| ID |
Event Description |
|
4625
|
An account failed to log on
Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST SP 800-53, NIST 800-171, CMMC L1
|
|
4649
|
A replay attack was detected
Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013
|
|
4652
|
An IPsec main mode negotiation failed
Audit Failure
|
|
4653
|
An IPsec main mode negotiation failed
Audit Failure
|
|
4654
|
An IPsec quick mode negotiation failed
Audit Failure
|
|
4656
|
A handle to an object was requested
Audit Failure, Audit Success, CJIS
|
|
4661
|
A handle to an object was requested
Domain Controller, Audit Success, Audit Failure
|
|
4662
|
An operation was performed on an object
Domain Controller, Audit Success, Audit Failure
|
|
4674
|
An operation was attempted on a privileged object
Audit Failure, Audit Success
|
|
4692
|
Backup of data protection master key was attempted
Audit Success, Audit Failure
|
|
4693
|
Recovery of data protection master key was attempted
Audit Success, Audit Failure
|
|
4694
|
Protection of auditable protected data was attempted
Audit Success, Audit Failure
|
|
4695
|
Unprotection of auditable protected data was attempted
Audit Success, Audit Failure
|
|
4723
|
An attempt was made to change an account's password
Audit Success, Audit Failure, CJIS
|
|
4724
|
An attempt was made to reset an account's password
Audit Failure, Audit Success, CJIS, ISO 27001:2013
|
|
4766
|
An attempt to add SID History to an account failed
Domain Controller, Audit Failure
|
|
4768
|
This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, NIST 800-171, NIST SP 800-53
|
|
4769
|
A Kerberos service ticket was requested
Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
|
|
4771
|
Kerberos pre-authentication failed
Domain Controller, Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4772
|
A Kerberos authentication ticket request failed
Domain Controller, Audit Failure, Not Implemented
|
|
4773
|
A Kerberos service ticket request failed
Domain Controller, Audit Failure, Not Implemented
|
|
4774
|
An account was mapped for logon
Domain Controller, Audit Success, Audit Failure
|
|
4775
|
An account could not be mapped for logon
Domain Controller, Audit Failure
|
|
4776
|
The computer attempted to validate the credentials for an account
Audit Failure, Audit Success, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
|
|
4777
|
The domain controller failed to validate the credentials for an account
Audit Failure
|
|
4794
|
An attempt was made to set the Directory Services Restore Mode administrator password
Domain Controller, Audit Success, Audit Failure
|
|
4928
|
An Active Directory replica source naming context was established
Domain Controller, Audit Success, Audit Failure
|
|
4929
|
An Active Directory replica source naming context was removed
Domain Controller, Audit Success, Audit Failure
|
|
4930
|
An Active Directory replica source naming context was modified
Domain Controller, Audit Success, Audit Failure
|
|
4931
|
An Active Directory replica destination naming context was modified
Domain Controller, Audit Success, Audit Failure
|
|
4932
|
Synchronization of a replica of an Active Directory naming context has begun
Audit Success, Audit Failure, Domain Controller
|
|
4933
|
Synchronization of a replica of an Active Directory naming context has ended
Audit Success, Audit Failure, Domain Controller
|
|
4934
|
Attributes of an Active Directory object were replicated
Domain Controller, Audit Success, Audit Failure
|
|
4935
|
Replication failure begins
Domain Controller, Audit Success, Audit Failure
|
|
4936
|
Replication failure ends
Domain Controller, Audit Success, Audit Failure
|
|
4951
|
Windows Firewall ignored a rule because its major version number is not recognized
Audit Failure
|
|
4952
|
Windows Firewall ignored parts of a rule because its minor version number is not recognized
Audit Failure
|
|
4953
|
Windows Firewall ignored a rule because it could not be parsed
Audit Failure
|
|
4957
|
Windows Firewall did not apply the following rule
Audit Failure
|
|
4958
|
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Audit Failure
|
|
5027
|
The Windows Firewall service was unable to retrieve the security policy from the local storage.
Audit Failure
|
|
5028
|
Windows Firewall was unable to parse the new security policy.
