Windows audit policy and event ID recommendations, compiled by Marcus Thompson (@professorbike, professor.bike). Last revised: August 15, 2023.

Legend: Microsoft Recommendation blanks = no recommendation. DC = domain controller; WS = workstation; MS = member server. * = information sourced from a party outside of Microsoft. Highlight = ID maps to at least one additional policy. Recommendation columns are grouped as Microsoft Recommendations (Baseline, Stronger), Specific Policy Recs for DC, MS, WS (General, Stronger) and Netsurion Recs, each with a Success and a Failure column.

Category | Subcategory | EventCategory/Task Value | Microsoft Baseline: Success | Microsoft Baseline: Failure | Microsoft Stronger: Success | Microsoft Stronger: Failure | Specific Policy Recs (General): Success | Specific Policy Recs (General): Failure | Specific Policy Recs (Stronger): Success | Specific Policy Recs (Stronger): Failure | Netsurion: Success | Netsurion: Failure | Event ID | App L? | Metcalf BSides / AD Sec? | Palantir WEF? | ACSC WEF? | NSA WEF? | Description |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Account Logon | Audit Credential Validation | 14336 | Yes | WS: No; Servers: Yes | Yes | Yes | Yes DC = IF | Yes | Yes | Yes | Yes | Yes | 4774 | Yes | DC | Yes | An account was mapped for logon. |
4775 | Yes | DC | Yes | An account could not be mapped for logon. |
4776 | Yes | DC | Yes | Yes | The domain controller attempted to validate the credentials for an account (NTLM). |
4777 | Yes | DC | Yes | The domain controller failed to validate the credentials for an account. |
Audit Kerberos Authentication Service | 14339 | Yes | Yes | DC | DC | DC | DC | Yes | Yes | 4768 | Yes | DC | Yes | A Kerberos authentication ticket (TGT) was requested. |
4771 | Yes | DC | Yes | Kerberos pre-authentication failed. |
4772 | Yes | DC | Yes | A Kerberos authentication ticket request failed. |
Audit Kerberos Service Ticket Operations | 14337 | Yes | Yes | DC = IF | DC | DC | DC | Yes | Yes | 4769 | Yes | DC | Yes | Yes | A Kerberos service ticket was requested. |
4770 | Yes | DC | Yes | A Kerberos service ticket was renewed. |
4773 | No | Yes | A Kerberos service ticket request failed. |
Audit Other Account Logon Events | 14338 | Yes | Yes | No | No | No | No | Yes | Yes | N/A – Future Use | N/A | N/A |
Account Management | Audit Application Group Management | 13828 | Yes | Yes | 4783 | Yes | A basic application group was created. |
4784 | Yes | A basic application group was changed. |
4785 | Yes | A member was added to a basic application group. |
4786 | Yes | A member was removed from a basic application group. |
4787 | Yes | A non-member was added to a basic application group. |
4788 | Yes | A non-member was removed from a basic application group. |
4789 | Yes | A basic application group was deleted. |
4790 | Yes | An LDAP query group was created. |
4791 | No | An LDAP query group was changed. |
4792 | No | An LDAP query group was deleted. |
Audit Computer Account Management | 13825 | Yes | WS: No; DC: Yes | Yes | Yes | DC | No | DC | No | Yes | Yes | 4741 | Yes | DC | Yes | A computer account was created. |
4742 | Yes | DC | Yes | A computer account was changed. |
4743 | Yes | DC | Yes | A computer account was deleted. |
Audit Distribution Group Management | 13827 | DC = IF | No | DC = IF | No | Yes | Yes | 4749 | Yes | Yes | A security-disabled global group was created. |
4750 | Yes | Yes | A security-disabled global group was changed. |
4751 | Yes | Yes | A member was added to a security-disabled global group. |
4752 | Yes | Yes | A member was removed from a security-disabled global group. |
4753 | Yes | Yes | A security-disabled global group was deleted. |
4759 | Yes | DC | Yes | A security-disabled universal group was created. |
4760 | Yes | DC | Yes | A security-disabled universal group was changed. |
4761 | Yes | Yes | A member was added to a security-disabled universal group. |
4762 | Yes | Yes | A member was removed from a security-disabled universal group. |
4763 | No | Yes | A security-disabled universal group was deleted. |
4744 | Yes | Yes | A security-disabled local group was created. |
4745 | Yes | Yes | A security-disabled local group was changed. |
4746 | Yes | Yes | A member was added to a security-disabled local group. |
4747 | Yes | Yes | A member was removed from a security-disabled local group. |
4748 | Yes | Yes | A security-disabled local group was deleted. |
Audit Other Account Management Events | 13829 | Yes | WS: No; Servers: Yes | Yes | Yes | DC | No | DC | No | Yes | Yes | 4782 | Yes | DC | Yes | Yes | The password hash of an account was accessed. |
4793 | Yes | DC | Yes | Yes | The Password Policy Checking API was called. |
