ID Event Description
1100 The event logging service has shut down
Audit Success, PCI-DSS
4608 Windows is starting up
Audit Success, PCI-DSS
4610 An authentication package has been loaded by the Local Security Authority
Audit Success
4611 A trusted logon process has been registered with the Local Security Authority
Audit Success
4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3, CMMC L2
4614 A notification package has been loaded by the Security Account Manager
Audit Success
4615 Invalid use of LPC port
Audit Success
4616 The system time was changed
Audit Success
4618 A monitored security event pattern has occurred.
Audit Success
4621 Administrator recovered system from CrashOnAuditFail.
Audit Success, NIST SP 800-53, NIST 800-171, CMMC L2
4622 A security package has been loaded by the Local Security Authority
Audit Success
4624 An account was successfully logged on
CJIS, Audit Success, ISO 27001:2013, HIPAA, NIST SP 800-53, CMMC L1, NIST 800-171
4626 User / Device claims information
Audit Success
4627 Group membership information
Audit Success
4634 An account was logged off
Audit Success
4646 n/a
Audit Success
4647 User initiated logoff
Audit Success
4648 A logon was attempted using explicit credentials
Audit Success
4649 A replay attack was detected
Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013
4650 An IPsec main mode security association was established
Audit Success
4651 An IPsec main mode security association was established
Audit Success
4655 An IPsec main mode security association ended
Audit Success
4656 A handle to an object was requested
Audit Failure, Audit Success, CJIS
4657 A registry value was modified
Audit Success
4658 The handle to an object was closed
Audit Success
4660 An object was deleted
Audit Success
4661 A handle to an object was requested
Domain Controller, Audit Success, Audit Failure
4662 An operation was performed on an object
Domain Controller, Audit Success, Audit Failure
4663 An attempt was made to access an object
Audit Success, CJIS
4664 An attempt was made to create a hard link
Audit Success
4670 Permissions on an object were changed
Audit Success
4672 Special privileges assigned to new logon
Audit Success
4673 A privileged service was called
Audit Success
4674 An operation was attempted on a privileged object
Audit Failure, Audit Success
4675 SIDs were filtered
Domain Controller, Audit Success
4688 A new process has been created
NIST 800-171, NIST SP 800-53, Audit Success, ISO 27001:2013, CMMC L3
4689 A process has exited
Audit Success
4690 An attempt was made to duplicate a handle to an object
Audit Success
4691 Indirect access to an object was requested
Audit Success
4692 Backup of data protection master key was attempted
Audit Success, Audit Failure
4693 Recovery of data protection master key was attempted
Audit Success, Audit Failure
4694 Protection of auditable protected data was attempted
Audit Success, Audit Failure
4695 Unprotection of auditable protected data was attempted
Audit Success, Audit Failure
4696 A primary token was assigned to process
Audit Success
4697 A service was installed in the system
Audit Success
4698 A scheduled task was created
Audit Success, PCI-DSS
4699 A scheduled task was deleted
Audit Success, PCI-DSS
4700 A scheduled task was enabled
Audit Success
4701 A scheduled task was disabled
Audit Success
4702 A scheduled task was updated
Audit Success, PCI-DSS
4703 A token right was adjusted
Audit Success
4704 A user right was assigned
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
4705 A user right was removed
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
4706 A new trust was created to a domain
Domain Controller, Audit Success
4707 A trust to a domain was removed
Domain Controller, Audit Success
4713 Kerberos policy was changed
Domain Controller, Audit Success
4715 The audit policy (SACL) on an object was changed
Audit Success
4716 Trusted domain information was modified
Domain Controller, Audit Success
4717 System security access was granted to an account
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
4719 System audit policy was changed
Audit Success
4720 A user account was created
ISO 27001:2013, NIST SP 800-53, Audit Success, PCI-DSS, NIST 800-171, CMMC L1
4722 A user account was enabled
ISO 27001:2013, NIST SP 800-53, NIST 800-171, Audit Success, PCI-DSS, CMMC L1
4723 An attempt was made to change an account's password
