diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 66ec0206d9..5761cebb16 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -12771,94 +12771,94 @@
       "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/configure-mdt-settings.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-settings",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-settings.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-settings",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/create-a-windows-10-reference-image",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/create-a-windows-10-reference-image",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-web-services-in-mdt",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-web-services-in-mdt",
+      "redirect_document_id": false
     },
     {
-     "source_path":  "windows/deployment/windows-10-poc-mdt.md",
-     "redirect_url":  "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/windows-10-poc-mdt",
-     "redirect_document_id":  false
+      "source_path": "windows/deployment/windows-10-poc-mdt.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/windows-10-poc-mdt",
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md",
@@ -12879,6 +12879,1686 @@
       "source_path": "windows/deployment/windows-10-enterprise-e3-overview.md",
       "redirect_url": "/windows/deployment/windows-enterprise-e3-overview",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-audit-policy-settings",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/advanced-security-auditing.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-auditing",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-account-lockout.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-account-lockout",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-application-generated.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-application-generated",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-application-group-management.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-application-group-management",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-audit-policy-change.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-audit-policy-change",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-authentication-policy-change.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-authentication-policy-change",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-authorization-policy-change.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-authorization-policy-change",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-central-access-policy-staging.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-central-access-policy-staging",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-certification-services.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-certification-services",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-computer-account-management.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-computer-account-management",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-credential-validation.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-credential-validation",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-detailed-directory-service-replication",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-detailed-file-share.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-detailed-file-share",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-directory-service-access.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-directory-service-access",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-directory-service-changes.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-directory-service-changes",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-directory-service-replication.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-directory-service-replication",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-distribution-group-management.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-distribution-group-management",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-dpapi-activity.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-dpapi-activity",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-file-share.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-file-share",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-file-system.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-file-system",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-filtering-platform-connection.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-filtering-platform-connection",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-filtering-platform-packet-drop",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-filtering-platform-policy-change",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-group-membership.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-group-membership",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-handle-manipulation.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-handle-manipulation",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-ipsec-driver.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-ipsec-driver",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-ipsec-extended-mode",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-ipsec-main-mode.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-ipsec-main-mode",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-ipsec-quick-mode",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kerberos-authentication-service",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kerberos-service-ticket-operations",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-kernel-object.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kernel-object",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-logoff.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-logoff",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-logon.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-logon",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-network-policy-server.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-network-policy-server",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-non-sensitive-privilege-use",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-other-account-logon-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-account-logon-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-other-account-management-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-account-management-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-logonlogoff-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-other-object-access-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-object-access-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-other-policy-change-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-policy-change-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-other-privilege-use-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-privilege-use-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-other-system-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-system-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-pnp-activity.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-pnp-activity",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-process-creation.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-process-creation",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-process-termination.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-process-termination",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-registry.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-registry",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-removable-storage.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-removable-storage",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-rpc-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-rpc-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-sam.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sam",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-security-group-management.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-security-state-change.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-state-change",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-security-system-extension.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-system-extension",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sensitive-privilege-use",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-special-logon.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-special-logon",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-system-integrity.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-system-integrity",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-token-right-adjusted.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-token-right-adjusted",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-user-account-management.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-user-account-management",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/audit-user-device-claims.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-user-device-claims",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/basic-audit-account-logon-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-account-logon-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/basic-audit-account-management.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-account-management",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/basic-audit-directory-service-access.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-directory-service-access",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/basic-audit-logon-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-logon-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/basic-audit-object-access.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-object-access",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/basic-audit-policy-change.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-policy-change",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/basic-audit-privilege-use.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-privilege-use",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/basic-audit-process-tracking.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-process-tracking",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/basic-audit-system-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-system-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/basic-security-audit-policies.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-security-audit-policies",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-security-audit-policy-settings",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-1100.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-1100",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-1102.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-1102",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-1104.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-1104",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-1105.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-1105",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-1108.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-1108",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4608.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4608",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4610.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4610",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4611.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4611",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4612.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4612",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4614.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4614",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4615.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4615",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4616.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4618.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4618",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4621.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4621",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4622.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4622",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4624.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4625.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4626.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4626",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4627.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4627",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4634.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4647.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4648.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4648",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4649.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4656.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4656",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4657.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4657",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4658.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4658",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4660.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4660",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4661.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4662.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4663.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4664.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4664",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4670.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4670",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4671.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4671",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4672.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4672",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4673.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4674.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4674",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4675.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4675",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4688.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4688",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4689.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4689",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4690.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4690",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4691.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4691",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4692.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4692",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4693.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4693",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4694.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4694",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4695.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4695",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4696.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4696",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4697.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4697",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4698.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4699.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4700.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4700",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4701.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4702.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4702",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4703.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4703",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4704.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4704",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4705.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4705",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4706.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4707.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4707",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4713.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4713",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4714.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4714",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4715.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4715",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4716.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4716",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4717.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4717",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4718.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4718",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4719.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4719",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4720.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4720",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4722.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4722",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4723.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4723",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4724.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4724",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4725.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4725",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4726.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4726",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4731.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4731",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4732.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4733.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4733",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4734.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4734",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4735.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4735",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4738.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4738",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4739.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4739",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4740.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4740",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4741.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4742.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4742",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4743.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4749.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4749",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4750.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4750",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4751.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4751",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4752.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4752",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4753.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4753",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4764.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4764",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4765.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4765",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4766.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4766",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4767.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4767",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4768.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4768",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4769.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4770.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4770",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4771.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4772.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4772",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4773.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4773",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4774.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4774",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4775.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4775",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4776.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4777.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4777",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4778.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4778",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4779.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4779",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4780.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4780",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4781.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4781",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4782.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4782",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4793.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4793",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4794.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4798.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4798",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4799.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4799",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4800.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4800",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4801.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4801",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4802.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4802",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4803.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4803",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4816.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4816",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4817.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4817",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4818.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4818",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4819.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4819",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4826.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4826",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4864.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4864",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4865.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4865",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4866.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4866",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4867.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4867",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4902.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4902",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4904.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4904",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4905.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4905",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4906.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4906",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4907.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4907",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4908.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4908",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4909.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4909",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4910.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4910",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4911.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4911",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4912.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4912",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4913.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4913",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4928.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4928",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4929.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4929",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4930.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4930",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4931.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4931",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4932.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4932",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4933.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4933",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4934.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4934",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4935.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4935",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4936.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4936",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4937.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4937",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4944.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4944",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4945.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4945",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4946.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4946",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4947.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4947",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4948.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4948",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4949.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4949",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4950.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4950",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4951.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4951",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4952.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4952",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4953.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4953",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4954.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4954",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4956.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4956",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4957.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4957",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4958.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4958",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4964.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4964",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-4985.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4985",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5024.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5024",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5025.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5025",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5027.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5027",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5028.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5028",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5029.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5029",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5030.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5030",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5031.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5031",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5032.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5032",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5033.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5033",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5034.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5034",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5035.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5035",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5037.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5037",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5038.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5039.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5039",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5051.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5051",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5056.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5056",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5057.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5057",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5058.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5058",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5059.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5059",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5060.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5060",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5061.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5061",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5062.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5062",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5063.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5063",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5064.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5064",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5065.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5065",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5066.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5066",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5067.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5067",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5068.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5068",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5069.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5069",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5070.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5070",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5136.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5137.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5137",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5138.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5138",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5139.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5139",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5140.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5141.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5141",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5142.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5142",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5143.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5143",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5144.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5144",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5145.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5145",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5148.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5148",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5149.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5149",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5150.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5150",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5151.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5151",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5152.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5152",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5153.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5153",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5154.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5154",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5155.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5155",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5156.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5156",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5157.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5157",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5158.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5158",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5159.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5159",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5168.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5168",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5376.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5376",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5377.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5377",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5378.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5378",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5447.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5447",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5632.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5632",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5633.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5633",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5712.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5712",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5888.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5888",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5889.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5889",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-5890.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5890",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6144.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6144",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6145.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6145",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6281.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6400.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6400",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6401.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6401",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6402.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6402",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6403.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6403",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6404.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6404",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6405.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6405",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6406.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6406",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6407.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6407",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6408.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6408",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6409.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6409",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6410.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6410",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6416.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6419.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6419",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6420.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6420",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6421.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6421",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6422.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6422",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6423.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/event-6424.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6424",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/file-system-global-object-access-auditing",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/monitor-claim-types.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-claim-types",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-resource-attribute-definitions",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/other-events.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/other-events",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/registry-global-object-access-auditing.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/registry-global-object-access-auditing",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/security-auditing-overview.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/security-auditing-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/view-the-security-event-log.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/view-the-security-event-log",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-auditing-faq",
+      "redirect_document_id": false
     }
   ]
-}
+}
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/TOC.yml b/windows/security/threat-protection/auditing/TOC.yml
deleted file mode 100644
index 4f122c5d8e..0000000000
--- a/windows/security/threat-protection/auditing/TOC.yml
+++ /dev/null
@@ -1,767 +0,0 @@
-        - name: Security auditing
-          href: security-auditing-overview.md
-          items: 
-            - name: Basic security audit policies
-              href: basic-security-audit-policies.md
-              items: 
-                - name: Create a basic audit policy for an event category
-                  href: create-a-basic-audit-policy-settings-for-an-event-category.md
-                - name: Apply a basic audit policy on a file or folder
-                  href: apply-a-basic-audit-policy-on-a-file-or-folder.md
-                - name: View the security event log
-                  href: view-the-security-event-log.md
-                - name: Basic security audit policy settings
-                  href: basic-security-audit-policy-settings.md
-                  items: 
-                    - name: Audit account logon events
-                      href: basic-audit-account-logon-events.md
-                    - name: Audit account management
-                      href: basic-audit-account-management.md
-                    - name: Audit directory service access
-                      href: basic-audit-directory-service-access.md
-                    - name: Audit logon events
-                      href: basic-audit-logon-events.md
-                    - name: Audit object access
-                      href: basic-audit-object-access.md
-                    - name: Audit policy change
-                      href: basic-audit-policy-change.md
-                    - name: Audit privilege use
-                      href: basic-audit-privilege-use.md
-                    - name: Audit process tracking
-                      href: basic-audit-process-tracking.md
-                    - name: Audit system events
-                      href: basic-audit-system-events.md
-            - name: Advanced security audit policies
-              href: advanced-security-auditing.md
-              items: 
-                - name: Planning and deploying advanced security audit policies
-                  href: planning-and-deploying-advanced-security-audit-policies.md
-                - name: Advanced security auditing FAQ
-                  href: advanced-security-auditing-faq.yml
-                  items: 
-                    - name: Which editions of Windows support advanced audit policy configuration
-                      href: which-editions-of-windows-support-advanced-audit-policy-configuration.md
-                    - name: How to list XML elements in \<EventData>
-                      href: how-to-list-xml-elements-in-eventdata.md
-                    - name: Using advanced security auditing options to monitor dynamic access control objects
-                      href: using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
-                      items: 
-                        - name: Monitor the central access policies that apply on a file server
-                          href: monitor-the-central-access-policies-that-apply-on-a-file-server.md
-                        - name: Monitor the use of removable storage devices
-                          href: monitor-the-use-of-removable-storage-devices.md
-                        - name: Monitor resource attribute definitions
-                          href: monitor-resource-attribute-definitions.md
-                        - name: Monitor central access policy and rule definitions
-                          href: monitor-central-access-policy-and-rule-definitions.md
-                        - name: Monitor user and device claims during sign-in
-                          href: monitor-user-and-device-claims-during-sign-in.md
-                        - name: Monitor the resource attributes on files and folders
-                          href: monitor-the-resource-attributes-on-files-and-folders.md
-                        - name: Monitor the central access policies associated with files and folders
-                          href: monitor-the-central-access-policies-associated-with-files-and-folders.md
-                        - name: Monitor claim types
-                          href: monitor-claim-types.md
-                    - name: Advanced security audit policy settings
-                      href: advanced-security-audit-policy-settings.md
-                      items: 
-                        - name: Audit Credential Validation
-                          href: audit-credential-validation.md
-                        - name: "Event 4774 S, F: An account was mapped for logon."
-                          href: event-4774.md
-                        - name: "Event 4775 F: An account could not be mapped for logon."
-                          href: event-4775.md
-                        - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account."
-                          href: event-4776.md
-                        - name: "Event 4777 F: The domain controller failed to validate the credentials for an account."
-                          href: event-4777.md
-                    - name: Audit Kerberos Authentication Service
-                      href: audit-kerberos-authentication-service.md
-                      items: 
-                        - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested."
-                          href: event-4768.md
-                        - name: "Event 4771 F: Kerberos pre-authentication failed."
-                          href: event-4771.md
-                        - name: "Event 4772 F: A Kerberos authentication ticket request failed."
-                          href: event-4772.md
-                    - name: Audit Kerberos Service Ticket Operations
-                      href: audit-kerberos-service-ticket-operations.md
-                      items: 
-                        - name: "Event 4769 S, F: A Kerberos service ticket was requested."
-                          href: event-4769.md
-                        - name: "Event 4770 S: A Kerberos service ticket was renewed."
-                          href: event-4770.md
-                        - name: "Event 4773 F: A Kerberos service ticket request failed."
-                          href: event-4773.md
-                    - name: Audit Other Account Logon Events
-                      href: audit-other-account-logon-events.md
-                    - name: Audit Application Group Management
-                      href: audit-application-group-management.md
-                    - name: Audit Computer Account Management
-                      href: audit-computer-account-management.md
-                      items: 
-                        - name: "Event 4741 S: A computer account was created."
-                          href: event-4741.md
-                        - name: "Event 4742 S: A computer account was changed."
-                          href: event-4742.md
-                        - name: "Event 4743 S: A computer account was deleted."
-                          href: event-4743.md
-                    - name: Audit Distribution Group Management
-                      href: audit-distribution-group-management.md
-                      items: 
-                        - name: "Event 4749 S: A security-disabled global group was created."
-                          href: event-4749.md
-                        - name: "Event 4750 S: A security-disabled global group was changed."
-                          href: event-4750.md
-                        - name: "Event 4751 S: A member was added to a security-disabled global group."
-                          href: event-4751.md
-                        - name: "Event 4752 S: A member was removed from a security-disabled global group."
-                          href: event-4752.md
-                        - name: "Event 4753 S: A security-disabled global group was deleted."
-                          href: event-4753.md
-                    - name: Audit Other Account Management Events
-                      href: audit-other-account-management-events.md
-                      items: 
-                        - name: "Event 4782 S: The password hash of an account was accessed."
-                          href: event-4782.md
-                        - name: "Event 4793 S: The Password Policy Checking API was called."
-                          href: event-4793.md
-                    - name: Audit Security Group Management
-                      href: audit-security-group-management.md
-                      items: 
-                        - name: "Event 4731 S: A security-enabled local group was created."
-                          href: event-4731.md
-                        - name: "Event 4732 S: A member was added to a security-enabled local group."
-                          href: event-4732.md
-                        - name: "Event 4733 S: A member was removed from a security-enabled local group."
-                          href: event-4733.md
-                        - name: "Event 4734 S: A security-enabled local group was deleted."
-                          href: event-4734.md
-                        - name: "Event 4735 S: A security-enabled local group was changed."
-                          href: event-4735.md
-                        - name: "Event 4764 S: A group�s type was changed."
-                          href: event-4764.md
-                        - name: "Event 4799 S: A security-enabled local group membership was enumerated."
-                          href: event-4799.md
-                    - name: Audit User Account Management
-                      href: audit-user-account-management.md
-                      items: 
-                        - name: "Event 4720 S: A user account was created."
-                          href: event-4720.md
-                        - name: "Event 4722 S: A user account was enabled."
-                          href: event-4722.md
-                        - name: "Event 4723 S, F: An attempt was made to change an account's password."
-                          href: event-4723.md
-                        - name: "Event 4724 S, F: An attempt was made to reset an account's password."
-                          href: event-4724.md
-                        - name: "Event 4725 S: A user account was disabled."
-                          href: event-4725.md
-                        - name: "Event 4726 S: A user account was deleted."
-                          href: event-4726.md
-                        - name: "Event 4738 S: A user account was changed."
-                          href: event-4738.md
-                        - name: "Event 4740 S: A user account was locked out."
-                          href: event-4740.md
-                        - name: "Event 4765 S: SID History was added to an account."
-                          href: event-4765.md
-                        - name: "Event 4766 F: An attempt to add SID History to an account failed."
-                          href: event-4766.md
-                        - name: "Event 4767 S: A user account was unlocked."
-                          href: event-4767.md
-                        - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups."
-                          href: event-4780.md
-                        - name: "Event 4781 S: The name of an account was changed."
-                          href: event-4781.md
-                        - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password."
-                          href: event-4794.md
-                        - name: "Event 4798 S: A user's local group membership was enumerated."
-                          href: event-4798.md
-                        - name: "Event 5376 S: Credential Manager credentials were backed up."
-                          href: event-5376.md
-                        - name: "Event 5377 S: Credential Manager credentials were restored from a backup."
-                          href: event-5377.md
-                    - name: Audit DPAPI Activity
-                      href: audit-dpapi-activity.md
-                      items: 
-                        - name: "Event 4692 S, F: Backup of data protection master key was attempted."
-                          href: event-4692.md
-                        - name: "Event 4693 S, F: Recovery of data protection master key was attempted."
-                          href: event-4693.md
-                        - name: "Event 4694 S, F: Protection of auditable protected data was attempted."
-                          href: event-4694.md
-                        - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted."
-                          href: event-4695.md
-                    - name: Audit PNP Activity
-                      href: audit-pnp-activity.md
-                      items: 
-                        - name: "Event 6416 S: A new external device was recognized by the System."
-                          href: event-6416.md
-                        - name: "Event 6419 S: A request was made to disable a device."
-                          href: event-6419.md
-                        - name: "Event 6420 S: A device was disabled."
-                          href: event-6420.md
-                        - name: "Event 6421 S: A request was made to enable a device."
-                          href: event-6421.md
-                        - name: "Event 6422 S: A device was enabled."
-                          href: event-6422.md
-                        - name: "Event 6423 S: The installation of this device is forbidden by system policy."
-                          href: event-6423.md
-                        - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy."
-                          href: event-6424.md
-                    - name: Audit Process Creation
-                      href: audit-process-creation.md
-                      items: 
-                        - name: "Event 4688 S: A new process has been created."
-                          href: event-4688.md
-                        - name: "Event 4696 S: A primary token was assigned to process."
-                          href: event-4696.md
-                    - name: Audit Process Termination
-                      href: audit-process-termination.md
-                      items: 
-                        - name: "Event 4689 S: A process has exited."
-                          href: event-4689.md
-                    - name: Audit RPC Events
-                      href: audit-rpc-events.md
-                      items: 
-                        - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted."
-                          href: event-5712.md
-                    - name: Audit Token Right Adjusted
-                      href: audit-token-right-adjusted.md
-                      items: 
-                        - name: "Event 4703 S: A user right was adjusted."
-                          href: event-4703.md
-                    - name: Audit Detailed Directory Service Replication
-                      href: audit-detailed-directory-service-replication.md
-                      items: 
-                        - name: "Event 4928 S, F: An Active Directory replica source naming context was established."
-                          href: event-4928.md
-                        - name: "Event 4929 S, F: An Active Directory replica source naming context was removed."
-                          href: event-4929.md
-                        - name: "Event 4930 S, F: An Active Directory replica source naming context was modified."
-                          href: event-4930.md
-                        - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified."
-                          href: event-4931.md
-                        - name: "Event 4934 S: Attributes of an Active Directory object were replicated."
-                          href: event-4934.md
-                        - name: "Event 4935 F: Replication failure begins."
-                          href: event-4935.md
-                        - name: "Event 4936 S: Replication failure ends."
-                          href: event-4936.md
-                        - name: "Event 4937 S: A lingering object was removed from a replica."
-                          href: event-4937.md
-                    - name: Audit Directory Service Access
-                      href: audit-directory-service-access.md
-                      items: 
-                        - name: "Event 4662 S, F: An operation was performed on an object."
-                          href: event-4662.md
-                        - name: "Event 4661 S, F: A handle to an object was requested."
-                          href: event-4661.md
-                    - name: Audit Directory Service Changes
-                      href: audit-directory-service-changes.md
-                      items: 
-                        - name: "Event 5136 S: A directory service object was modified."
-                          href: event-5136.md
-                        - name: "Event 5137 S: A directory service object was created."
-                          href: event-5137.md
-                        - name: "Event 5138 S: A directory service object was undeleted."
-                          href: event-5138.md
-                        - name: "Event 5139 S: A directory service object was moved."
-                          href: event-5139.md
-                        - name: "Event 5141 S: A directory service object was deleted."
-                          href: event-5141.md
-                    - name: Audit Directory Service Replication
-                      href: audit-directory-service-replication.md
-                      items: 
-                        - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun."
-                          href: event-4932.md
-                        - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended."
-                          href: event-4933.md
-                    - name: Audit Account Lockout
-                      href: audit-account-lockout.md
-                      items: 
-                        - name: "Event 4625 F: An account failed to log on."
-                          href: event-4625.md
-                    - name: Audit User/Device Claims
-                      href: audit-user-device-claims.md
-                      items: 
-                        - name: "Event 4626 S: User/Device claims information."
-                          href: event-4626.md
-                    - name: Audit Group Membership
-                      href: audit-group-membership.md
-                      items: 
-                        - name: "Event 4627 S: Group membership information."
-                          href: event-4627.md
-                    - name: Audit IPsec Extended Mode
-                      href: audit-ipsec-extended-mode.md
-                    - name: Audit IPsec Main Mode
-                      href: audit-ipsec-main-mode.md
-                    - name: Audit IPsec Quick Mode
-                      href: audit-ipsec-quick-mode.md
-                    - name: Audit Logoff
-                      href: audit-logoff.md
-                      items: 
-                        - name: "Event 4634 S: An account was logged off."
-                          href: event-4634.md
-                        - name: "Event 4647 S: User initiated logoff."
-                          href: event-4647.md
-                    - name: Audit Logon
-                      href: audit-logon.md
-                      items: 
-                        - name: "Event 4624 S: An account was successfully logged on."
-                          href: event-4624.md
-                        - name: "Event 4625 F: An account failed to log on."
-                          href: event-4625.md
-                        - name: "Event 4648 S: A logon was attempted using explicit credentials."
-                          href: event-4648.md
-                        - name: "Event 4675 S: SIDs were filtered."
-                          href: event-4675.md
-                    - name: Audit Network Policy Server
-                      href: audit-network-policy-server.md
-                    - name: Audit Other Logon/Logoff Events
-                      href: audit-other-logonlogoff-events.md
-                      items: 
-                        - name: "Event 4649 S: A replay attack was detected."
-                          href: event-4649.md
-                        - name: "Event 4778 S: A session was reconnected to a Window Station."
-                          href: event-4778.md
-                        - name: "Event 4779 S: A session was disconnected from a Window Station."
-                          href: event-4779.md
-                        - name: "Event 4800 S: The workstation was locked."
-                          href: event-4800.md
-                        - name: "Event 4801 S: The workstation was unlocked."
-                          href: event-4801.md
-                        - name: "Event 4802 S: The screen saver was invoked."
-                          href: event-4802.md
-                        - name: "Event 4803 S: The screen saver was dismissed."
-                          href: event-4803.md
-                        - name: "Event 5378 F: The requested credentials delegation was disallowed by policy."
-                          href: event-5378.md
-                        - name: "Event 5632 S, F: A request was made to authenticate to a wireless network."
-                          href: event-5632.md
-                        - name: "Event 5633 S, F: A request was made to authenticate to a wired network."
-                          href: event-5633.md
-                    - name: Audit Special Logon
-                      href: audit-special-logon.md
-                      items: 
-                        - name: "Event 4964 S: Special groups have been assigned to a new logon."
-                          href: event-4964.md
-                        - name: "Event 4672 S: Special privileges assigned to new logon."
-                          href: event-4672.md
-                    - name: Audit Application Generated
-                      href: audit-application-generated.md
-                    - name: Audit Certification Services
-                      href: audit-certification-services.md
-                    - name: Audit Detailed File Share
-                      href: audit-detailed-file-share.md
-                      items: 
-                        - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access."
-                          href: event-5145.md
-                    - name: Audit File Share
-                      href: audit-file-share.md
-                      items: 
-                        - name: "Event 5140 S, F: A network share object was accessed."
-                          href: event-5140.md
-                        - name: "Event 5142 S: A network share object was added."
-                          href: event-5142.md
-                        - name: "Event 5143 S: A network share object was modified."
-                          href: event-5143.md
-                        - name: "Event 5144 S: A network share object was deleted."
-                          href: event-5144.md
-                        - name: "Event 5168 F: SPN check for SMB/SMB2 failed."
-                          href: event-5168.md
-                    - name: Audit File System
-                      href: audit-file-system.md
-                      items: 
-                        - name: "Event 4656 S, F: A handle to an object was requested."
-                          href: event-4656.md
-                        - name: "Event 4658 S: The handle to an object was closed."
-                          href: event-4658.md
-                        - name: "Event 4660 S: An object was deleted."
-                          href: event-4660.md
-                        - name: "Event 4663 S: An attempt was made to access an object."
-                          href: event-4663.md
-                        - name: "Event 4664 S: An attempt was made to create a hard link."
-                          href: event-4664.md
-                        - name: "Event 4985 S: The state of a transaction has changed."
-                          href: event-4985.md
-                        - name: "Event 5051: A file was virtualized."
-                          href: event-5051.md
-                        - name: "Event 4670 S: Permissions on an object were changed."
-                          href: event-4670.md
-                    - name: Audit Filtering Platform Connection
-                      href: audit-filtering-platform-connection.md
-                      items: 
-                        - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network."
-                          href: event-5031.md
-                        - name: "Event 5150: The Windows Filtering Platform blocked a packet."
-                          href: event-5150.md
-                        - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet."
-                          href: event-5151.md
-                        - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections."
-                          href: event-5154.md
-                        - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections."
-                          href: event-5155.md
-                        - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection."
-                          href: event-5156.md
-                        - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection."
-                          href: event-5157.md
-                        - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port."
-                          href: event-5158.md
-                        - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port."
-                          href: event-5159.md
-                    - name: Audit Filtering Platform Packet Drop
-                      href: audit-filtering-platform-packet-drop.md
-                      items: 
-                        - name: "Event 5152 F: The Windows Filtering Platform blocked a packet."
-                          href: event-5152.md
-                        - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet."
-                          href: event-5153.md
-                    - name: Audit Handle Manipulation
-                      href: audit-handle-manipulation.md
-                      items: 
-                        - name: "Event 4690 S: An attempt was made to duplicate a handle to an object."
-                          href: event-4690.md
-                    - name: Audit Kernel Object
-                      href: audit-kernel-object.md
-                      items: 
-                        - name: "Event 4656 S, F: A handle to an object was requested."
