Audit account logon events
Event ID Description
4776 - The domain controller attempted to validate the credentials for an account.
4777 - The domain controller failed to validate the credentials for an account.
4768 - A Kerberos authentication ticket (TGT) was requested.
4769 - A Kerberos service ticket was requested.
4770 - A Kerberos service ticket was renewed.
Audit account management
Event ID Description
4741 - A computer account was created.
4742 - A computer account was changed.
4743 - A computer account was deleted.
4739 - Domain Policy was changed.
4782 - The password hash of an account was accessed.
4727 - A security-enabled global group was created.
4728 - A member was added to a security-enabled global group.
4729 - A member was removed from a security-enabled global group.
4730 - A security-enabled global group was deleted.
4731 - A security-enabled local group was created.
4732 - A member was added to a security-enabled local group.
4733 - A member was removed from a security-enabled local group.
4734 - A security-enabled local group was deleted.
4735 - A security-enabled local group was changed.
4737 - A security-enabled global group was changed.
4754 - A security-enabled universal group was created.
4755 - A security-enabled universal group was changed.
4756 - A member was added to a security-enabled universal group.
4757 - A member was removed from a security-enabled universal group.
4758 - A security-enabled universal group was deleted.
4720 - A user account was created.
4722 - A user account was enabled.
4723 - An attempt was made to change an account's password.
4724 - An attempt was made to reset an account's password.
4725 - A user account was disabled.
4726 - A user account was deleted.
4738 - A user account was changed.
4740 - A user account was locked out.
4765 - SID History was added to an account.
4766 - An attempt to add SID History to an account failed.
4767 - A user account was unlocked.
4780 - The ACL was set on accounts which are members of administrators groups.
4781 - The name of an account was changed.
Audit directory service access
4934 - Attributes of an Active Directory object were replicated.
4935 - Replication failure begins.
4936 - Replication failure ends.
5136 - A directory service object was modified.
5137 - A directory service object was created.
5138 - A directory service object was undeleted.
5139 - A directory service object was moved.
5141 - A directory service object was deleted.
4932 - Synchronization of a replica of an Active Directory naming context has begun.
4933 - Synchronization of a replica of an Active Directory naming context has ended.
Audit logon events
4634 - An account was logged off.
4647 - User initiated logoff.
4624 - An account was successfully logged on.
4625 - An account failed to log on.
4648 - A logon was attempted using explicit credentials.
4675 - SIDs were filtered.
4649 - A replay attack was detected.
4778 - A session was reconnected to a Window Station.
4779 - A session was disconnected from a Window Station.
4800 - The workstation was locked.
4801 - The workstation was unlocked.
4802 - The screen saver was invoked.
4803 - The screen saver was dismissed.
5378 - The requested credentials delegation was disallowed by policy.
5632 - A request was made to authenticate to a wireless network.
5633 - A request was made to authenticate to a wired network.
Audit object access
5140 - A network share object was accessed.
4664 - An attempt was made to create a hard link.
4985 - The state of a transaction has changed.
5051 - A file was virtualized.
5031 - The Windows Firewall Service blocked an application from accepting incoming connections on the network.
4698 - A scheduled task was created.
4699 - A scheduled task was deleted.
4700 - A scheduled task was enabled.
4701 - A scheduled task was disabled.
4702 - A scheduled task was updated.
4657 - A registry value was modified.
5039 - A registry key was virtualized.
4660 - An object was deleted.
4663 - An attempt was made to access an object.
Audit policy change
4715 - The audit policy (SACL) on an object was changed.
4719 - System audit policy was changed.
4902 - The Per-user audit policy table was created.
4906 - The CrashOnAuditFail value has changed.
4907 - Auditing settings on object were changed.
4706 - A new trust was created to a domain.
4707 - A trust to a domain was removed.
4713 - Kerberos policy was changed.
4716 - Trusted domain information was modified.
4717 - System security access was granted to an account.
4718 - System security access was removed from an account.
4864 - A namespace collision was detected.
4865 - A trusted forest information entry was added.
4866 - A trusted forest information entry was removed.
4867 - A trusted forest information entry was modified.
4704 - A user right was assigned.
4705 - A user right was removed.
4714 - Encrypted data recovery policy was changed.
4944 - The following policy was active when the Windows Firewall started.
4945 - A rule was listed when the Windows Firewall started.
4946 - A change has been made to Windows Firewall exception list. A rule was added.
4947 - A change has been made to Windows Firewall exception list. A rule was modified.
4948 - A change has been made to Windows Firewall exception list. A rule was deleted.
4949 - Windows Firewall settings were restored to the default values.
4950 - A Windows Firewall setting has changed.
4951 - A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952 - Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
4953 - A rule has been ignored by Windows Firewall because it could not parse the rule.
4954 - Windows Firewall Group Policy settings have changed. The new settings have been applied.
4956 - Windows Firewall has changed the active profile.
4957 - Windows Firewall did not apply the following rule:
4958 - Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
6144 - Security policy in the group policy objects has been applied successfully.
6145 - One or more errors occurred while processing security policy in the group policy objects.
4670 - Permissions on an object were changed.
Audit privilege use
4672 - Special privileges assigned to new logon.
4673 - A privileged service was called.
4674 - An operation was attempted on a privileged object.
Audit system events
5024 - The Windows Firewall Service has started successfully.
5025 - The Windows Firewall Service has been stopped.
5027 - The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
5028 - The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
5029 - The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
5030 - The Windows Firewall Service failed to start.
5032 - Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033 - The Windows Firewall Driver has started successfully.
5034 - The Windows Firewall Driver has been stopped.
5035 - The Windows Firewall Driver failed to start.
5037 - The Windows Firewall Driver detected critical runtime error. Terminating.
4608 - Windows is starting up.
4609 - Windows is shutting down.
4616 - The system time was changed.
4621 - Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
4697 - A service was installed in the system.
4618 - A monitored security event pattern has occurred.