Audit Success, Audit Failure, CJIS
4724 An attempt was made to reset an account's password
Audit Failure, Audit Success, CJIS, ISO 27001:2013
4725 A user account was disabled
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4726 A user account was deleted
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4731 A security-enabled local group was created
Audit Success
4732 A member was added to a security-enabled local group
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
4733 A member was removed from a security-enabled local group
Audit Success
4734 A security-enabled local group was deleted
Audit Success
4735 A security-enabled local group was changed
Audit Success
4738 A user account was changed
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
4739 Domain Policy was changed
Domain Controller, NIST 800-171, NIST SP 800-53, ISO 27001:2013, Audit Success, CMMC L3
4740 A user account was locked out
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
4741 A computer account was created
Domain Controller, Audit Success
4742 A computer account was changed
Domain Controller, Audit Success
4743 A computer account was deleted
Domain Controller, Audit Success
4749 A security-disabled global group was created
Domain Controller, Audit Success
4750 A security-disabled global group was changed
Domain Controller, Audit Success
4751 A member was added to a security-disabled global group
Domain Controller, Audit Success
4752 A member was removed from a security-disabled global group
Domain Controller, Audit Success
4753 A security-disabled global group was deleted
Domain Controller, Audit Success
4764 A group’s type was changed
Domain Controller, Audit Success
4765 SID History was added to an account
Domain Controller, Audit Success
4767 A user account was unlocked
ISO 27001:2013, Audit Success
4768 This event is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, NIST 800-171, NIST SP 800-53
4769 A Kerberos service ticket was requested
Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
4770 A Kerberos service ticket was renewed
Domain Controller, Audit Success
4774 An account was mapped for logon
Domain Controller, Audit Success, Audit Failure
4776 The computer attempted to validate the credentials for an account
Audit Failure, Audit Success, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
4778 A session was reconnected to a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4779 A session was disconnected from a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4780 The ACL was set on accounts which are members of administrators groups
Domain Controller, Audit Success
4781 The name of an account was changed
Audit Success
4782 The password hash of an account was accessed
Domain Controller, Audit Success
4783 A basic application group was created
Domain Controller, Audit Success
4784 A basic application group was changed
Domain Controller, Audit Success
4785 A member was added to a basic application group
Domain Controller, Audit Success
4786 A member was removed from a basic application group
Domain Controller, Audit Success
4787 A non-member was added to a basic application group
Domain Controller, Audit Success
4788 A non-member was removed from a basic application group
Domain Controller, Audit Success
4789 A basic application group was deleted
Domain Controller, Audit Success
4790 An LDAP query group was created
Domain Controller, Audit Success
4791 A basic application group was changed
Domain Controller, Audit Success
4792 An LDAP query group was deleted
Domain Controller, Audit Success
4793 The Password Policy Checking API was called
Domain Controller, Audit Success
4794 An attempt was made to set the Directory Services Restore Mode administrator password
Domain Controller, Audit Success, Audit Failure
4798 A user's local group membership was enumerated
Audit Success
4799 A security-enabled local group membership was enumerated
Audit Success
4800 The workstation was locked
Audit Success, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
4801 The workstation was unlocked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4802 The screen saver was invoked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4803 The screen saver was dismissed
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4816 RPC detected an integrity violation while decrypting an incoming message.