-                          href: event-4656.md
-                        - name: "Event 4658 S: The handle to an object was closed."
-                          href: event-4658.md
-                        - name: "Event 4660 S: An object was deleted."
-                          href: event-4660.md
-                        - name: "Event 4663 S: An attempt was made to access an object."
-                          href: event-4663.md
-                    - name: Audit Other Object Access Events
-                      href: audit-other-object-access-events.md
-                      items: 
-                        - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS."
-                          href: event-4671.md
-                        - name: "Event 4691 S: Indirect access to an object was requested."
-                          href: event-4691.md
-                        - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded."
-                          href: event-5148.md
-                        - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed."
-                          href: event-5149.md
-                        - name: "Event 4698 S: A scheduled task was created."
-                          href: event-4698.md
-                        - name: "Event 4699 S: A scheduled task was deleted."
-                          href: event-4699.md
-                        - name: "Event 4700 S: A scheduled task was enabled."
-                          href: event-4700.md
-                        - name: "Event 4701 S: A scheduled task was disabled."
-                          href: event-4701.md
-                        - name: "Event 4702 S: A scheduled task was updated."
-                          href: event-4702.md
-                        - name: "Event 5888 S: An object in the COM+ Catalog was modified."
-                          href: event-5888.md
-                        - name: "Event 5889 S: An object was deleted from the COM+ Catalog."
-                          href: event-5889.md
-                        - name: "Event 5890 S: An object was added to the COM+ Catalog."
-                          href: event-5890.md
-                    - name: Audit Registry
-                      href: audit-registry.md
-                      items: 
-                        - name: "Event 4663 S: An attempt was made to access an object."
-                          href: event-4663.md
-                        - name: "Event 4656 S, F: A handle to an object was requested."
-                          href: event-4656.md
-                        - name: "Event 4658 S: The handle to an object was closed."
-                          href: event-4658.md
-                        - name: "Event 4660 S: An object was deleted."
-                          href: event-4660.md
-                        - name: "Event 4657 S: A registry value was modified."
-                          href: event-4657.md
-                        - name: "Event 5039: A registry key was virtualized."
-                          href: event-5039.md
-                        - name: "Event 4670 S: Permissions on an object were changed."
-                          href: event-4670.md
-                    - name: Audit Removable Storage
-                      href: audit-removable-storage.md
-                    - name: Audit SAM
-                      href: audit-sam.md
-                      items: 
-                        - name: "Event 4661 S, F: A handle to an object was requested."
-                          href: event-4661.md
-                    - name: Audit Central Access Policy Staging
-                      href: audit-central-access-policy-staging.md
-                      items: 
-                        - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy."
-                          href: event-4818.md
-                    - name: Audit Audit Policy Change
-                      href: audit-audit-policy-change.md
-                      items: 
-                        - name: "Event 4670 S: Permissions on an object were changed."
-                          href: event-4670.md
-                        - name: "Event 4715 S: The audit policy, SACL, on an object was changed."
-                          href: event-4715.md
-                        - name: "Event 4719 S: System audit policy was changed."
-                          href: event-4719.md
-                        - name: "Event 4817 S: Auditing settings on object were changed."
-                          href: event-4817.md
-                        - name: "Event 4902 S: The Per-user audit policy table was created."
-                          href: event-4902.md
-                        - name: "Event 4906 S: The CrashOnAuditFail value has changed."
-                          href: event-4906.md
-                        - name: "Event 4907 S: Auditing settings on object were changed."
-                          href: event-4907.md
-                        - name: "Event 4908 S: Special Groups Logon table modified."
-                          href: event-4908.md
-                        - name: "Event 4912 S: Per User Audit Policy was changed."
-                          href: event-4912.md
-                        - name: "Event 4904 S: An attempt was made to register a security event source."
-                          href: event-4904.md
-                        - name: "Event 4905 S: An attempt was made to unregister a security event source."
-                          href: event-4905.md
-                    - name: Audit Authentication Policy Change
-                      href: audit-authentication-policy-change.md
-                      items: 
-                        - name: "Event 4706 S: A new trust was created to a domain."
-                          href: event-4706.md
-                        - name: "Event 4707 S: A trust to a domain was removed."
-                          href: event-4707.md
-                        - name: "Event 4716 S: Trusted domain information was modified."
-                          href: event-4716.md
-                        - name: "Event 4713 S: Kerberos policy was changed."
-                          href: event-4713.md
-                        - name: "Event 4717 S: System security access was granted to an account."
-                          href: event-4717.md
-                        - name: "Event 4718 S: System security access was removed from an account."
-                          href: event-4718.md
-                        - name: "Event 4739 S: Domain Policy was changed."
-                          href: event-4739.md
-                        - name: "Event 4864 S: A namespace collision was detected."
-                          href: event-4864.md
-                        - name: "Event 4865 S: A trusted forest information entry was added."
-                          href: event-4865.md
-                        - name: "Event 4866 S: A trusted forest information entry was removed."
-                          href: event-4866.md
-                        - name: "Event 4867 S: A trusted forest information entry was modified."
-                          href: event-4867.md
-                    - name: Audit Authorization Policy Change
-                      href: audit-authorization-policy-change.md
-                      items: 
-                        - name: "Event 4703 S: A user right was adjusted."
-                          href: event-4703.md
-                        - name: "Event 4704 S: A user right was assigned."
-                          href: event-4704.md
-                        - name: "Event 4705 S: A user right was removed."
-                          href: event-4705.md
-                        - name: "Event 4670 S: Permissions on an object were changed."
-                          href: event-4670.md
-                        - name: "Event 4911 S: Resource attributes of the object were changed."
-                          href: event-4911.md
-                        - name: "Event 4913 S: Central Access Policy on the object was changed."
-                          href: event-4913.md
-                    - name: Audit Filtering Platform Policy Change
-                      href: audit-filtering-platform-policy-change.md
-                    - name: Audit MPSSVC Rule-Level Policy Change
-                      href: audit-mpssvc-rule-level-policy-change.md
-                      items: 
-                        - name: "Event 4944 S: The following policy was active when the Windows Firewall started."
-                          href: event-4944.md
-                        - name: "Event 4945 S: A rule was listed when the Windows Firewall started."
-                          href: event-4945.md
-                        - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added."
-                          href: event-4946.md
-                        - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified."
-                          href: event-4947.md
-                        - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted."
-                          href: event-4948.md
-                        - name: "Event 4949 S: Windows Firewall settings were restored to the default values."
-                          href: event-4949.md
-                        - name: "Event 4950 S: A Windows Firewall setting has changed."
-                          href: event-4950.md
-                        - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall."
-                          href: event-4951.md
-                        - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced."
-                          href: event-4952.md
-                        - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed."
-                          href: event-4953.md
-                        - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied."
-                          href: event-4954.md
-                        - name: "Event 4956 S: Windows Firewall has changed the active profile."
-                          href: event-4956.md
-                        - name: "Event 4957 F: Windows Firewall did not apply the following rule."
-                          href: event-4957.md
-                        - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer."
-                          href: event-4958.md
-                    - name: Audit Other Policy Change Events
-                      href: audit-other-policy-change-events.md
-                      items: 
-                        - name: "Event 4714 S: Encrypted data recovery policy was changed."
-                          href: event-4714.md
-                        - name: "Event 4819 S: Central Access Policies on the machine have been changed."
-                          href: event-4819.md
-                        - name: "Event 4826 S: Boot Configuration Data loaded."
-                          href: event-4826.md
-                        - name: "Event 4909: The local policy settings for the TBS were changed."
-                          href: event-4909.md
-                        - name: "Event 4910: The group policy settings for the TBS were changed."
-                          href: event-4910.md
-                        - name: "Event 5063 S, F: A cryptographic provider operation was attempted."
-                          href: event-5063.md
-                        - name: "Event 5064 S, F: A cryptographic context operation was attempted."
-                          href: event-5064.md
-                        - name: "Event 5065 S, F: A cryptographic context modification was attempted."
-                          href: event-5065.md
-                        - name: "Event 5066 S, F: A cryptographic function operation was attempted."
-                          href: event-5066.md
-                        - name: "Event 5067 S, F: A cryptographic function modification was attempted."
-                          href: event-5067.md
-                        - name: "Event 5068 S, F: A cryptographic function provider operation was attempted."
-                          href: event-5068.md
-                        - name: "Event 5069 S, F: A cryptographic function property operation was attempted."
-                          href: event-5069.md
-                        - name: "Event 5070 S, F: A cryptographic function property modification was attempted."
-                          href: event-5070.md
-                        - name: "Event 5447 S: A Windows Filtering Platform filter has been changed."
-                          href: event-5447.md
-                        - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully."
-                          href: event-6144.md
-                        - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects."
-                          href: event-6145.md
-                    - name: Audit Sensitive Privilege Use
-                      href: audit-sensitive-privilege-use.md
-                      items: 
-                        - name: "Event 4673 S, F: A privileged service was called."
-                          href: event-4673.md
-                        - name: "Event 4674 S, F: An operation was attempted on a privileged object."
-                          href: event-4674.md
-                        - name: "Event 4985 S: The state of a transaction has changed."
-                          href: event-4985.md
-                    - name: Audit Non Sensitive Privilege Use
-                      href: audit-non-sensitive-privilege-use.md
-                      items: 
-                        - name: "Event 4673 S, F: A privileged service was called."
-                          href: event-4673.md
-                        - name: "Event 4674 S, F: An operation was attempted on a privileged object."
-                          href: event-4674.md
-                        - name: "Event 4985 S: The state of a transaction has changed."
-                          href: event-4985.md
-                    - name: Audit Other Privilege Use Events
-                      href: audit-other-privilege-use-events.md
-                      items: 
-                        - name: "Event 4985 S: The state of a transaction has changed."
-                          href: event-4985.md
-                    - name: Audit IPsec Driver
-                      href: audit-ipsec-driver.md
-                    - name: Audit Other System Events
-                      href: audit-other-system-events.md
-                      items: 
-                        - name: "Event 5024 S: The Windows Firewall Service has started successfully."
-                          href: event-5024.md
-                        - name: "Event 5025 S: The Windows Firewall Service has been stopped."
-                          href: event-5025.md
-                        - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy."
-                          href: event-5027.md
-                        - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy."
-                          href: event-5028.md
-                        - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy."
-                          href: event-5029.md
-                        - name: "Event 5030 F: The Windows Firewall Service failed to start."
-                          href: event-5030.md
-                        - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network."
-                          href: event-5032.md
-                        - name: "Event 5033 S: The Windows Firewall Driver has started successfully."
-                          href: event-5033.md
-                        - name: "Event 5034 S: The Windows Firewall Driver was stopped."
-                          href: event-5034.md
-                        - name: "Event 5035 F: The Windows Firewall Driver failed to start."
-                          href: event-5035.md
-                        - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating."
-                          href: event-5037.md
-                        - name: "Event 5058 S, F: Key file operation."
-                          href: event-5058.md
-                        - name: "Event 5059 S, F: Key migration operation."
-                          href: event-5059.md
-                        - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content."
-                          href: event-6400.md
-                        - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded."
-                          href: event-6401.md
-                        - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted."
-                          href: event-6402.md
-                        - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client."
-                          href: event-6403.md
-                        - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate."
-                          href: event-6404.md
-                        - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred."
-                          href: event-6405.md
-                        - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2."
-                          href: event-6406.md
-                        - name: "Event 6407: 1%."
-                          href: event-6407.md
-                        - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2."
-                          href: event-6408.md
-                        - name: "Event 6409: BranchCache: A service connection point object could not be parsed."
-                          href: event-6409.md
-                    - name: Audit Security State Change
-                      href: audit-security-state-change.md
-                      items: 
-                        - name: "Event 4608 S: Windows is starting up."
-                          href: event-4608.md
-                        - name: "Event 4616 S: The system time was changed."
-                          href: event-4616.md
-                        - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail."
-                          href: event-4621.md
-                    - name: Audit Security System Extension
-                      href: audit-security-system-extension.md
-                      items: 
-                        - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority."
-                          href: event-4610.md
-                        - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority."
-                          href: event-4611.md
-                        - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager."
-                          href: event-4614.md
-                        - name: "Event 4622 S: A security package has been loaded by the Local Security Authority."
-                          href: event-4622.md
-                        - name: "Event 4697 S: A service was installed in the system."
-                          href: event-4697.md
-                    - name: Audit System Integrity
-                      href: audit-system-integrity.md
-                      items: 
-                        - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits."
-                          href: event-4612.md
-                        - name: "Event 4615 S: Invalid use of LPC port."
-                          href: event-4615.md
-                        - name: "Event 4618 S: A monitored security event pattern has occurred."
-                          href: event-4618.md
-                        - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message."
-                          href: event-4816.md
-                        - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid."
-                          href: event-5038.md
-                        - name: "Event 5056 S: A cryptographic self-test was performed."
-                          href: event-5056.md
-                        - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed."
-                          href: event-5062.md
-                        - name: "Event 5057 F: A cryptographic primitive operation failed."
-                          href: event-5057.md
-                        - name: "Event 5060 F: Verification operation failed."
-                          href: event-5060.md
-                        - name: "Event 5061 S, F: Cryptographic operation."
-                          href: event-5061.md
-                        - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid."
-                          href: event-6281.md
-                        - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process."
-                          href: event-6410.md
-                    - name: Other Events
-                      href: other-events.md
-                      items: 
-                        - name: "Event 1100 S: The event logging service has shut down."
-                          href: event-1100.md
-                        - name: "Event 1102 S: The audit log was cleared."
-                          href: event-1102.md
-                        - name: "Event 1104 S: The security log is now full."
-                          href: event-1104.md
-                        - name: "Event 1105 S: Event log automatic backup."
-                          href: event-1105.md
-                        - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1."
-                          href: event-1108.md
-                    - name: "Appendix A: Security monitoring recommendations for many audit events"
-                      href: appendix-a-security-monitoring-recommendations-for-many-audit-events.md
-                    - name: Registry (Global Object Access Auditing)
-                      href: registry-global-object-access-auditing.md
-                    - name: File System (Global Object Access Auditing)
-                      href: file-system-global-object-access-auditing.md
-        - name: Windows security
-          href: /windows/security/
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
deleted file mode 100644
index 4c63211e0c..0000000000
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ /dev/null
@@ -1,174 +0,0 @@
----
-title: Advanced security audit policy settings
-description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
-ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Advanced security audit policy settings (Windows 10)
-
-This reference for IT professionals provides information about:
-- The advanced audit policy settings available in Windows
-- The audit events that these settings generate.
-
-The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
-
--   A group administrator has modified settings or data on servers that contain finance information.
--   An employee within a defined group has accessed an important file.
--   The correct system access control list (SACL) - as a verifiable safeguard against undetected access - is applied to either of the following:
-    -  every file and folder
-    -  registry key on a computer
-    -  file share.
-
-You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy.
-
-These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for the following types of behaviors:
-- That are of little or no concern to you
-- That create an excessive number of log entries.
-
-In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
-Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
-
-## Account Logon
-
-Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, Account Logon settings and events focus on the account database that is used. This category includes the following subcategories:
-
--   [Audit Credential Validation](audit-credential-validation.md)
--   [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
--   [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
--   [Audit Other Account Logon Events](audit-other-account-logon-events.md)
-
-## Account Management
-
-The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
-
--   [Audit Application Group Management](audit-application-group-management.md)
--   [Audit Computer Account Management](audit-computer-account-management.md)
--   [Audit Distribution Group Management](audit-distribution-group-management.md)
--   [Audit Other Account Management Events](audit-other-account-management-events.md)
--   [Audit Security Group Management](audit-security-group-management.md)
--   [Audit User Account Management](audit-user-account-management.md)
-
-## Detailed Tracking
-
-Detailed Tracking security policy settings and audit events can be used for the following purposes:
-- To monitor the activities of individual applications and users on that computer
-- To understand how a computer is being used.
-
-This category includes the following subcategories:
-
-- [Audit DPAPI Activity](audit-dpapi-activity.md)
-- [Audit PNP activity](audit-pnp-activity.md)
-- [Audit Process Creation](audit-process-creation.md)
-- [Audit Process Termination](audit-process-termination.md)
-- [Audit RPC Events](audit-rpc-events.md)
-- [Audit Token Right Adjusted](audit-token-right-adjusted.md)
-
-## DS Access
-
-DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
-
--   [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
--   [Audit Directory Service Access](audit-directory-service-access.md)
--   [Audit Directory Service Changes](audit-directory-service-changes.md)
--   [Audit Directory Service Replication](audit-directory-service-replication.md)
-
-## Logon/Logoff
-
-Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
-
--   [Audit Account Lockout](audit-account-lockout.md)
--   [Audit User/Device Claims](audit-user-device-claims.md)
--   [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
--   [Audit Group Membership](audit-group-membership.md)
--   [Audit IPsec Main Mode](audit-ipsec-main-mode.md)
--   [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)
--   [Audit Logoff](audit-logoff.md)
--   [Audit Logon](audit-logon.md)
--   [Audit Network Policy Server](audit-network-policy-server.md)
--   [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
--   [Audit Special Logon](audit-special-logon.md)
-
-## Object Access
-
-Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations; the Registry subcategory needs to be enabled to audit registry accesses.
-
-Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
-
-This category includes the following subcategories:
-
--   [Audit Application Generated](audit-application-generated.md)
--   [Audit Certification Services](audit-certification-services.md)
--   [Audit Detailed File Share](audit-detailed-file-share.md)
--   [Audit File Share](audit-file-share.md)
--   [Audit File System](audit-file-system.md)
--   [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
--   [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
--   [Audit Handle Manipulation](audit-handle-manipulation.md)
--   [Audit Kernel Object](audit-kernel-object.md)
--   [Audit Other Object Access Events](audit-other-object-access-events.md)
--   [Audit Registry](audit-registry.md)
--   [Audit Removable Storage](audit-removable-storage.md)
--   [Audit SAM](audit-sam.md)
--   [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
-
-## Policy Change
-
-Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, tracking changes (or its attempts) to these policies is an important aspect of security management for a network. This category includes the following subcategories:
-
--   [Audit Audit Policy Change](audit-audit-policy-change.md)
--   [Audit Authentication Policy Change](audit-authentication-policy-change.md)
--   [Audit Authorization Policy Change](audit-authorization-policy-change.md)
--   [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
--   [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
--   [Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-## Privilege Use
-
-Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
-
--   [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
--   [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
--   [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
-
-## System
-
-System security policy settings and audit events allow you to track the following types of system-level changes to a computer:
-- Not included in other categories
-- Have potential security implications.
-
-This category includes the following subcategories:
-
--   [Audit IPsec Driver](audit-ipsec-driver.md)
--   [Audit Other System Events](audit-other-system-events.md)
--   [Audit Security State Change](audit-security-state-change.md)
--   [Audit Security System Extension](audit-security-system-extension.md)
--   [Audit System Integrity](audit-system-integrity.md)
-
-## Global Object Access Auditing
-
-Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
-Auditors can prove that every resource in the system is protected by an audit policy. They can do this task by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
-
-Resource SACLs are also useful for diagnostic scenarios. For example, administrators quickly identify which object in a system is denying a user access by:
-- Setting the Global Object Access Auditing policy to log all the activities for a specific user
-- Enabling the policy to track "Access denied" events for the file system or registry can help
-
-> [!NOTE]
-> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
-
-This category includes the following subcategories:
--   [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
--   [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
-
-## Related topics
-
--   [Basic security audit policy settings](basic-security-audit-policy-settings.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
deleted file mode 100644
index 768de067a0..0000000000
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
+++ /dev/null
@@ -1,175 +0,0 @@
-### YamlMime:FAQ
-metadata:
-  title: Advanced security auditing FAQ
-  description: This article lists common questions and answers about understanding, deploying, and managing security audit policies.
-  author: vinaypamnani-msft
-  ms.author: vinpa
-  manager: aaroncz
-  ms.topic: faq
-  ms.date: 05/24/2022
-
-title: Advanced security auditing FAQ
-
-summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.  
-
-sections:
-  - name: Ignored
-    questions:
-      - question: |
-          What is Windows security auditing and why might I want to use it?
-        answer: |
-          Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is the features and services for an administrator to log and review events for specified security-related activities.
-          
-          Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
-          
-      - question: |
-          What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
-        answer: |
-          The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they're recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you're editing the effective audit policy. Changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
-          
-          There are several other differences between the security audit policy settings in these two locations.
-          
-          There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy
-          Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account sign-in, and the advanced audit policy provides four. Enabling the single basic setting would be the equivalent of setting all four advanced settings. In comparison, setting a single advanced audit policy setting doesn't generate audit events for activities that you aren't interested in tracking.
-          
-          In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account sign-in activities. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
-          
-          The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** and the advanced audit policy settings are available in all supported versions of Windows.
-          
-      - question: |
-          What is the interaction between basic audit policy settings and advanced audit policy settings?
-        answer: |
-          Basic audit policy settings aren't compatible with advanced audit policy settings that are applied by using group policy. When advanced audit policy settings are applied by using group policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using group policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
-          
-          Editing and applying the advanced audit policy settings in Local Security Policy modifies the local group policy object (GPO). If there are policies from other domain GPOs or logon scripts, changes made here may not be exactly reflected in Auditpol.exe. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. Because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain group policy settings are reflected as soon as the new policy is applied.
-          
-          > [!Important]
-          > Whether you apply advanced audit policies by using group policy or by using logon scripts, don't use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
-          
-          If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored.
-           
-      - question: |
-          How are audit settings merged by group policy?
-        answer: |
-          By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
-          
-          For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level. The only exception is if you take special steps to apply group policy loopback processing.
-          
-          The rules that govern how group policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
-          
-          
-          | Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
-          | - | - | - | -|
-          | Detailed File Share Auditing | Success | Failure | Success |
-          | Process Creation Auditing | Disabled | Success | Disabled |
-          | Logon Auditing | Failure | Success | Failure |
-          
-      - question: |
-          What is the difference between an object DACL and an object SACL?
-        answer: |
-          All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
-          
-          -   A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
-          -   A system access control list (SACL) that controls how access is audited
-          
-          The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
-          
-          If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing isn't configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
-          
-      - question: |
-          Why are audit policies applied on a per-computer basis rather than per user?
-        answer: |
-          In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer.
-          
-          Audit policy capabilities can vary between computers running different versions of Windows. The best way to make sure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
-          
-          However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. Because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
-          
-      - question: |
-          Are there any differences in auditing functionality between versions of Windows?
-        answer: |
-          No. Basic and advanced audit policy settings are available in all supported versions of Windows. They can be configured and applied by local or domain group policy settings.
-
-      - question: |
-          What is the difference between success and failure events? Is something wrong if I get a failure audit?
-        answer: |
-          A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
-          
-          A failure audit event is triggered when a defined action, such as a user sign-in, isn't completed successfully.
-          
-          The appearance of failure audit events in the event log doesn't necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password.
-          
-      - question: |
-          How can I set an audit policy that affects all objects on a computer?
-        answer: |
-          System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This requirement has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
-
-          Security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected. It's also useful to identify when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This behavior also applies to a single registry setting SACL and a global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
-          
-      - question: |
-          How do I figure out why someone was able to access a resource?
-        answer: |
-          Often it isn't enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
-
-      - question: |
-          How do I know when changes are made to access control settings, by whom, and what the changes were?
-        answer: |
-          To track access control changes, you need to enable the following settings, which track changes to DACLs:
-          -   **Audit File System** subcategory: Enable for success, failure, or success and failure
-          -   **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
-          -   A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor
-
-      - question: |
-          How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
-        answer: |
-          Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you later change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
-          
-          1.  Set all Advanced Audit Policy subcategories to **Not configured**.
-          2.  Delete all audit.csv files from the `%SYSVOL%` folder on the domain controller.
-          3.  Reconfigure and apply the basic audit policy settings.
-          
-          Unless you complete all of these steps, the basic audit policy settings won't be restored.
-          
-      - question: |
-          How can I monitor if changes are made to audit policy settings?
-        answer: |
-          Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place:
-          
-          -   Permissions and audit settings on the audit policy object are changed
-          -   The system audit policy is changed
-          -   Security event sources are registered or unregistered
-          -   Per-user audit settings are changed
-          -   The value of **CrashOnAuditFail** is modified
-          -   Audit settings on a file or registry key are changed
-          -   A Special Groups list is changed
-          
-      - question: |
-          How can I minimize the number of events that are generated?
-        answer: |
-          Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md).
-          
-      - question: |
-          What are the best tools to model and manage audit policies?
-        answer: |
-          The integration of advanced audit policy settings with domain is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy group policy objects for a domain can also be used to plan and deploy security audit policies.
-          On an individual computer, the `Auditpol` command-line tool can be used to complete many important audit policy-related management tasks.
-          
-          There are also other computer management products, such as the Audit Collection Services in System Center Operations Manager, which can be used to collect and filter event data. For more information, see [How to install an Audit Collection Services (ACS) collector and database](/system-center/scom/deploy-install-acs).
-          
-      - question: |
-          Where can I find information about all the possible events that I might receive?
-        answer: |
-          Users who examine the security event log for the first time can be a bit overwhelmed. The number of audit events that are stored there can quickly number in the thousands. The structured information that's included for each audit event can also be confusing. For more information about these events, and the settings used to generate them, see the following resources:
-          
-          - [Windows security audit events](https://www.microsoft.com/download/details.aspx?id=50034)
-          - [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630)
-          - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
-          
-      - question: |
-          Where can I find more detailed information?
-        answer: |
-          To learn more about security audit policies, see the following resources:
-          
-          - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
-          - [Windows 8 and Windows Server 2012 security event details](https://www.microsoft.com/download/details.aspx?id=35753)
-          - [Security audit events for Windows 7 and Windows Server 2008 R2](https://www.microsoft.com/download/details.aspx?id=21561)
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
deleted file mode 100644
index 84c93ea504..0000000000
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Advanced security audit policies
-description: Advanced security audit policy settings might appear to overlap with basic policies, but they're recorded and applied differently. Learn more about them here.
-ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/6/2021
----
-
-# Advanced security audit policies
-
-Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently.
-When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you're editing the effective audit policy, so changes made to basic audit policy settings appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
-
-## In this section
-
-| Article | Description |
-| - | - |
-| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This article for IT professionals explains the options that security policy planners must consider, and the tasks that they must complete, to deploy an effective security audit policy in a network that includes advanced security audit policies |
-| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
-| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
-| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings in Windows and the audit events that they generate.
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
deleted file mode 100644
index 2ddc4a8249..0000000000
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Appendix A, Security monitoring recommendations for many audit events 
-description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# Appendix A: Security monitoring recommendations for many audit events
-
-
-This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                              |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the high-value account or accounts.                                                              |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.     |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the accounts that should never be used.                                                          |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the allowlist of accounts.                                                                 |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | Identify events that correspond to the actions you want to monitor, and for those events, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor the specific events for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                         |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.                                 |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                        |
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
deleted file mode 100644
index 5e7b8bfd19..0000000000
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: Apply a basic audit policy on a file or folder
-description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log.
-ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.collection:
-  - highpri
-  - tier3
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Apply a basic audit policy on a file or folder
-
-You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
-
-To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights.
-
-**To apply or modify auditing policy settings for a local file or folder**
-
-1.  Select and hold (or right-click) the file or folder that you want to audit, select **Properties**, and then select the **Security** tab.
-2.  Select **Advanced**.
-3.  In the **Advanced Security Settings** dialog box, select the **Auditing** tab, and then select **Continue**.
-4.  Do one of the following tasks:
-    -   To set up auditing for a new user or group, select **Add**. Select **Select a principal**, type the name of the user or group that you want, and then select **OK**.
-    -   To remove auditing for an existing group or user, select the group or user name, select **Remove**, select **OK**, and then skip the rest of this procedure.
-    -   To view or change auditing for an existing group or user, select its name, and then select **Edit.**
-5.  In the **Type** box, indicate what actions you want to audit by selecting the appropriate check boxes:
-    -   To audit successful events, select **Success.**
-    -   To audit failure events, select **Fail.**
-    -   To audit all events, select **All.**
-
-
-
-6.  In the **Applies to** box, select the object(s) to which the audit of events will apply. These objects include:
-
-    -   **This folder only**
-    -   **This folder, subfolders and files**
-    -   **This folder and subfolders**
-    -   **This folder and files**
-    -   **Subfolders and files only**
-    -   **Subfolders only**
-    -   **Files only**
-
-7.  By default, the selected **Basic Permissions** to audit are the following:
-    -   **Read and execute**
-    -   **List folder contents**
-    -   **Read**
-    -   Additionally, with your selected audit combination, you can select any combination of the following permissions:
-          - **Full control**
-          - **Modify**
-          - **Write**
-
-> [!IMPORTANT]
-> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
- 
-## More considerations
-
--   After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
--   You can set up file and folder auditing only on NTFS drives.
--   Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
- 
- 
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
deleted file mode 100644
index e4bbde6028..0000000000
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Audit Account Lockout 
-description: The policy setting, Audit Account Lockout, enables you to audit security events  generated by a failed attempt to log on to an account that is locked out.
-ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Account Lockout
-
-Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
-
-If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. 
-
-Account lockout events are essential for understanding user activity and detecting potential attacks.
-
-**Event volume**: Low.
-
-This subcategory failure logon attempts, when account was already locked out.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                          |
-|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | Yes             | No               | Yes              | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
-| Member Server     | No              | Yes             | No               | Yes              | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
-| Workstation       | No              | Yes             | No               | Yes              | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
-
-**Events List:**
-
--   [4625](event-4625.md)(F): An account failed to log on.
-
diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md
deleted file mode 100644
index 3c22b0237f..0000000000
--- a/windows/security/threat-protection/auditing/audit-application-generated.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Audit Application Generated 
-description: The policy setting, Audit Application Generated, determines if audit events are generated when applications attempt to use the Windows Auditing APIs.
-ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Application Generated
-
-Audit Application Generated generates events for actions related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)).
-
-Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | IF              | IF              | IF               | IF               | IF – if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. |
-| Member Server     | IF              | IF              | IF               | IF               | IF – if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. |
-| Workstation       | IF              | IF              | IF               | IF               | IF – if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. |
-
-**Events List:**
-
-- 4665: An attempt was made to create an application client context.
-
-- 4666: An application attempted an operation.
-
-- 4667: An application client context was deleted.
-
-- 4668: An application was initialized.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
deleted file mode 100644
index fd489adaac..0000000000
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Audit Application Group Management 
-description: The policy setting, Audit Application Group Management, determines if audit events are generated when application group management tasks are performed.
-ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Application Group Management
-
-Audit Application Group Management generates events for actions related to [application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)), such as group creation, modification, addition or removal of group member and some other actions.
-
-[Application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)) are used by [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)).
-
-Audit Application Group Management subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------|
-| Domain Controller | -               | -               | -                | -                | This subcategory is outside the scope of this document. |
-| Member Server     | -               | -               | -                | -                | This subcategory is outside the scope of this document. |
-| Workstation       | -               | -               | -                | -                | This subcategory is outside the scope of this document. |
-
-- 4783(S): A basic application group was created.
-
-- 4784(S): A basic application group was changed.
-
-- 4785(S): A member was added to a basic application group.
-
-- 4786(S): A member was removed from a basic application group.
-
-- 4787(S): A non-member was added to a basic application group.
-
-- 4788(S): A non-member was removed from a basic application group.
-
-- 4789(S): A basic application group was deleted.
-
-- 4790(S): An LDAP query group was created.
-
-- 4791(S): An LDAP query group was changed.
-
-- 4792(S): An LDAP query group was deleted.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
deleted file mode 100644
index d1291e568e..0000000000
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: Audit Audit Policy Change 
-description: The Advanced Security Audit policy setting, Audit Audit Policy Change, determines if audit events are generated when changes are made to audit policy.
-ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Audit Policy Change
-
-
-Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy.
-
-**Event volume**: Low.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                      |
-|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | Yes             | No              | Yes              | No               | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | Yes             | No              | Yes              | No               | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-
-Changes to audit policy that are audited include:
-
--   Changing permissions and audit settings on the audit policy object (by using “auditpol /set /sd” command).
-
--   Changing the system audit policy.
-
--   Registering and unregistering security event sources.
-
--   Changing per-user audit settings.
-
--   Changing the value of CrashOnAuditFail.
-
--   Changing audit settings on an object (for example, modifying the system access control list ([SACL](/windows/win32/secauthz/access-control-lists)) for a file or registry key).
-
-> **Note**&nbsp;&nbsp;[SACL](/windows/win32/secauthz/access-control-lists) change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
-
--   Changing anything in the Special Groups list.
-
-The following events will be enabled with Success auditing in this subcategory:
-
--   [4902](event-4902.md)(S): The Per-user audit policy table was created.
-
--   [4907](event-4907.md)(S): Auditing settings on object were changed.
-
--   [4904](event-4904.md)(S): An attempt was made to register a security event source.
-
--   [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
-
-All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting.
-
-**Events List:**
-
--   [4715](event-4715.md)(S): The audit policy (SACL) on an object was changed.
-
--   [4719](event-4719.md)(S): System audit policy was changed.
-
--   [4817](event-4817.md)(S): Auditing settings on object were changed.
-
--   [4902](event-4902.md)(S): The Per-user audit policy table was created.
-
--   [4906](event-4906.md)(S): The CrashOnAuditFail value has changed.
-
--   [4907](event-4907.md)(S): Auditing settings on object were changed.
-
--   [4908](event-4908.md)(S): Special Groups Logon table modified.
-
--   [4912](event-4912.md)(S): Per User Audit Policy was changed.
-
--   [4904](event-4904.md)(S): An attempt was made to register a security event source.
-
--   [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
deleted file mode 100644
index 7ab38720e0..0000000000
--- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: Audit Authentication Policy Change 
-description: The Advanced Security Audit policy setting, Audit Authentication Policy Change, determines if audit events are generated when authentication policy is changed.
-ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Authentication Policy Change
-
-Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy.
-
-Changes made to authentication policy include:
-
--   Creation, modification, and removal of forest and domain trusts.
-
--   Changes to Kerberos policy under Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy.
-
--   When any of the following user logon rights is granted to a user or group:
-
-    -   Access this computer from the network
-
-    -   Allow logon locally
-
-    -   Allow logon through Remote Desktop
-
-    -   Logon as a batch job
-
-    -   Logon as a service
-
--   Namespace collision, such as when an added trust collides with an existing namespace name.
-
-This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups.
-
-**Event volume**: Low.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                    |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | On domain controllers, it is important to enable Success audit for this subcategory to be able to get information related to operations with domain and forest trusts, changes in Kerberos policy and some other events included in this subcategory.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | Yes             | No              | Yes              | No               | On member servers it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.                                                            |
-| Workstation       | Yes             | No              | Yes              | No               | On workstations it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.                                                              |
-
-**Events List:**
-
--   [4670](event-4670.md)(S): Permissions on an object were changed
-
--   [4706](event-4706.md)(S): A new trust was created to a domain.
-
--   [4707](event-4707.md)(S): A trust to a domain was removed.
-
--   [4716](event-4716.md)(S): Trusted domain information was modified.
-
--   [4713](event-4713.md)(S): Kerberos policy was changed.
-
--   [4717](event-4717.md)(S): System security access was granted to an account.
-
--   [4718](event-4718.md)(S): System security access was removed from an account.
-
--   [4739](event-4739.md)(S): Domain Policy was changed.
-
--   [4864](event-4864.md)(S): A namespace collision was detected.
-
--   [4865](event-4865.md)(S): A trusted forest information entry was added.
-
--   [4866](event-4866.md)(S): A trusted forest information entry was removed.
-
--   [4867](event-4867.md)(S): A trusted forest information entry was modified.
-
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
deleted file mode 100644
index 5ad0e5fff3..0000000000
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Audit Authorization Policy Change 
-description: The policy setting, Audit Authorization Policy Change, determines if audit events are generated when specific changes are made to the authorization policy.
-ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Authorization Policy Change
-
-Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects.
-
-**Event volume**: Medium to High.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF             | No              | IF              | No               | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | IF             | No              | IF              | No               | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | IF             | No              | IF              | No               | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-
-**Events List:**
-
--   [4703](event-4703.md)(S): A user right was adjusted.
-
--   [4704](event-4704.md)(S): A user right was assigned.
-
--   [4705](event-4705.md)(S): A user right was removed.
-
--   [4670](event-4670.md)(S): Permissions on an object were changed.
-
--   [4911](event-4911.md)(S): Resource attributes of the object were changed.
-
--   [4913](event-4913.md)(S): Central Access Policy on the object was changed.
-
diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
deleted file mode 100644
index dbadfb80dd..0000000000
--- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Audit Central Access Policy Staging 
-description: The Advanced Security Audit policy setting, Audit Central Access Policy Staging, determines permissions on a Central Access Policy.
-ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Central Access Policy Staging
-
-Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object.
-
-If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows:
-
--   Success audits, when configured, record access attempts when the current central access policy grants access, but the proposed policy denies access.
-
--   Failure audits, when configured, record access attempts when:
-
-    -   The current central access policy does not grant access, but the proposed policy grants access.
-
-    -   A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                     |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | No              | IF               | No               | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | IF              | No              | IF               | No               | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | IF              | No              | IF               | No               | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-
-**Events List:**
-
--   [4818](event-4818.md)(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
deleted file mode 100644
index 1818d6abea..0000000000
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-title: Audit Certification Services 
-description: The policy setting, Audit Certification Services, decides if events are generated when Active Directory Certificate Services (ADA CS) operations are performed.
-ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Certification Services
-
-Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
-
-Examples of AD CS operations include:
-
--   AD CS starts, shuts down, is backed up, or is restored.
-
--   Certificate revocation list (CRL)-related tasks are performed.
-
--   Certificates are requested, issued, or revoked.
-
--   Certificate manager settings for AD CS are changed.
-
--   The configuration and properties of the certification authority (CA) are changed.
-
--   AD CS templates are modified.
-
--   Certificates are imported.
-
--   A CA certificate is published to Active Directory Domain Services.
-
--   Security permissions for AD CS role services are modified.
-
--   Keys are archived, imported, or retrieved.
-
--   The OCSP Responder Service is started or stopped.
-
-Monitoring these operational events is important to ensure that AD CS role services are functioning properly.
-
-**Event volume: Low to medium on servers that provide AD CS role services.**
-
-Role-specific subcategories are outside the scope of this document.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                        |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | IF              | IF               | IF               | IF – if a server has the [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
-| Member Server     | IF              | IF              | IF               | IF               | IF – if a server has the [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
-| Workstation       | No              | No              | No               | No               | [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role cannot be installed on client OS.                                                                         |
-
-- 4868: The certificate manager denied a pending certificate request.
-
-- 4869: Certificate Services received a resubmitted certificate request.
-
-- 4870: Certificate Services revoked a certificate.
-
-- 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
-
-- 4872: Certificate Services published the certificate revocation list (CRL).
-
-- 4873: A certificate request extension changed.
-
-- 4874: One or more certificate request attributes changed.
-
-- 4875: Certificate Services received a request to shut down.
-
-- 4876: Certificate Services backup started.
-
-- 4877: Certificate Services backup completed.
-
-- 4878: Certificate Services restore started.
-
-- 4879: Certificate Services restore completed.
-
-- 4880: Certificate Services started.
-
-- 4881: Certificate Services stopped.
-
-- 4882: The security permissions for Certificate Services changed.
-
-- 4883: Certificate Services retrieved an archived key.
-
-- 4884: Certificate Services imported a certificate into its database.
-
-- 4885: The audit filter for Certificate Services changed.
-
-- 4886: Certificate Services received a certificate request.
-
-- 4887: Certificate Services approved a certificate request and issued a certificate.
-
-- 4888: Certificate Services denied a certificate request.
-
-- 4889: Certificate Services set the status of a certificate request to pending.
-
-- 4890: The certificate manager settings for Certificate Services changed.
-
-- 4891: A configuration entry changed in Certificate Services.
-
-- 4892: A property of Certificate Services changed.
-
-- 4893: Certificate Services archived a key.
-
-- 4894: Certificate Services imported and archived a key.
-
-- 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
-
-- 4896: One or more rows have been deleted from the certificate database.
-
-- 4897: Role separation enabled.
-
-- 4898: Certificate Services loaded a template.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
deleted file mode 100644
index 836f66077c..0000000000
--- a/windows/security/threat-protection/auditing/audit-computer-account-management.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Audit Computer Account Management 
-description: The policy setting, Audit Computer Account Management, determines if audit events are generated when a computer account is created, changed, or deleted.
-ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Computer Account Management
-
-
-Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
-
-This policy setting is useful for tracking account-related changes to computers that are members of a domain.
-
-**Event volume**: Low on domain controllers.
-
-This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | We recommend monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It's especially important to be informed if any critical computer account objects are deleted.<br>Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object, and when the action was taken.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | No              | No              | No               | No               | This subcategory generates events only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| Workstation       | No              | No              | No               | No               | This subcategory generates events only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-
-**Events List:**
-
--   [4741](event-4741.md)(S): A computer account was created.
-
--   [4742](event-4742.md)(S): A computer account was changed.
-
--   [4743](event-4743.md)(S): A computer account was deleted.
-
diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
deleted file mode 100644
index 776717c166..0000000000
--- a/windows/security/threat-protection/auditing/audit-credential-validation.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: Audit Credential Validation 
-description: The policy setting, Audit Credential Validation, determines if audit events are generated when user account logon request credentials are submitted.
-ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Credential Validation
-
-
-Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
-
-These events occur on the computer that is authoritative for the credentials as follows:
-
--   For domain accounts, the domain controller is authoritative.
-
--   For local accounts, the local computer is authoritative.
-
-**Event volume**:
-
--   High on domain controllers.
-
--   Low on member servers and workstations.
-
-Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events.
-
-The main reason to enable this auditing subcategory is to handle local accounts authentication attempts and, for domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | Yes             | Yes              | Yes              | Expected volume of events is high for domain controllers, because this subcategory will generate events when an authentication attempt is made using any domain account and NTLM authentication. <br>IF – We recommend Success auditing to keep track of domain-account authentication events using the NTLM protocol. Expect a high volume of events. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Just collecting Success auditing events in this subcategory for future use in case of a security incident is not very useful, because events in this subcategory are not always informative.<br>We recommend Failure auditing, to collect information about failed authentication attempts using domain accounts and the NTLM authentication protocol. |
-| Member Server     | Yes             | Yes             | Yes              | Yes              | Expected volume of events is low for member servers, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| Workstation       | Yes             | Yes             | Yes              | Yes              | Expected volume of events is low for workstations, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-
-**Events List:**
-
--   [4774](event-4774.md)(S, F): An account was mapped for logon.
-
--   [4775](event-4775.md)(F): An account could not be mapped for logon.
-
--   [4776](event-4776.md)(S, F): The computer attempted to validate the credentials for an account.
-
--   [4777](event-4777.md)(F): The domain controller failed to validate the credentials for an account.
-
diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
deleted file mode 100644
index 7f07a68413..0000000000
--- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Audit Detailed Directory Service Replication 
-description: The Audit Detailed Directory Service Replication setting decides if audit events contain detailed tracking info about data replicated between domain controllers
-ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Detailed Directory Service Replication
-
-
-Audit Detailed Directory Service Replication determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
-
-This audit subcategory can be useful to diagnose replication issues.
-
-**Event volume**: These events can create a very high volume of event data on domain controllers.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                            |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | No              | IF               | IF               | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting. |
-| Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                            |
-| Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                            |
-
-**Events List:**
-
--   [4928](event-4928.md)(S, F): An Active Directory replica source naming context was established.
-
--   [4929](event-4929.md)(S, F): An Active Directory replica source naming context was removed.
-
--   [4930](event-4930.md)(S, F): An Active Directory replica source naming context was modified.
-
--   [4931](event-4931.md)(S, F): An Active Directory replica destination naming context was modified.
-
--   [4934](event-4934.md)(S): Attributes of an Active Directory object were replicated.
-
--   [4935](event-4935.md)(F): Replication failure begins.
-
--   [4936](event-4936.md)(S): Replication failure ends.
-
--   [4937](event-4937.md)(S): A lingering object was removed from a replica.
-
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
deleted file mode 100644
index 0b41ec8acd..0000000000
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Audit Detailed File Share 
-description: The Advanced Security Audit policy setting, Audit Detailed File Share, allows you to audit attempts to access files and folders on a shared folder.
-ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Detailed File Share
-
-
-Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.
-
-The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
-
-There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
-
-**Event volume**:
-
--   High on file servers.
-
--   High on domain controllers because of SYSVOL network access required by Group Policy.
-
--   Low on member servers and workstations.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | Yes             | No               | Yes              | Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share.<br>We recommend monitoring Failure access attempts: the volume shouldn't be high. You will be able to see who wasn't able to get access to a file or folder on a network share on a computer.                                                                                                                                                                                                                                                                                                                                                                                              |
-| Member Server     | IF              | Yes             | IF               | Yes              | IF – If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.<br>The volume of Failure events for member servers shouldn't be high (if they aren't File Servers). With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
-| Workstation       | IF              | Yes             | IF               | Yes              | IF – If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.<br>The volume of Failure events for workstations shouldn't be high. With Failure auditing, you can see who can't access a file or folder on a network share on this computer.                                                                                   |
-
-**Events List:**
-
--   [5145](event-5145.md)(S, F): A network share object was checked to see whether client can be granted desired access.
-
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
deleted file mode 100644
index 2a83b4b3ec..0000000000
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Audit Directory Service Access 
-description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (AD DS) object is accessed.
-ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Directory Service Access
-
-
-Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
-
-**Event volume**: High on servers running AD DS role services.
-
-This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | Yes             | No               | Yes              | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](/windows/win32/secauthz/access-control-lists) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. |
-| Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-
-**Events List:**
-
--   [4662](event-4662.md)(S, F): An operation was performed on an object.
-
--   [4661](event-4661.md)(S, F): A handle to an object was requested.
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
deleted file mode 100644
index d746cc2a12..0000000000
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Audit Directory Service Changes 
-description: The policy setting Audit Directory Service Changes determines if audit events are generated when objects in Active Directory Domain Services (AD DS) are changed
-ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Directory Service Changes
-
-
-Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
-
-Auditing of directory service objects can provide information about the old and new properties of the objects that were changed.
-
-Audit events are generated only for objects with configured system access control lists ([SACLs](/windows/win32/secauthz/access-control-lists)), and only when they are accessed in a manner that matches their [SACL](/windows/win32/secauthz/access-control-lists) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
-
-This subcategory only logs events on domain controllers.
-
-**Event volume**: High on domain controllers.
-
-This subcategory triggers events when an Active Directory object was modified, created, undeleted, moved, or deleted.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](/previous-versions/technet-magazine/ee361593(v=msdn.10)) container or Domain Admins group objects. <br>This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](/windows/win32/secauthz/access-control-lists) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-
-**Events List:**
-
--   [5136](event-5136.md)(S): A directory service object was modified.
-
--   [5137](event-5137.md)(S): A directory service object was created.
-
--   [5138](event-5138.md)(S): A directory service object was undeleted.
-
--   [5139](event-5139.md)(S): A directory service object was moved.
-
--   [5141](event-5141.md)(S): A directory service object was deleted.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
deleted file mode 100644
index c3efe2134f..0000000000
--- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: Audit Directory Service Replication 
-description: Audit Directory Service Replication is a policy setting that decides if audit events are created when replication between two domain controllers begins or ends.
-ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Directory Service Replication
-
-
-Audit Directory Service Replication determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
-
-**Event volume**: Medium on domain controllers.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                            |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | No              | IF               | IF               | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting. |
-| Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                            |
-| Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                            |
-
-**Events List:**
-
--   [4932](event-4932.md)(S): Synchronization of a replica of an Active Directory naming context has begun.
-
--   [4933](event-4933.md)(S, F): Synchronization of a replica of an Active Directory naming context has ended.
-
diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
deleted file mode 100644
index 87cfeca376..0000000000
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Audit Distribution Group Management 
-description: The policy setting, Audit Distribution Group Management, determines if audit events are generated for specific distribution-group management tasks.
-ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Distribution Group Management
-
-
-Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.
-
-This subcategory generates events only on domain controllers.
-
-**Event volume**: Low on domain controllers.
-
-This subcategory allows you to audit events generated by changes to distribution groups such as the following:
-
-- Distribution group is created, changed, or deleted.
-
-- Member is added or removed from a distribution group.
-
-If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A group’s type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | IF              | No              | IF               | No               | IF - Typically, actions related to distribution groups have low security relevance. It is much more important to monitor Security Group changes. However, if you want to monitor for critical distribution groups changes, such as if a member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically, volume of these events is low on domain controllers.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | No              | No              | No               | No               | This subcategory generates events only on domain controllers.  |
-| Workstation       | No              | No              | No               | No               | This subcategory generates events only on domain controllers.  |
-
-**Events List:**
-
-- [4749](event-4749.md)(S): A security-disabled global group was created.
-
-- [4750](event-4750.md)(S): A security-disabled global group was changed.
-
-- [4751](event-4751.md)(S): A member was added to a security-disabled global group.
-
-- [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
-
-- [4753](event-4753.md)(S): A security-disabled global group was deleted.
-
-- 4759(S): A security-disabled universal group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4759 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4760(S): A security-disabled universal group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4760 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4761(S): A member was added to a security-disabled universal group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4761 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4762(S): A member was removed from a security-disabled universal group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4762 is the same, except  it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4763(S): A security-disabled universal group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4763 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4744(S): A security-disabled local group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4744 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4745(S): A security-disabled local group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4745 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4746(S): A member was added to a security-disabled local group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4746 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4747(S): A member was removed from a security-disabled local group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4747 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4748(S): A security-disabled local group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4748 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
deleted file mode 100644
index f7a7cf3eaa..0000000000
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Audit DPAPI Activity 
-description: The policy setting, Audit DPAPI Activity, decides if encryption/decryption calls  to the data protection application interface (DPAPI) generate audit events.
-ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit DPAPI Activity
-
-
-Audit [DPAPI](/previous-versions/ms995355(v=msdn.10)) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](/previous-versions/ms995355(v=msdn.10))).
-
-**Event volume**: Low.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                     |
-|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | IF              | IF               | IF               | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. |
-| Member Server     | IF              | IF              | IF               | IF               | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. |
-| Workstation       | IF              | IF              | IF               | IF               | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. |
-
-**Events List:**
-
--   [4692](event-4692.md)(S, F): Backup of data protection master key was attempted.
-
--   [4693](event-4693.md)(S, F): Recovery of data protection master key was attempted.
-
--   [4694](event-4694.md)(S, F): Protection of auditable protected data was attempted.
-
--   [4695](event-4695.md)(S, F): Unprotection of auditable protected data was attempted.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
deleted file mode 100644
index c57ba2e002..0000000000
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Audit File Share 
-description: The Advanced Security Audit policy setting, Audit File Share, determines if the operating system generates audit events when a file share is accessed.
-ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit File Share
-
-
-Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks.
-
-There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.
-
-Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access.
-
-**Event volume**:
-
--   High on file servers.
-
--   High on domain controllers because of SYSVOL network access required by Group Policy.
-
--   Low on member servers and workstations.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                  |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing for domain controllers, because it’s important to track deletion, creation, and modification events for network shares.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
-| Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing to track deletion, creation, modification, and access attempts to network share objects.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares.                                |
-| Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing to track deletion, creation, modification and access attempts to network share objects.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares.                                 |
-
-**Events List:**
-
--   [5140](event-5140.md)(S, F): A network share object was accessed.
-
--   [5142](event-5142.md)(S): A network share object was added.
-
--   [5143](event-5143.md)(S): A network share object was modified.
-
--   [5144](event-5144.md)(S): A network share object was deleted.
-
--   [5168](event-5168.md)(F): SPN check for SMB/SMB2 failed.
-
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
deleted file mode 100644
index 689b7bd0e5..0000000000
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Audit File System 
-description: The Advanced Security Audit policy setting, Audit File System, determines if audit events are generated when users attempt to access file system objects.
-ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit File System
-
-
-> [!NOTE]
-> For more details about applicability on older operating system versions, read the article [Audit File System](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)).
-
-Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
-
-Audit events are generated only for objects that have configured system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](/windows/win32/secauthz/access-control-lists).
-
-If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL.
-
-These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring.
-
-**Event volume**: Varies, depending on how file system [SACL](/windows/win32/secauthz/access-control-lists)s are configured.
-
-No audit events are generated for the default file system [SACL](/windows/win32/secauthz/access-control-lists)s.
-
-This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations and hard link creation actions.
-
-Only one event, “[4658](event-4658.md): The handle to an object was closed,” depends on the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory (Success auditing must be enabled). All other events generate without any additional configuration.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | IF              | IF               | IF               | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](/windows/win32/secauthz/access-control-lists)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](/windows/win32/secauthz/access-control-lists)s. Otherwise the auditing log will be overloaded with useless information.<br>Failure events can show you unsuccessful attempts to access specific file system objects.<br>Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. |
-| Member Server     | IF              | IF              | IF               | IF               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| Workstation       | IF              | IF              | IF               | IF               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-
-**Events List:**
-
--   [4656](event-4656.md)(S, F): A handle to an object was requested.
-
--   [4658](event-4658.md)(S): The handle to an object was closed.
-
--   [4660](event-4660.md)(S): An object was deleted.
-
--   [4663](event-4663.md)(S): An attempt was made to access an object.
-
--   [4664](event-4664.md)(S): An attempt was made to create a hard link.
-
--   [4985](event-4985.md)(S): The state of a transaction has changed.
-
--   [5051](event-5051.md)(-): A file was virtualized.
