Audit account logon events
|The domain controller attempted to validate the credentials for an account
|The domain controller failed to validate the credentials for an account
|A Kerberos authentication ticket (TGT) was requested
|A Kerberos service ticket was requested
|A Kerberos service ticket was renewed
Audit account management
|A computer account was created.
|A computer account was changed.
|A computer account was deleted.
|Domain Policy was changed.
|The password hash an account was accessed.
|A security-enabled global group was created.
|A member was added to a security-enabled global group.
|A member was removed from a security-enabled global group.
|A security-enabled global group was deleted.
|A security-enabled local group was created.
|A member was added to a security-enabled local group.
|A member was removed from a security-enabled local group.
|A security-enabled local group was deleted.
|A security-enabled local group was changed.
|A security-enabled global group was changed.
|A security-enabled universal group was created.
|A security-enabled universal group was changed.
|A member was added to a security-enabled universal group.
|A member was removed from a security-enabled universal group.
|A security-enabled universal group was deleted.
|A user account was created.
|A user account was enabled.
|An attempt was made to change an account’s password.
|An attempt was made to reset an account’s password.
|A user account was disabled.
|A user account was deleted.
|A user account was changed.
|A user account was locked out.
|SID History was added to an account.
|An attempt to add SID History to an account failed.
|A user account was unlocked.
|The ACL was set on accounts which are members of administrators groups.
|The name of an account was changed:
Audit directory service access
|Attributes of an Active Directory object were replicated.
|Replication failure begins.
|Replication failure ends.
|A directory service object was modified.
|A directory service object was created.
|A directory service object was undeleted.
|A directory service object was moved.
|A directory service object was deleted.
|Synchronization of a replica of an Active Directory naming context has begun.
|Synchronization of a replica of an Active Directory naming context has ended.
Audit logon events
|An account was logged off.
|User initiated logoff.
|An account was successfully logged on.
|An account failed to log on.
|A logon was attempted using explicit credentials.
|SIDs were filtered.
|A replay attack was detected.
|A session was reconnected to a Window Station.
|A session was disconnected from a Window Station.
|The workstation was locked.
|The workstation was unlocked.
|The screen saver was invoked.
|The screen saver was dismissed.
|The requested credentials delegation was disallowed by policy.
|A request was made to authenticate to a wireless network.
|A request was made to authenticate to a wired network.
Audit object access
|A network share object was accessed.
|An attempt was made to create a hard link.
|The state of a transaction has changed.
|A file was virtualized.
|The Windows Firewall Service blocked an application from accepting incoming connections on the network.
|A scheduled task was created.
|A scheduled task was deleted.
|A scheduled task was enabled.
|A scheduled task was disabled.
|A scheduled task was updated.
|A registry value was modified.
|A registry key was virtualized.
|An object was deleted.
|An attempt was made to access an object.
Audit policy change
|The audit policy (SACL) on an object was changed.
|System audit policy was changed.
|The Per-user audit policy table was created.
|The CrashOnAuditFail value has changed.
|Auditing settings on object were changed.
|A new trust was created to a domain.
|A trust to a domain was removed.
|Kerberos policy was changed.
|Trusted domain information was modified.
|System security access was granted to an account.
|System security access was removed from an account.
|A namespace collision was detected.
|A trusted forest information entry was added.
|A trusted forest information entry was removed.
|A trusted forest information entry was modified.
|A user right was assigned.
|A user right was removed.
|Encrypted data recovery policy was changed.
|The following policy was active when the Windows Firewall started.
|A rule was listed when the Windows Firewall started.
|A change has been made to Windows Firewall exception list. A rule was added.
|A change has been made to Windows Firewall exception list. A rule was modified.
|A change has been made to Windows Firewall exception list. A rule was deleted.
|Windows Firewall settings were restored to the default values.
|A Windows Firewall setting has changed.
|A rule has been ignored because its major version number was not recognized by Windows Firewall.
|Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
|A rule has been ignored by Windows Firewall because it could not parse the rule.
|Windows Firewall Group Policy settings have changed. The new settings have been applied.
|Windows Firewall has changed the active profile.
|Windows Firewall did not apply the following rule:
|Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
|Security policy in the group policy objects has been applied successfully.
|One or more errors occurred while processing security policy in the group policy objects.
|Permissions on an object were changed.
Audit privilege use
|Special privileges assigned to new logon.
|A privileged service was called.
|An operation was attempted on a privileged object.
Audit system events
|The Windows Firewall Service has started successfully.
|The Windows Firewall Service has been stopped.
|The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
|The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
|The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
|The Windows Firewall Service failed to start.
|Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
|The Windows Firewall Driver has started successfully.
|The Windows Firewall Driver has been stopped.
|The Windows Firewall Driver failed to start.
|The Windows Firewall Driver detected critical runtime error. Terminating.
|Windows is starting up.
|Windows is shutting down.
|The system time was changed.
|Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
|A service was installed in the system.
|A monitored security event pattern has occurred.