Audit Failure
|
|
5029
|
The Windows Firewall service failed to initialize the driver.
Audit Failure
|
|
5030
|
The Windows Firewall service failed to start.
Audit Failure
|
|
5031
|
Windows Firewall blocked an application from accepting incoming connections on the network.
Audit Failure
|
|
5032
|
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Audit Failure
|
|
5035
|
The Windows Firewall Driver failed to start.
Audit Failure
|
|
5037
|
The Windows Firewall Driver detected a critical runtime error.
Audit Failure
|
|
5038
|
Code integrity determined that the image hash of a file is not valid.
Audit Failure
|
|
5057
|
A cryptographic primitive operation failed.
Audit Failure
|
|
5058
|
Key file operation.
Audit Success, Audit Failure
|
|
5059
|
Key migration operation.
Audit Success, Audit Failure
|
|
5060
|
Verification operation failed.
Audit Failure
|
|
5061
|
Cryptographic operation.
Audit Success, Audit Failure
|
|
5063
|
A cryptographic provider operation was attempted.
Audit Success, Audit Failure
|
|
5064
|
A cryptographic context operation was attempted.
Audit Success, Audit Failure
|
|
5065
|
A cryptographic context modification was attempted.
Audit Success, Audit Failure
|
|
5066
|
A cryptographic function operation was attempted.
Audit Success, Audit Failure
|
|
5067
|
A cryptographic function modification was attempted.
Audit Success, Audit Failure
|
|
5068
|
A cryptographic function provider operation was attempted.
Audit Success, Audit Failure
|
|
5069
|
A cryptographic function property operation was attempted.
Audit Success, Audit Failure
|
|
5070
|
A cryptographic function property modification was attempted.
Audit Success, Audit Failure
|
|
5140
|
A network share object was accessed
Audit Success, Audit Failure
|
|
5145
|
A network share object was checked to see whether client can be granted desired access.
Audit Success, Audit Failure
|
|
5148
|
The Windows Filtering Platform has detected a DoS attack.
Audit Failure
|
|
5149
|
The DoS attack has subsided and normal processing is being resumed.
Audit Failure
|
|
5152
|
The Windows Filtering Platform has blocked a packet.
Audit Failure
|
|
5155
|
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Audit Failure
|
|
5157
|
The Windows Filtering Platform has blocked a connection.
Audit Failure
|
|
5168
|
Spn check for SMB/SMB2 fails.
Audit Failure
|
|
5169
|
A directory service object was modified.
Domain Controller, Audit Success, Audit Failure
|
|
5378
|
The requested credentials delegation was disallowed by policy.
Audit Failure
|
|
5632
|
A request was made to authenticate to a wireless network.
Audit Success, Audit Failure
|
|
5633
|
A request was made to authenticate to a wired network.
Audit Success, Audit Failure
|
|
6145
|
One or more errors occurred while processing security policy in the group policy objects.
Audit Failure
|
|
6272
|
Network Policy Server granted access to a user.
Audit Success, Audit Failure
|
|
6273
|
Network Policy Server denied access to a user.
Audit Success, Audit Failure
|
|
6274
|
Network Policy Server discarded the request for a user.
Audit Success, Audit Failure
|
|
6275
|
Network Policy Server discarded the accounting request for a user.
Audit Success, Audit Failure
|
|
6276
|
Network Policy Server quarantined a user.
Audit Success, Audit Failure
|
|
6277
|
Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Audit Success, Audit Failure
|
|
6278
|
Network Policy Server granted full access to a user because the host met the defined health policy.
Audit Success, Audit Failure
|
|
6279
|
Network Policy Server locked the user account due to repeated failed authentication attempts.
Audit Success, Audit Failure
|
|
6280
|
Network Policy Server unlocked the user account.
Audit Success, Audit Failure
|
|
6281
|
Code Integrity determined that the page hashes of an image file are not valid.
Audit Failure
|
|
6410
|
Code integrity determined that a file does not meet the security requirements to load into a process.
Audit Failure
|