-
--   [4670](event-4670.md)(S): Permissions on an object were changed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
deleted file mode 100644
index 8393e5be1c..0000000000
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Audit Filtering Platform Connection 
-description: The policy setting, Audit Filtering Platform Connection, decides if audit events are generated when connections are allow/blocked by Windows Filtering Platform.
-ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Filtering Platform Connection
-
-
-Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page).
-
-Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
-
-This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked and allowed port bindings, blocked and allowed port listening actions, and blocked to accept incoming connections applications.
-
-**Event volume**: High.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | Yes             | IF               | Yes              | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
-| Member Server     | No              | Yes             | IF               | Yes              | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
-| Workstation       | No              | Yes             | IF               | Yes              | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
-
-**Events List:**
-
--   [5031](event-5031.md)(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
-
--   [5150](event-5150.md)(-): The Windows Filtering Platform blocked a packet.
-
--   [5151](event-5151.md)(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
-
--   [5154](event-5154.md)(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
-
--   [5155](event-5155.md)(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
-
--   [5156](event-5156.md)(S): The Windows Filtering Platform has permitted a connection.
-
--   [5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection.
-
--   [5158](event-5158.md)(S): The Windows Filtering Platform has permitted a bind to a local port.
-
--   [5159](event-5159.md)(F): The Windows Filtering Platform has blocked a bind to a local port.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
deleted file mode 100644
index 9c77101ee8..0000000000
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Audit Filtering Platform Packet Drop 
-description: The policy setting, Audit Filtering Platform Packet Drop, determines if audit events are generated when packets are dropped by the Windows Filtering Platform.
-ms.assetid: 95457601-68d1-4385-af20-87916ddab906
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Filtering Platform Packet Drop
-
-
-Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page).
-
-Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
-
-A high rate of dropped packets *may* indicate that there have been attempts to gain unauthorized access to computers on your network.
-
-**Event volume**: High.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | No              | No               | No               | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
-| Member Server     | No              | No              | No               | No               | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
-| Workstation       | No              | No              | No               | No               | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
-
-**Events List:**
-
--   [5152](event-5152.md)(F): The Windows Filtering Platform blocked a packet.
-
--   [5153](event-5153.md)(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
deleted file mode 100644
index 9ab9af405b..0000000000
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: Audit Filtering Platform Policy Change 
-description: The policy setting, Audit Filtering Platform Policy Change, determines if audit events are generated for certain IPsec and Windows Filtering Platform actions.
-ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Filtering Platform Policy Change
-
-
-Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) (WFP), such as the following:
-
-- IPsec services status.
-
-- Changes to IPsec policy settings.
-
-- Changes to Windows Filtering Platform Base Filtering Engine policy settings.
-
-- Changes to WFP providers and engine.
-
-Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
-
-- 4709(S): IPsec Services was started.
-
-- 4710(S): IPsec Services was disabled.
-
-- 4711(S): May contain any one of the following: 
-
-- 4712(F): IPsec Services encountered a potentially serious failure.
-
-- 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
-
-- 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
-
-- 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
-
-- 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
-
-- 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
-
-- 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
-
-- 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
-
-- 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
-
-- 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
-
-- 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
-
-- 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
-
-- 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
-
-- 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
-
-- 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
-
-- 5446(S): A Windows Filtering Platform callout has been changed.
-
-- 5448(S): A Windows Filtering Platform provider has been changed.
-
-- 5449(S): A Windows Filtering Platform provider context has been changed.
-
-- 5450(S): A Windows Filtering Platform sub-layer has been changed.
-
-- 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
-
-- 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
-
-- 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
-
-- 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
-
-- 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
-
-- 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
-
-- 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
-
-- 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
-
-- 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
-
-- 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
-
-- 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
-
-- 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
-
-- 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
-
-- 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
-
-- 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
-
-- 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
-
-- 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
-
-- 5477(F): PAStore Engine failed to add quick mode filter.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
deleted file mode 100644
index 771769f0be..0000000000
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Audit Group Membership 
-description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC.
-ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Group Membership
-
-
-By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer.
-
-This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created.
-
-For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
-
-You must also enable the [Audit Logon](audit-logon.md) subcategory.
-
-Multiple events are generated if the group membership information cannot fit in a single security audit event
-
-**Event volume**:
-
-- Low on a client computer.
-
-- Medium on a domain controller or network servers.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
-| Member Server     | Yes             | No              | Yes              | No               | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
-| Workstation       | Yes             | No              | Yes              | No               | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
-
-**Events List:**
-
--   [4627](event-4627.md)(S): Group membership information.
-
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
deleted file mode 100644
index 2452d552c4..0000000000
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Audit Handle Manipulation 
-description: The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed.
-ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Handle Manipulation
-
-
-Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows object’s handle duplication and close actions.
-
-**Event volume**: High.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | No              | No              | No               | No               | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |
-| Member Server     | No              | No              | No               | No               | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |
-| Workstation       | No              | No              | No               | No               | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |
-
-**Events List:**
-
-- [4658](event-4658.md)(S): The handle to an object was closed.
-
-- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
-
-- 4658(S): The handle to an object was closed. For a description of the event, see _[4658](event-4658.md)(S): The handle to an object was closed._ in the Audit File System subcategory. This event doesn’t generate in the Audit Handle Manipulation subcategory, but you can use this subcategory to enable it.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
deleted file mode 100644
index 20882eebbc..0000000000
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Audit IPsec Driver 
-description: The Advanced Security Audit policy setting, Audit IPsec Driver, determines if audit events are generated for the activities of the IPsec driver.
-ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit IPsec Driver
-
-
-Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:
-
--   Startup and shutdown of the IPsec services.
-
--   Network packets dropped due to integrity check failure.
-
--   Network packets dropped due to replay check failure.
-
--   Network packets dropped due to being in plaintext.
-
--   Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated.
-
--   Inability to process IPsec filters.
-
-A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems.
-
-Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. This subcategory is outside the scope of this document.
-
-**Event volume:** Medium
-
-**Default:** Not configured
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                  |
-|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
-| Member Server     | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
-| Workstation       | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
-
-**Events List:**
-
-- 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
-
-- 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
-
-- 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
-
-- 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
-
-- 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
-
-- 5478(S): IPsec Services has started successfully.
-
-- 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
-
-- 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
-
-- 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
-
-- 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
-
-- 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
deleted file mode 100644
index 45b5d1ef63..0000000000
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Audit IPsec Extended Mode 
-description: The setting, Audit IPsec Extended Mode, determines if audit events are generated for the results of IKE protocol and AuthIP during Extended Mode negotiations.
-ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit IPsec Extended Mode
-
-
-Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
-
-Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
-| Member Server     | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
-| Workstation       | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
-
-- 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
-
-- 4979(S): IPsec Main Mode and Extended Mode security associations were established.
-
-- 4980(S): IPsec Main Mode and Extended Mode security associations were established.
-
-- 4981(S): IPsec Main Mode and Extended Mode security associations were established.
-
-- 4982(S): IPsec Main Mode and Extended Mode security associations were established.
-
-- 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
-
-- 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
deleted file mode 100644
index f1c660e1e8..0000000000
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Audit IPsec Main Mode 
-description: Learn about the policy setting, Audit IPsec Main Mode, which determines if the results of certain protocols generate events during Main Mode negotiations.
-ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit IPsec Main Mode
-
-
-Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
-
-Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
-| Member Server     | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
-| Workstation       | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
-
-- 4646(S): Security ID: %1
-
-- 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
-
-- 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
-
-- 4652(F): An IPsec Main Mode negotiation failed.
-
-- 4653(F): An IPsec Main Mode negotiation failed.
-
-- 4655(S): An IPsec Main Mode security association ended.
-
-- 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
-
-- 5049(S): An IPsec Security Association was deleted.
-
-- 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
deleted file mode 100644
index c456fc1f21..0000000000
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: Audit IPsec Quick Mode 
-description: The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for the results of the IKE protocol and AuthIP during Quick Mode negotiations.
-ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit IPsec Quick Mode
-
-
-Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
-
-Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
-| Member Server     | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
-| Workstation       | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
-
-- 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
-
-- 5451(S): An IPsec Quick Mode security association was established.
-
-- 5452(S): An IPsec Quick Mode security association ended.
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
deleted file mode 100644
index 6ec1fcf9e4..0000000000
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Audit Kerberos Authentication Service 
-description: The policy setting Audit Kerberos Authentication Service decides if audit events are generated for Kerberos authentication ticket-granting ticket (TGT) requests
-ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Kerberos Authentication Service
-
-
-Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
-
-If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts.
-
-**Event volume**: High on Kerberos Key Distribution Center servers.
-
-This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed Pre-Authentications, due to wrong user password or when the user’s password has expired.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing, because you will see all Kerberos Authentication requests (TGT requests), which are a part of domain account logons. Also, you can see the IP address from which this account requested a TGT, when TGT was requested, which encryption type was used and so on.<br>We recommend Failure auditing, because you will see all failed requests with wrong password, username, revoked certificate, and so on. You will also be able to detect Kerberos issues or possible attack attempts. <br>Expected volume is high on domain controllers. |
-| Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-
-**Events List:**
-
--   [4768](event-4768.md)(S, F): A Kerberos authentication ticket (TGT) was requested.
-
--   [4771](event-4771.md)(F): Kerberos pre-authentication failed.
-
--   [4772](event-4772.md)(F): A Kerberos authentication ticket request failed.
-
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
deleted file mode 100644
index 2d13eeaf23..0000000000
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Audit Kerberos Service Ticket Operations 
-description: The policy setting, Audit Kerberos Service Ticket Operations, determines if security audit events are generated for Kerberos service ticket requests.
-ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Kerberos Service Ticket Operations
-
-
-Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests.
-
-Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity.
-
-**Event volume**: Very High on Kerberos Key Distribution Center servers.
-
-This subcategory contains events about issued TGSs and failed TGS requests.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | Yes             | Yes              | Yes              | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).<br /><br />We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
-| Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-
-**Events List:**
-
--   [4769](event-4769.md)(S, F): A Kerberos service ticket was requested.
-
--   [4770](event-4770.md)(S): A Kerberos service ticket was renewed.
-
--   [4773](event-4773.md)(F): A Kerberos service ticket request failed.
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
deleted file mode 100644
index ae38545e9f..0000000000
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Audit Kernel Object 
-description: The policy setting, Audit Kernel Object, decides if user attempts to access the system kernel (which includes mutexes and semaphores) generate audit events.
-ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Kernel Object
-
-
-Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
-
-Only kernel objects with a matching system access control list ([SACL](/windows/win32/secauthz/access-control-lists)) generate security audit events. The audits generated are usually useful only to developers.
-
-Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.
-
-The “[Audit: Audit the access of global system objects](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852233(v=ws.11))” policy setting controls the default SACL of kernel objects.
-
-**Event volume**: High.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                               |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | No              | No               | No               | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
-| Member Server     | No              | No              | No               | No               | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
-| Workstation       | No              | No              | No               | No               | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
-
-**Events List:**
-
--   [4656](event-4656.md)(S, F): A handle to an object was requested.
-
--   [4658](event-4658.md)(S): The handle to an object was closed.
-
--   [4660](event-4660.md)(S): An object was deleted.
-
--   [4663](event-4663.md)(S): An attempt was made to access an object.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
deleted file mode 100644
index 0525d84b24..0000000000
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Audit Logoff 
-description: The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated.
-ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Logoff
-
-
-Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.
-
-These events occur on the computer that was accessed. For an interactive logon, these events are generated on the computer that was logged on to.
-
-There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
-
-Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated.
-
-**Event volume**: High.
-
-This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff, the security audit event is generated on the computer that the user account logged on to.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-
-**Events List:**
-
--   [4634](event-4634.md)(S): An account was logged off.
-
--   [4647](event-4647.md)(S): User initiated logoff.
-
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
deleted file mode 100644
index 1437ead2f9..0000000000
--- a/windows/security/threat-protection/auditing/audit-logon.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Audit Logon 
-description: The Advanced Security Audit policy setting, Audit Logon, determines if audit events are generated when a user attempts to log on to a computer.
-ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Logon
-
-
-Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer.
-
-These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed.
-
-The following events are recorded:
-
--   Logon success and failure.
-
--   Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the **RunAs** command.
-
--   Security identifiers (SIDs) are filtered.
-
-Logon events are essential to tracking user activity and detecting potential attacks.
-
-**Event volume**:
-
--   Low on a client computer.
-
--   Medium on a domain controllers or network servers.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                          |
-|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | Yes             | Yes              | Yes              | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
-| Member Server     | Yes             | Yes             | Yes              | Yes              | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
-| Workstation       | Yes             | Yes             | Yes              | Yes              | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
-
-**Events List:**
-
--   [4624](event-4624.md)(S): An account was successfully logged on.
-
--   [4625](event-4625.md)(F): An account failed to log on.
-
--   [4648](event-4648.md)(S): A logon was attempted using explicit credentials.
-
--   [4675](event-4675.md)(S): SIDs were filtered.
-
diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
deleted file mode 100644
index d00998a052..0000000000
--- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Audit MPSSVC Rule-Level Policy Change 
-description: Audit MPSSVC Rule-Level Policy Change determines if audit events are generated when policy rules are altered for the Microsoft Protection Service (MPSSVC.exe).
-ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit MPSSVC Rule-Level Policy Change
-
-
-Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
-
-The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer’s threat protection against malware. The tracked activities include:
-
--   Active policies when the Windows Firewall service starts.
-
--   Changes to Windows Firewall rules.
-
--   Changes to the Windows Firewall exception list.
-
--   Changes to Windows Firewall settings.
-
--   Rules ignored or not applied by the Windows Firewall service.
-
--   Changes to Windows Firewall Group Policy settings.
-
-Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.
-
-**Event volume**: Medium.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                               |
-|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | Yes             | Yes              | Yes              | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
-| Member Server     | Yes             | Yes             | Yes              | Yes              | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
-| Workstation       | Yes             | Yes             | Yes              | Yes              | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
-
-**Events List:**
-
--   [4944](event-4944.md)(S): The following policy was active when the Windows Firewall started.
-
--   [4945](event-4945.md)(S): A rule was listed when the Windows Firewall started.
-
--   [4946](event-4946.md)(S): A change has been made to Windows Firewall exception list. A rule was added.
-
--   [4947](event-4947.md)(S): A change has been made to Windows Firewall exception list. A rule was modified.
-
--   [4948](event-4948.md)(S): A change has been made to Windows Firewall exception list. A rule was deleted.
-
--   [4949](event-4949.md)(S): Windows Firewall settings were restored to the default values.
-
--   [4950](event-4950.md)(S): A Windows Firewall setting has changed.
-
--   [4951](event-4951.md)(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
-
--   [4952](event-4952.md)(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
-
--   [4953](event-4953.md)(F): A rule has been ignored by Windows Firewall because it could not parse the rule.
-
--   [4954](event-4954.md)(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
-
--   [4956](event-4956.md)(S): Windows Firewall has changed the active profile.
-
--   [4957](event-4957.md)(F): Windows Firewall did not apply the following rule:
-
--   [4958](event-4958.md)(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
-
diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
deleted file mode 100644
index 9af80769b0..0000000000
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Audit Network Policy Server 
-description: The policy setting, Audit Network Policy Server, determines if audit events are generated for RADIUS (IAS) and NAP activity on user access requests.
-ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Network Policy Server
-
-
-Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
-
-If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
-
-This subcategory generates events only if NAS or IAS role is installed on the server.
-
-NAP events can be used to help understand the overall health of the network.
-
-**Event volume**: Medium to High on servers that are running [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS).
-
-Role-specific subcategories are outside the scope of this document.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | IF              | IF              | IF               | IF               | IF – if a server has the [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
-| Member Server     | IF              | IF              | IF               | IF               | IF – if a server has the [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
-| Workstation       | No              | No              | No               | No               | [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role cannot be installed on client OS. |
-
-- 6272: Network Policy Server granted access to a user.
-
-- 6273: Network Policy Server denied access to a user.
-
-- 6274: Network Policy Server discarded the request for a user.
-
-- 6275: Network Policy Server discarded the accounting request for a user.
-
-- 6276: Network Policy Server quarantined a user.
-
-- 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
-
-- 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
-
-- 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
-
-- 6280: Network Policy Server unlocked the user account.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
deleted file mode 100644
index 937e8bc34c..0000000000
--- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: Audit Non-Sensitive Privilege Use 
-description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
-ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Non-Sensitive Privilege Use
-
-
-Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
-
--   Access Credential Manager as a trusted caller
-
--   Add workstations to domain
-
--   Adjust memory quotas for a process
-
--   Bypass traverse checking
-
--   Change the system time
-
--   Change the time zone
-
--   Create a page file
-
--   Create global objects
-
--   Create permanent shared objects
-
--   Create symbolic links
-
--   Force shutdown from a remote system
-
--   Increase a process working set
-
--   Increase scheduling priority
-
--   Lock pages in memory
-
--   Modify an object label
-
--   Perform volume maintenance tasks
-
--   Profile single process
-
--   Profile system performance
-
--   Remove computer from docking station
-
--   Shut down the system
-
--   Synchronize directory service data
-
-This subcategory also contains informational events from filesystem Transaction Manager.
-
-If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts.
-
-**Event volume**: Very High.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                            |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | IF              | No               | IF               | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
-| Member Server     | No              | IF              | No               | IF               | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
-| Workstation       | No              | IF              | No               | IF               | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
-
-**Events List:**
-
--   [4673](event-4673.md)(S, F): A privileged service was called.
-
--   [4674](event-4674.md)(S, F): An operation was attempted on a privileged object.
-
--   [4985](event-4985.md)(S): The state of a transaction has changed.
-
-
-
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
deleted file mode 100644
index 9b973c0b7b..0000000000
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: Audit Other Account Logon Events 
-description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons.
-ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Other Account Logon Events
-
-**General Subcategory Information:**
-
-This auditing subcategory does not contain any events. It is intended for future use.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                   |
-|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | No              | No               | No               | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
-| Member Server     | No              | No              | No               | No               | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
-| Workstation       | No              | No              | No               | No               | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
-
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
deleted file mode 100644
index 670cf6612d..0000000000
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Audit Other Account Management Events 
-description: The Advanced Security Audit policy setting, Audit Other Account Management Events, determines if user account management audit events are generated.
-ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Other Account Management Events
-
-
-Audit Other Account Management Events determines whether the operating system generates user account management audit events.
-
-**Event volume:** Typically Low on all types of computers.
-
-This subcategory allows you to audit next events:
-
--   The password hash of a user account was accessed. This happens during an Active Directory Management Tool password migration.
-
--   The Password Policy Checking API was called. Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                          |
-|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash of an account was accessed.”<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.                                                             |
-| Member Server     | No              | No              | No               | No               | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | No              | No              | No               | No               | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.   |
-
-**Events List:**
-
--   [4782](event-4782.md)(S): The password hash of an account was accessed.
-
--   [4793](event-4793.md)(S): The Password Policy Checking API was called.
-
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
deleted file mode 100644
index 86e40c99ae..0000000000
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Audit Other Logon/Logoff Events 
-description: The Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, determines if Windows generates audit events for other logon or logoff events.
-ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Other Logon/Logoff Events
-
-
-Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events.
-
-These other logon or logoff events include:
-
--   A Remote Desktop session connects or disconnects.
-
--   A workstation is locked or unlocked.
-
--   A screen saver is invoked or dismissed.
-
--   A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.
-
--   A user is granted access to a wireless network. It can be either a user account or the computer account.
-
--   A user is granted access to a wired 802.1x network. It can be either a user account or the computer account.
-
-Logon events are essential to understanding user activity and detecting potential attacks.
-
-**Event volume**: Low.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
-| Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events.                          |
-| Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events.                          |
-
-**Events List:**
-
--   [4649](event-4649.md)(S): A replay attack was detected.
-
--   [4778](event-4778.md)(S): A session was reconnected to a Window Station.
-
--   [4779](event-4779.md)(S): A session was disconnected from a Window Station.
-
--   [4800](event-4800.md)(S): The workstation was locked.
-
--   [4801](event-4801.md)(S): The workstation was unlocked.
-
--   [4802](event-4802.md)(S): The screen saver was invoked.
-
--   [4803](event-4803.md)(S): The screen saver was dismissed.
-
--   [5378](event-5378.md)(F): The requested credentials delegation was disallowed by policy.
-
--   [5632](event-5632.md)(S): A request was made to authenticate to a wireless network.
-
--   [5633](event-5633.md)(S): A request was made to authenticate to a wired network.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
deleted file mode 100644
index 5807ad6849..0000000000
--- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Audit Other Object Access Events 
-description: The policy setting, Audit Other Object Access Events, determines if audit events are generated for the management of Task Scheduler jobs or COM+ objects.
-ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Other Object Access Events
-
-
-Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests.
-
-**Event volume**: Low.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                           |
-|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICMP DoS attack. |
-| Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICMP DoS attack. |
-| Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICMP DoS attack. |
-
-**Events List:**
-
--   [4671](event-4671.md)(-): An application attempted to access a blocked ordinal through the TBS.
-
--   [4691](event-4691.md)(S): Indirect access to an object was requested.
-
--   [5148](event-5148.md)(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
-
--   [5149](event-5149.md)(F): The DoS attack has subsided and normal processing is being resumed.
-
--   [4698](event-4698.md)(S): A scheduled task was created.
-
--   [4699](event-4699.md)(S): A scheduled task was deleted.
-
--   [4700](event-4700.md)(S): A scheduled task was enabled.
-
--   [4701](event-4701.md)(S): A scheduled task was disabled.
-
--   [4702](event-4702.md)(S): A scheduled task was updated.
-
--   [5888](event-5888.md)(S): An object in the COM+ Catalog was modified.
-
--   [5889](event-5889.md)(S): An object was deleted from the COM+ Catalog.
-
--   [5890](event-5890.md)(S): An object was added to the COM+ Catalog.
-
diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
deleted file mode 100644
index b05830fca8..0000000000
--- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Audit Other Policy Change Events 
-description: The policy setting, Audit Other Policy Change Events, determines if audit events are generated for security policy changes that are not otherwise audited.
-ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Other Policy Change Events
-
-
-Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.
-
-**Event volume**: Low.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | Yes             | IF               | Yes              | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
-| Member Server     | IF              | Yes             | IF               | Yes              | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
-| Workstation       | IF              | Yes             | IF               | Yes              | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
-
-**Events List:**
-
--   [4714](event-4714.md)(S): Encrypted data recovery policy was changed.
-
--   [4819](event-4819.md)(S): Central Access Policies on the machine have been changed.
-
--   [4826](event-4826.md)(S): Boot Configuration Data loaded.
-
--   [4909](event-4909.md)(-): The local policy settings for the TBS were changed.
-
--   [4910](event-4910.md)(-): The group policy settings for the TBS were changed.
-
--   [5063](event-5063.md)(S, F): A cryptographic provider operation was attempted.
-
--   [5064](event-5064.md)(S, F): A cryptographic context operation was attempted.
-
--   [5065](event-5065.md)(S, F): A cryptographic context modification was attempted.
-
--   [5066](event-5066.md)(S, F): A cryptographic function operation was attempted.
-
--   [5067](event-5067.md)(S, F): A cryptographic function modification was attempted.
-
--   [5068](event-5068.md)(S, F): A cryptographic function provider operation was attempted.
-
--   [5069](event-5069.md)(S, F): A cryptographic function property operation was attempted.
-
--   [5070](event-5070.md)(S, F): A cryptographic function property modification was attempted.
-
--   [5447](event-5447.md)(S): A Windows Filtering Platform filter has been changed.
-
--   [6144](event-6144.md)(S): Security policy in the group policy objects has been applied successfully.
-
--   [6145](event-6145.md)(F): One or more errors occurred while processing security policy in the group policy objects.
-
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
deleted file mode 100644
index 123145fdaf..0000000000
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Audit Other Privilege Use Events 
-description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
-ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Other Privilege Use Events
-
-
-This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985).
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                              |
-|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------|
-| Domain Controller | No              | No              | No               | No               | This auditing subcategory doesn’t have any informative events inside. |
-| Member Server     | No              | No              | No               | No               | This auditing subcategory doesn’t have any informative events inside. |
-| Workstation       | No              | No              | No               | No               | This auditing subcategory doesn’t have any informative events inside. |
-
-**Events List:**
-
--   [4985](event-4985.md)(S): The state of a transaction has changed.
-
-
diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
deleted file mode 100644
index 5472834fd9..0000000000
--- a/windows/security/threat-protection/auditing/audit-other-system-events.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Audit Other System Events 
-description: The Advanced Security Audit policy setting, Audit Other System Events, determines if the operating system audits various system events.
-ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Other System Events
-
- 
-Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures.
-
-Audit Other System Events determines whether the operating system audits various system events.
-
-The system events in this category include:
-
--   Startup and shutdown of the Windows Firewall service and driver.
-
--   Security policy processing by the Windows Firewall service.
-
--   Cryptography key file and migration operations.
-
--   BranchCache events.
-
-**Event volume**: Low.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                               |
-|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
-| Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
-| Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
-
-**Events List:**
-
--   [5024](event-5024.md)(S): The Windows Firewall Service has started successfully.
-
--   [5025](event-5025.md)(S): The Windows Firewall Service has been stopped.
-
--   [5027](event-5027.md)(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
-
--   [5028](event-5028.md)(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
-
--   [5029](event-5029.md)(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
-
--   [5030](event-5030.md)(F): The Windows Firewall Service failed to start.
-
--   [5032](event-5032.md)(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
-
--   [5033](event-5033.md)(S): The Windows Firewall Driver has started successfully.
-
--   [5034](event-5034.md)(S): The Windows Firewall Driver was stopped.
-
--   [5035](event-5035.md)(F): The Windows Firewall Driver failed to start.
-
--   [5037](event-5037.md)(F): The Windows Firewall Driver detected critical runtime error. Terminating.
-
--   [5058](event-5058.md)(S, F): Key file operation.
-
--   [5059](event-5059.md)(S, F): Key migration operation.
-
--   [6400](event-6400.md)(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
-
--   [6401](event-6401.md)(-): BranchCache: Received invalid data from a peer. Data discarded.
-
--   [6402](event-6402.md)(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
-
--   [6403](event-6403.md)(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
-
--   [6404](event-6404.md)(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
-
--   [6405](event-6405.md)(-): BranchCache: %2 instance(s) of event id %1 occurred.
-
--   [6406](event-6406.md)(-): %1 registered to Windows Firewall to control filtering for the following: %2
-
--   [6407](event-6407.md)(-): 1%
-
--   [6408](event-6408.md)(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2
-
--   [6409](event-6408.md)(-): BranchCache: A service connection point object could not be parsed.
-
diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md
deleted file mode 100644
index bd82df1b1e..0000000000
--- a/windows/security/threat-protection/auditing/audit-pnp-activity.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Audit PNP Activity 
-description: The advanced security audit policy setting, Audit PNP Activity, determines when plug and play detects an external device.
-ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit PNP Activity
-
-
-Audit PNP Activity determines when Plug and Play detects an external device.
-
-A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.
