate to a wireless network.
Audit Success, Audit Failure
|
|
5633
|
A request was made to authenticate to a wired network.
Audit Success, Audit Failure
|
|
6272
|
Network Policy Server granted access to a user.
Audit Success, Audit Failure
|
|
6273
|
Network Policy Server denied access to a user.
Audit Success, Audit Failure
|
|
6274
|
Network Policy Server discarded the request for a user.
Audit Success, Audit Failure
|
|
6275
|
Network Policy Server discarded the accounting request for a user.
Audit Success, Audit Failure
|
|
6276
|
Network Policy Server quarantined a user.
Audit Success, Audit Failure
|
|
6277
|
Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Audit Success, Audit Failure
|
|
6278
|
Network Policy Server granted full access to a user because the host met the defined health policy.
Audit Success, Audit Failure
|
|
6279
|
Network Policy Server locked the user account due to repeated failed authentication attempts.
Audit Success, Audit Failure
|
|
6280
|
Network Policy Server unlocked the user account.
Audit Success, Audit Failure
|
|
528
|
Successful Logon
|
|
529
|
Logon Failure : Unknown username or bad password
|
|
530
|
Logon Failure : Account logon time restriction violation
|
|
531
|
Logon Failure : Account currently disabled
|
|
532
|
Logon Failure : The specified user account has expired
|
|
533
|
Logon Failure : User not allowed to logon at this computer
|
|
534
|
Logon Failure : The user has note been granted the requested logon type at this machine
|
|
535
|
Logon Failure : The specified account's password has expired
|
|
536
|
Logon Failure : The NetLogon component is not active
|
|
537
|
The logon attempt failed for other reasons
|
|
538
|
The user has logged off
|
|
539
|
Logon Failure : Account locked out
|
|
540
|
Successful Network Logon
|
|
548
|
Logon Failure : Domain SID inconsistent
|
|
549
|
Logon Failure : All SIDs were filtered out
|
|
551
|
User initiated logoff
|
|
552
|
Logon attempt using explicit credentials
|
|
672
|
Authentication Ticket Request
|
|
673
|
Service Ticket Request
|
|
674
|
Service Ticket Renewed
|
|
675
|
Pre-authentication failed
|
|
676
|
Authentication Ticket Request Failed
|
|
677
|
Service Ticket Request Failed
|
|
678
|
Account Mapped for Logon
|
|
679
|
The name could not be mapped for logon
|
|
680
|
Logon attempt
|
|
681
|
The logon to account from workstation
|
|
682
|
Session reconnected to winstation
|
|
683
|
Session disconnected from winstation
|