Audit Success
4817 Auditing settings on object were changed
Audit Success
4818 Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Audit Success
4819 Central Access Policies on the machine have been changed
Audit Success
4826 Boot Configuration Data loaded
Audit Success
4902 The Per-user audit policy table was created
Audit Success
4904 An attempt was made to register a security event source
Audit Success
4905 An attempt was made to unregister a security event source
Audit Success
4906 The CrashOnAuditFail value has changed
Audit Success
4908 Special Groups Logon table modified
Audit Success
4911 Resource attributes of the object were changed
Audit Success
4912 Per User Audit Policy was changed
Audit Success
4913 Central Access Policy on the object was changed
Audit Success
4928 An Active Directory replica source naming context was established
Domain Controller, Audit Success, Audit Failure
4929 An Active Directory replica source naming context was removed
Domain Controller, Audit Success, Audit Failure
4930 An Active Directory replica source naming context was modified
Domain Controller, Audit Success, Audit Failure
4931 An Active Directory replica destination naming context was modified
Domain Controller, Audit Success, Audit Failure
4932 Synchronization of a replica of an Active Directory naming context has begun
Audit Success, Audit Failure, Domain Controller
4933 Synchronization of a replica of an Active Directory naming context has ended
Audit Success, Audit Failure, Domain Controller
4934 Attributes of an Active Directory object were replicated
Domain Controller, Audit Success, Audit Failure
4935 Replication failure begins
Domain Controller, Audit Success, Audit Failure
4936 Replication failure ends
Domain Controller, Audit Success, Audit Failure
4937 A lingering object was removed from a replica
Audit Success
4944 The following policy was active when the Windows Firewall started
Audit Success
4945 A rule was listed when the Windows Firewall started
Audit Success
4946 A change was made to the Windows Firewall exception list. A rule was added
Audit Success
4947 A change was made to the Windows Firewall exception list. A rule was modified
Audit Success
4948 A change was made to the Windows Firewall exception list. A rule was deleted
Audit Success
4949 Windows Firewall settings were restored to the default values.
Audit Success
4950 A Windows Firewall setting was changed
Audit Success
4954 Group Policy settings for Windows Firewall were changed, and the new settings were applied.
Audit Success
4956 Windows Firewall changed the active profile
Audit Success
4964 Special groups have been assigned to a new logon
Audit Success
4976 During main mode negotiation, IPsec received an invalid negotiation packet
Audit Success
4985 The state of a transaction has changed
Audit Success
5024 The Windows Firewall service started successfully.
Audit Success
5025 The Windows Firewall service was stopped.
Audit Success
5033 The Windows Firewall Driver started successfully.
Audit Success
5034 The Windows Firewall Driver was stopped.
Audit Success
5049 An IPsec security association was deleted.
Audit Success
5056 A cryptographic self test was performed.
Audit Success
5058 Key file operation.
Audit Success, Audit Failure
5059 Key migration operation.
Audit Success, Audit Failure
5061 Cryptographic operation.
Audit Success, Audit Failure
5062 A kernel-mode cryptographic self test was performed.
Audit Success
5063 A cryptographic provider operation was attempted.
Audit Success, Audit Failure
5064 A cryptographic context operation was attempted.
Audit Success, Audit Failure
5065 A cryptographic context modification was attempted.
Audit Success, Audit Failure
5066 A cryptographic function operation was attempted.
Audit Success, Audit Failure
5067 A cryptographic function modification was attempted.
Audit Success, Audit Failure
5068 A cryptographic function provider operation was attempted.
Audit Success, Audit Failure
5069 A cryptographic function property operation was attempted.
Audit Success, Audit Failure
5070 A cryptographic function property modification was attempted.
Audit Success, Audit Failure
5136 A directory service object was modified
Domain Controller, Audit Success
5137 A directory service object was created
Domain Controller, Audit Success
5138 A directory service object was undeleted.
Domain Controller, Audit Success
5139 A directory service object was moved.
Domain Controller, Audit Success
5140 A network share object was accessed
Audit Success, Audit Failure
5141 A directory service object was deleted.
Domain Controller, Audit Success
5142 A network share object was added
Audit Success
5143 A network share object was modified
Audit Success
5144 A network share object was deleted
Audit Success
5145 A network share object was checked to see whether client can be granted desired access.
Audit Success, Audit Failure
5153 A more restrictive Windows Filtering Platform filter has blocked a packet.
Audit Success
5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Audit Success
5156 The Windows Filtering Platform has allowed a connection.
Audit Success
5158 The Windows Filtering Platform has permitted a bind to a local port.
Audit Success
5169 A directory service object was modified.
Domain Controller, Audit Success, Audit Failure
5376 Credential Manager credentials were backed up.
Audit Success
5377 Credential Manager credentials were restored from a backup.
Audit Success
5447 A Windows Filtering Platform filter has been changed.
Audit Success
5453 An IPsec negotiation with a remote computer failed.
Audit Success
5478 The IPsec Policy Agent service was started.
Audit Success
5632 A request was made to authenticate to a wireless network.
Audit Success, Audit Failure
5633 A request was made to authenticate to a wired network.
Audit Success, Audit Failure
5712 A Remote Procedure Call (RPC) was attempted.
Audit Success
5888 An object in the COM+ Catalog was modified.
Audit Success
5889 An object was deleted from the COM+ Catalog.
Audit Success
5890 An object was added to the COM+ Catalog.
Audit Success
6144 Security policy in the group policy objects has been applied successfully.
Audit Success
6272 Network Policy Server granted access to a user.
Audit Success, Audit Failure
6273 Network Policy Server denied access to a user.
Audit Success, Audit Failure
6274 Network Policy Server discarded the request for a user.
Audit Success, Audit Failure
6275 Network Policy Server discarded the accounting request for a user.
Audit Success, Audit Failure
6276 Network Policy Server quarantined a user.
Audit Success, Audit Failure
6277 Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Audit Success, Audit Failure
6278 Network Policy Server granted full access to a user because the host met the defined health policy.
Audit Success, Audit Failure
6279 Network Policy Server locked the user account due to repeated failed authentication attempts.
Audit Success, Audit Failure
6280 Network Policy Server unlocked the user account.
Audit Success, Audit Failure
6416 A new external device was recognized by the system.
Audit Success
6419 A request was made to disable a device.
Audit Success
6420 A device was disabled.
Audit Success
6421 A request was made to enable a device.
Audit Success
6422 A device was enabled.
Audit Success
6423 The installation of this device is forbidden by system policy.
Audit Success
6424 The installation of this device was allowed, after having previously been forbidden by policy.
Audit Success