-
-**Event volume**: Varies, depending on how the computer is used. Typically Low.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | Yes             | No              | Yes              | No               | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.   |
-| Workstation       | Yes             | No              | Yes              | No               | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.    |
-
-**Events List:**
-
--   [6416](event-6416.md)(S): A new external device was recognized by the System
-
--   [6419](event-6419.md)(S): A request was made to disable a device
-
--   [6420](event-6420.md)(S): A device was disabled.
-
--   [6421](event-6421.md)(S): A request was made to enable a device.
-
--   [6422](event-6422.md)(S): A device was enabled.
-
--   [6423](event-6423.md)(S): The installation of this device is forbidden by system policy.
-
--   [6424](event-6424.md)(S): The installation of this device was allowed, after having previously been forbidden by policy.
-
diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md
deleted file mode 100644
index c19e613f2c..0000000000
--- a/windows/security/threat-protection/auditing/audit-process-creation.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Audit Process Creation 
-description: The Advanced Security Audit policy setting, Audit Process Creation, determines if audit events are generated when a process is created (starts).
-ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 03/16/2022
-ms.topic: reference
----
-
-# Audit Process Creation
-
-
-Audit Process Creation determines whether the operating system generates audit events when a process is created (starts).
-
-These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process.
-
-**Event volume**: Medium to High, depending on the process activity on the computer.
-
-This subcategory allows you to audit events generated when a process is created or starts. The name of the application and user that created the process is also audited.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | Yes             | No              | Yes              | No               | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | Yes             | No              | Yes              | No               | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-
-**Events List:**
-
--   [4688](event-4688.md)(S): A new process has been created.
-
--   [4696](event-4696.md)(S): A primary token was assigned to process.
-
diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md
deleted file mode 100644
index 0ecd8f1351..0000000000
--- a/windows/security/threat-protection/auditing/audit-process-termination.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Audit Process Termination 
-description: The Advanced Security Audit policy setting, Audit Process Termination, determines if audit events are generated when an attempt is made to end a process.
-ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Process Termination
-
-
-Audit Process Termination determines whether the operating system generates audit events when process has exited.
-
-Success audits record successful attempts and Failure audits record unsuccessful attempts.
-
-This policy setting can help you track user activity and understand how the computer is used.
-
-**Event volume**: Low to Medium, depending on system usage.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | No              | IF               | No               | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | No              | No              | IF               | No               | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | No              | No              | IF               | No               | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-
-**Events List:**
-
--   [4689](event-4689.md)(S): A process has exited.
-
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
deleted file mode 100644
index a4cea25938..0000000000
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Audit Registry 
-description: The Advanced Security Audit policy setting, Audit Registry, determines if audit events are generated when users attempt to access registry objects.
-ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 01/05/2021
-ms.topic: reference
----
-
-# Audit Registry
-
-
-Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
-
-If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL.
-
-**Event volume**: Low to Medium, depending on how registry SACLs are configured.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | IF              | IF               | IF               | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](/windows/win32/secauthz/access-control-lists)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](/windows/win32/secauthz/access-control-lists)s. Otherwise the auditing log will be overloaded with useless information.<br>Failure events can show you unsuccessful attempts to access specific registry objects.<br>Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. |
-| Member Server     | IF              | IF              | IF               | IF               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| Workstation       | IF              | IF              | IF               | IF               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-
-**Events List:**
-
--   [4663](event-4663.md)(S): An attempt was made to access an object.
-
--   [4656](event-4656.md)(S, F): A handle to an object was requested.
-
--   [4658](event-4658.md)(S): The handle to an object was closed.
-
--   [4660](event-4660.md)(S): An object was deleted.
-
--   [4657](event-4657.md)(S): A registry value was modified.
-
--   [5039](event-5039.md)(-): A registry key was virtualized.
-
--   [4670](event-4670.md)(S): Permissions on an object were changed.
-
-
-> [!NOTE]
-> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". This behavior is expected only on later versions of the operating system (Windows 11, Windows Server 2022, and later). On previous versions, 4656 events are not generated during subkey creation.
->
-> Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. 
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
deleted file mode 100644
index 5ef92d1b38..0000000000
--- a/windows/security/threat-protection/auditing/audit-removable-storage.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: Audit Removable Storage 
-description: The Advanced Security Audit policy setting, Audit Removable Storage, determines when there is a read or a write to a removable drive.
-ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Removable Storage
-
-
-Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](/windows/win32/secauthz/access-control-lists).
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | Yes             | Yes              | Yes              | This subcategory will help identify when and which files or folders were accessed or modified on removable devices.<br>It is often useful to track actions with removable storage devices and the files or folders on them, because malicious software very often uses removable devices as a method to get into the system. At the same time, you will be able to track which files were written or executed from a removable storage device.<br>You can track, for example, actions with files or folders on USB flash drives or sticks that were inserted into domain controllers or high value servers, which is typically not allowed. <br>We recommend Failure auditing to track failed access attempts. |
-| Member Server     | Yes             | Yes             | Yes              | Yes              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| Workstation       | Yes             | Yes             | Yes              | Yes              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-
-**Events List:**
-
--   [4656](event-4656.md)(S, F): A handle to an object was requested.
-
--   [4658](event-4658.md)(S): The handle to an object was closed.
-
--   [4663](event-4663.md)(S): An attempt was made to access an object.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md
deleted file mode 100644
index b5dd671672..0000000000
--- a/windows/security/threat-protection/auditing/audit-rpc-events.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: Audit RPC Events 
-description: Audit RPC Events is an audit policy setting that determines if audit events are generated when inbound remote procedure call (RPC) connections are made.
-ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit RPC Events
-
-
-Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                 |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------|
-| Domain Controller | No              | No              | No               | No               | Events in this subcategory occur rarely. |
-| Member Server     | No              | No              | No               | No               | Events in this subcategory occur rarely. |
-| Workstation       | No              | No              | No               | No               | Events in this subcategory occur rarely. |
-
-**Events List:**
-
--   [5712](event-5712.md)(S): A Remote Procedure Call (RPC) was attempted.
-
diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
deleted file mode 100644
index c0253c800f..0000000000
--- a/windows/security/threat-protection/auditing/audit-sam.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Audit SAM 
-description: The Advanced Security Audit policy setting, Audit SAM, enables you to audit events generated by attempts to access Security Account Manager (SAM) objects.
-ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit SAM
-
-
-Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))) objects.
-
-The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.
-
--   SAM objects include the following:
-
--   SAM\_ALIAS: A local group
-
--   SAM\_GROUP: A group that is not a local group
-
--   SAM\_USER: A user account
-
--   SAM\_DOMAIN: A domain
-
--   SAM\_SERVER: A computer account
-
-If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.
-
-Only a [SACL](/windows/win32/secauthz/access-control-lists) for SAM\_SERVER can be modified.
-
-Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.
-
-**Event volume**: High on domain controllers.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                    |
-|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
-| Member Server     | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
-| Workstation       | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
-
-**Events List:**
-
--   [4661](event-4661.md)(S, F): A handle to an object was requested.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
deleted file mode 100644
index ce479065a5..0000000000
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: Audit Security Group Management 
-description: The policy setting, Audit Security Group Management, determines if audit events are generated when specific security group management tasks are performed.
-ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Security Group Management
-
-
-Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.
-
-**Event volume**: Low.
-
-This subcategory allows you to audit events generated by changes to security groups such as the following:
-
-- Security group is created, changed, or deleted.
-
-- Member is added or removed from a security group.
-
-- Group type is changed.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-
-**Events List:**
-
-- [4731](event-4731.md)(S): A security-enabled local group was created.
-
-- [4732](event-4732.md)(S): A member was added to a security-enabled local group.
-
-- [4733](event-4733.md)(S): A member was removed from a security-enabled local group.
-
-- [4734](event-4734.md)(S): A security-enabled local group was deleted.
-
-- [4735](event-4735.md)(S): A security-enabled local group was changed.
-
-- [4764](event-4764.md)(S): A group’s type was changed.
-
-- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.
-
-- 4727(S): A security-enabled global group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-  > [!IMPORTANT]
-  > Event 4727(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
-
-- 4737(S): A security-enabled global group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-  > [!IMPORTANT]
-  > Event 4737(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
-
-- 4728(S): A member was added to a security-enabled global group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-  > [!IMPORTANT]
-  > Event 4728(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
-
-- 4729(S): A member was removed from a security-enabled global group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-  > [!IMPORTANT]
-  > Event 4729(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
-
-- 4730(S): A security-enabled global group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-  > [!IMPORTANT]
-  > Event 4730(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
-
-- 4754(S): A security-enabled universal group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-  > [!IMPORTANT]
-  > Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
-
-- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4755 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-  > [!IMPORTANT]
-  > Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
-
-- 4756(S): A member was added to a security-enabled universal group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-  > [!IMPORTANT]
-  > Event 4756(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
-
-- 4757(S): A member was removed from a security-enabled universal group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-  > [!IMPORTANT]
-  > Event 4757(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
-
-- 4758(S): A security-enabled universal group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-  >[!IMPORTANT]
-  > Event 4758(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md
deleted file mode 100644
index c1a71e863e..0000000000
--- a/windows/security/threat-protection/auditing/audit-security-state-change.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Audit Security State Change 
-description: The policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
-ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Security State Change
-
-
-Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time.
-
-**Event volume**: Low.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                      |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | Yes             | No              | Yes              | No               | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | Yes             | No              | Yes              | No               | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-
-**Events List:**
-
--   [4608](event-4608.md)(S): Windows is starting up.
-
--   [4616](event-4616.md)(S): The system time was changed.
-
--   [4621](event-4621.md)(S): Administrator recovered system from CrashOnAuditFail.
-
->[!NOTE]
->Event **4609(S): Windows is shutting down** doesn't currently generate. It is a defined event, but it is never invoked by the operating system.
-
diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md
deleted file mode 100644
index a058f09795..0000000000
--- a/windows/security/threat-protection/auditing/audit-security-system-extension.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Audit Security System Extension 
-description: The Advanced Security Audit policy setting, Audit Security System Extension, determines if audit events related to security system extensions are generated.
-ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Security System Extension
-
-
-Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events.
-
-Changes to security system extensions in the operating system include the following activities:
-
--   Security extension code is loaded (for example, an authentication, notification, or security package). Security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM.
-
--   A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.
-
-Attempts to install or load security system extensions or services are critical system events that could indicate a security breach.
-
-**Event volume**: Low.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | Yes             | No              | Yes              | No               | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.   |
-| Workstation       | Yes             | No              | Yes              | No               | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.   |
-
-**Events List:**
-
--   [4610](event-4610.md)(S): An authentication package has been loaded by the Local Security Authority.
-
--   [4611](event-4611.md)(S): A trusted logon process has been registered with the Local Security Authority.
-
--   [4614](event-4614.md)(S): A notification package has been loaded by the Security Account Manager.
-
--   [4622](event-4622.md)(S): A security package has been loaded by the Local Security Authority.
-
--   [4697](event-4697.md)(S): A service was installed in the system.
-
diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
deleted file mode 100644
index 3f5fa3f97d..0000000000
--- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: Audit Sensitive Privilege Use 
-description: The policy setting, Audit Sensitive Privilege Use, determines if the operating system generates audit events when sensitive privileges (user rights) are used.
-ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Sensitive Privilege Use
-
-
-Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges:
-
--   Act as part of the operating system
-
--   Back up files and directories
-
--   Restore files and directories
-
--   Create a token object
-
--   Debug programs
-
--   Enable computer and user accounts to be trusted for delegation
-
--   Generate security audits
-
--   Impersonate a client after authentication
-
--   Load and unload device drivers
-
--   Manage auditing and security log
-
--   Modify firmware environment values
-
--   Replace a process-level token
-
--   Take ownership of files or other objects
-
-The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “[Audit: Audit the use of Backup and Restore privilege](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852206(v=ws.11))” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded.
-
-This subcategory also contains informational events from the file system Transaction Manager.
-
-If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts.
-
-**Event volume**: High.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                      |
-|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
-| Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
-| Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
-
-**Events List:**
-
--   [4673](event-4673.md)(S, F): A privileged service was called.
-
--   [4674](event-4674.md)(S, F): An operation was attempted on a privileged object.
-
--   [4985](event-4985.md)(S): The state of a transaction has changed.
-
->[!NOTE] 
-> The event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory also generates in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
deleted file mode 100644
index 291c011a68..0000000000
--- a/windows/security/threat-protection/auditing/audit-special-logon.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Audit Special Logon 
-description: The Advanced Security Audit policy setting, Audit Special Logon, determines if  audit events are generated under special sign in (or logon) circumstances.
-ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Special Logon
-
-
-Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances.
-
-This subcategory allows you to audit events generated by special logons such as the following:
-
--   The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
-
--   A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.
-
-**Event volume**:
-
--   Low on a client computer.
-
--   Medium on a domain controllers or network servers.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-
-**Events List:**
-
--   [4964](event-4964.md)(S): Special groups have been assigned to a new logon.
-
--   [4672](event-4672.md)(S): Special privileges assigned to new logon.
-
diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
deleted file mode 100644
index 85cd8f762c..0000000000
--- a/windows/security/threat-protection/auditing/audit-system-integrity.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Audit System Integrity 
-description: The policy setting, Audit System Integrity, determines if the operating system audits events that violate the integrity of the security subsystem.
-ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit System Integrity
-
-
-Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem.
-
-Activities that violate the integrity of the security subsystem include the following:
-
--   Audited events are lost due to a failure of the auditing system.
-
--   A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.
-
--   A remote procedure call (RPC) integrity violation is detected.
-
--   A code integrity violation with an invalid hash value of an executable file is detected.
-
--   Cryptographic tasks are performed.
-
-Violations of security subsystem integrity are critical and could indicate a potential security attack.
-
-**Event volume**: Low.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | Yes             | Yes              | Yes              | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. |
-| Member Server     | Yes             | Yes             | Yes              | Yes              | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. |
-| Workstation       | Yes             | Yes             | Yes              | Yes              | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. |
-
-**Events List:**
-
--   [4612](event-4612.md)(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
-
--   [4615](event-4615.md)(S): Invalid use of LPC port.
-
--   [4618](event-4618.md)(S): A monitored security event pattern has occurred.
-
--   [4816](event-4816.md)(S): RPC detected an integrity violation while decrypting an incoming message.
-
--   [5038](event-5038.md)(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
-
--   [5056](event-5056.md)(S): A cryptographic self-test was performed.
-
--   [5062](event-5062.md)(S): A kernel-mode cryptographic self-test was performed.
-
--   [5057](event-5057.md)(F): A cryptographic primitive operation failed.
-
--   [5060](event-5060.md)(F): Verification operation failed.
-
--   [5061](event-5061.md)(S, F): Cryptographic operation.
-
--   [6281](event-6281.md)(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
-
--   [6410](event-6410.md)(F): Code integrity determined that a file does not meet the security requirements to load into a process.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
deleted file mode 100644
index ca2b5b0186..0000000000
--- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: Audit Token Right Adjusted
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token.
-manager: aaroncz
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.pagetype: security
-ms.date: 12/31/2017
-ms.topic: reference
----
-
-# Audit Token Right Adjusted
-
-
-Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
-
-For more information, see [Security Monitoring: A Possible New Way to Detect Privilege Escalation](/archive/blogs/nathangau/security-monitoring-a-possible-new-way-to-detect-privilege-escalation).
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | No              | IF               | No               | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | IF              | No              | IF               | No               | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | IF              | No              | IF               | No               | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-
-**Events List:**
-
--   [4703](event-4703.md)(S): A user right was adjusted.
-
-**Event volume**: High.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md
deleted file mode 100644
index 22bd1134da..0000000000
--- a/windows/security/threat-protection/auditing/audit-user-account-management.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Audit User Account Management 
-description: Audit User Account Management is an audit policy setting that determines if the operating system generates audit events when certain tasks are performed.
-ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit User Account Management
-
-
-Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed.
-
-**Event volume**: Low.
-
-This policy setting allows you to audit changes to user accounts. Events include the following:
-
--   A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
-
--   A user account’s password is set or changed.
-
--   A security identifier (SID) is added to the SID History of a user account, or fails to be added.
-
--   The Directory Services Restore Mode password is configured.
-
--   Permissions on administrative user accounts are changed.
-
--   A user's local group membership was enumerated.
-
--   Credential Manager credentials are backed up or restored.
-
-Some events in this subcategory, for example 4722, 4725, 4724, and 4781, are also generated for computer accounts.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                     |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | Yes             | Yes              | Yes              | This subcategory contains many useful events for monitoring, especially for critical domain accounts, such as domain admins, service accounts, database admins, and so on.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for domain accounts, DSRM account password change failures, and failed SID History add attempts. |
-| Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts.                                                                                                                |
-| Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts.                                                                                                                |
-
-**Events List:**
-
--   [4720](event-4720.md)(S): A user account was created.
-
--   [4722](event-4722.md)(S): A user account was enabled.
-
--   [4723](event-4723.md)(S, F): An attempt was made to change an account's password.
-
--   [4724](event-4724.md)(S, F): An attempt was made to reset an account's password.
-
--   [4725](event-4725.md)(S): A user account was disabled.
-
--   [4726](event-4726.md)(S): A user account was deleted.
-
--   [4738](event-4738.md)(S): A user account was changed.
-
--   [4740](event-4740.md)(S): A user account was locked out.
-
--   [4765](event-4765.md)(S): SID History was added to an account.
-
--   [4766](event-4766.md)(F): An attempt to add SID History to an account failed.
-
--   [4767](event-4767.md)(S): A user account was unlocked.
-
--   [4780](event-4780.md)(S): The ACL was set on accounts which are members of administrators groups.
-
--   [4781](event-4781.md)(S): The name of an account was changed.
-
--   [4794](event-4794.md)(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
-
--   [4798](event-4798.md)(S): A user's local group membership was enumerated.
-
--   [5376](event-5376.md)(S): Credential Manager credentials were backed up.
-
--   [5377](event-5377.md)(S): Credential Manager credentials were restored from a backup.
-
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
deleted file mode 100644
index 748184d302..0000000000
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Audit User/Device Claims 
-description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims.
-ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit User/Device Claims
-
-
-Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.
-
-For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
-
-***Important***: Enable the [Audit Logon](audit-logon.md) subcategory in order to get events from this subcategory.
-
-**Event volume**:
-
--   Low on a client computer.
-
--   Medium on a domain controller or network servers.
-
-| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                        |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | No              | IF               | No               | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | IF              | No              | IF               | No               | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | IF              | No              | IF               | No               | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-
-**Events List:**
-
--   [4626](event-4626.md)(S): User/Device claims information.
-
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
deleted file mode 100644
index 7c8b3b1d1a..0000000000
--- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Audit account logon events
-description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
-ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Audit account logon events
-
-
-Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
-
-This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated.
-
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails.
-To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
-
-**Default**: Success
-
-## Configure this audit setting
-
-You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-
-| Logon events | Description                                                                                                                          |
-|--------------|--------------------------------------------------------------------------------------------------------------------------------------|
-| 672          | An authentication service (AS) ticket was successfully issued and validated.                                                         |
-| 673          | A ticket granting service (TGS) ticket was granted.                                                                                  |
-| 674          | A security principal renewed an AS ticket or TGS ticket.                                                                             |
-| 675          | Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.     |
-| 676          | Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family.                |
-| 677          | A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family.                        |
-| 678          | An account was successfully mapped to a domain account.                                                                              |
-| 681          | Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family. |
-| 682          | A user has reconnected to a disconnected terminal server session.                                                                    |
-| 683          | A user disconnected a terminal server session without logging off.                                                                   |
-
-## Related topics
-
-- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
deleted file mode 100644
index 0f902b9980..0000000000
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: Audit account management
-description: Determines whether to audit each event of account management on a device.
-ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Audit account management
-
-
-Determines whether to audit each event of account management on a device.
-
-Examples of account management events include:
-
--   A user account or group is created, changed, or deleted.
--   A user account is renamed, disabled, or enabled.
--   A password is set or changed.
-
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To
-set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
-
-**Default:**
-
--   Success on domain controllers.
--   No auditing on member servers.
-
-## Configure this audit setting
-
-You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-
-
-| Account management events | Description |
-| :-----------------------: | :---------- |
-| 4720 | A user account was created.      |
-| 4723 | A user password was changed.     |
-| 4724 | A user password was set.         |
-| 4726 | A user account was deleted.      |
-| 4727 | A global group was created.      |
-| 4728 | A member was added to a global group. |
-| 4729 | A member was removed from a global group. |
-| 4730 | A global group was deleted. |
-| 4731 | A new local group was created. |
-| 4732 | A member was added to a local group. |
-| 4733 | A member was removed from a local group. |
-| 4734 | A local group was deleted.          |
-| 4735 | A local group account was changed.  |
-| 4737 | A global group account was changed. |
-| 4738 | A user account was changed. |
-| 4739 | A domain policy was modified. |
-| 4740 | A user account was auto locked. |
-| 4741 | A computer account was created. |
-| 4742 | A computer account was changed. |
-| 4743 | A computer account was deleted. |
-| 4744 | A local security group with security disabled was created.<br> **Note:**  SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks |
-| 4745 | A local security group with security disabled was changed. |
-| 4746 | A member was added to a security-disabled local security group. |
-| 4747 | A member was removed from a security-disabled local security group. |
-| 4748 | A security-disabled local group was deleted. |
-| 4749 | A security-disabled global group was created. |
-| 4750 | A security-disabled global group was changed. |
-| 4751 | A member was added to a security-disabled global group. |
-| 4752 | A member was removed from a security-disabled global group. |
-| 4753 | A security-disabled global group was deleted. |
-| 4754 | A security-enabled universal group was created. |
-| 4755 | A security-enabled universal group was changed. |
-| 4756 | A member was added to a security-enabled universal group. |
-| 4757 | A member was removed from a security-enabled universal group. |
-| 4758 | A security-enabled universal group was deleted. |
-| 4759 | A security-disabled universal group was created. |
-| 4760 | A security-disabled universal group was changed. |
-| 4761 | A member was added to a security-disabled universal group. |
-| 4762 | A member was removed from a security-disabled universal group. |
-| 4763 | A security-disabled universal group was deleted. |
-| 4764 | A group type was changed. |
-| 4780 | Set the security descriptor of members of administrative groups. |
-|  685 | Set the security descriptor of members of administrative groups.<br> **Note:**  Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
-
-## Related topics
-
-- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
deleted file mode 100644
index fb7213123d..0000000000
--- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Basic audit directory service access
-description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
-ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Audit directory service access
-
-
-Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
-
-By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers where it has no meaning.
-
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to **No auditing,** in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
-> **Note:**  You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.
-
-**Default:**
-
--   Success on domain controllers.
--   Undefined for a member server.
-
-## Configure this audit setting
-
-You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-
-There is only one directory service access event, which is identical to the Object Access security event message 566.
-
-| Directory service access events | Description                            |
-|---------------------------------|----------------------------------------|
-| 566                             | A generic object operation took place. |
-
-## Related topics
-
-- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
deleted file mode 100644
index 6019102b0e..0000000000
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Audit logon events
-description: Determines whether to audit each instance of a user logging on to or logging off from a device.
-ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.collection:
-  - highpri
-  - tier3
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Audit logon events
-
-
-Determines whether to audit each instance of a user logging on to or logging off from a device.
-
-Account logon events are generated on domain controllers for domain account activity and on local devices for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more info about account logon events, see [Audit account logon events](basic-audit-account-logon-events.md).
-
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.
-
-To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
-
-For information about advanced security policy settings for logon events, see the [Logon/logoff](advanced-security-audit-policy-settings.md#logonlogoff) section in [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
-
-## Configure this audit setting
-
-You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-
-| Logon events | Description |
-| - | - |
-| 4624          | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.                                                                                          |
-| 4625          | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.                                                                                                     |
-| 4634          | The logoff process was completed for a user.                                                                                                                                                                    |
-| 4647          | A user initiated the logoff process.                                                                                                                                                                            |
-| 4648          | A user successfully logged on to a computer using explicit credentials while already logged on as a different user.                                                                                             |
-| 4779          | A user disconnected a terminal server session without logging off.                                                                                                                                              |
-
-
-When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also listed in the event log. The following table describes each logon type.
-
-| Logon type | Logon title | Description |
-| - | - | - |
-| 2          | Interactive       | A user logged on to this computer.|
-| 3          | Network           | A user or computer logged on to this computer from the network.|
-| 4          | Batch             | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.|
-| 5          | Service           | A service was started by the Service Control Manager.|
-| 7          | Unlock            | This workstation was unlocked.|
-| 8          | NetworkCleartext  | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
-| 9          | NewCredentials    | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
-| 10         | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
-| 11         | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.|
-
-## Related topics
-
-- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
deleted file mode 100644
index a27f9b77a0..0000000000
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: Audit object access
-description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified.
-ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Audit object access
-
-
-Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
-
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified.
-
-To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
-
-> [!NOTE]
-> You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box.
-
-**Default:** No auditing.
-
-## Configure this audit setting
-
-You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-
-
-| Object access events |                                                                                                                    Description                                                                                                                     |
-|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|         560          |                                                                                                 Access was granted to an already existing object.                                                                                                  |
-|         562          |                                                                                                         A handle to an object was closed.                                                                                                          |
-|         563          |                                An attempt was made to open an object with the intent to delete it.<br>**Note:**  This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().                                |
-|         564          |                                                                                                          A protected object was deleted.                                                                                                           |
-|         565          |                                                                                               Access was granted to an already existing object type.                                                                                               |
-|         567          | A permission associated with a handle was used.<br>**Note:**  A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
-|         568          |                                                                                     An attempt was made to create a hard link to a file that is being audited.                                                                                     |
-|         569          |                                                                                The resource manager in Authorization Manager attempted to create a client context.                                                                                 |
-|         570          |                                                           A client attempted to access an object.<br>**Note:**  An event will be generated for every attempted operation on the object.                                                            |
-|         571          |                                                                                      The client context was deleted by the Authorization Manager application.                                                                                      |
-|         572          |                                                                                               The administrator manager initialized the application.                                                                                               |
-|         772          |                                                                                           The certificate manager denied a pending certificate request.                                                                                            |
-|         773          |                                                                                          Certificate Services received a resubmitted certificate request.                                                                                          |
-|         774          |                                                                                                    Certificate Services revoked a certificate.                                                                                                     |
-|         775          |                                                                             Certificate Services received a request to publish the certificate revocation list (CRL).                                                                              |
-|         776          |                                                                                       Certificate Services published the certificate revocation list (CRL).                                                                                        |
-|         777          |                                                                                                     A certificate request extension was made.                                                                                                      |
-|         778          |                                                                                                One or more certificate request attributes changed.                                                                                                 |
-|         779          |                                                                                                Certificate Services received a request to shutdown.                                                                                                |
-|         780          |                                                                                                        Certificate Services backup started.                                                                                                        |
-|         781          |                                                                                                       Certificate Services backup completed                                                                                                        |
-|         782          |                                                                                                       Certificate Services restore started.                                                                                                        |
-|         783          |                                                                                                      Certificate Services restore completed.                                                                                                       |
-|         784          |                                                                                                           Certificate Services started.                                                                                                            |
-|         785          |                                                                                                           Certificate Services stopped.                                                                                                            |
-|         786          |                                                                                             The security permissions for Certificate Services changed.                                                                                             |
-|         787          |                                                                                                  Certificate Services retrieved an archived key.                                                                                                   |
-|         788          |                                                                                           Certificate Services imported a certificate into its database.                                                                                           |
-|         789          |                                                                                                 The audit filter for Certificate Services changed.                                                                                                 |
-|         790          |                                                                                                Certificate Services received a certificate request.                                                                                                |
-|         791          |                                                                                   Certificate Services approved a certificate request and issued a certificate.                                                                                    |
-|         792          |                                                                                                 Certificate Services denied a certificate request.                                                                                                 |
-|         793          |                                                                                      Certificate Services set the status of a certificate request to pending.                                                                                      |
-|         794          |                                                                                         The certificate manager settings for Certificate Services changed.                                                                                         |
-|         795          |                                                                                               A configuration entry changed in Certificate Services.                                                                                               |
-|         796          |                                                                                                    A property of Certificate Services changed.                                                                                                     |
-|         797          |                                                                                                        Certificate Services archived a key.                                                                                                        |
-|         798          |                                                                                                 Certificate Services imported and archived a key.                                                                                                  |
-|         799          |                                                                                       Certificate Services published the CA certificate to Active Directory.                                                                                       |
-|         800          |                                                                                         One or more rows have been deleted from the certificate database.                                                                                          |
-|         801          |                                                                                                              Role separation enabled.                                                                                                              |
-
-## Related topics
-
-- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
deleted file mode 100644
index c8c2ed48d0..0000000000
--- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Audit policy change
-description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
-ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Audit policy change
-
-
-Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
-
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies fails.
