ID Event Description
4624 An account was successfully logged on
CJIS, Audit Success, ISO 27001:2013, HIPAA, NIST SP 800-53, CMMC L1, NIST 800-171
4625 An account failed to log on
Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST SP 800-53, NIST 800-171, CMMC L1
4626 User / Device claims information
Audit Success
4627 Group membership information
Audit Success
4634 An account was logged off
Audit Success
4647 User initiated logoff
Audit Success
4648 A logon was attempted using explicit credentials
Audit Success
4649 A replay attack was detected
Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013
4688 A new process has been created
NIST 800-171, NIST SP 800-53, Audit Success, ISO 27001:2013, CMMC L3
4696 A primary token was assigned to process
Audit Success
4703 A token right was adjusted
Audit Success
4720 A user account was created
ISO 27001:2013, NIST SP 800-53, Audit Success, PCI-DSS, NIST 800-171, CMMC L1
4722 A user account was enabled
ISO 27001:2013, NIST SP 800-53, NIST 800-171, Audit Success, PCI-DSS, CMMC L1
4723 An attempt was made to change an account's password
Audit Success, Audit Failure, CJIS
4724 An attempt was made to reset an account's password
Audit Failure, Audit Success, CJIS, ISO 27001:2013
4725 A user account was disabled
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4726 A user account was deleted
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4727 A security-enabled global group was created
Domain Controller
4728 A member was added to a security-enabled global group
Domain Controller, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L1
4729 A member was removed from a security-enabled global group
Domain Controller
4730 A security-enabled global group was deleted
Domain Controller
4731 A security-enabled local group was created
Audit Success
4732 A member was added to a security-enabled local group
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
4733 A member was removed from a security-enabled local group
Audit Success
4734 A security-enabled local group was deleted
Audit Success
4735 A security-enabled local group was changed
Audit Success
4737 A security-enabled global group was changed
Domain Controller
4738 A user account was changed
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
4740 A user account was locked out
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
4741 A computer account was created
Domain Controller, Audit Success
4742 A computer account was changed
Domain Controller, Audit Success
4743 A computer account was deleted
Domain Controller, Audit Success
4744 A security-disabled local group was created
4745 A security-disabled local group was changed
4746 A member was added to a security-disabled local group
4747 A member was removed from a security-disabled local group
4748 A security-disabled local group was deleted
4749 A security-disabled global group was created
Domain Controller, Audit Success
4750 A security-disabled global group was changed
Domain Controller, Audit Success
4751 A member was added to a security-disabled global group
Domain Controller, Audit Success
4752 A member was removed from a security-disabled global group
Domain Controller, Audit Success
4753 A security-disabled global group was deleted
Domain Controller, Audit Success
4754 A security-enabled universal group was created
Domain Controller
4755 A security-enabled universal group was changed
Domain Controller
4756 A member was added to a security-enabled universal group
Domain Controller, ISO 27001:2013
4757 A member was removed from a security-enabled universal group
Domain Controller
4758 A security-enabled universal group was deleted
Domain Controller
4759 A security-disabled universal group was created
Domain Controller
4760 A security-disabled universal group was changed
Domain Controller
4761 A member was added to a security-disabled universal group
Domain Controller
4762 A member was removed from a security-disabled universal group
Domain Controller
4763 A security-disabled universal group was deleted
Domain Controller
4764 A group’s type was changed
Domain Controller, Audit Success
4767 A user account was unlocked
ISO 27001:2013, Audit Success
4768 This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, NIST 800-171, NIST SP 800-53
4769 A Kerberos service ticket was requested
Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
4770 A Kerberos service ticket was renewed
Domain Controller, Audit Success
4781 The name of an account was changed
Audit Success
4782 The password hash an account was accessed
Domain Controller, Audit Success
4797 An attempt was made to query the existence of a blank password for an account
4798 A user's local group membership was enumerated
Audit Success
4799 A security-enabled local group membership was enumerated
Audit Success
4800 The workstation was locked
Audit Success, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
4801 The workstation was unlocked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3