| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | EventId | Event Description | Event Audit Subcategory | Operational Functions | Event Processing Functions | Event Emission Function | Notes | ||||||||||||||||||||
2 | 4624 | An account was successfully logged on. | Audit Logon | SspirLogonUser, SspiExLogonUser, LsapAuApiDispatchLogonUser | [LsapAuGenerateLogonAudits], LsapAuditLogonHelper, LsapAdtAuditLogonEx,LsapAdtWriteLogEx | ntdll!EtwWriteUMSecurityEvent | There is a check within LsapAuditLogonHelper to see the value of LogonStatus If logon is successful | ||||||||||||||||||||
3 | 4625 | An account failed to log on. | Audit Logon | SspirLogonUser, SspiExLogonUser, LsapAuApiDispatchLogonUser | [LsapAuGenerateLogonAudits], LsapAuditLogonHelper, LsapAdtAuditLogonEx, LsapAdtWriteLogEx | ntdll!EtwWriteUMSecurityEvent | There is a check within LsapAuditLogonHelper to see the value of LogonStatus to see If logon is unsuccessful | ||||||||||||||||||||
4 | 4627 | Group membership information. | Audit Logon | LsapAuApiDispatchLogonUser LsapCreateTokenEx | [LsapReportGroupsAtLogonEvent], LsapAdtAuditGroupsInToken, LsapAdtWriteLogEx, LsapAdtWriteLogEx, AdtpWriteToEtw | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
5 | 4634 | An account was logged off | Audit Logoff | LsapLogonSessionDelete | [LsapAdtAuditLogoff], LsapAdtWriteLogEx, AdtpWriteToEtw | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
6 | 4647 | User initiated logoff. | Audit Logoff | winlogon!WLGeneric_Logging_Off_Execute, winlogon!CUser::GenerateLogoffInitiatedAudit ExitWindowsEx, winlogon!WLGeneric_Logging_Off_Execute, winlogon!CUser::GenerateLogoffInitiatedAudit | [AuthziLogAuditEvent], AuthzpSendAuditToLsa, LsarGenAuditEvent, LsapGenAuditEvent, LsapAdtWriteLogEx, AdtpWriteToEtw [AuthziLogAuditEvent], AuthzpSendAuditToLsa, LsarGenAuditEvent, LsapGenAuditEvent, LsapAdtWriteLogEx, AdtpWriteToEtw | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
7 | 4648 | A logon was attempted using explicit credentials. | Audit Logon | SspirLogonUser, SspiExLogonUser, LsapAuApiDispatchLogonUser, LsapAuGenerateLogonAudits | [LsaIAuditLogonUsingExplicitCred], LsapAdtInitParametersArray, LsapAdtWriteLogEx | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
8 | 4656 | A handle to an object was requested. | Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage | ObpCreateHandle SepAccessCheckAndAuditAlarmWithAdminlessChecks | [SepAdtOpenObjectAuditAlarm], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SepAdtOpenObjectAuditAlarm], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | Very valuable event as it shows request to objects like - registry, some SCM, LSASS process, removable storage. Default events will be generated due to built-in SACLs, but if you set a SACL events will trigger. | ||||||||||||||||||||
9 | 4657 | A registry value was modified. | Audit Registry | CmDeleteKeyValue CmSetValueKey | [SeAdtRegistryValueChangedAuditAlarm], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SeAdtRegistryValueChangedAuditAlarm], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | This event generates only if “Set Value" auditing is set in registry key’s SACL. | ||||||||||||||||||||
10 | 4660 | An object was deleted. | Audit File System, Audit Kernel Object, Audit Registry | NtDeleteObjectAuditAlarm NtDeleteKey, SeDeleteObjectAuditAlarmWithTransaction NtMakeTemporaryObject, SeDeleteObjectAuditAlarmWithTransaction SeDeleteObjectAuditAlarm, SeDeleteObjectAuditAlarmWithTransaction | [SepAdtDeleteObjectAuditAlarm], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SepAdtDeleteObjectAuditAlarm], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SepAdtDeleteObjectAuditAlarm], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SepAdtDeleteObjectAuditAlarm], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | |||||||||||||||||||||
