Event Log Security - Windows Event Search

ID	Event Description
4649	A replay attack was detected Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013
4661	A handle to an object was requested Domain Controller, Audit Success, Audit Failure
4662	An operation was performed on an object Domain Controller, Audit Success, Audit Failure
4675	SIDs were filtered Domain Controller, Audit Success
4706	A new trust was created to a domain Domain Controller, Audit Success
4707	A trust to a domain was removed Domain Controller, Audit Success
4713	Kerberos policy was changed Domain Controller, Audit Success
4716	Trusted domain information was modified Domain Controller, Audit Success
4727	A security-enabled global group was created Domain Controller
4728	A member was added to a security-enabled global group Domain Controller, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L1
4729	A member was removed from a security-enabled global group Domain Controller
4730	A security-enabled global group was deleted Domain Controller
4737	A security-enabled global group was changed Domain Controller
4739	Domain Policy was changed Domain Controller, NIST 800-171, NIST SP 800-53, ISO 27001:2013, Audit Success, CMMC L3
4741	A computer account was created Domain Controller, Audit Success
4742	A computer account was changed Domain Controller, Audit Success
4743	A computer account was deleted Domain Controller, Audit Success
4749	A security-disabled global group was created Domain Controller, Audit Success
4750	A security-disabled global group was changed Domain Controller, Audit Success
4751	A member was added to a security-disabled global group Domain Controller, Audit Success
4752	A member was removed from a security-disabled global group Domain Controller, Audit Success
4753	A security-disabled global group was deleted Domain Controller, Audit Success
4754	A security-enabled universal group was created Domain Controller
4755	A security-enabled universal group was changed Domain Controller
4756	A member was added to a security-enabled universal group Domain Controller, ISO 27001:2013
4757	A member was removed from a security-enabled universal group Domain Controller
4758	A security-enabled universal group was deleted Domain Controller
4759	A security-disabled universal group was created Domain Controller
4760	A security-disabled universal group was changed Domain Controller
4761	A member was added to a security-disabled universal group Domain Controller
4762	A member was removed from a security-disabled universal group Domain Controller
4763	A security-disabled universal group was deleted Domain Controller
4764	A group’s type was changed Domain Controller, Audit Success
4765	SID History was added to an account Domain Controller, Audit Success
4766	An attempt to add SID History to an account failed Domain Controller, Audit Failure
4768	This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, NIST 800-171, NIST SP 800-53
4769	A Kerberos service ticket was requested Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
4770	A Kerberos service ticket was renewed Domain Controller, Audit Success
4771	Kerberos pre-authentication failed Domain Controller, Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L3
4772	A Kerberos authentication ticket request failed Domain Controller, Audit Failure, Not Implemented
4773	A Kerberos service ticket request failed Domain Controller, Audit Failure, Not Implemented
4774	An account was mapped for logon Domain Controller, Audit Success, Audit Failure
4775	An account could not be mapped for logon Domain Controller, Audit Failure
4780	The ACL was set on accounts which are members of administrators groups Domain Controller, Audit Success
4782	The password hash an account was accessed Domain Controller, Audit Success
4783	A basic application group was created Domain Controller, Audit Success
4784	A basic application group was changed Domain Controller, Audit Success
4785	A member was added to a basic application group Domain Controller, Audit Success
4786	A member was removed from a basic application group Domain Controller, Audit Success
4787	A non-member was added to a basic application group Domain Controller, Audit Success
4788	A non-member was removed from a basic application group Domain Controller, Audit Success
4789	A basic application group was deleted Domain Controller, Audit Success
4790	An LDAP query group was created Domain Controller, Audit Success
4791	A basic application group was changed Domain Controller, Audit Success
4792	An LDAP query group was deleted Domain Controller, Audit Success
4793	The Password Policy Checking API was called Domain Controller, Audit Success
4794	An attempt was made to set the Directory Services Restore Mode administrator password Domain Controller, Audit Success, Audit Failure
4820	A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions Domain Controller
4821	A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions Domain Controller
4824	Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group Domain Controller
4928	An Active Directory replica source naming context was established Domain Controller, Audit Success, Audit Failure
4929	An Active Directory replica source naming context was removed Domain Controller, Audit Success, Audit Failure
4930	An Active Directory replica source naming context was modified Domain Controller, Audit Success, Audit Failure
4931	An Active Directory replica destination naming context was modified Domain Controller, Audit Success, Audit Failure
4932	Synchronization of a replica of an Active Directory naming context has begun Audit Success, Audit Failure, Domain Controller
4933	Synchronization of a replica of an Active Directory naming context has ended Audit Success, Audit Failure, Domain Controller
4934	Attributes of an Active Directory object were replicated Domain Controller, Audit Success, Audit Failure
4935	Replication failure begins Domain Controller, Audit Success, Audit Failure
4936	Replication failure ends Domain Controller, Audit Success, Audit Failure
5136	A directory service object was modified Domain Controller, Audit Success
5137	A directory service object was created Domain Controller, Audit Success
5138	A directory service object was undeleted. Domain Controller, Audit Success
5139	A directory service object was moved. Domain Controller, Audit Success
5141	A directory service object was deleted. Domain Controller, Audit Success
5169	A directory service object was modified. Domain Controller, Audit Success, Audit Failure

Audit Category

Audit Subcategory

Operating Systems

Tags

Auditing

Volume

EventSentry