-
-To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
-
-**Default:**
-
--   Success on domain controllers.
--   No auditing on member servers.
-
-## Configure this audit setting
-
-You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-
-| Policy change events | Description |
-| - | - |
-| 608 | A user right was assigned.|
-| 609 | A user right was removed. |
-| 610 | A trust relationship with another domain was created.|
-| 611 | A trust relationship with another domain was removed.|
-| 612 | An audit policy was changed.|
-| 613 | An Internet Protocol security (IPSec) policy agent started.|
-| 614 | An IPSec policy agent was disabled. |
-| 615 | An IPSec policy agent changed. |
-| 616 | An IPSec policy agent encountered a potentially serious failure.|
-| 617 | A Kerberos policy changed. |
-| 618 | Encrypted Data Recovery policy changed.|
-| 620 | A trust relationship with another domain was modified.|
-| 621 | System access was granted to an account. |
-| 622 | System access was removed from an account.|
-| 623 | Per user auditing policy was set for a user.|
-| 625 | Per user audit policy was refreshed. |
-| 768 | A collision was detected between a namespace element in one forest and a namespace element in another forest.<br>**Note**  When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'.|
-| 769 | Trusted forest information was added.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
-| 770 | Trusted forest information was deleted.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
-| 771 | Trusted forest information was modified.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
-| 805 | The event log service read the security log configuration for a session.
-
-## Related topics
-
-- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
deleted file mode 100644
index 1275bd3206..0000000000
--- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: Audit privilege use
-description: Determines whether to audit each instance of a user exercising a user right.
-ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Audit privilege use
-
-
-Determines whether to audit each instance of a user exercising a user right.
-
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits generate an audit entry when the exercise of a user right fails.
-
-To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
-
-**Default:** No auditing.
-
-Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for **Audit privilege use**. Enabling auditing of these user rights tend to generate many events in the security log which may impede your computer's performance. To audit the following user rights, enable the **FullPrivilegeAuditing** registry key.
-
--   Bypass traverse checking
--   Debug programs
--   Create a token object
--   Replace process level token
--   Generate security audits
--   Back up files and directories
--   Restore files and directories
-
-## Configure this audit setting
-
-You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-
-| Privilege use events | Description |
-| - | - |
-| 576 | Specified privileges were added to a user's access token.<br>**Note:**  This event is generated when the user logs on.|
-| 577 | A user attempted to perform a privileged system service operation. |
-| 578 | Privileges were used on an already open handle to a protected object. |
-
-## Related topics
-
-- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
deleted file mode 100644
index 71a2c2735c..0000000000
--- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Audit process tracking
-description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
-ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Audit process tracking
-
-
-Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
-
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits generate an audit entry when the process being tracked fails.
-
-To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
-
-**Default:** No auditing.
-
-## Configure this security setting
-
-You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-
-| Process tracking events | Description |
-| - | - |
-| 592 | A new process was created.|
-| 593 | A process exited. |
-| 594 | A handle to an object was duplicated.|
-| 595 | Indirect access to an object was obtained.|
-| 596 | A data protection master key was backed up.<br>**Note:**  The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.|
-| 597 | A data protection master key was recovered from a recovery server.|
-| 598 | Auditable data was protected. |
-| 599 | Auditable data was unprotected.|
-| 600 | A process was assigned a primary token.|
-| 601 | A user attempted to install a service. |
-| 602 | A scheduler job was created. |
-
-## Related topics
-
-- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md
deleted file mode 100644
index d29c89b90f..0000000000
--- a/windows/security/threat-protection/auditing/basic-audit-system-events.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Audit system events
-description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
-ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Audit system events
-
-
-Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
-
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.
-
-To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
-
-**Default:**
-
--   Success on domain controllers.
--   No auditing on member servers.
-
-## Configure this audit setting
-
-You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-
-| Logon events | Description |
-| - | - |
-| 512 | Windows is starting up. |
-| 513 | Windows is shutting down. |
-| 514 | An authentication package was loaded by the Local Security Authority.|
-| 515 | A trusted logon process has registered with the Local Security Authority.|
-| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.|
-| 517 | The audit log was cleared. |
-| 518 | A notification package was loaded by the Security Accounts Manager.|
-| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.|
-| 520 | The system time was changed.<br>**Note:**  This audit normally appears twice.|
-
-## Related topics
-
-- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
- 
- 
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
deleted file mode 100644
index a238c70e5c..0000000000
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Basic security audit policies
-description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization.
-ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Basic security audit policies
-
-
-Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.
-
-The event categories that you can choose to audit are:
-
--   Audit account logon events
--   Audit account management
--   Audit directory service access
--   Audit logon events
--   Audit object access
--   Audit policy change
--   Audit privilege use
--   Audit process tracking
--   Audit system events
-
-If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category, for auditing objects on a domain controller, or the audit object access category, for auditing objects on a member server or workstation. After you enable the object access category, you can specify the types of access you want to audit for each group or user.
-
-## In this section
-
-| Article | Description |
-| - | - |
-| [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md) | By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. |
-| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful or failed access attempts in the security log. |
-| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.|
-| [Basic security audit policy settings](basic-security-audit-policy-settings.md) | Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.|
-
-
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
deleted file mode 100644
index 1b496de6ee..0000000000
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Basic security audit policy settings
-description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Basic security audit policy settings
-
-
-Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
-
-## In this section
-
-| Topic | Description |
-| - | - |
-| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.|
-| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.|
-| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.|
-| [Audit logon events](basic-audit-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from a device. |
-| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.|
-| [Audit policy change](basic-audit-policy-change.md) | Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. |
-| [Audit privilege use](basic-audit-privilege-use.md) | Determines whether to audit each instance of a user exercising a user right. |
-| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.|
-| [Audit system events](basic-audit-system-events.md) | Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. |
-
-## Related topics
-
-- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
-
-
diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
deleted file mode 100644
index 0dbeef18fc..0000000000
--- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Create a basic audit policy for an event category
-description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization.
-ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: low
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/07/2021
----
-
-# Create a basic audit policy for an event category
-
-
-By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default.
-
-To complete this procedure, you must be logged on as a member of the built-in Administrators group.
-
-**To define or modify auditing policy settings for an event category for your local computer**
-
-1.  Open the Local Security Policy snap-in (secpol.msc), and then click **Local Policies**.
-2.  Click **Audit Policy**.
-3.  In the results pane, double-click an event category that you want to change the auditing policy settings for.
-4.  Do one or both of the following, and then click **OK.**
-
-    -   To audit successful attempts, select the **Success** check box.
-    -   To audit unsuccessful attempts, select the **Failure** check box.
-
-To complete this procedure, you must be logged on as a member of the Domain Admins group.
-
-**To define or modify auditing policy settings for an event category for a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain**
-
-1.  Open the Group Policy Management Console (GPMC).
-2.  In the console tree, double-click **Group Policy objects** in the forest and domain containing the **Default Domain Policy** Group Policy object (GPO) that you want to edit.
-3.  Right-click the **Default Domain Policy** GPO, and then click **Edit**.
-4.  In the GPMC, go to **Computer Configuration**, **Windows Settings**, **Security Settings**, and then click **Audit Policy**.
-5.  In the results pane, double-click an event category that you want to change the auditing policy settings for.
-6.  If you are defining auditing policy settings for this event category for the first time, select the **Define these policy settings** check box.
-7.  Do one or both of the following, and then click **OK.**
-
-    -   To audit successful attempts, select the **Success** check box.
-    -   To audit unsuccessful attempts, select the **Failure** check box.
-
-## Additional considerations
-
--   To audit object access, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object.
--   After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view these events.
--   The default auditing policy setting for domain controllers is **No Auditing**. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting.
diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md
deleted file mode 100644
index fd669405ba..0000000000
--- a/windows/security/threat-protection/auditing/event-1100.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: 1100(S) The event logging service has shut down. 
-description: Describes security event 1100(S) The event logging service has shut down.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 1100(S): The event logging service has shut down.
-
-
-<img src="images/event-1100.png" alt="Event 1100 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Other Events](other-events.md)
-
-***Event Description:***
-
-This event generates every time Windows Event Log service has shut down.
-
-It also generates during normal system shutdown.
-
-This event doesn’t generate during emergency system reset.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
- <EventID>1100</EventID> 
- <Version>0</Version> 
- <Level>4</Level> 
- <Task>103</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x4020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-15T07:02:20.010585400Z" /> 
- <EventRecordID>1048124</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="820" ThreadID="964" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <UserData>
- <ServiceShutdown xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog" /> 
- </UserData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 1100(S): The event logging service has shut down.
-
--   With this event, you can track system shutdowns and restarts.
-
--   This event also can be a sign of malicious action when someone tried to shut down the Log Service to cover his or her activity.
-
diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md
deleted file mode 100644
index 3f66f12f17..0000000000
--- a/windows/security/threat-protection/auditing/event-1102.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: 1102(S) The audit log was cleared. 
-description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S).
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 1102(S): The audit log was cleared.
-
-
-<img src="images/event-1102.png" alt="Event 1102 illustration" width="449" height="336" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Other Events](other-events.md)
-
-***Event Description:***
-
-This event generates every time Windows Security audit log was cleared.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
- <EventID>1102</EventID> 
- <Version>0</Version> 
- <Level>4</Level> 
- <Task>104</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x4020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-16T00:39:58.656871200Z" /> 
- <EventRecordID>1087729</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="820" ThreadID="2644" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <UserData>
-- <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
- <SubjectUserSid>S-1-5-21-3457937927-2839227994-823803824-1104</SubjectUserSid> 
- <SubjectUserName>dadmin</SubjectUserName> 
- <SubjectDomainName>CONTOSO</SubjectDomainName> 
- <SubjectLogonId>0x55cd1d</SubjectLogonId> 
- </LogFileCleared>
- </UserData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that cleared the system security audit log. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that cleared the system security audit log.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-## Security Monitoring Recommendations
-
-For 1102(S): The audit log was cleared.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Typically you should not see this event. There is no need to manually clear the Security event log in most cases. We recommend monitoring this event and investigating why this action was performed.
-
diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md
deleted file mode 100644
index 60114513f7..0000000000
--- a/windows/security/threat-protection/auditing/event-1104.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-title: 1104(S) The security log is now full. 
-description: This event generates every time Windows security log becomes full and the event log retention method is set to Do not overwrite events.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 1104(S): The security log is now full.
-
-
-<img src="images/event-1104.png" alt="Event 1104 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Other Events](other-events.md)
-
-***Event Description:***
-
-This event generates every time Windows security log becomes full.
-
-This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Do not overwrite events (Clear logs manually)](/previous-versions/windows/it-pro/windows-server-2003/cc778402(v=ws.10))”.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
- <EventID>1104</EventID> 
- <Version>0</Version> 
- <Level>2</Level> 
- <Task>101</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x4020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-15T23:36:50.479431200Z" /> 
- <EventRecordID>1087728</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="820" ThreadID="4224" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <UserData>
- <FileIsFull xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog" /> 
- </UserData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   If the Security event log retention method is set to “[Do not overwrite events (Clear logs manually)](/previous-versions/windows/it-pro/windows-server-2003/cc778402(v=ws.10))”, then this event will indicate that log file is full and you need to perform immediate actions, for example, archive the log or clear it.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
deleted file mode 100644
index ab01840a97..0000000000
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: 1105(S) Event log automatic backup. 
-description: This event generates every time Windows security log becomes full and new event log file was created.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 1105(S): Event log automatic backup
-
-
-<img src="images/event-1105.png" alt="Event 1105 illustration" width="572" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Other Events](other-events.md)
-
-***Event Description:***
-
-This event generates every time Windows security log becomes full and new event log file was created.
-
-This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Archive the log when full, do not overwrite events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc721981(v=ws.11))”.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
- <EventID>1105</EventID> 
- <Version>0</Version> 
- <Level>4</Level> 
- <Task>105</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x4020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-16T00:50:12.715302700Z" /> 
- <EventRecordID>1128551</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="820" ThreadID="3660" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <UserData>
-- <AutoBackup xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
- <Channel>Security</Channel> 
- <BackupPath>C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2015-10-16-00-50-12-621.evtx</BackupPath> 
- </AutoBackup>
- </UserData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Log** \[Type = UnicodeString\]: the name of the log that was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
-
-**File**: \[Type = FILETIME\]: full path and filename of archived log file.
-
-The format of archived log file name is: “Archive-LOG\_FILE\_NAME-YYYY-MM-DD-hh-mm-ss-nnn.evtx”. Where:
-
--   LOG\_FILE\_NAME – the name of archived file.
-
--   Y – years.
-
--   M – months.
-
--   D – days.
-
--   h – hours.
-
--   m – minutes.
-
--   s – seconds.
-
--   n – fractional seconds.
-
-The time in this event is always in ***GMT+0/UTC+0*** time zone.
-
-## Security Monitoring Recommendations
-
-For 1105(S): Event log automatic backup.
-
--   Typically it’s an informational event and no actions are needed. But if your baseline settings are not set to [Archive the log when full, do not overwrite events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc721981(v=ws.11)), then this event will be a sign that some settings are not set to baseline settings or were changed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md
deleted file mode 100644
index df61026142..0000000000
--- a/windows/security/threat-protection/auditing/event-1108.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: The event logging service encountered an error 
-description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
-
-
-<img src="images/event-1108.png" alt="Event 1108 illustration" width="613" height="429" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Other Events](other-events.md)
-
-***Event Description:***
-
-This event generates when event logging service encountered an error while processing an incoming event.
-
-It typically generates when logging service will not be able to correctly write the event to the event log or some parameters were not passed to logging service to log the event correctly. You will typically see a defective or incorrect event before 1108.
-
-For example, event 1108 might be generated after an incorrect [4703](event-4703.md) event:
-
-<img src="images/event-4703-partial.png" alt="Event 4703, partial illustration" width="438" height="588" hspace="10" align="left" />
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
- <EventID>1108</EventID> 
- <Version>0</Version> 
- <Level>2</Level> 
- <Task>101</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x4020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-12T20:59:47.431979300Z" /> 
- <EventRecordID>5599</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="972" ThreadID="1320" /> 
- <Channel>Security</Channel> 
- <Computer>WIN-GG82ULGC9GO.contoso.local</Computer> 
- <Security /> 
- </System>
-- <UserData>
-- <EventProcessingFailure xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
- <Error Code="15005" /> 
- <EventID>0</EventID> 
- <PublisherID>Microsoft-Windows-Security-Auditing</PublisherID> 
- </EventProcessingFailure>
- </UserData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**%1** \[Type = UnicodeString\]: the name of [security event source](/windows/win32/eventlog/event-sources) from which event was received for processing. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example:
-
-<img src="images/subkeys-under-security-key.png" alt="Subkeys under Security key illustration" width="236" height="246" />
-
-## Security Monitoring Recommendations
-
-For 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
-
--   We recommend monitoring for all events of this type and checking what the cause of the error was.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md
deleted file mode 100644
index 4d229afc2d..0000000000
--- a/windows/security/threat-protection/auditing/event-4608.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: 4608(S) Windows is starting up. 
-description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4608(S): Windows is starting up.
-
-
-<img src="images/event-4608.png" alt="Event 4608 illustration" width="449" height="317" hspace="10" align="top" />
-
-***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md)
-
-***Event Description:***
-
-This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized.
-
-It typically generates during operating system startup process.
-
-> [!NOTE]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4608</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12288</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-09T05:25:38.222242500Z" /> 
- <EventRecordID>1101704</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="508" ThreadID="512" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
- <EventData /> 
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 4608(S): Windows is starting up.
-
--   With this event, you can track system startup events.
-
diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md
deleted file mode 100644
index a277e58ec7..0000000000
--- a/windows/security/threat-protection/auditing/event-4610.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: 4610(S) An authentication package has been loaded by the Local Security Authority. 
-description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4610(S): An authentication package has been loaded by the Local Security Authority.
-
-
-<img src="images/event-4610.png" alt="Event 4610 illustration" width="656" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
-
-***Event Description:***
-
-This event generates every time [Authentication Package](/windows/win32/secauthn/authentication-packages) has been loaded by the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)).
-
-Each time the system starts, the LSA loads the Authentication Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages** registry value and performs the initialization sequence for every package located in these DLLs.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4610</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12289</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-14T03:36:41.391489300Z" /> 
- <EventRecordID>1048138</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="520" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="AuthenticationPackageName">C:\\Windows\\system32\\msv1\_0.DLL : MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Authentication Package Name** \[Type = UnicodeString\]**:** the name of loaded [Authentication Package](/windows/win32/secauthn/authentication-packages). The format is: DLL\_PATH\_AND\_NAME: AUTHENTICATION\_PACKAGE\_NAME.
-
-By default the only one Authentication Package loaded by Windows 10 is “[MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0](/windows/win32/secauthn/msv1-0-authentication-package)”.
-
-## Security Monitoring Recommendations
-
-For 4610(S): An authentication package has been loaded by the Local Security Authority.
-
--   Report all “**Authentication Package Name**” not equals “C:\\Windows\\system32\\msv1\_0.DLL : MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0”, because by default this is the only Authentication Package loaded by Windows 10.
-
--   Typically this event has an informational purpose. If you have a pre-defined list of allowed Authentication Packages in the system, then you can check whether “**Authentication Package Name”** is in your defined list.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md
deleted file mode 100644
index 27574efa40..0000000000
--- a/windows/security/threat-protection/auditing/event-4611.md
+++ /dev/null
@@ -1,109 +0,0 @@
----
-title: 4611(S) A trusted logon process has been registered with the Local Security Authority. 
-description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4611(S): A trusted logon process has been registered with the Local Security Authority.
-
-
-<img src="images/event-4611.png" alt="Event 4611 illustration" width="449" height="393" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
-
-***Event Description:***
-
-This event indicates that a logon process has registered with the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)). Also, logon requests will now be accepted from this source.
-
-At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates.
-
-A logon process is a trusted part of the operating system that handles the overall logon function for different logon methods (network, interactive, etc.).
-
-You typically see these events during operating system startup or user logon and authentication actions.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4611</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12289</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-14T03:43:29.604031000Z" /> 
- <EventRecordID>1048175</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="548" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="LogonProcessName">Winlogon</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that registered the trusted logon process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that registered the trusted logon process.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Logon Process Name** \[Type = UnicodeString\]**:** the name of registered logon process.
-
-## Security Monitoring Recommendations
-
-For 4611(S): A trusted logon process has been registered with the Local Security Authority.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
-
--   Typically this event has an informational purpose. If you defined the list of allowed Logon Processes in the system, then you can check is “**Logon Process Name”** field value in the allow list or not.
-
--
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md
deleted file mode 100644
index fba5b23479..0000000000
--- a/windows/security/threat-protection/auditing/event-4612.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. 
-description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
-
-
-This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk.
-
-This event doesn't generate when the event log service is stopped or event log is full and events retention is disabled.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.*
-
-*Number of audit messages discarded: %1*
-
-*This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   This event can be a sign of hardware issues or lack of system resources (for example, RAM). We recommend monitoring this event and investigating the reason for the condition.
-
diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md
deleted file mode 100644
index 7742a34ee9..0000000000
--- a/windows/security/threat-protection/auditing/event-4614.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: 4614(S) A notification package has been loaded by the Security Account Manager. 
-description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4614(S): A notification package has been loaded by the Security Account Manager.
-
-
-<img src="images/event-4614.png" alt="Event 4614 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
-
-***Event Description:***
-
-This event generates every time a Notification Package has been loaded by the [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)).
-
-In reality, starting with Windows Vista, a notification package should be interpreted as afs [Password Filter](/windows/win32/secmgmt/password-filters).
-
-Password Filters are DLLs that are loaded or called when passwords are set or changed.
-
-Each time a system starts, it loads the notification package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages** registry value and performs the initialization sequence for every package.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4614</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12289</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-14T03:36:43.073484900Z" /> 
- <EventRecordID>1048140</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="520" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="NotificationPackageName">WDIGEST</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Notification Package Name** \[Type = UnicodeString\]**:** the name of loaded Notification Package.
-
-## Security Monitoring Recommendations
-
-For 4614(S): A notification package has been loaded by the Security Account Manager.
-
--   Typically this event has an informational purpose. If you defined the list of allowed Notification Packages in the system, then you can check is “**Notification Package Name”** field value in the allow list or not.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md
deleted file mode 100644
index c8a16371bd..0000000000
--- a/windows/security/threat-protection/auditing/event-4615.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: 4615(S) Invalid use of LPC port. 
-description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4615(S): Invalid use of LPC port.
-
-
-It appears that this event never occurs.
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*Invalid use of LPC port.*
-
-*Subject:*
-
-> *Security ID%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Process Information:*
-
-> *PID:%7*
->
-> *Name:%8*
-
-*Invalid Use:%5*
-
-*LPC Server Port Name:%6*
-
-*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel."*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
-
diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md
deleted file mode 100644
index 91890bb297..0000000000
--- a/windows/security/threat-protection/auditing/event-4616.md
+++ /dev/null
@@ -1,176 +0,0 @@
----
-title: 4616(S) The system time was changed. 
-description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4616(S): The system time was changed.
-
-
-<img src="images/event-4616.png" alt="Event 4616 illustration" width="522" height="518" hspace="10" align="top" />
-
-***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md)
-
-***Event Description:***
-
-This event generates every time system time was changed.
-
-This event is always logged regardless of the "Audit Security State Change" sub-category setting.
-
-You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions.
-
-> [!NOTE]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4616</EventID> 
- <Version>1</Version> 
- <Level>0</Level> 
- <Task>12288</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-09T05:04:29.995794600Z" /> 
- <EventRecordID>1101699</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="148" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x48f29</Data> 
- <Data Name="PreviousTime">2015-10-09T05:04:30.000941900Z</Data> 
- <Data Name="NewTime">2015-10-09T05:04:30.000000000Z</Data> 
- <Data Name="ProcessId">0x1074</Data> 
- <Data Name="ProcessName">C:\\Windows\\WinSxS\\amd64\_microsoft-windows-com-surrogate-core\_31bf3856ad364e35\_6.3.9600.16384\_none\_25a8f00faa8f185c\\dllhost.exe</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:***
-
--   0 - Windows Server 2008, Windows Vista.
-
--   1 - Windows Server 2008 R2, Windows 7.
-
-    -   Added “Process Information” section.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-    > [!NOTE]
-    > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Process Information** \[Version 1\]**:**
-
--   **Process ID** \[Type = Pointer\] \[Version 1\]: hexadecimal Process ID of the process that changed the system time. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Name** \[Type = UnicodeString\] \[Version 1\]**:** full path and the name of the executable for the process.
-
-**Previous Time** \[Type = FILETIME\]: previous time in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**:
-
--   Y - years
-
--   M - months
-
--   D - days
-
--   T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm).
-
--   h - hours
-
--   m - minutes
-
--   s - seconds
-
--   n - fractional seconds
-
--   Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z".
-
-**New Time** \[Type = FILETIME\]: new time that was set in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**:
-
--   Y - years
-
--   M - months
-
--   D - days
-
--   T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm).
-
--   h - hours
-
--   m - minutes
-
--   s - seconds
-
--   n - fractional seconds
-
--   Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z".
-
-## Security Monitoring Recommendations
-
-For 4616(S): The system time was changed.
-
-> [!IMPORTANT]
-> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made by Windows Time service.
-
--   Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made by Windows Time service.
-
-<!-- -->
-
--   <span id="Reccomendations_Process_Name" class="anchor"></span>If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md
deleted file mode 100644
index 888ba46e90..0000000000
--- a/windows/security/threat-protection/auditing/event-4618.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: 4618(S) A monitored security event pattern has occurred. 
-description: Describes security event 4618(S) A monitored security event pattern has occurred.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4618(S): A monitored security event pattern has occurred.
-
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-This event can be generated (invoked) only externally using the following command:
-
-**%windir%\\system32\\rundll32 %windir%\\system32\\authz.dll,AuthziGenerateAdminAlertAudit OrgEventId ComputerName UserSid UserName UserDomain UserLogonId EventCount Duration**
-
-Account must have **SeAuditPrivilege** (Generate security audits) to be able to generate this event.
-
--   **UserSid** is resolved when viewing the event in event viewer.
-
--   Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field.
-
--   If a field doesn’t match the expected data type, the event is not generated. That is, if **EventCount** = “XYZ”, then no event is generated.
-
--   **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are)
-
--   Parameters are space delimited, even if a parameter is enclosed in double-quotes.
-
--   Here are the expected data types for the parameters:
-
-| Parameter    | Expected Data Type                               |
-|--------------|--------------------------------------------------|
-| OrgEventID   | Ulong                                            |
-| ComputerName | String                                           |
-| UserSid      | SID (in string format)                           |
-| UserName     | String                                           |
-| UserDomain   | String                                           |
-| UserLogonID  | Luid (a ULongLong converted to Hex in the event) |
-| EventCount   | Ulong                                            |
-| Duration     | String                                           |
-
-<img src="images/event-4618.png" alt="Event 4618 illustration" width="449" height="494" hspace="10" align="left" />
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4618</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12290</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-11T21:42:33.264246700Z" /> 
- <EventRecordID>1198759</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="528" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="EventId">4624</Data> 
- <Data Name="ComputerName">DC01.contoso.local</Data> 
- <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetUserDomain">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x1</Data> 
- <Data Name="EventCount">10</Data> 
- <Data Name="Duration">“Hour"</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 4618(S): A monitored security event pattern has occurred.
