Audit account logon events

| Event ID | Description |
| --- | --- |
| 4776 | The domain controller attempted to validate the credentials for an account |
| 4777 | The domain controller failed to validate the credentials for an account |
| 4768 | A Kerberos authentication ticket (TGT) was requested |
| 4769 | A Kerberos service ticket was requested |
| 4770 | A Kerberos service ticket was renewed |

Audit account management

| Event ID | Description |
| --- | --- |
| 4741 | A computer account was created. |
| 4742 | A computer account was changed. |
| 4743 | A computer account was deleted. |
| 4739 | Domain Policy was changed. |
| 4782 | The password hash of an account was accessed. |
| 4727 | A security-enabled global group was created. |
| 4728 | A member was added to a security-enabled global group. |
| 4729 | A member was removed from a security-enabled global group. |
| 4730 | A security-enabled global group was deleted. |
| 4731 | A security-enabled local group was created. |
| 4732 | A member was added to a security-enabled local group. |
| 4733 | A member was removed from a security-enabled local group. |
| 4734 | A security-enabled local group was deleted. |
| 4735 | A security-enabled local group was changed. |
| 4737 | A security-enabled global group was changed. |
| 4754 | A security-enabled universal group was created. |
| 4755 | A security-enabled universal group was changed. |
| 4756 | A member was added to a security-enabled universal group. |
| 4757 | A member was removed from a security-enabled universal group. |
| 4758 | A security-enabled universal group was deleted. |
| 4720 | A user account was created. |
| 4722 | A user account was enabled. |
| 4723 | An attempt was made to change an account’s password. |
| 4724 | An attempt was made to reset an account’s password. |
| 4725 | A user account was disabled. |
| 4726 | A user account was deleted. |
| 4738 | A user account was changed. |
| 4740 | A user account was locked out. |
| 4765 | SID History was added to an account. |
| 4766 | An attempt to add SID History to an account failed. |
| 4767 | A user account was unlocked. |
| 4780 | The ACL was set on accounts which are members of administrators groups. |
| 4781 | The name of an account was changed. |

Audit directory service access

| Event ID | Description |
| --- | --- |
| 4934 | Attributes of an Active Directory object were replicated. |
| 4935 | Replication failure begins. |
| 4936 | Replication failure ends. |
| 5136 | A directory service object was modified. |
| 5137 | A directory service object was created. |
| 5138 | A directory service object was undeleted. |
| 5139 | A directory service object was moved. |
| 5141 | A directory service object was deleted. |
| 4932 | Synchronization of a replica of an Active Directory naming context has begun. |
| 4933 | Synchronization of a replica of an Active Directory naming context has ended. |

Audit logon events

| Event ID | Description |
| --- | --- |
| 4634 | An account was logged off. |
| 4647 | User initiated logoff. |
| 4624 | An account was successfully logged on. |
| 4625 | An account failed to log on. |
| 4648 | A logon was attempted using explicit credentials. |
| 4675 | SIDs were filtered. |
| 4649 | A replay attack was detected. |
| 4778 | A session was reconnected to a Window Station. |
| 4779 | A session was disconnected from a Window Station. |
| 4800 | The workstation was locked. |
| 4801 | The workstation was unlocked. |
| 4802 | The screen saver was invoked. |
| 4803 | The screen saver was dismissed. |
| 5378 | The requested credentials delegation was disallowed by policy. |
| 5632 | A request was made to authenticate to a wireless network. |
| 5633 | A request was made to authenticate to a wired network. |

Audit object access

| Event ID | Description |
| --- | --- |
| 5140 | A network share object was accessed. |
| 4664 | An attempt was made to create a hard link. |
| 4985 | The state of a transaction has changed. |
| 5051 | A file was virtualized. |
| 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. |
| 4698 | A scheduled task was created. |
| 4699 | A scheduled task was deleted. |
| 4700 | A scheduled task was enabled. |
| 4701 | A scheduled task was disabled. |
| 4702 | A scheduled task was updated. |
| 4657 | A registry value was modified. |
| 5039 | A registry key was virtualized. |
| 4660 | An object was deleted. |
| 4663 | An attempt was made to access an object. |

Audit policy change

| Event ID | Description |
| --- | --- |
| 4715 | The audit policy (SACL) on an object was changed. |
| 4719 | System audit policy was changed. |
| 4902 | The Per-user audit policy table was created. |
| 4906 | The CrashOnAuditFail value has changed. |
| 4907 | Auditing settings on object were changed. |
| 4706 | A new trust was created to a domain. |
| 4707 | A trust to a domain was removed. |
| 4713 | Kerberos policy was changed. |
| 4716 | Trusted domain information was modified. |
| 4717 | System security access was granted to an account. |
| 4718 | System security access was removed from an account. |
| 4864 | A namespace collision was detected. |
| 4865 | A trusted forest information entry was added. |
| 4866 | A trusted forest information entry was removed. |
| 4867 | A trusted forest information entry was modified. |
| 4704 | A user right was assigned. |
| 4705 | A user right was removed. |
| 4714 | Encrypted data recovery policy was changed. |
| 4944 | The following policy was active when the Windows Firewall started. |
| 4945 | A rule was listed when the Windows Firewall started. |
| 4946 | A change has been made to Windows Firewall exception list. A rule was added. |
| 4947 | A change has been made to Windows Firewall exception list. A rule was modified. |
| 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. |
| 4949 | Windows Firewall settings were restored to the default values. |
| 4950 | A Windows Firewall setting has changed. |
| 4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall. |
| 4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. |
| 4953 | A rule has been ignored by Windows Firewall because it could not parse the rule. |
| 4954 | Windows Firewall Group Policy settings have changed. The new settings have been applied. |
| 4956 | Windows Firewall has changed the active profile. |
| 4957 | Windows Firewall did not apply the following rule: |
| 4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: |
| 6144 | Security policy in the group policy objects has been applied successfully. |
| 6145 | One or more errors occurred while processing security policy in the group policy objects. |
| 4670 | Permissions on an object were changed. |

Audit privilege use

| Event ID | Description |
| --- | --- |
| 4672 | Special privileges assigned to new logon. |
| 4673 | A privileged service was called. |
| 4674 | An operation was attempted on a privileged object. |

Audit system events

| Event ID | Description |
| --- | --- |
| 5024 | The Windows Firewall Service has started successfully. |
| 5025 | The Windows Firewall Service has been stopped. |
| 5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. |
| 5028 | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. |
| 5029 | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. |
| 5030 | The Windows Firewall Service failed to start. |
| 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. |
| 5033 | The Windows Firewall Driver has started successfully. |
| 5034 | The Windows Firewall Driver has been stopped. |
| 5035 | The Windows Firewall Driver failed to start. |
| 5037 | The Windows Firewall Driver detected critical runtime error. Terminating. |
| 4608 | Windows is starting up. |
| 4609 | Windows is shutting down. |
| 4616 | The system time was changed. |
| 4621 | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. |
| 4697 | A service was installed in the system. |
| 4618 | A monitored security event pattern has occurred. |