11 | 4661 | A handle to an object was requested. | Audit Directory Service Access, Audit SAM | SampOpenAccount...SepAccessCheckAndAuditAlarm, SepAccessCheckAndAuditAlarmWithAdminlessChecks SampOpenDomain...SepAccessCheckAndAuditAlarm, SepAccessCheckAndAuditAlarmWithAdminlessChecks | SepAdtOpenObjectAuditAlarm, SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw SepAdtOpenObjectAuditAlarm, SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object. Only seen on Domain Controllers. Attach to DC kernel and check SepAdtOpenObjectAuditAlarm calls prior | ||||||||||||||||||||
12 | 4662 | An operation was performed on an object. | Audit Directory Service Access | IDL_DRSGetNCChanges More info, just not documented yet | [AuthziLogAuditEvent], AuthzpSendAuditToLsa, LsarGenAuditEvent,LsapGenAuditEvent, LsapAdtWriteLogEx, AdtpWriteToEtw | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
13 | 4663 | An attempt was made to access an object. | Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage | ObpAuditObjectAccess | [SeOperationAuditAlarm], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | |||||||||||||||||||||
14 | 4664 | An attempt was made to create a hard link. | Audit File System | CreateHardLink, NtSetInformationFile.....Ntfs!NtfsSetLinkInfo, SeAuditHardLinkCreation | [SeAuditHardLinkCreationWithTransaction], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | |||||||||||||||||||||
15 | 4672 | Special privileges assigned to new logon. | Audit Special Logon | LsaISetSupplementalTokenInfo, LsapFilterElevatedTokenFull SspiExLogonUser, LsapAuApiDispatchLogonUser SspiExLogonUser, LsaConvertAuthDataToToken, LsapCreateToken, LsapCreateTokenEx | [LsapAdtAuditSpecialPrivileges], LsapAdtWriteLogEx [LsapAdtAuditSpecialPrivileges], LsapAdtWriteLogEx [LsapAdtAuditSpecialPrivileges], LsapAdtWriteLogEx | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
16 | 4673 | A privileged service was called. | Audit Sensitive Privilege Use, Audit Non Sensitive Privilege Use | ntdll!NtPrivilegedServiceAuditAlarm, nt!NtPrivilegedServiceAuditAlarm | [SepAdtPrivilegedServiceAuditAlarm], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | |||||||||||||||||||||
17 | 4674 | An operation was attempted on a privileged object. | Audit Sensitive Privilege Use, Audit Non Sensitive Privilege Use | ObpCreateHandle NtOpenObjectAuditAlarm SeAuditHandleCreation SepAccessCheckAndAuditAlarm | [SepAdtPrivilegeObjectAuditAlarm], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | |||||||||||||||||||||
18 | 4688 | A new process has been created. | Audit Process Creation | NtCreateuserProcess, PspInsertProcess, PsCreateMinimalProcess, PspInsertProcess PspCreateProcess, PspInsertProcess | [SeAuditProcessCreation], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SeAuditProcessCreation], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SeAuditProcessCreation], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | |||||||||||||||||||||
19 | 4689 | A process has exited. | Audit Process Termination | NtTerminateProcess,PspExitThread, PspTerminateThreadByPointer, PspExitThread KiSchedulerApcTerminate, PspExitThread | [SeAuditProcessExit], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SeAuditProcessExit], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SeAuditProcessExit], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | |||||||||||||||||||||
20 | 4690 | An attempt was made to duplicate a handle to an object. | Audit Handle Manipulation | ObDuplicateObject ObCompleteObjectDuplication ObAuditInheritedHandleProcedure | [SeAuditHandleDuplication], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SeAuditHandleDuplication], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SeAuditHandleDuplication], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | |||||||||||||||||||||