-
--   This event can be invoked only manually/intentionally, it is up to you how to interpret this event depends on information you put inside of it.
-
diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md
deleted file mode 100644
index 23a502abad..0000000000
--- a/windows/security/threat-protection/auditing/event-4621.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: 4621(S) Administrator recovered system from CrashOnAuditFail. 
-description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4621(S): Administrator recovered system from CrashOnAuditFail.
-
-
-
-This event is logged after a system reboots following [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md)
-
-***Event Schema:***
-
-*Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.*
-
-*Value of CrashOnAuditFail:%1*
-
-*This event is logged after a system reboots following CrashOnAuditFail.*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   We recommend triggering an alert for any occurrence of this event. The event shows that the system halted because it could not record an auditable event in the Security Log, as described in [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396).
-
--   If your computers don’t have the [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396) flag enabled, then this event will be a sign that some settings are not set to baseline settings or were changed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md
deleted file mode 100644
index c55bf6a9b2..0000000000
--- a/windows/security/threat-protection/auditing/event-4622.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: 4622(S) A security package has been loaded by the Local Security Authority. 
-description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4622(S): A security package has been loaded by the Local Security Authority.
-
-
-<img src="images/event-4622.png" alt="Event 4622 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
-
-***Event Description:***
-
-This event generates every time [Security Package](/windows/win32/secauthn/ssp-aps-versus-ssps) has been loaded by the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)).
-
-Security Package is the software implementation of a security protocol (Kerberos, NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.
-
-Each time the system starts, the LSA loads the Security Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages** registry value and performs the initialization sequence for every package located in these DLLs.
-
-It is also possible to add security package dynamically using [AddSecurityPackage](/windows/win32/api/sspi/nf-sspi-addsecuritypackagea) function, not only during system startup process.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4622</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12289</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-14T03:36:41.359331100Z" /> 
- <EventRecordID>1048131</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="520" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SecurityPackageName">C:\\Windows\\system32\\kerberos.DLL : Kerberos</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Security Package Name** \[Type = UnicodeString\]**:** the name of loaded Security Package. The format is: DLL\_PATH\_AND\_NAME: SECURITY\_PACKAGE\_NAME.
-
-These are some Security Package DLLs loaded by default in Windows 10:
-
--   C:\\Windows\\system32\\schannel.DLL : Microsoft Unified Security Protocol Provider
-
--   C:\\Windows\\system32\\schannel.DLL : Schannel
-
--   C:\\Windows\\system32\\cloudAP.DLL : CloudAP
-
--   C:\\Windows\\system32\\wdigest.DLL : WDigest
-
--   C:\\Windows\\system32\\pku2u.DLL : pku2u
-
--   C:\\Windows\\system32\\tspkg.DLL : TSSSP
-
--   C:\\Windows\\system32\\msv1\_0.DLL : NTLM
-
--   C:\\Windows\\system32\\kerberos.DLL : Kerberos
-
--   C:\\Windows\\system32\\negoexts.DLL : NegoExtender
-
--   C:\\Windows\\system32\\lsasrv.dll : Negotiate
-
-## Security Monitoring Recommendations
-
-For 4622(S): A security package has been loaded by the Local Security Authority.
-
--   Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allowlist or not.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
deleted file mode 100644
index 84e8eaa64e..0000000000
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ /dev/null
@@ -1,322 +0,0 @@
----
-title: 4624(S) An account was successfully logged on.
-description: Describes security event 4624(S) An account was successfully logged on.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.collection: tier3
-ms.topic: reference
----
-
-# 4624(S): An account was successfully logged on.
-
-
-<img src="images/event-4624.png" alt="Event 4624 illustration" width="438" height="668" hspace="10" />
-
-***Subcategory:***&nbsp;[Audit Logon](audit-logon.md)
-
-***Event Description:***
-
-This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.
-
-> [!NOTE]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```xml
-<?xml version="1.0"?>
-<Event
-    xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    <System>
-        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
-        <EventID>4624</EventID>
-        <Version>2</Version>
-        <Level>0</Level>
-        <Task>12544</Task>
-        <Opcode>0</Opcode>
-        <Keywords>0x8020000000000000</Keywords>
-        <TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z"/>
-        <EventRecordID>211</EventRecordID>
-        <Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}"/>
-        <Execution ProcessID="716" ThreadID="760"/>
-        <Channel>Security</Channel>
-        <Computer>WIN-GG82ULGC9GO</Computer>
-        <Security/>
-    </System>
-    <EventData>
-        <Data Name="SubjectUserSid">S-1-5-18</Data>
-        <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
-        <Data Name="SubjectDomainName">WORKGROUP</Data>
-        <Data Name="SubjectLogonId">0x3e7</Data>
-        <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data>
-        <Data Name="TargetUserName">Administrator</Data>
-        <Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data>
-        <Data Name="TargetLogonId">0x8dcdc</Data>
-        <Data Name="LogonType">2</Data>
-        <Data Name="LogonProcessName">User32</Data>
-        <Data Name="AuthenticationPackageName">Negotiate</Data>
-        <Data Name="WorkstationName">WIN-GG82ULGC9GO</Data>
-        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
-        <Data Name="TransmittedServices">-</Data>
-        <Data Name="LmPackageName">-</Data>
-        <Data Name="KeyLength">0</Data>
-        <Data Name="ProcessId">0x44c</Data>
-        <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
-        <Data Name="IpAddress">127.0.0.1</Data>
-        <Data Name="IpPort">0</Data>
-        <Data Name="ImpersonationLevel">%%1833</Data>
-        <Data Name="RestrictedAdminMode">-</Data>
-        <Data Name="TargetOutboundUserName">-</Data>
-        <Data Name="TargetOutboundDomainName">-</Data>
-        <Data Name="VirtualAccount">%%1843</Data>
-        <Data Name="TargetLinkedLogonId">0x0</Data>
-        <Data Name="ElevatedToken">%%1842</Data>
-    </EventData>
-</Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:***
-
-- 0 - Windows Server 2008, Windows Vista.
-
-- 1 - Windows Server 2012, Windows 8.
-
-  - Added "Impersonation Level" field.
-
-- 2 - Windows 10.
-
-    - Added "Logon Information:" section.
-
-    - **Logon Type** moved to "Logon Information:" section.
-
-    - Added "Restricted Admin Mode" field.
-
-    - Added "Virtual Account" field.
-
-    - Added "Elevated Token" field.
-
-    - Added "Linked Logon ID" field.
-
-    - Added "Network Account Name" field.
-
-    - Added "Network Account Domain" field.
-
-***Field Descriptions:***
-
-**Subject:**
-
-- **Security ID** [Type = SID]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-    This field can also contain no subject user information, but the NULL Sid "S-1-0-0" and no user or domain information.
-
-  > [!NOTE]
-  > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it can't ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
-- **Account Name** [Type = UnicodeString]**:** the name of the account that reported information about successful logon.
-
-- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following information:
-
-    - Domain NETBIOS name example: CONTOSO
-
-    - Lowercase full domain name: contoso.local
-
-    - Uppercase full domain name: CONTOSO.LOCAL
-
-    - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
-
-    - For local user accounts, this field contains the name of the computer or device that this account belongs to, for example: `Win81`.
-
-- **Logon ID** [Type = HexInt64]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4672](event-4672.md)(S): Special privileges assigned to new logon."
-
-**Logon Information** [Version 2]**:**
-
-- **Logon Type** [Version 0, 1, 2] [Type = UInt32]**:** the type of logon that happened. The following table contains the list of possible values for this field.
-
-## Logon types and descriptions
-
-| Logon Type | Logon Title         | Description                                                                                                                                                                                                                                                                                                                |
-|:----------:|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|  `0`       | `System`            | Used only by the System account, for example at system startup.                                                                                                                                                                                                                                                            |
-|  `2`       | `Interactive`       | A user logged on to this computer.                                                                                                                                                                                                                                                                                         |
-|  `3`       | `Network`           | A user or computer logged on to this computer from the network.                                                                                                                                                                                                                                                            |
-|  `4`       | `Batch`             | Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention.                                                                                                                                                                                         |
-|  `5`       | `Service`           | The Service Control Manager started a service.                                                                                                                                                                                                                                                                      |
-|  `7`       | `Unlock`            | This workstation was unlocked.                                                                                                                                                                                                                                                                                             |
-|  `8`       | `NetworkCleartext`  | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials don't traverse the network in plaintext (also called cleartext). |
-|  `9`       | `NewCredentials`    | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.                                                                                                                 |
-| `10`       | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop.                                                                                                                                                                                                                                      |
-| `11`       | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller wasn't contacted to verify the credentials.                                                                                                                                                    |
-| `12`       | `CachedRemoteInteractive` | Same as RemoteInteractive. This type is used for internal auditing.                                                                                                                                                                                                                                                        |
-| `13`       | `CachedUnlock` | Workstation logon.                                                                                                                                                                                                                                                                                                             |
-
-- **Restricted Admin Mode** [Version 2] [Type = UnicodeString]**:** Only populated for **RemoteInteractive** logon type sessions. This value is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Windows 8.1 and Windows Server 2012 R2, but this flag was added to the event in Windows 10.
-
-    Reference: <https://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx>.
-
-    If not a **RemoteInteractive** logon, then this value is the string: `-`
-
-- **Virtual Account** [Version 2] [Type = UnicodeString]**:** a "Yes" or "No" flag, which indicates if the account is a virtual account (for example, "[Managed Service Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560633(v=ws.10))"), which was introduced in Windows 7 and Windows Server 2008 R2 to identify the account that a given Service uses, instead of just using "NetworkService".
-
-- **Elevated Token** [Version 2] [Type = UnicodeString]**:** a "Yes" or "No" flag. If "Yes", then the session this event represents is elevated and has administrator privileges.
-
-**Impersonation Level** [Version 1, 2] [Type = UnicodeString]: can have one of these four values:
-
-- SecurityAnonymous (displayed as **empty string**): The server process can't obtain identification information about the client, and it can't impersonate the client. It's defined with no value given, and thus, by ANSI C rules, defaults to a value of zero.
-
-- SecurityIdentification (displayed as "**Identification**"): The server process can obtain information about the client, such as security identifiers and privileges, but it can't impersonate the client. This value is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context.
-
-- SecurityImpersonation (displayed as "**Impersonation**"): The server process can impersonate the client's security context on its local system. The server can't impersonate the client on remote systems. This type is the most common.
-
-- SecurityDelegation (displayed as "**Delegation**"): The server process can impersonate the client's security context on remote systems.
-
-**New Logon:**
-
-- **Security ID** [Type = SID]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-  > [!NOTE]
-  > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
-- **Account Name** [Type = UnicodeString]**:** the name of the account for which logon was performed.
-
-- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following information:
-
-    - Domain NETBIOS name example: CONTOSO
-
-    - Lowercase full domain name: contoso.local
-
-    - Uppercase full domain name: CONTOSO.LOCAL
-
-    - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
-
-    - For local user accounts, this field contains the name of the computer or device that this account belongs to, for example: `Win81`.
-
-- **Logon ID** [Type = HexInt64]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4672](event-4672.md)(S): Special privileges assigned to new logon."
-
-- **Linked Logon ID** [Version 2] [Type = HexInt64]**:** A hexadecimal value of the paired logon session. If there's no other logon session associated with this logon session, then the value is "**0x0**".
-
-- **Network Account Name** [Version 2] [Type = UnicodeString]**:** User name that's used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type.
-
-    If not **NewCredentials** logon, then this value will be the string: `-`
-
-- **Network Account Domain** [Version 2] [Type = UnicodeString]**:** Domain for the user that's used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type.
-
-    If not **NewCredentials** logon, then this value will be the string: `-`
-
-- **Logon GUID** [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, "[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller.
-
-    It also can be used for correlation between a 4624 event and several other events (on the same computer) that can contain the same **Logon GUID**, "[4648](event-4648.md)(S): A logon was attempted using explicit credentials" and "[4964](event-4964.md)(S): Special groups have been assigned to a new logon."
-
-    This parameter might not be captured in the event, and in that case appears as "{00000000-0000-0000-0000-000000000000}".
-
-    > [!NOTE]
-    > **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities, or instances.
-
-**Process Information:**
-
-- **Process ID** [Type = Pointer]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**.
-
-- **Process Name** [Type = UnicodeString]**:** full path and the name of the executable for the process.
-
-**Network Information:**
-
-- **Workstation Name** [Type = UnicodeString]**:** machine name from which a logon attempt was performed.
-
-- **Source Network Address** [Type = UnicodeString]**:** IP address of machine from which logon attempt was performed.
-
-    - IPv6 address or IPv4 address of a client.
-
-    - `::1` or `127.0.0.1` means localhost.
-
-- **Source Port** [Type = UnicodeString]: The source port that was used for logon attempt from remote machine.
-
-    - 0 for interactive logons.
-
-> [!NOTE]
-> The fields for IP address/port and workstation name are populated depending on the authentication context and protocol used. LSASS will audit the information the authenticating service shares with LSASS. For example, network logons with Kerberos likely have no workstation information, and NTLM logons have no TCP/IP details.
-
-**Detailed Authentication Information:**
-
-- **Logon Process** [Type = UnicodeString]**:** the name of the trusted logon process that was used for the logon. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information.
-
-- **Authentication Package** [Type = UnicodeString]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
-
-    - **NTLM** - NTLM-family Authentication
-
-    - **Kerberos** - Kerberos authentication.
-
-    - **Negotiate** - the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it can't be used by one of the systems involved in the authentication or the calling application didn't provide sufficient information to use Kerberos.
-
-- **Transited Services** [Type = UnicodeString] [Kerberos-only]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user - most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see <https://msdn.microsoft.com/library/cc246072.aspx>
-
-- **Package Name (NTLM only)** [Type = UnicodeString]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during logon. Possible values are:
-
-    - "NTLM V1"
-
-    - "NTLM V2"
-
-    - "LM"
-
-        Only populated if "**Authentication Package" = "NTLM"**.
-
-- **Key Length** [Type = UInt32]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically it has 128-bit or 56-bit length. This parameter is always 0 if "**Authentication Package" = "Kerberos"**, because it isn't applicable for Kerberos protocol. This field also has a `0` value if Kerberos was negotiated using **Negotiate** authentication package.
-
-## Security Monitoring Recommendations
-
-For 4624(S): An account was successfully logged on.
-
-| Type of monitoring required | Recommendation |
-|-----------------------------|-------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.       | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts.                                                              |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have nonactive, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used.                                                          |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                     | If this event corresponds to an "allowlist-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allowlist.                                  |
-| **Accounts of different types**: Make sure that certain actions run only by certain account types. For example, local or domain account, machine or user account, or vendor or employee account.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. |
-| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that aren't allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts.                                                |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) shouldn't typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you're concerned about.                             |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions.                                                                                      |
-
-- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **"Subject\\Security ID"** isn't SYSTEM.
-
-- If "**Restricted Admin**" mode must be used for logons by certain accounts, use this event to monitor logons by "**New Logon\\Security ID**" in relation to "**Logon Type**"=10 and "**Restricted Admin Mode**"="Yes". If "**Restricted Admin Mode**"="No" for these accounts, trigger an alert.
-
-- If you need to monitor all logon events for accounts with administrator privileges, monitor this event with "**Elevated Token**"="Yes".
-
-- If you need to monitor all logon events for managed service accounts and group managed service accounts, monitor for events with "**Virtual Account**"="Yes".
-
-- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event.
-
-- If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
-
-    - If the user account **"New Logon\\Security ID"** should never be used to log on from the specific **Computer:**.
-
-    - If **New Logon\\Security ID** credentials shouldn't be used from **Workstation Name** or **Source Network Address**.
-
-    - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses.
-
-    - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** doesn't equal **NTLM V2**.
-
-    - If NTLM isn't used in your organization, or shouldn't be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM.
-
-    - If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
-
-- If you monitor for potentially malicious software, or software that isn't authorized to request logon actions, monitor this event for **Process Name**.
-
-- If you have a trusted logon processes list, monitor for a **Logon Process** that isn't from the list.
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
deleted file mode 100644
index 0cb398d228..0000000000
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ /dev/null
@@ -1,270 +0,0 @@
----
-title: 4625(F) An account failed to log on. 
-description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 01/03/2022
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.collection: 
-  - highpri
-  - tier3
-ms.topic: reference
----
-
-# 4625(F): An account failed to log on.
-
-
-<img src="images/event-4625.png" alt="Event 4625 illustration" width="449" height="780" hspace="10" align="top" />
-
-***Subcategories:***&nbsp;[Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md)
-
-***Event Description:***
-
-This event is logged for any logon failure.
-
-It generates on the computer where logon attempt was made, for example, if logon attempt was made on user's workstation, then event will be logged on this workstation.
-
-This event generates on domain controllers, member servers, and workstations.
-
-> [!NOTE]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4625</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12546</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" /> 
- <EventRecordID>229977</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="3240" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="TargetUserSid">S-1-0-0</Data> 
- <Data Name="TargetUserName">Auditor</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="Status">0xc0000234</Data> 
- <Data Name="FailureReason">%%2307</Data> 
- <Data Name="SubStatus">0x0</Data> 
- <Data Name="LogonType">2</Data> 
- <Data Name="LogonProcessName">User32</Data> 
- <Data Name="AuthenticationPackageName">Negotiate</Data> 
- <Data Name="WorkstationName">DC01</Data> 
- <Data Name="TransmittedServices">-</Data> 
- <Data Name="LmPackageName">-</Data> 
- <Data Name="KeyLength">0</Data> 
- <Data Name="ProcessId">0x1bc</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data> 
- <Data Name="IpAddress">127.0.0.1</Data> 
- <Data Name="IpPort">0</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-    > [!NOTE]
-    > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Here are some examples of formats:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
-
--   **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. "Table 11. Windows Logon Types" contains the list of possible values for this field.
-
-
-    <span id="_Ref433822321" class="anchor"></span>**Table 11: Windows Logon Types**
-
-    | <span id="Windows_Logon_Types" class="anchor"></span>Logon Type | Logon Title       | Description                                                                                                                                                                                                                                                                                                                |
-    |-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-    | 2                                                               | Interactive       | A user logged on to this computer.                                                                                                                                                                                                                                                                                         |
-    | 3                                                               | Network           | A user or computer logged on to this computer from the network.                                                                                                                                                                                                                                                            |
-    | 4                                                               | Batch             | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.                                                                                                                                                                                         |
-    | 5                                                               | Service           | A service was started by the Service Control Manager.                                                                                                                                                                                                                                                                      |
-    | 7                                                               | Unlock            | This workstation was unlocked.                                                                                                                                                                                                                                                                                             |
-    | 8                                                               | NetworkCleartext  | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
-    | 9                                                               | NewCredentials    | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.                                                                                                                 |
-    | 10                                                              | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.                                                                                                                                                                                                                                      |
-    | 11                                                              | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.                                                                                                                                                    |
-
-
-**Account For Which Logon Failed:**
-
--   **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-    > [!NOTE]
-    > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.
-
--   **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Here are some examples of formats:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
-
-**Failure Information:**
-
--   **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has "**Account locked out**" value.
-
--   **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has "**0xC0000234**" value.
-
--   **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure.
-
-> [!NOTE]
-> For more information about various Status or Sub Status codes, see [NTSTATUS Values](/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55).
-
-**Process Information:**
-
--   **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):<br/><br/>
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**.
-
--   **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Network Information:**
-
--   **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed.
-
--   **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
-
-    -   IPv6 address or ::ffff:IPv4 address of a client.
-
-    -   ::1 or 127.0.0.1 means localhost.
-
--   **Source Port** \[Type = UnicodeString\]: source port that was used for logon attempt from remote machine.
-
-    -   0 for interactive logons.
-
-**Detailed Authentication Information:**
-
--   **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information.
-
--   **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
-
-    -   **NTLM** – NTLM-family Authentication
-
-    -   **Kerberos** – Kerberos authentication.
-
-    -   **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
-
--   **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see <https://msdn.microsoft.com/library/cc246072.aspx>
-
--   **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during the logon attempt. Possible values are:
-
-    -   "NTLM V1"
-
-    -   "NTLM V2"
-
-    -   "LM"
-
-        Only populated if "**Authentication Package" = "NTLM"**.
-
--   **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have "0" value if Kerberos was negotiated using **Negotiate** authentication package.
-
-## Security Monitoring Recommendations
-
-For 4625(F): An account failed to log on.
-
-> [!IMPORTANT]
-> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value.
-
--   You can monitor to see if "**Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
-<!-- -->
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**."
-
--   If **Subject\\Account Name** is a name of service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for **Account For Which Logon Failed\\Security ID**.
-
--   To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event.
-
--   If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **"Subject\\Security ID"** that corresponds to the account.
-
--   We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.
-
--   We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. Monitoring is especially relevant for critical servers, administrative workstations, and other high value assets.
-
--   If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
-
-    -   If the **"Account For Which Logon Failed \\Security ID"** should never be used to log on from the specific **Network Information\\Workstation Name**.
-
-    -   If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses.
-
-    -   If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**.
-
-    -   If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM.
-
-    -   If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
-
-    -   If **Logon Process** is not from a trusted logon processes list.
-
--   Monitor for all events with the fields and values in the following table:
-
-    |  Field                                                                         | Value to monitor for                                                                                                                                                                                |
-    |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E – "There are currently no logon servers available to service the logon request." <br>This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 – "User logon with misspelled or bad user account". <br>Especially if you get several of these events in a row, it can be a sign of a user enumeration attack.                             |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A – "User logon with misspelled or bad password" for critical accounts or service accounts. <br>Especially watch for a number of such events in a row.                               |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D – "This is either due to a bad username or authentication information" for critical accounts or service accounts. <br>Especially watch for a number of such events in a row.       |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F – "User logon outside authorized hours".                                                                                                                                                 |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 – "User logon from unauthorized workstation".                                                                                                                                            |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 – "User logon to account disabled by administrator".                                                                                                                                     |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B – "The user has not been granted the requested logon type (aka logon right) at this machine".                                                                                            |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 – "An attempt was made to logon, but the Netlogon service was not started". <br>This issue is typically not a security issue but it can be an infrastructure or availability issue.      |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 – "User logon with expired account".                                                                                                                                                     |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 – "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine".                     |
diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md
deleted file mode 100644
index 3e4a81e7d5..0000000000
--- a/windows/security/threat-protection/auditing/event-4626.md
+++ /dev/null
@@ -1,181 +0,0 @@
----
-title: 4626(S) User/Device claims information. 
-description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4626(S): User/Device claims information.
-
-
-<img src="images/event-4626.png" alt="Event 4626 illustration" width="549" height="771" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User/Device Claims](audit-user-device-claims.md)
-
-***Event Description:***
-
-This event generates for new account logons and contains user/device claims which were associated with a new logon session.
-
-This event does not generate if the user/device doesn’t have claims.
-
-For computer account logons you will also see device claims listed in the “**User Claims**” field.
-
-You will typically get “[4624](event-4624.md): An account was successfully logged on” and after it a 4626 event with the same information in **Subject**, **Logon Type** and **New Logon** sections.
-
-This event generates on the computer to which the logon was performed (target computer). For example, for Interactive logons it will be the same computer.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4626</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12553</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-10T00:12:02.243396300Z" /> 
- <EventRecordID>232648</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="1092" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-0-0</Data> 
- <Data Name="SubjectUserName">-</Data> 
- <Data Name="SubjectDomainName">-</Data> 
- <Data Name="SubjectLogonId">0x0</Data> 
- <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x136f7b</Data> 
- <Data Name="LogonType">3</Data> 
- <Data Name="EventIdx">1</Data> 
- <Data Name="EventCountTotal">1</Data> 
- <Data Name="UserClaims">ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" ad://ext/Department:88d16a8edaa8c66b <%%1818> : "IT"</Data> 
- <Data Name="DeviceClaims">-</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2012, Windows 8.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that reported information about claims. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about claims.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field:
-
-| Logon Type | Logon Title       | Description                                                                                                                                                                                                                                                                                                                |
-|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 2          | Interactive       | A user logged on to this computer.                                                                                                                                                                                                                                                                                         |
-| 3          | Network           | A user or computer logged on to this computer from the network.                                                                                                                                                                                                                                                            |
-| 4          | Batch             | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.                                                                                                                                                                                         |
-| 5          | Service           | A service was started by the Service Control Manager.                                                                                                                                                                                                                                                                      |
-| 7          | Unlock            | This workstation was unlocked.                                                                                                                                                                                                                                                                                             |
-| 8          | NetworkCleartext  | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
-| 9          | NewCredentials    | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.                                                                                                                 |
-| 10         | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.                                                                                                                                                                                                                                      |
-| 11         | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.                                                                                                                                                    |
-
-**New Logon:**
-
--   **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Event in sequence** \[Type = UInt32\]**: I**f is there is not enough space in one event to put all claims, you will see “**1 of N**” in this field and additional events will be generated. Typically this field has “**1 of 1**” value.
-
-**User Claims** \[Type = UnicodeString\]**:** list of user claims for new logon session. This field contains user claims if user account was logged in and device claims if computer account was logged in. Here is an example how to parse the entrance of this field:
-
--   ad://ext/cn:88d2b96fdb2b4c49 &lt;String&gt; : “dadmin”
-
-    -   cn – claim display name.
-
-    -   88d2b96fdb2b4c49 – unique claim ID.
-
-    -   &lt;String&gt; - claim type.
-
-    -   “dadmin” – claim value.
-
-**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value<b>.</b> For computer accounts this field has device claims listed.
-
-## Security Monitoring Recommendations
-
-For 4626(S): User/Device claims information.
-
--   <span id="Reccomendations_Subject_NULLSID" class="anchor"></span>Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”.
-
--   If you need to monitor account logons with specific claims, you can monitor for [4626](event-4626.md) and check **User Claims**\\**Device Claims** fields.
-
--   If you have specific requirements, such as:
-
-    -   Users with specific claims should not access specific computers;
-
-    -   Computer account should not have specific claims;
-
-    -   User account should not have specific claims;
-
-    -   Claim should not be empty
-
-    -   And so on…
-
-        You can monitor for [4626](event-4626.md) and check **User Claims**\\**Device Claims** fields.
-
--   If you need to monitor computer/user logon attempts only and you don’t need information about claims, then it is better to monitor “[4624](event-4624.md): An account was successfully logged on.”
-
diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md
deleted file mode 100644
index bb08d6bfd0..0000000000
--- a/windows/security/threat-protection/auditing/event-4627.md
+++ /dev/null
@@ -1,158 +0,0 @@
----
-title: 4627(S) Group membership information. 
-description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4627(S): Group membership information.
