Audit Policy recommendation matrix
Compiled by Marcus Thompson (@professorbike), professor.bike
Last revised: August 15, 2023

Sheet columns, in order:
- Category; Subcategory; EventCategory/Task Value
- Microsoft Recommendations: Baseline (Success, Failure); Stronger (Success, Failure)
- Specific Policy Recs for DC, MS, WS (col. B links): General (Success, Failure); Stronger (Success, Failure)
- Netsurion Recs (Success, Failure)
- Event ID; App L?; Metcalf BSides / AD Sec?; Palantir WEF?; ACSC WEF?; NSA WEF?; Description

Legend:
- Microsoft Recommendation blanks = no recommendation
- DC = domain controller; WS = workstation; MS = member server
- * = information sourced from party outside of Microsoft
- highlight = ID maps to at least one additional policy

Below, each subcategory lists its recommendation flags in sheet column order (Microsoft Baseline S/F, Microsoft Stronger S/F, Specific General S/F, Specific Stronger S/F, Netsurion S/F), followed by its event IDs with the App L? / Metcalf / Palantir / ACSC / NSA flags in sheet order and the event description.
Category: Account Logon

Subcategory: Audit Credential Validation (task value 14336)
Recommendation flags: Yes | WS: No; DC = IF; Servers: Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4774 | Yes, DC, Yes | An account was mapped for logon.
4775 | Yes, DC, Yes | An account could not be mapped for logon.
4776 | Yes, DC, Yes, Yes | The domain controller attempted to validate the credentials for an account (NTLM).
4777 | Yes, DC, Yes | The domain controller failed to validate the credentials for an account.

Subcategory: Audit Kerberos Authentication Service (task value 14339)
Recommendation flags: Yes | Yes | DC | DC | DC | DC | Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4768 | Yes, DC, Yes | A Kerberos authentication ticket (TGT) was requested.
4771 | Yes, DC, Yes | Kerberos pre-authentication failed.
4772 | Yes, DC, Yes | A Kerberos authentication ticket request failed.

Subcategory: Audit Kerberos Service Ticket Operations (task value 14337)
Recommendation flags: Yes | Yes | DC = IF | DC | DC | DC | Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4769 | Yes, DC, Yes, Yes | A Kerberos service ticket was requested.
4770 | Yes, DC, Yes | A Kerberos service ticket was renewed.
4773 | No, Yes | A Kerberos service ticket request failed.

Subcategory: Audit Other Account Logon Events (task value 14338)
Recommendation flags: Yes | Yes | No | No | No | No | Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
N/A – Future Use | N/A, N/A | (no events defined)
Category: Account Management

Subcategory: Audit Application Group Management (task value 13828)
Recommendation flags: Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4783 | Yes | A basic application group was created.
4784 | Yes | A basic application group was changed.
4785 | Yes | A member was added to a basic application group.
4786 | Yes | A member was removed from a basic application group.
4787 | Yes | A non-member was added to a basic application group.
4788 | Yes | A non-member was removed from a basic application group.
4789 | Yes | A basic application group was deleted.
4790 | Yes | An LDAP query group was created.
4791 | No | An LDAP query group was changed.
4792 | No | An LDAP query group was deleted.

Subcategory: Audit Computer Account Management (task value 13825)
Recommendation flags: Yes | WS: No; DC: Yes | Yes | Yes | DC | No | DC | No | Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4741 | Yes, DC, Yes | A computer account was created.
4742 | Yes, DC, Yes | A computer account was changed.
4743 | Yes, DC, Yes | A computer account was deleted.

Subcategory: Audit Distribution Group Management (task value 13827)
Recommendation flags: DC = IF | No | DC = IF | No | Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4749 | Yes, Yes | A security-disabled global group was created.
4750 | Yes, Yes | A security-disabled global group was changed.
4751 | Yes, Yes | A member was added to a security-disabled global group.
4752 | Yes, Yes | A member was removed from a security-disabled global group.
4753 | Yes, Yes | A security-disabled global group was deleted.
4759 | Yes, DC, Yes | A security-disabled universal group was created.
4760 | Yes, DC, Yes | A security-disabled universal group was changed.
4761 | Yes, Yes | A member was added to a security-disabled universal group.
4762 | Yes, Yes | A member was removed from a security-disabled universal group.
4763 | No, Yes | A security-disabled universal group was deleted.
4744 | Yes, Yes | A security-disabled local group was created.
4745 | Yes, Yes | A security-disabled local group was changed.
4746 | Yes, Yes | A member was added to a security-disabled local group.
4747 | Yes, Yes | A member was removed from a security-disabled local group.
4748 | Yes, Yes | A security-disabled local group was deleted.

Subcategory: Audit Other Account Management Events (task value 13829)
Recommendation flags: Yes | WS: No; Servers: Yes | Yes | Yes | DC | No | DC | No | Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4782 | Yes, DC, Yes, Yes | The password hash of an account was accessed.
4793 | Yes, DC, Yes, Yes | The Password Policy Checking API was called.