21 | 4696 | A primary token was assigned to process. | Audit Process Creation | SeExchangePrimaryToken SeAssignPrimaryToken | [SepAuditAssignPrimaryToken], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw [SepAuditAssignPrimaryToken], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | |||||||||||||||||||||
22 | 4697 | A service was installed in the system. | Audit Security System Extension | RCreateService(A/W), ScCreateServiceRpc, ScCreateService RCreateServiceWOW64(A/W), ScCreateServiceRpc, ScCreateService | [ScGenerateServiceInstallAudit], AuthziLogAuditEvent, AuthzpSendAuditToLsa, LsarGenAuditEvent,LsapGenAuditEvent, LsapAdtWriteLogEx, AdtpWriteToEtw [ScGenerateServiceInstallAudit], AuthziLogAuditEvent, AuthzpSendAuditToLsa, LsarGenAuditEvent,LsapGenAuditEvent, LsapAdtWriteLogEx, AdtpWriteToEtw | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
23 | 4698 | A scheduled task was created. | Audit Other Object Access Events | SchRpcRegisterTask, RpcServer::RegisterTask | [Auditor::AuditJobOperation], AuthziLogAuditEvent, AuthzpSendAuditToLsa, LsarGenAuditEvent,LsapGenAuditEvent, LsapAdtWriteLogEx, AdtpWriteToEtw | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
24 | 4699 | A scheduled task was deleted. | Audit Other Object Access Events | SchRpcDelete, JobStore::RemoveTaskOrFolder, JobStore::RemoveTaskOrFolderP | [Auditor::AuditJobOperation], AuthziLogAuditEvent, AuthzpSendAuditToLsa, LsarGenAuditEvent,LsapGenAuditEvent, LsapAdtWriteLogEx, AdtpWriteToEtw | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
25 | 4700 | A scheduled task was enabled. | Audit Other Object Access Events | SchRpcEnableTask, RpcServer::EnableTask | [Auditor::AuditJobOperation], AuthziLogAuditEvent, AuthzpSendAuditToLsa, LsarGenAuditEvent,LsapGenAuditEvent, LsapAdtWriteLogEx, AdtpWriteToEtw | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
26 | 4701 | A scheduled task was disabled. | Audit Other Object Access Events | SchRpcEnableTask, RpcServer::EnableTask | [Auditor::AuditJobOperation], AuthziLogAuditEvent, AuthzpSendAuditToLsa, LsarGenAuditEvent,LsapGenAuditEvent, LsapAdtWriteLogEx, AdtpWriteToEtw | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
27 | 4702 | A scheduled task was updated. | Audit Other Object Access Events | SchRpcRegisterTask, RpcServer::RegisterTask | [Auditor::AuditJobOperation], AuthziLogAuditEvent, AuthzpSendAuditToLsa, LsarGenAuditEvent,LsapGenAuditEvent, LsapAdtWriteLogEx, AdtpWriteToEtw | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
28 | 4703 | A user right was adjusted. | Audit Authorization Policy Change | NtAdjustPrivilegesToken, SepAdjustPrivilegesToken | [SepAdtTokenRightAdjusted], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | |||||||||||||||||||||
29 | 4741 | A computer account was created. | Audit Computer Account Management | ntdsai!LDAP_CONN::AddRequest, DirAddEntryNative...SampNotifyAuditChange | [LsaIAuditSamEvent], LsapAdtWriteLogEx, AdtpWriteToEtwEx | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
30 | 4742 | A computer account was changed. | Audit Computer Account Management | ntdsai!LDAP_CONN::ModifyRequest.....SampNotifyAuditChange, SampAuditUserChangeDs | [LsaIAuditSamEvent], LsapAdtWriteLogEx, AdtpWriteToEtwEx | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
31 | 4743 | A computer account was deleted. | Audit Other Object Access Events | LDAP_CONN::DelRequest, ntdsai!DirRemoveEntryNative... SampNotifyAuditChange, SampAuditUserDelete | [LsaIAuditSamEvent], LsapAdtWriteLogEx, AdtpWriteToEtwEx | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
32 | 4768 | A Kerberos authentication ticket (TGT) was requested. | Audit Kerberos Authentication Service | I_GetASTicket | [LsaIAuditKdcEvent], LsapAdtWriteLogEx, AdtpWriteToEtwEx | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
