Audit Policy Recommendations

Per-subcategory settings by host role. Each role cell gives the recommended Success / Failure setting for that Advanced Audit Policy subcategory.

| Category | Subcategory | Workstation (S / F) | Admin Workstation (S / F) | Member Server (S / F) | Critical Application Server (S / F) | Domain Controller (S / F) | DMZ Server, standalone (S / F) |
|---|---|---|---|---|---|---|---|
| Account Logon | Audit Credential Validation | No / No | No / No | Yes / Yes | Yes / Yes | Yes / Yes | Yes / Yes |
| Account Logon | Audit Kerberos Authentication Service | No / No | No / No | No / No | Yes / Yes | Yes / Yes | Yes / Yes |
| Account Logon | Audit Kerberos Service Ticket Operations | No / No | No / No | No / No | Yes / Yes | Yes / Yes | Yes / Yes |
| Account Logon | Audit Other Account Logon Events | No / No | No / No | No / No | Yes / Yes | Yes / Yes | Yes / Yes |
| Account Management | Audit Application Group Management | No / No | No / No | No / No | No / No | No / No | No / No |
| Account Management | Audit Computer Account Management | Yes / No | Yes / Yes | Yes / No | Yes / No | Yes / Yes | Yes / No |
| Account Management | Audit Distribution Group Management | No / No | No / No | No / No | No / No | No / No | No / No |
| Account Management | Audit Other Account Management Events | Yes / No | Yes / Yes | Yes / Yes | Yes / Yes | Yes / Yes | Yes / Yes |
| Account Management | Audit Security Group Management | Yes / Yes* | Yes / Yes | Yes / Yes* | Yes / Yes | Yes / Yes | Yes / Yes |
| Account Management | Audit User Account Management | Yes / No | Yes / Yes | Yes / No | Yes / Yes | Yes / Yes | Yes / Yes |
| Detailed Tracking | Audit DPAPI Activity | No / No | Yes / No | No / No | Yes / Yes | Yes / Yes | Yes / Yes |
| Detailed Tracking | Audit Process Creation | Yes / No | Yes / Yes | Yes / No | Yes / Yes | Yes / Yes | Yes / Yes |
| Detailed Tracking | Audit Process Termination | No / No | No / No | No / No | No / No | No / No | No / No |
| Detailed Tracking | Audit RPC Events | No / No | No / No | No / No | No / No | No / No | No / No |
| DS Access | Audit Detailed Directory Service Replication | No / No | No / No | No / No | No / No | No / No | No / No |
| DS Access | Audit Directory Service Access | No / No | No / No | No / No | No / No | Yes / Yes | No / No |
| DS Access | Audit Directory Service Changes | No / No | No / No | No / No | No / No | Yes / Yes | No / No |

Events generated by each subcategory. "Importance (Microsoft)" is Microsoft's own rating; "Importance (this guide)" is the guide's 0-4 rating; "Filter" marks events whose volume should be evaluated for filtering before forwarding.

| Subcategory | Event ID | Importance (Microsoft) | Importance (this guide) | Filter | Expected Volume | Volume Comment | Comment | Description |
|---|---|---|---|---|---|---|---|---|
| Audit Credential Validation | 4774 | Low | 1 | Evaluate | High | High on DCs | | An account was mapped for logon |
| Audit Credential Validation | 4775 | Low | 2 | Evaluate | High | High on DCs | | An account could not be mapped for logon |
| Audit Credential Validation | 4776 | Low | 2 | | High | High on DCs | | The domain controller attempted to validate the credentials for an account |
| Audit Credential Validation | 4777 | Low | 2 | | High | High on DCs | | The domain controller failed to validate the credentials for an account |
| Audit Kerberos Authentication Service | 4768 | Low | 3 | | High | High on KDCs | | A Kerberos authentication ticket (TGT) was requested |
| Audit Kerberos Authentication Service | 4771 | Low | 3 | | High | High on KDCs | | Kerberos pre-authentication failed |
| Audit Kerberos Authentication Service | 4772 | Low | 2 | Evaluate | High | High on KDCs | | A Kerberos authentication ticket request failed |
| Audit Kerberos Service Ticket Operations | 4769 | Low | 0 | | High | High on KDCs | Check for relevant "Failure Code" values in the event details | A Kerberos service ticket was requested |
| Audit Kerberos Service Ticket Operations | 4770 | Low | 1 | Evaluate | High | High on KDCs | | A Kerberos service ticket was renewed |
| Audit Other Account Logon Events | 4800 | Low | 1 | | Medium | Varies, depends on system use | | The workstation was locked |
| Audit Other Account Logon Events | 4801 | Low | 1 | | Medium | Varies, depends on system use | | The workstation was unlocked |
| Audit Other Account Logon Events | 4802 | Low | 1 | | Medium | Varies, depends on system use | | The screen saver was invoked |
| Audit Other Account Logon Events | 4803 | Low | 1 | | Medium | Varies, depends on system use | | The screen saver was dismissed |
| Audit Other Account Logon Events | 5378 | Low | 3 | | Medium | Varies, depends on system use | | The requested credentials delegation was disallowed by policy |
| Audit Other Account Logon Events | 5632 | Low | | | Medium | Varies, depends on system use | | A request was made to authenticate to a wireless network |
| Audit Other Account Logon Events | 5633 | Low | | | Medium | Varies, depends on system use | | A request was made to authenticate to a wired network |
| Audit Application Group Management | 4783 | Low | 1 | | Low | | | A basic application group was created |
| Audit Application Group Management | 4784 | Low | 1 | | Low | | | A basic application group was changed |
| Audit Application Group Management | 4785 | Low | 1 | | Low | | | A member was added to a basic application group |
| Audit Application Group Management | 4786 | Low | 1 | | Low | | | A member was removed from a basic application group |
| Audit Application Group Management | 4787 | Low | 1 | | Low | | | A non-member was added to a basic application group |
| Audit Application Group Management | 4788 | Low | 1 | | Low | | | A non-member was removed from a basic application group |
| Audit Application Group Management | 4789 | Low | 1 | | Low | | | A basic application group was deleted |
| Audit Application Group Management | 4790 | Low | 1 | | Low | | | An LDAP query group was created |
| Audit Computer Account Management | 4741 | Low | 2 | | Low | | | A computer account was created |
| Audit Computer Account Management | 4742 | Low | 2 | | Low | | | A computer account was changed |
| Audit Computer Account Management | 4743 | Low | 1 | | Low | | | A computer account was deleted |
| Audit Distribution Group Management | 4744 | Low | 2 | | Low | | | A security-disabled local group was created |
| Audit Distribution Group Management | 4745 | Low | 1 | | Low | | | A security-disabled local group was changed |
| Audit Distribution Group Management | 4746 | Low | 1 | | Low | | | A member was added to a security-disabled local group |
| Audit Distribution Group Management | 4747 | Low | 1 | | Low | | | A member was removed from a security-disabled local group |
| Audit Distribution Group Management | 4748 | Low | 1 | | Low | | | A security-disabled local group was deleted |
| Audit Distribution Group Management | 4749 | Low | 1 | | Low | | | A security-disabled global group was created |
| Audit Distribution Group Management | 4750 | Low | 1 | | Low | | | A security-disabled global group was changed |
| Audit Distribution Group Management | 4751 | Low | 1 | | Low | | | A member was added to a security-disabled global group |
| Audit Distribution Group Management | 4752 | Low | 1 | | Low | | | A member was removed from a security-disabled global group |
| Audit Distribution Group Management | 4753 | Low | 1 | | Low | | | A security-disabled global group was deleted |
| Audit Distribution Group Management | 4759 | Low | 2 | | Low | | | A security-disabled universal group was created |
| Audit Distribution Group Management | 4760 | Low | 2 | | Low | | | A security-disabled universal group was changed |
| Audit Distribution Group Management | 4761 | Low | 2 | | Low | | | A member was added to a security-disabled universal group |
| Audit Distribution Group Management | 4762 | Low | 1 | | Low | | | A member was removed from a security-disabled universal group |
| Audit Other Account Management Events | 4782 | Low | 3 | | Low | | | The password hash of an account was accessed |
| Audit Other Account Management Events | 4793 | Low | 2 | | Low | | | The Password Policy Checking API was called |
| Audit Security Group Management | 4727 | Medium | 2 | | Low | | | A security-enabled global group was created |
| Audit Security Group Management | 4728 | Low | 3 | | Low | | | A member was added to a security-enabled global group |
| Audit Security Group Management | 4729 | Low | 1 | | Low | | | A member was removed from a security-enabled global group |
| Audit Security Group Management | 4730 | Low | 1 | | Low | | | A security-enabled global group was deleted |
| Audit Security Group Management | 4731 | Low | 2 | | Low | | | A security-enabled local group was created |
| Audit Security Group Management | 4732 | Low | 3 | | Low | | | A member was added to a security-enabled local group |
| Audit Security Group Management | 4733 | Low | 1 | | Low | | | A member was removed from a security-enabled local group |
| Audit Security Group Management | 4734 | Low | 1 | | Low | | | A security-enabled local group was deleted |
| Audit Security Group Management | 4735 | Medium | 2 | | Low | | | A security-enabled local group was changed |
| Audit Security Group Management | 4736 | | | | Low | | | |
| Audit Security Group Management | 4737 | Medium | 2 | | Low | | | A security-enabled global group was changed |
| Audit Security Group Management | 4754 | Medium | 2 | | Low | | | A security-enabled universal group was created |
| Audit Security Group Management | 4755 | Medium | 2 | | Low | | | A security-enabled universal group was changed |
| Audit Security Group Management | 4756 | Low | 3 | | Low | | | A member was added to a security-enabled universal group |
| Audit Security Group Management | 4757 | Low | 1 | | Low | | | A member was removed from a security-enabled universal group |
| Audit Security Group Management | 4758 | Low | 1 | | Low | | | A security-enabled universal group was deleted |
| Audit Security Group Management | 4764 | Medium | 2 | | Low | | | A group's type was changed |
| Audit User Account Management | 4720 | Low | 3 | | Low | | | A user account was created |
| Audit User Account Management | 4722 | Low | 2 | | Low | | | A user account was enabled |
| Audit User Account Management | 4723 | Low | 2 | | Low | | | An attempt was made to change an account's password |
| Audit User Account Management | 4724 | Medium | 2 | | Low | | | An attempt was made to reset an account's password |
| Audit User Account Management | 4725 | Low | 2 | | Low | | | A user account was disabled |
| Audit User Account Management | 4726 | Low | 2 | | Low | | | A user account was deleted |
| Audit User Account Management | 4738 | Low | 2 | | Low | | | A user account was changed |
| Audit User Account Management | 4740 | Low | 3 | | Low | | | A user account was locked out |
| Audit User Account Management | 4765 | High | 3 | | Low | | | SID History was added to an account |
| Audit User Account Management | 4766 | High | 4 | | Low | | | An attempt to add SID History to an account failed |
| Audit User Account Management | 4767 | Low | 1 | | Low | | | A user account was unlocked |
| Audit User Account Management | 4780 | Medium | 2 | | Low | | | The ACL was set on accounts which are members of administrators groups |
| Audit User Account Management | 4781 | Low | 2 | | Low | | | The name of an account was changed |
| Audit User Account Management | 4794 | High | 2 | | Low | | | An attempt was made to set the Directory Services Restore Mode administrator password |
| Audit User Account Management | 5376 | Medium | 1 | | Low | | | Credential Manager credentials were backed up |
| Audit User Account Management | 5377 | Medium | 3 | | Low | | | Credential Manager credentials were restored from a backup |
| Audit DPAPI Activity | 4692 | Medium | 3 | | Low | | | Backup of data protection master key was attempted |
| Audit DPAPI Activity | 4693 | Medium | 3 | | Low | | | Recovery of data protection master key was attempted |
| Audit DPAPI Activity | 4694 | Low | 3 | | Low | | | Protection of auditable protected data was attempted |
| Audit DPAPI Activity | 4695 | Low | 3 | | Low | | | Unprotection of auditable protected data was attempted |
| Audit Process Creation | 4688 | Low | 3 | | Medium | Varies, depends on system use | Apply the special GPO that includes the command line in process creation events; see https://technet.microsoft.com/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing | A new process has been created |
| Audit Process Creation | 4696 | Low | 2 | | Low | | | A primary token was assigned to process |
| Audit Process Termination | 4689 | Low | 1 | | Medium | Varies, depends on system use | | A process has exited |
| Audit RPC Events | 5712 | Low | | | High | High on RPC servers | | A Remote Procedure Call (RPC) was attempted |
| Audit Detailed Directory Service Replication | 4928 | Low | 2 | | High | Very high volume (for debugging only) | | An Active Directory replica source naming context was established |
| Audit Detailed Directory Service Replication | 4929 | Low | 2 | | High | Very high volume (for debugging only) | | An Active Directory replica source naming context was removed |
| Audit Detailed Directory Service Replication | 4930 | Low | 2 | | High | Very high volume (for debugging only) | | An Active Directory replica source naming context was modified |
| Audit Detailed Directory Service Replication | 4931 | Low | 2 | | High | Very high volume (for debugging only) | | An Active Directory replica destination naming context was modified |
| Audit Detailed Directory Service Replication | 4932 | Low | 1 | | High | Very high volume (for debugging only) | | Synchronization of a replica of an Active Directory naming context has begun |
| Audit Detailed Directory Service Replication | 4933 | Low | 1 | | High | Very high volume (for debugging only) | | Synchronization of a replica of an Active Directory naming context has ended |
| Audit Detailed Directory Service Replication | 4934 | Low | 1 | | High | Very high volume (for debugging only) | | Attributes of an Active Directory object were replicated |
| Audit Detailed Directory Service Replication | 4935 | Low | 2 | | High | Very high volume (for debugging only) | | Replication failure begins |
| Audit Detailed Directory Service Replication | 4936 | Low | 2 | | High | Very high volume (for debugging only) | | Replication failure ends |
| Audit Detailed Directory Service Replication | 4937 | Low | 2 | | High | Very high volume (for debugging only) | | A lingering object was removed from a replica |
| Audit Directory Service Access | 4662 | Low | 1 | Evaluate | High | High on DCs | | An operation was performed on an object |
| Audit Directory Service Changes | 5136 | Low | 1 | Evaluate | High | High on DCs | | A directory service object was modified |
| Audit Directory Service Changes | 5137 | Low | 2 | Evaluate | High | High on DCs | | A directory service object was created |
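The role matrix above is what `auditpol.exe` configures per subcategory. The following PowerShell is an added example written for this page, not the spreadsheet author's tooling: it transcribes the per-role Success / Failure columns into a hashtable, applies them with `auditpol /set`, forces the subcategory-over-category override that Advanced Audit Policy requires, turns on command-line capture for 4688 on roles where Process Creation auditing is enabled (the registry value behind the GPO the 4688 comment points to), and then reads the effective policy back with `auditpol /get /r` to report drift. The `$Role` and `$DryRun` parameters, the `$Policy` hashtable, the role ordering and the `Invoke-Auditpol` helper are this example's own constructs; the subcategory strings are the names `auditpol` itself uses (the table's "Audit " prefix dropped), and the "Yes*" cells are treated as plain Yes because their footnote is not reproduced on this page.

```powershell
# Added example, not part of the original table: apply the recommended Advanced
# Audit Policy settings for one host role with auditpol.exe, then read the
# effective policy back and flag drift. $Role, $DryRun, $Policy, the role order
# and Invoke-Auditpol are this script's own constructs; the subcategory strings
# are the names auditpol uses. Localized Windows builds translate those names,
# so on non-English systems use /subcategory:{GUID} instead.
param(
    [ValidateSet('Workstation','AdminWorkstation','MemberServer',
                 'CriticalAppServer','DomainController','DmzServer')]
    [string]$Role = 'DomainController',
    [switch]$DryRun     # print the auditpol calls instead of running them
)

# Success/Failure per role, transcribed from the table. Column order:
# Workstation, AdminWorkstation, MemberServer, CriticalAppServer, DomainController, DmzServer
# ("Yes*" in the table is taken as Yes; its footnote is not on the page.)
$Policy = @{
    'Credential Validation'                  = @('N/N','N/N','Y/Y','Y/Y','Y/Y','Y/Y')
    'Kerberos Authentication Service'        = @('N/N','N/N','N/N','Y/Y','Y/Y','Y/Y')
    'Kerberos Service Ticket Operations'     = @('N/N','N/N','N/N','Y/Y','Y/Y','Y/Y')
    'Other Account Logon Events'             = @('N/N','N/N','N/N','Y/Y','Y/Y','Y/Y')
    'Application Group Management'           = @('N/N','N/N','N/N','N/N','N/N','N/N')
    'Computer Account Management'            = @('Y/N','Y/Y','Y/N','Y/N','Y/Y','Y/N')
    'Distribution Group Management'          = @('N/N','N/N','N/N','N/N','N/N','N/N')
    'Other Account Management Events'        = @('Y/N','Y/Y','Y/Y','Y/Y','Y/Y','Y/Y')
    'Security Group Management'              = @('Y/Y','Y/Y','Y/Y','Y/Y','Y/Y','Y/Y')
    'User Account Management'                = @('Y/N','Y/Y','Y/N','Y/Y','Y/Y','Y/Y')
    'DPAPI Activity'                         = @('N/N','Y/N','N/N','Y/Y','Y/Y','Y/Y')
    'Process Creation'                       = @('Y/N','Y/Y','Y/N','Y/Y','Y/Y','Y/Y')
    'Process Termination'                    = @('N/N','N/N','N/N','N/N','N/N','N/N')
    'RPC Events'                             = @('N/N','N/N','N/N','N/N','N/N','N/N')
    'Detailed Directory Service Replication' = @('N/N','N/N','N/N','N/N','N/N','N/N')
    'Directory Service Access'               = @('N/N','N/N','N/N','N/N','Y/Y','N/N')
    'Directory Service Changes'              = @('N/N','N/N','N/N','N/N','Y/Y','N/N')
}
$roleIndex = @{ Workstation = 0; AdminWorkstation = 1; MemberServer = 2;
                CriticalAppServer = 3; DomainController = 4; DmzServer = 5 }[$Role]

function Invoke-Auditpol {
    param([string[]]$Arguments)
    if ($DryRun) { Write-Host "auditpol.exe $($Arguments -join ' ')"; return }
    & auditpol.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol.exe failed: $($Arguments -join ' ')" }
}

# 1. Subcategory settings only take effect when the legacy category-level policy
#    is not allowed to overwrite them (Security Options: "Audit: Force audit policy
#    subcategory settings ... to override audit policy category settings").
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if (-not $DryRun) { Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord }

# 2. Apply the matrix and remember what the effective policy should read back as.
$expected = @{}
foreach ($sub in ($Policy.Keys | Sort-Object)) {
    $s, $f = $Policy[$sub][$roleIndex].Split('/')
    $succ = if ($s -eq 'Y') { 'enable' } else { 'disable' }
    $fail = if ($f -eq 'Y') { 'enable' } else { 'disable' }
    Invoke-Auditpol @('/set', "/subcategory:$sub", "/success:$succ", "/failure:$fail")
    $expected[$sub] = switch ("$s$f") {
        'YY' { 'Success and Failure' } 'YN' { 'Success' } 'NY' { 'Failure' } default { 'No Auditing' }
    }
}

# 3. 4688 is of little use without the command line; this is the registry value
#    that the "special GPO" referenced in the table's 4688 comment sets.
if ($Policy['Process Creation'][$roleIndex].StartsWith('Y') -and -not $DryRun) {
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
}

# 4. Read the effective policy back (/r = CSV) and compare it with the intent.
$actual = auditpol.exe /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
foreach ($row in $actual | Where-Object { $expected.ContainsKey($_.Subcategory) }) {
    $want = $expected[$row.Subcategory]
    $flag = if ($row.'Inclusion Setting' -eq $want) { 'OK   ' } else { 'DRIFT' }
    '{0} {1,-40} have={2,-20} want={3}' -f $flag, $row.Subcategory, $row.'Inclusion Setting', $want
}
```

Run it from an elevated prompt, for example `.\Set-AuditPolicy.ps1 -Role DmzServer`. On a domain-joined host, audit policy delivered by GPO is re-applied at the next policy refresh and will overwrite local `auditpol` changes, so there the useful mode is `-DryRun`, which prints the intended commands and still produces the drift report for whatever the GPO actually delivered; the local writes are appropriate for the standalone DMZ role or for a lab box.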