Audit Security Group Management | 13826 | Yes | WS: No; Servers: Yes | Yes | Yes | Yes | No | Yes | No | Yes | Yes | 4731 | Yes | DC | Yes | Yes | A security-enabled local group was created. |
4732 | Yes | Yes | Yes | Yes | A member was added to a security-enabled local group. |
4733 | Yes | DC | Yes | Yes | A member was removed from a security-enabled local group. |
4734 | Yes | DC | Yes | A security-enabled local group was deleted. |
4735 | Yes | DC | Yes | Yes | A security-enabled local group was changed. |
4764 | Yes | DC | Yes | Yes | A group's type was changed. |
4799 | No | Yes | A security-enabled local group or account membership was enumerated. |
4727 | Yes | DC | Yes | A security-enabled global group was created. |
4737 | Yes | DC | Yes | A security-enabled global group was changed. |
4728 | Yes | DC | Yes | Yes | A member was added to a security-enabled global group. |
4729 | Yes | DC | Yes | A member was removed from a security-enabled global group. |
4730 | Yes | DC | Yes | A security-enabled global group was deleted. |
4754 | Yes | DC | Yes | A security-enabled universal group was created. |
4755 | Yes | DC | Yes | A security-enabled universal group was changed. |
4756 | Yes | DC | Yes | Yes | A member was added to a security-enabled universal group. |
4757 | Yes | DC | Yes | A member was removed from a security-enabled universal group. |
4758 | Yes | DC | Yes | A security-enabled universal group was deleted. |
Audit User Account Management | 13824 | Yes | WS: No; Servers: Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 4720 | Yes | Yes | Yes | Yes | Yes | A (local) user account was created. |
4722 | Yes | DC | Yes | Yes | A user account was enabled. |
4723 | Yes | Yes | Yes | An attempt was made to change an account's password. |
4724 | Yes | DC | Yes | An attempt was made to reset an account's password. |
4725 | Yes | DC | Yes | Yes | A user account was disabled. |
4726 | Yes | DC | Yes | Yes | A user account was deleted. |
4738 | Yes | DC | Yes | A user account was changed. |
4740 | Yes | DC | Yes | Yes | Yes | A user account was locked out. |
4765 | Yes | DC | Yes | Yes | SID History was added to an account. |
4766 | Yes | DC | Yes | Yes | An attempt to add SID History to an account failed. |
4767 | Yes | DC | Yes | Yes | Yes | A user account was unlocked. |
4780 | Yes | DC | Yes | The ACL was set on accounts which are members of administrators groups. |
4781 | Yes | Yes | Yes | The name of an account was changed. |
4794 | Yes | DC | Yes | An attempt was made to set the Directory Services Restore Mode administrator password. |
4798 | No | New | Yes | A security-enabled local group or account membership was enumerated. |
5376 | Yes | Yes | Yes | Credential Manager credentials were backed up. |
5377 | Yes | Yes | Yes | Credential Manager credentials were restored from a backup. |
DS Access | Audit Detailed Directory Service Replication | 14083 | No | No | DC = IF | DC = IF | No | No | 4928 | Yes | An Active Directory replica source naming context was established. |
4929 | Yes | An Active Directory replica source naming context was removed. |
4930 | Yes | An Active Directory replica source naming context was modified. |
4931 | Yes | An Active Directory replica destination naming context was modified. |
4934 | Yes | Attributes of an Active Directory object were replicated. |
4935 | Yes | Replication failure begins. |
4936 | Yes | Replication failure ends. |
4937 | Yes | A lingering object was removed from a replica. |
Audit Directory Service Access | 14080 | DC | DC | DC | DC | No | DC | No | DC | Yes | Yes | 4662 | Yes | Yes | An operation was performed on an object. |
4661 | Yes | A handle to an object was requested. |
Audit Directory Service Changes | 14081 | DC | DC | DC | DC | DC | No | DC | No | Yes | Yes | 5136 | Yes | DC | Yes | Yes | A directory service object was modified. |
5137 | Yes | Yes | Yes | A directory service object was created. |
5138 | Yes | Yes | Yes | A directory service object was undeleted. |
5139 | Yes | Yes | Yes | A directory service object was moved. |
5141 | Yes | Yes | Yes | A directory service object was deleted. |
Audit Directory Service Replication | 14082 | No | No | DC = IF | DC = IF | No | No | 4932 | Yes | Synchronization of a replica of an Active Directory naming context has begun. |
4933 | Yes | Synchronization of a replica of an Active Directory naming context has ended. |
Detailed Tracking | Audit DPAPI Activity | 13314 | Yes | Yes | IF | IF | IF | IF | No | No | 4692 | Yes | DC | Backup of data protection master key was attempted. |
4693 | Yes | DC | Recovery of data protection master key was attempted. |
4694 | Yes | Protection of auditable protected data was attempted. |
4695 | Yes | DC | Unprotection of auditable protected data was attempted. |
Audit PNP Activity | 13316 | Yes | No | Yes | No | 6416 | No | Yes | A new external device was recognized by the System. |