33 | 4769 | A Kerberos service ticket was requested. | Audit Kerberos Service Ticket Operations | HandleTGSRequest | [LsaIAuditKdcEvent], LsapAdtWriteLogEx, AdtpWriteToEtwEx | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
34 | 4770 | A Kerberos service ticket was renewed. | Audit Kerberos Service Ticket Operations | HandleTGSRequest, I_RenewTicket, HandleTGSRequest | [LsaIAuditKdcEvent], LsapAdtWriteLogEx, AdtpWriteToEtwEx | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
35 | 4771 | Kerberos pre-authentication failed. | Audit Kerberos Authentication Service | I_GetASTicket, FailedLogon, I_GetASTicket | [LsaIAuditKdcEvent], LsapAdtWriteLogEx, AdtpWriteToEtwEx | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
36 | 4798 | A user's local group membership was enumerated. | Audit User Account Management | SamrGetGroupsForUser, SampAuditLocalUserGroupQuery, SampAuditAnyEvent | [LsaIAuditSamEvent], LsapAdtWriteLogEx, AdtpWriteToEtwEx | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
37 | 5145 | A network share object was checked to see whether client can be granted desired access. | Audit Detailed File Share | srv2!Smb2CreateFile, srv2!Smb2CheckShareAccess, srvnet!SrvLibAuditShareAccess | [SeReportSecurityEventWithSubCategory], SepAdtLogAuditRecord, SepQueueWorkItem, SepRmCallLsa, AdtpWriteToEtw | nt!EtwWriteKMSecurityEvent | |||||||||||||||||||||
38 | 5379 | Credential Manager credentials were read. | Other System Events | CredrRead CredrEnumerate CredrFindBestCredential CredrReadTokenHandle CredrReadDomainCredentials | [LsapAdtAuditCredentialsRead], LsapAdtWriteLogEx, AdtpWriteToEtw | ntdll!EtwWriteUMSecurityEvent | |||||||||||||||||||||
39 | |||||||||||||||||||||||||||
40 | |||||||||||||||||||||||||||
41 | |||||||||||||||||||||||||||
42 | |||||||||||||||||||||||||||
43 | |||||||||||||||||||||||||||
44 | |||||||||||||||||||||||||||
45 | |||||||||||||||||||||||||||
46 | |||||||||||||||||||||||||||
47 | |||||||||||||||||||||||||||
48 | |||||||||||||||||||||||||||
49 | |||||||||||||||||||||||||||
50 | |||||||||||||||||||||||||||
51 | |||||||||||||||||||||||||||
52 | |||||||||||||||||||||||||||
53 | |||||||||||||||||||||||||||
54 | |||||||||||||||||||||||||||
55 | |||||||||||||||||||||||||||
56 | |||||||||||||||||||||||||||
57 | |||||||||||||||||||||||||||
58 | |||||||||||||||||||||||||||
59 | |||||||||||||||||||||||||||
60 | |||||||||||||||||||||||||||
61 | |||||||||||||||||||||||||||
62 | |||||||||||||||||||||||||||
63 | |||||||||||||||||||||||||||
64 | |||||||||||||||||||||||||||
65 | |||||||||||||||||||||||||||
66 | |||||||||||||||||||||||||||
67 | |||||||||||||||||||||||||||
68 | |||||||||||||||||||||||||||
69 | |||||||||||||||||||||||||||
70 | |||||||||||||||||||||||||||
71 | |||||||||||||||||||||||||||
72 | |||||||||||||||||||||||||||
73 | |||||||||||||||||||||||||||
74 | |||||||||||||||||||||||||||
75 | |||||||||||||||||||||||||||
76 | |||||||||||||||||||||||||||
77 | |||||||||||||||||||||||||||
78 | |||||||||||||||||||||||||||
79 | |||||||||||||||||||||||||||
80 | |||||||||||||||||||||||||||
81 | |||||||||||||||||||||||||||
82 | |||||||||||||||||||||||||||
83 | |||||||||||||||||||||||||||
84 | |||||||||||||||||||||||||||
85 | |||||||||||||||||||||||||||
86 | |||||||||||||||||||||||||||
87 | |||||||||||||||||||||||||||
88 | |||||||||||||||||||||||||||
89 | |||||||||||||||||||||||||||
90 | |||||||||||||||||||||||||||
91 | |||||||||||||||||||||||||||
92 | |||||||||||||||||||||||||||
93 | |||||||||||||||||||||||||||
94 | |||||||||||||||||||||||||||
95 | |||||||||||||||||||||||||||
96 | |||||||||||||||||||||||||||
97 | |||||||||||||||||||||||||||
98 | |||||||||||||||||||||||||||
99 | |||||||||||||||||||||||||||
100 |