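Audit Policy Recommendations

| Category | Subcategory | Workstation (Success) | Workstation (Failure) | Admin Workstation (Success) | Admin Workstation (Failure) | Member Server (Success) | Member Server (Failure) | Critical Application Server (Success) | Critical Application Server (Failure) | Domain Controller (Success) | Domain Controller (Failure) | DMZ Server (Standalone) (Success) | DMZ Server (Standalone) (Failure) | Event IDs | Importance by Microsoft | Importance | Filter | Expected Volume | Volume Comment | Comment | Application Limited to | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Account Logon | Audit Credential Validation | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 4774 | Low | 1 | Evaluate | High | High on DCs | | | An account was mapped for logon |
| | | | | | | | | | | | | | | 4775 | Low | 2 | Evaluate | High | High on DCs | | | An account could not be mapped for logon |
| | | | | | | | | | | | | | | 4776 | Low | 2 | | High | High on DCs | | | The domain controller attempted to validate the credentials for an account |
| | | | | | | | | | | | | | | 4777 | Low | 2 | | High | High on DCs | | | The domain controller failed to validate the credentials for an account |
| | Audit Kerberos Authentication Service | No | No | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | 4768 | Low | 3 | | High | High on KDCs | | | A Kerberos authentication ticket (TGT) was requested |
| | | | | | | | | | | | | | | 4771 | Low | 3 | | High | High on KDCs | | | Kerberos pre-authentication failed |
| | | | | | | | | | | | | | | 4772 | Low | 2 | Evaluate | High | High on KDCs | | | A Kerberos authentication ticket request failed |
| | Audit Kerberos Service Ticket Operations | No | No | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | 4769 | Low | 0 | | High | High on KDCs | Check for relevant "Failure Code"s in "Security" Tab | | A Kerberos service ticket was requested |
| | | | | | | | | | | | | | | 4770 | Low | 1 | Evaluate | High | High on KDCs | | | A Kerberos service ticket was renewed |
| | Audit Other Account Logon Events | No | No | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | 4800 | Low | 1 | | Medium | Varies, depends on system use | | | The workstation was locked |
| | | | | | | | | | | | | | | 4801 | Low | 1 | | Medium | Varies, depends on system use | | | The workstation was unlocked |
| | | | | | | | | | | | | | | 4802 | Low | 1 | | Medium | Varies, depends on system use | | | The screen saver was invoked |
| | | | | | | | | | | | | | | 4803 | Low | 1 | | Medium | Varies, depends on system use | | | The screen saver was dismissed |
| | | | | | | | | | | | | | | 5378 | Low | 3 | | Medium | Varies, depends on system use | | | The requested credentials delegation was disallowed by policy |
| | | | | | | | | | | | | | | 5632 | Low | #N/A | | Medium | Varies, depends on system use | | | #N/A |
| | | | | | | | | | | | | | | 5633 | Low | #N/A | | Medium | Varies, depends on system use | | | #N/A |
| Account Management | Audit Application Group Management | No | No | No | No | No | No | No | No | No | No | No | No | 4783 | Low | 1 | | Low | | | | A basic application group was created |
| | | | | | | | | | | | | | | 4784 | Low | 1 | | Low | | | | A basic application group was changed |
| | | | | | | | | | | | | | | 4785 | Low | 1 | | Low | | | | A member was added to a basic application group |
| | | | | | | | | | | | | | | 4786 | Low | 1 | | Low | | | | A member was removed from a basic application group |
| | | | | | | | | | | | | | | 4787 | Low | 1 | | Low | | | | A non-member was added to a basic application group |
| | | | | | | | | | | | | | | 4788 | Low | 1 | | Low | | | | A non-member was removed from a basic application group |
| | | | | | | | | | | | | | | 4789 | Low | 1 | | Low | | | | A basic application group was deleted |
| | | | | | | | | | | | | | | 4790 | Low | 1 | | Low | | | | An LDAP query group was created |
| | Audit Computer Account Management | Yes | No | Yes | Yes | Yes | No | Yes | No | Yes | Yes | Yes | No | 4741 | Low | 2 | | Low | | | | A computer account was created |
| | | | | | | | | | | | | | | 4742 | Low | 2 | | Low | | | | A computer account was changed |
| | | | | | | | | | | | | | | 4743 | Low | 1 | | Low | | | | A computer account was deleted |
| | Audit Distribution Group Management | No | No | No | No | No | No | No | No | No | No | No | No | 4744 | Low | 2 | | Low | | | | A security-disabled local group was created |
| | | | | | | | | | | | | | | 4745 | Low | 1 | | Low | | | | A security-disabled local group was changed |
| | | | | | | | | | | | | | | 4746 | Low | 1 | | Low | | | | A member was added to a security-disabled local group |
| | | | | | | | | | | | | | | 4747 | Low | 1 | | Low | | | | A member was removed from a security-disabled local group |
| | | | | | | | | | | | | | | 4748 | Low | 1 | | Low | | | | A security-disabled local group was deleted |
| | | | | | | | | | | | | | | 4749 | Low | 1 | | Low | | | | A security-disabled global group was created |
| | | | | | | | | | | | | | | 4750 | Low | 1 | | Low | | | | A security-disabled global group was changed |
| | | | | | | | | | | | | | | 4751 | Low | 1 | | Low | | | | A member was added to a security-disabled global group |
| | | | | | | | | | | | | | | 4752 | Low | 1 | | Low | | | | A member was removed from a security-disabled global group |
| | | | | | | | | | | | | | | 4753 | Low | 1 | | Low | | | | A security-disabled global group was deleted |
| | | | | | | | | | | | | | | 4759 | Low | 2 | | Low | | | | A security-disabled universal group was created |
| | | | | | | | | | | | | | | 4760 | Low | 2 | | Low | | | | A security-disabled universal group was changed |
| | | | | | | | | | | | | | | 4761 | Low | 2 | | Low | | | | A member was added to a security-disabled universal group |
| | | | | | | | | | | | | | | 4762 | Low | 1 | | Low | | | | A member was removed from a security-disabled universal group |
| | Audit Other Account Management Events | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | 4782 | Low | 3 | | Low | | | | The password hash an account was accessed |
| | | | | | | | | | | | | | | 4793 | Low | 2 | | Low | | | | The Password Policy Checking API was called |
| | Audit Security Group Management | Yes | Yes* | Yes | Yes | Yes | Yes* | Yes | Yes | Yes | Yes | Yes | Yes | 4727 | Medium | 2 | | Low | | | | A security-enabled global group was created |
| | | | | | | | | | | | | | | 4728 | Low | 3 | | Low | | | | A member was added to a security-enabled global group |
| | | | | | | | | | | | | | | 4729 | Low | 1 | | Low | | | | A member was removed from a security-enabled global group |
| | | | | | | | | | | | | | | 4730 | Low | 1 | | Low | | | | A security-enabled global group was deleted |
| | | | | | | | | | | | | | | 4731 | Low | 2 | | Low | | | | A security-enabled local group was created |
| | | | | | | | | | | | | | | 4732 | Low | 3 | | Low | | | | A member was added to a security-enabled local group |
| | | | | | | | | | | | | | | 4733 | Low | 1 | | Low | | | | A member was removed from a security-enabled local group |
| | | | | | | | | | | | | | | 4734 | Low | 1 | | Low | | | | A security-enabled local group was deleted |
| | | | | | | | | | | | | | | 4735 | Medium | 2 | | Low | | | | A security-enabled local group was changed |
| | | | | | | | | | | | | | | 4736 | #N/A | #N/A | | Low | | | | #N/A |
| | | | | | | | | | | | | | | 4737 | Medium | 2 | | Low | | | | A security-enabled global group was changed |
| | | | | | | | | | | | | | | 4754 | Medium | 2 | | Low | | | | A security-enabled universal group was created |
| | | | | | | | | | | | | | | 4755 | Medium | 2 | | Low | | | | A security-enabled universal group was changed |
| | | | | | | | | | | | | | | 4756 | Low | 3 | | Low | | | | A member was added to a security-enabled universal group |
| | | | | | | | | | | | | | | 4757 | Low | 1 | | Low | | | | A member was removed from a security-enabled universal group |
| | | | | | | | | | | | | | | 4758 | Low | 1 | | Low | | | | A security-enabled universal group was deleted |
| | | | | | | | | | | | | | | 4764 | Medium | 2 | | Low | | | | A group's type was changed |
| | Audit User Account Management | Yes | No | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | 4720 | Low | 3 | | Low | | | | A user account was created |
| | | | | | | | | | | | | | | 4722 | Low | 2 | | Low | | | | A user account was enabled |
| | | | | | | | | | | | | | | 4723 | Low | 2 | | Low | | | | An attempt was made to change an account's password |
| | | | | | | | | | | | | | | 4724 | Medium | 2 | | Low | | | | An attempt was made to reset an account's password |
| | | | | | | | | | | | | | | 4725 | Low | 2 | | Low | | | | A user account was disabled |
| | | | | | | | | | | | | | | 4726 | Low | 2 | | Low | | | | A user account was deleted |
| | | | | | | | | | | | | | | 4738 | Low | 2 | | Low | | | | A user account was changed |
| | | | | | | | | | | | | | | 4740 | Low | 3 | | Low | | | | A user account was locked out |
| | | | | | | | | | | | | | | 4765 | High | 3 | | Low | | | | SID History was added to an account |
| | | | | | | | | | | | | | | 4766 | High | 4 | | Low | | | | An attempt to add SID History to an account failed |
| | | | | | | | | | | | | | | 4767 | Low | 1 | | Low | | | | A user account was unlocked |
| | | | | | | | | | | | | | | 4780 | Medium | 2 | | Low | | | | The ACL was set on accounts which are members of administrators groups |
| | | | | | | | | | | | | | | 4781 | Low | 2 | | Low | | | | The name of an account was changed |
| | | | | | | | | | | | | | | 4794 | High | 2 | | Low | | | | An attempt was made to set the Directory Services Restore Mode administrator password |
| | | | | | | | | | | | | | | 5376 | Medium | 1 | | Low | | | | Credential Manager credentials were backed up |
| | | | | | | | | | | | | | | 5377 | Medium | 3 | | Low | | | | Credential Manager credentials were restored from a backup |
| Detailed Tracking | Audit DPAPI Activity | No | No | Yes | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | 4692 | Medium | 3 | | Low | | | | Backup of data protection master key was attempted |
| | | | | | | | | | | | | | | 4693 | Medium | 3 | | Low | | | | Recovery of data protection master key was attempted |
| | | | | | | | | | | | | | | 4694 | Low | 3 | | Low | | | | Protection of auditable protected data was attempted |
| | | | | | | | | | | | | | | 4695 | Low | 3 | | Low | | | | Unprotection of auditable protected data was attempted |
| | Audit Process Creation | Yes | No | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | 4688 | Low | 3 | | Medium | Varies, depends on system use | Apply special GPO; check: https://technet.microsoft.com/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing | | A new process has been created |
| | | | | | | | | | | | | | | 4696 | Low | 2 | | Low | | | | A primary token was assigned to process |
| | Audit Process Termination | No | No | No | No | No | No | No | No | No | No | No | No | 4689 | Low | 1 | | Medium | Varies, depends on system use | | | A process has exited |
| | Audit RPC Events | No | No | No | No | No | No | No | No | No | No | No | No | 5712 | Low | #N/A | | High | High on RPC servers | | | #N/A |
| DS Access | Audit Detailed Directory Service Replication | No | No | No | No | No | No | No | No | No | No | No | No | 4928 | Low | 2 | | High | Very high volume (for debugging only) | | | An Active Directory replica source naming context was established |
| | | | | | | | | | | | | | | 4929 | Low | 2 | | High | Very high volume (for debugging only) | | | An Active Directory replica source naming context was removed |
| | | | | | | | | | | | | | | 4930 | Low | 2 | | High | Very high volume (for debugging only) | | | An Active Directory replica source naming context was modified |
| | | | | | | | | | | | | | | 4931 | Low | 2 | | High | Very high volume (for debugging only) | | | An Active Directory replica destination naming context was modified |
| | | | | | | | | | | | | | | 4932 | Low | 1 | | High | Very high volume (for debugging only) | | | Synchronization of a replica of an Active Directory naming context has begun |
| | | | | | | | | | | | | | | 4933 | Low | 1 | | High | Very high volume (for debugging only) | | | Synchronization of a replica of an Active Directory naming context has ended |
| | | | | | | | | | | | | | | 4934 | Low | 1 | | High | Very high volume (for debugging only) | | | Attributes of an Active Directory object were replicated |
| | | | | | | | | | | | | | | 4935 | Low | 2 | | High | Very high volume (for debugging only) | | | Replication failure begins |
| | | | | | | | | | | | | | | 4936 | Low | 2 | | High | Very high volume (for debugging only) | | | Replication failure ends |
| | | | | | | | | | | | | | | 4937 | Low | 2 | | High | Very high volume (for debugging only) | | | A lingering object was removed from a replica |
| | Audit Directory Service Access | No | No | No | No | No | No | No | No | Yes | Yes | No | No | 4662 | Low | 1 | Evaluate | High | High on DCs | | | An operation was performed on an object |
| | Audit Directory Service Changes | No | No | No | No | No | No | No | No | Yes | Yes | No | No | 5136 | Low | 1 | Evaluate | High | High on DCs | | | A directory service object was modified |
| | | | | | | | | | | | | | | 5137 | Low | 2 | Evaluate | High | High on DCs | | | A directory service object was created |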