Subcategory: Audit Security Group Management (task value 13826)
Recommendation flags: Yes | WS: No; Servers: Yes | Yes | Yes | Yes | No | Yes | No | Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4731 | Yes, DC, Yes, Yes | A security-enabled local group was created.
4732 | Yes, Yes, Yes, Yes | A member was added to a security-enabled local group.
4733 | Yes, DC, Yes, Yes | A member was removed from a security-enabled local group.
4734 | Yes, DC, Yes | A security-enabled local group was deleted.
4735 | Yes, DC, Yes, Yes | A security-enabled local group was changed.
4764 | Yes, DC, Yes, Yes | A group's type was changed.
4799 | No, Yes | A security-enabled local group or account membership was enumerated.
4727 | Yes, DC, Yes | A security-enabled global group was created.
4737 | Yes, DC, Yes | A security-enabled global group was changed.
4728 | Yes, DC, Yes, Yes | A member was added to a security-enabled global group.
4729 | Yes, DC, Yes | A member was removed from a security-enabled global group.
4730 | Yes, DC, Yes | A security-enabled global group was deleted.
4754 | Yes, DC, Yes | A security-enabled universal group was created.
4755 | Yes, DC, Yes | A security-enabled universal group was changed.
4756 | Yes, DC, Yes, Yes | A member was added to a security-enabled universal group.
4757 | Yes, DC, Yes | A member was removed from a security-enabled universal group.
4758 | Yes, DC, Yes | A security-enabled universal group was deleted.

Subcategory: Audit User Account Management (task value 13824)
Recommendation flags: Yes | WS: No; Servers: Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4720 | Yes, Yes, Yes, Yes, Yes | A (local) user account was created.
4722 | Yes, DC, Yes, Yes | A user account was enabled.
4723 | Yes, Yes, Yes | An attempt was made to change an account's password.
4724 | Yes, DC, Yes | An attempt was made to reset an account's password.
4725 | Yes, DC, Yes, Yes | A user account was disabled.
4726 | Yes, DC, Yes, Yes | A user account was deleted.
4738 | Yes, DC, Yes | A user account was changed.
4740 | Yes, DC, Yes, Yes, Yes | A user account was locked out.
4765 | Yes, DC, Yes, Yes | SID History was added to an account.
4766 | Yes, DC, Yes, Yes | An attempt to add SID History to an account failed.
4767 | Yes, DC, Yes, Yes, Yes | A user account was unlocked.
4780 | Yes, DC, Yes | The ACL was set on accounts which are members of administrators groups.
4781 | Yes, Yes, Yes | The name of an account was changed.
4794 | Yes, DC, Yes | An attempt was made to set the Directory Services Restore Mode administrator password.
4798 | No, New, Yes | A security-enabled local group or account membership was enumerated.
5376 | Yes, Yes, Yes | Credential Manager credentials were backed up.
5377 | Yes, Yes, Yes | Credential Manager credentials were restored from a backup.
Category: DS Access

Subcategory: Audit Detailed Directory Service Replication (task value 14083)
Recommendation flags: No | No | DC = IF | DC = IF | No | No
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4928 | Yes | An Active Directory replica source naming context was established.
4929 | Yes | An Active Directory replica source naming context was removed.
4930 | Yes | An Active Directory replica source naming context was modified.
4931 | Yes | An Active Directory replica destination naming context was modified.
4934 | Yes | Attributes of an Active Directory object were replicated.
4935 | Yes | Replication failure begins.
4936 | Yes | Replication failure ends.
4937 | Yes | A lingering object was removed from a replica.

Subcategory: Audit Directory Service Access (task value 14080)
Recommendation flags: DC | DC | DC | DC | No | DC | No | DC | Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4662 | Yes, Yes | An operation was performed on an object.
4661 | Yes | A handle to an object was requested.

Subcategory: Audit Directory Service Changes (task value 14081)
Recommendation flags: DC | DC | DC | DC | DC | No | DC | No | Yes | Yes
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
5136 | Yes, DC, Yes, Yes | A directory service object was modified.
5137 | Yes, Yes, Yes | A directory service object was created.
5138 | Yes, Yes, Yes | A directory service object was undeleted.
5139 | Yes, Yes, Yes | A directory service object was moved.
5141 | Yes, Yes, Yes | A directory service object was deleted.

Subcategory: Audit Directory Service Replication (task value 14082)
Recommendation flags: No | No | DC = IF | DC = IF | No | No
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4932 | Yes | Synchronization of a replica of an Active Directory naming context has begun.
4933 | Yes | Synchronization of a replica of an Active Directory naming context has ended.
Category: Detailed Tracking

Subcategory: Audit DPAPI Activity (task value 13314)
Recommendation flags: Yes | Yes | IF | IF | IF | IF | No | No
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
4692 | Yes, DC | Backup of data protection master key was attempted.
4693 | Yes, DC | Recovery of data protection master key was attempted.
4694 | Yes | Protection of auditable protected data was attempted.
4695 | Yes, DC | Unprotection of auditable protected data was attempted.

Subcategory: Audit PNP Activity (task value 13316)
Recommendation flags: Yes | No | Yes | No
Event ID | App L? / Metcalf / Palantir / ACSC / NSA | Description
6416 | No, Yes | A new external device was recognized by the System.