-
-
-<img src="images/event-4627.png" alt="Event 4627 illustration" width="554" height="896" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Group Membership](audit-group-membership.md)
-
-***Event Description:***
-
-This event generates with “[4624](event-4624.md)(S): An account was successfully logged on” and shows the list of groups that the logged-on account belongs to.
-
-You must also enable the Success audit for [Audit Logon](audit-logon.md) subcategory to get this event.
-
-Multiple events are generated if the group membership information cannot fit in a single security audit event.
-
-> [!NOTE]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-
-```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4627</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12554</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-12T03:51:25.843673000Z" /> 
- <EventRecordID>3081</EventRecordID> 
- <Correlation ActivityID="{913FBE70-1CE6-0000-67BF-3F91E61CD101}" /> 
- <Execution ProcessID="736" ThreadID="808" /> 
- <Channel>Security</Channel> 
- <Computer>WIN-GG82ULGC9GO.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-0-0</Data> 
- <Data Name="SubjectUserName">-</Data> 
- <Data Name="SubjectDomainName">-</Data> 
- <Data Name="SubjectLogonId">0x0</Data> 
- <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data> 
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x569860</Data> 
- <Data Name="LogonType">3</Data> 
- <Data Name="EventIdx">1</Data> 
- <Data Name="EventCountTotal">1</Data> 
- <Data Name="GroupMembership">%{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-1377283216-344919071-3415362939-512} %{S-1-5-21-1377283216-344919071-3415362939-572} %{S-1-5-64-10} %{S-1-16-12288}</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2016, Windows 10.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-    > [!NOTE]
-    >  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon or invokes it.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
-
--   **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field:
-
-| Logon Type | Logon Title | Description |
-|------------|-------------------|----------------------|
-| 2          | Interactive       | A user logged on to this computer.                                                                                                                                                                                                                                                                                         |
-| 3          | Network           | A user or computer logged on to this computer from the network.                                                                                                                                                                                                                                                            |
-| 4          | Batch             | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.                                                                                                                                                                                         |
-| 5          | Service           | A service was started by the Service Control Manager.                                                                                                                                                                                                                                                                      |
-| 7          | Unlock            | This workstation was unlocked.                                                                                                                                                                                                                                                                                             |
-| 8          | NetworkCleartext  | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
-| 9          | NewCredentials    | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.                                                                                                                 |
-| 10         | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.                                                                                                                                                                                                                                      |
-| 11         | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.                                                                                                                                                    |
-
-**New Logon:**
-
--   **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-    > [!NOTE]
-    > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
-
-**Event in sequence** \[Type = UInt32\]**: I**f is there is not enough space in one event to put all groups, you will see “**1 of N**” in this field and additional events will be generated. Typically this field has “**1 of 1**” value.
-
-**Group Membership** \[Type = UnicodeString\]**:** the list of group SIDs which logged account belongs to (member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-## Security Monitoring Recommendations
-
-For 4627(S): Group membership information.
-
-> [!IMPORTANT]
-> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”.
-
-<!-- -->
-
--   If you need to track that a member of a specific group logged on to a computer, check the “**Group Membership**” field.
-
diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md
deleted file mode 100644
index 6d1dd284e6..0000000000
--- a/windows/security/threat-protection/auditing/event-4634.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-title: 4634(S) An account was logged off. 
-description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4634(S): An account was logged off.
-
-
-<img src="images/event-4634.png" alt="Event 4634 illustration" width="449" height="431" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Logoff](audit-logoff.md)
-
-***Event Description:***
-
-This event shows that logon session was terminated and no longer exists.
-
-The main difference between “[4647](event-4647.md): User initiated logoff.” and 4634 event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
-
-4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.
-
-It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4634</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12545</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-09T02:27:57.877205900Z" /> 
- <EventRecordID>230019</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="832" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserSid">S-1-5-90-1</Data> 
- <Data Name="TargetUserName">DWM-1</Data> 
- <Data Name="TargetDomainName">Window Manager</Data> 
- <Data Name="TargetLogonId">0x1a0992</Data> 
- <Data Name="LogonType">2</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was logged off. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that was logged off.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Logon Type** \[Type = UInt32\]**:** the type of logon which was used. The table below contains the list of possible values for this field:
-
-| Logon Type | Logon Title       | Description                                                                                                                                                                                                                                                                                                                |
-|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 2          | Interactive       | A user logged on to this computer.                                                                                                                                                                                                                                                                                         |
-| 3          | Network           | A user or computer logged on to this computer from the network.                                                                                                                                                                                                                                                            |
-| 4          | Batch             | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.                                                                                                                                                                                         |
-| 5          | Service           | A service was started by the Service Control Manager.                                                                                                                                                                                                                                                                      |
-| 7          | Unlock            | This workstation was unlocked.                                                                                                                                                                                                                                                                                             |
-| 8          | NetworkCleartext  | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
-| 9          | NewCredentials    | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.                                                                                                                 |
-| 10         | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.                                                                                                                                                                                                                                      |
-| 11         | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.                                                                                                                                                    |
-
-## Security Monitoring Recommendations
-
-For 4634(S): An account was logged off.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If a particular **Logon Type** should not be used by a particular account (for example if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor this event for such actions.
-
diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md
deleted file mode 100644
index d7ba93610b..0000000000
--- a/windows/security/threat-protection/auditing/event-4647.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-title: 4647(S) User initiated logoff. 
-description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4647(S): User initiated logoff.
-
-
-<img src="images/event-4647.png" alt="Event 4647 illustration" width="449" height="392" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Logoff](audit-logoff.md)
-
-***Event Description:***
-
-This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
-
-The main difference with “[4634](event-4634.md)(S): An account was logged off.” event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
-
-4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.
-
-It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4647</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12545</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-09T03:08:39.126890800Z" /> 
- <EventRecordID>230200</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="3864" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x29b379</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “logoff” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “logoff” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-## Security Monitoring Recommendations
-
-For 4647(S): User initiated logoff.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md
deleted file mode 100644
index bd172bb754..0000000000
--- a/windows/security/threat-protection/auditing/event-4648.md
+++ /dev/null
@@ -1,195 +0,0 @@
----
-title: 4648(S) A logon was attempted using explicit credentials. 
-description: Describes security event 4648(S) A logon was attempted using explicit credentials.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4648(S): A logon was attempted using explicit credentials.
-
-
-<img src="images/event-4648.png" alt="Event 4648 illustration" width="486" height="663" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Logon](audit-logon.md)
-
-***Event Description:***
-
-This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.
-
-This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.
-
-It is also a routine event which periodically occurs during normal operating system activity.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4648</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12544</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-10T02:54:50.771459000Z" /> 
- <EventRecordID>233200</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="1116" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x31844</Data> 
- <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> 
- <Data Name="TargetUserName">ladmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonGuid">{0887F1E4-39EA-D53C-804F-31D568A06274}</Data> 
- <Data Name="TargetServerName">localhost</Data> 
- <Data Name="TargetInfo">localhost</Data> 
- <Data Name="ProcessId">0x368</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data> 
- <Data Name="IpAddress">::1</Data> 
- <Data Name="IpPort">0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the new logon session with explicit credentials. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the new logon session with explicit credentials.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
--   **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller.
-
-    It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4624](event-4624.md)(S): An account was successfully logged on” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.”
-
-    This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
-**Account Whose Credentials Were Used:**
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account whose credentials were used.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller.
-
-    It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4624](event-4624.md)(S): An account was successfully logged on” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.”
-
-    This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
-**Target Server:**
-
--   **Target Server Name** \[Type = UnicodeString\]**:** the name of the server on which the new process was run. Has “**localhost**” value if the process was run locally.
-
--   **Additional Information** \[Type = UnicodeString\]**:** there is no detailed information about this field in this document.
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was run using explicit credentials. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Network Information:**
-
--   **Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
-
-    -   IPv6 address or ::ffff:IPv4 address of a client.
-
-    -   ::1 or 127.0.0.1 means localhost.
-
--   **Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
-
-    -   0 for interactive logons.
-
-## Security Monitoring Recommendations
-
-For 4648(S): A logon was attempted using explicit credentials.
-
-The following table is similar to the table in [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md), but also describes ways of monitoring that use “**Account Whose Credentials Were Used\\Security ID.**”
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                                                                                                                                                                                                                   |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.<br>Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts.                                                                                                                                                                                              |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used.                                                                                                                               |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used.                                                                                                                                                                                          |
-| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events.                                                                                                                                                                    | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list.                                                                                                                                                                |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event.                                                                                                                                       | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                        |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.<br>For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that don’t comply with naming conventions.                                                                                                                                                                                                                  |
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
-<!-- -->
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
--   If **Subject\\Security ID** should not know or use credentials for **Account Whose Credentials Were Used\\Account Name**, monitor this event.
-
--   If credentials for **Account Whose Credentials Were Used\\Account Name** should not be used from **Network Information\\Network Address**, monitor this event.
-
--   Check that **Network Information\\Network Address** is from internal IP address list. For example, if you know that a specific account (for example, a service account) should be used only from specific IP addresses, you can monitor for all events where **Network Information\\Network Address** is not one of the allowed IP addresses.
-
diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md
deleted file mode 100644
index 81ceab6ec4..0000000000
--- a/windows/security/threat-protection/auditing/event-4649.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: 4649(S) A replay attack was detected. 
-description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4649(S): A replay attack was detected.
-
-
-This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client.
-
-Domain controllers cache information from recently received tickets. If the server name, client name, time, and microsecond fields from the Authenticator match recently seen entries in the cache, it will return KRB\_AP\_ERR\_REPEAT. You can read more about this in [RFC-1510](http://www.ietf.org/rfc/rfc1510.txt). One potential cause for this is a misconfigured network device between the client and server that could send the same packet(s) repeatedly.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-
-***Event Schema:***
-
-*A replay attack was detected.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Credentials Which Were Replayed:*
-
-> *Account Name:%5*
->
-> *Account Domain:%6*
-
-*Process Information:*
-
-> *Process ID:%12*
->
-> *Process Name:%13*
-
-*Network Information:*
-
-> *Workstation Name:%10*
-
-*Detailed Authentication Information:*
-
-> *Request Type:%7*
->
-> *Logon Process:%8*
->
-> *Authentication Package:%9*
->
-> *Transited Services:%11*
-
-*This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration."*
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 4649(S): A replay attack was detected.
-
--   This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems. In both cases, we recommend triggering an alert and investigating the reason the event was generated.
-
diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md
deleted file mode 100644
index 8441566c4f..0000000000
--- a/windows/security/threat-protection/auditing/event-4656.md
+++ /dev/null
@@ -1,277 +0,0 @@
----
-title: 4656(S, F) A handle to an object was requested. 
-description: Describes security event 4656(S, F) A handle to an object was requested.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4656(S, F): A handle to an object was requested.
-
-
-<img src="images/event-4656.png" alt="Event 4656 illustration" width="764" height="895"/>
-
-***Subcategories:***&nbsp;[Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
-
-***Event Description:***
-
-This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
-
-If access was declined, a Failure event is generated.
-
-This event generates only if the object’s [SACL](/windows/win32/secauthz/access-control-lists) has the required ACE to handle the use of specific access rights.
-
-This event shows that access was requested, and the results of the request, but it doesn’t show that the operation was performed. To see that the operation was performed, check “[4663](event-4663.md)(S): An attempt was made to access an object.”
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-***Event XML***:
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4656</EventID> 
- <Version>1</Version> 
- <Level>0</Level> 
- <Task>12800</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" /> 
- <EventRecordID>274057</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x4367b</Data> 
- <Data Name="ObjectServer">Security</Data> 
- <Data Name="ObjectType">File</Data> 
- <Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data> 
- <Data Name="HandleId">0x0</Data> 
- <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data> 
- <Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data> 
- <Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data> 
- <Data Name="AccessMask">0x12019f</Data> 
- <Data Name="PrivilegeList">-</Data> 
- <Data Name="RestrictedSidCount">0</Data> 
- <Data Name="ProcessId">0x1074</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data> 
- <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:***
-
--   0 - Windows Server 2008, Windows Vista.
-
--   1 - Windows Server 2012, Windows 8.
-
-    -   Added “Resource Attributes” field.
-
-    -   Added “Access Reasons” field.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested a handle to an object.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device       |
-|-------------------------|--------------|----------------------|--------------|
-| Mutant                  | Type         | File                 | Token        |
-| Thread                  | Section      | WindowStation        | DebugObject  |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion |
-| Controller              | SymbolicLink | WmiGuid              | Process      |
-| Profile                 | Desktop      | KeyedEvent           | Adapter      |
-| Key                     | WaitablePort | Callback             | Semaphore    |
-| Job                     | Port         | FilterConnectionPort | ALPC Port    |
-
--   **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
-
--   **Resource Attributes** \[Type = UnicodeString\] \[Version 1\]: attributes associated with the object. For some objects, the field does not apply and “-“ is displayed.
-
-    For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))
-
-    -   Impact\_MS: Resource Property ***ID***.
-
-    -   3000: Recourse Property ***Value***.
-
-<img src="images/impact-property.png" alt="Impact property illustration" width="886" height="592" />
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Access Request Information:**
-
--   **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
-
-    This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.
-
-| <span id="File_system_objects_access_rights" class="anchor"></span>Access             | Hexadecimal Value,<br>Schema Value  | Description    |
-|---------------------------------------------------------------------------------------|-------------------------------------|----------------|
-| ReadData (or ListDirectory)<br><br>(For registry objects, this is “Query key value.”) | 0x1,<br>%%4416                | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.<br>**ListDirectory -** For a directory, the right to list the contents of the directory.                                                                                     |
-| WriteData (or AddFile)<br><br>(For registry objects, this is “Set key value.”)        | 0x2,<br>%%4417                | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).<br>**AddFile -** For a directory, the right to create a file in the directory.                                                                                         |
-| AppendData (or AddSubdirectory or CreatePipeInstance)                                 | 0x4,<br>%%4418                | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**). <br>**AddSubdirectory -** For a directory, the right to create a subdirectory.<br>**CreatePipeInstance -** For a named pipe, the right to create a pipe.                                                                                                                                                                                                                                                              |
-| ReadEA<br>(For registry objects, this is “Enumerate sub-keys.”)                       | 0x8,<br>%%4419                | The right to read extended file attributes.                                                                                                           |
-| WriteEA                                                                               | 0x10,<br>%%4420               | The right to write extended file attributes.                                                                                                          |
-| Execute/Traverse                                                                      | 0x20,<br>%%4421               | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.<br>**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**&thinsp; [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**&thinsp; [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information.                                                                                      |
-| DeleteChild                                                                            | 0x40,<br>%%4422              | For a directory, the right to delete a directory and all the files it contains, including read-only files.                                                                                                                                                        |
-| ReadAttributes                                                                         | 0x80,<br>%%4423              | The right to read file attributes.                                                                                                                    |
-| WriteAttributes                                                                        | 0x100,<br>%%4424             | The right to write file attributes.                                                                                                                   |
-| DELETE                                                                                 | 0x10000,<br>%%1537           | The right to delete the object.                                                                                                                       |
-| READ\_CONTROL                                                                          | 0x20000,<br>%%1538           | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).                                                                                                                                                                                              |
-| WRITE\_DAC                                                                             | 0x40000,<br>%%1539           | The right to modify the discretionary access control list (DACL) in the object's security descriptor.                                                                                                                                                                      |
-| WRITE\_OWNER                                                                           | 0x80000,<br>%%1540           | The right to change the owner in the object's security descriptor                                                                                                                                                                                              |
-| SYNCHRONIZE                                                                            | 0x100000,<br>%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.                                                                                                                                                                         |
-| ACCESS\_SYS\_SEC                                                                       | 0x1000000,<br>%%1542         | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor.                                         |
-
-> <span id="_Ref433973578" class="anchor"></span>Table 14. File System objects access rights.
-
--   **Access Reasons** \[Type = UnicodeString\] \[Version 1\]: the list of access check results. The format of this varies, depending on the object. For kernel objects, this field does not apply.
-
--   **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table.
-
-<!-- -->
-
--   **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:
-
-| Privilege Name                  | User Right Group Policy Name                                   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege   | Replace a process-level token                                  | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeAuditPrivilege                | Generate security audits                                       | With this privilege, the user can add entries to the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeBackupPrivilege               | Back up files and directories                                  | -   Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE                                                                                                                |
-| SeChangeNotifyPrivilege         | Bypass traverse checking                                       | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeCreateGlobalPrivilege         | Create global objects                                          | Required to create named file mapping objects in the global namespace during Terminal Services sessions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| SeCreatePagefilePrivilege       | Create a pagefile                                              | With this privilege, the user can create and change the size of a pagefile.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| SeCreatePermanentPrivilege      | Create permanent shared objects                                | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeCreateSymbolicLinkPrivilege   | Create symbolic links                                          | Required to create a symbolic link.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeCreateTokenPrivilege          | Create a token object                                          | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeDebugPrivilege                | Debug programs                                                 | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeEnableDelegationPrivilege     | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set.                                                                                                                                                                                                                      |
-| SeImpersonatePrivilege          | Impersonate a client after authentication                      | With this privilege, the user can impersonate other accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| SeIncreaseBasePriorityPrivilege | Increase scheduling priority                                   | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| SeIncreaseQuotaPrivilege        | Adjust memory quotas for a process                             | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeIncreaseWorkingSetPrivilege   | Increase a process working set                                 | Required to allocate more memory for applications that run in the context of users.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeLoadDriverPrivilege           | Load and unload device drivers                                 | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeLockMemoryPrivilege           | Lock pages in memory                                           | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeMachineAccountPrivilege       | Add workstations to domain                                     | With this privilege, the user can create a computer account.<br>This privilege is valid only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeManageVolumePrivilege         | Perform volume maintenance tasks                               | Required to run maintenance tasks on a volume, such as remote defragmentation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeProfileSingleProcessPrivilege | Profile single process                                         | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeRelabelPrivilege              | Modify an object label                                         | Required to modify the mandatory integrity level of an object.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeRemoteShutdownPrivilege       | Force shutdown from a remote system                            | Required to shut down a system using a network request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| SeRestorePrivilege              | Restore files and directories                                  | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| SeSecurityPrivilege             | Manage auditing and security log                               | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.<br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.<br>A user with this privilege can also view and clear the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeShutdownPrivilege             | Shut down the system                                           | Required to shut down a local system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeSyncAgentPrivilege            | Synchronize directory service data                             | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeSystemEnvironmentPrivilege    | Modify firmware environment values                             | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeSystemProfilePrivilege        | Profile system performance                                     | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| SeSystemtimePrivilege           | Change the system time                                         | Required to modify the system time.<br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTakeOwnershipPrivilege        | Take ownership of files or other objects                       | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.<br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTcbPrivilege                  | Act as part of the operating system                            | This privilege identifies its holder as part of the trusted computer base.<br>This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTimeZonePrivilege             | Change the time zone                                           | Required to adjust the time zone associated with the computer's internal clock.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller                  | Required to access Credential Manager as a trusted caller.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeUndockPrivilege               | Remove computer from docking station                           | Required to undock a laptop.<br>With this privilege, the user can undock a portable computer from its docking station without logging on.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeUnsolicitedInputPrivilege     | Not applicable                                                 | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-
--   **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](/windows/win32/api/securitybaseapi/nf-securitybaseapi-createrestrictedtoken) in the token. Applicable to only specific **Object Types**.
-
-## Security Monitoring Recommendations
-
-For 4656(S, F): A handle to an object was requested.
-
-For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
-
-For other types of objects, the following recommendations apply.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
-<!-- -->
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
--   If **Object Name** is a sensitive or critical object for which you need to monitor any access attempt, monitor all [4656](event-4656.md) events.
-
--   If **Object Name** is a sensitive or critical object for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4656](event-4656.md) events with the corresponding **Access Request Information\\Accesses** values.
-
--   If you need to monitor files and folders with specific Resource Attribute values, monitor for all [4656](event-4656.md) events with specific **Resource Attributes** field values.
-
-    For file system objects, we recommend that you monitor these **Access Request Information\\Accesses** rights (especially for Failure events):
-
-    -   WriteData (or AddFile)
-
-    -   AppendData (or AddSubdirectory or CreatePipeInstance)
-
-    -   WriteEA
-
-    -   DeleteChild
-
-    -   WriteAttributes
-
-    -   DELETE
-
-    -   WRITE\_DAC
-
-    -   WRITE\_OWNER
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
deleted file mode 100644
index c6279c1fa1..0000000000
--- a/windows/security/threat-protection/auditing/event-4657.md
+++ /dev/null
@@ -1,179 +0,0 @@
----
-title: 4657(S) A registry value was modified. 
-description: Describes security event 4657(S) A registry value was modified. This event is generated when a registry key value is modified.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4657(S): A registry value was modified.
-
-
-<img src="images/event-4657.png" alt="Event 4657 illustration" width="449" height="570" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Registry](audit-registry.md)
-
-***Event Description:***
-
-This event generates when a registry key ***value*** was modified. It doesn’t generate when a registry key was modified.
-
-This event generates only if “Set Value" auditing is set in registry key’s [SACL](/windows/win32/secauthz/access-control-lists).
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4657</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12801</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-24T01:28:43.639634100Z" /> 
- <EventRecordID>744725</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="4824" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x364eb</Data> 
- <Data Name="ObjectName">\\REGISTRY\\MACHINE</Data> 
- <Data Name="ObjectValueName">Name\_New</Data> 
- <Data Name="HandleId">0x54</Data> 
- <Data Name="OperationType">%%1905</Data> 
- <Data Name="OldValueType">%%1873</Data> 
- <Data Name="OldValue" /> 
- <Data Name="NewValueType">%%1873</Data> 
- <Data Name="NewValue">Andrei</Data> 
- <Data Name="ProcessId">0xce4</Data> 
- <Data Name="ProcessName">C:\\Windows\\regedit.exe</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “modify registry value” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify registry value” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object:**
-
--   **Object Name** \[Type = UnicodeString\]: full path and name of the registry key which value was modified. The format is: \\REGISTRY\\HIVE\\PATH where:
-
-    -   HIVE:
-
-        -   HKEY\_LOCAL\_MACHINE = \\REGISTRY\\MACHINE
-
-        -   HKEY\_CURRENT\_USER = \\REGISTRY\\USER\\\[USER\_SID\], where \[USER\_SID\] is the SID of current user.
-
-        -   HKEY\_CLASSES\_ROOT = \\REGISTRY\\MACHINE\\SOFTWARE\\Classes
-
-        -   HKEY\_USERS = \\REGISTRY\\USER
-
-        -   HKEY\_CURRENT\_CONFIG = \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\Current
-
-    -   PATH – path to the registry key.
-
--   **Object Value Name** \[Type = UnicodeString\]**:** the name of modified registry key value.
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4656](event-4656.md): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
-
--   **Operation Type** \[Type = UnicodeString\]**:** the type of performed operation with registry key value. Most common operations are:
-
-    -   New registry value created
-
-    -   Registry value deleted
-
-    -   Existing registry value modified
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the registry key value was modified. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Change Information:**
-
--   **Old Value Type** \[Type = UnicodeString\]**:** old type of changed registry key value. Registry key value types:
-
-| Value Type      | Description             |
-|-----------------|-------------------------|
-| REG\_SZ         | String                  |
-| REG\_BINARY     | Binary                  |
-| REG\_DWORD      | DWORD (32-bit) Value    |
-| REG\_QWORD      | QWORD (64-bit) Value    |
-| REG\_MULTI\_SZ  | Multi-String Value      |
-| REG\_EXPAND\_SZ | Expandable String Value |
-
--   **Old Value** \[Type = UnicodeString\]: old value for changed registry key value.
-
--   **New Value Type** \[Type = UnicodeString\]**:** new type of changed registry key value. See table above for possible values.
-
--   **New Value** \[Type = UnicodeString\]: new value for changed registry key value.
-
-## Security Monitoring Recommendations
-
-For 4657(S): A registry value was modified.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
-<!-- -->
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
--   If **Object Name** is a sensitive or critical registry key for which you need to monitor any modification of its values, monitor all [4657](event-4657.md) events.
-
--   If **Object Name** has specific values (**Object Value Name**) and you need to monitor modifications of these values, monitor for all [4657](event-4657.md) events.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md
deleted file mode 100644
index 346730e603..0000000000
--- a/windows/security/threat-protection/auditing/event-4658.md
+++ /dev/null
@@ -1,133 +0,0 @@
----
-title: 4658(S) The handle to an object was closed. 
-description: Describes security event 4658(S) The handle to an object was closed. This event is generated when the handle to an object is closed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4658(S): The handle to an object was closed.
-
-
-<img src="images/event-4658.png" alt="Event 4658 illustration" width="449" height="463" hspace="10" align="left" />
-
-***Subcategories:***&nbsp;[Audit File System](audit-file-system.md), [Audit Handle Manipulation](audit-handle-manipulation.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
-
-***Event Description:***
-
-This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
-
-This event generates only if Success auditing is enabled for [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory.
-
-Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4658</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12800</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" /> 
- <EventRecordID>276724</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="5056" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x4367b</Data> 
- <Data Name="ObjectServer">Security</Data> 
- <Data Name="HandleId">0x18a8</Data> 
- <Data Name="ProcessId">0xef0</Data> 
- <Data Name="ProcessName">C:\\Windows\\explorer.exe</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “close object’s handle” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “close object’s handle” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that requested that the handle be closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-## Security Monitoring Recommendations
-
-For 4658(S): The handle to an object was closed.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
-
--   This event can be used to track all actions or operations related to a specific object handle.
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
-<!-- -->
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md
deleted file mode 100644
index 820e2eed6f..0000000000
--- a/windows/security/threat-protection/auditing/event-4660.md
+++ /dev/null
@@ -1,133 +0,0 @@
----
-title: 4660(S) An object was deleted. 
-description: Describes security event 4660(S) An object was deleted. This event is generated when an object is deleted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4660(S): An object was deleted.
-
-
-<img src="images/event-4660.png" alt="Event 4660 illustration" width="449" height="477" hspace="10" align="left" />
-
-***Subcategories:***&nbsp;[Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), and [Audit Registry](audit-registry.md)
-
-***Event Description:***
-
-This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
-
-This event generates only if “Delete" auditing is set in object’s [SACL](/windows/win32/secauthz/access-control-lists).
-
-This event doesn’t contain the name of the deleted object (only the **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object” with DELETE access to track object deletion.
-
-The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4660</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12800</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" /> 
- <EventRecordID>270188</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="3060" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x4367b</Data> 
- <Data Name="ObjectServer">Security</Data> 
- <Data Name="HandleId">0x1678</Data> 
- <Data Name="ProcessId">0xef0</Data> 
- <Data Name="ProcessName">C:\\Windows\\explorer.exe</Data> 
- <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that deleted the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-<!-- -->
-
--   **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.”
-
-    This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
-## Security Monitoring Recommendations
-
-For 4660(S): An object was deleted.
-
--   This event doesn’t contains the name of deleted object (only **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions.
-
--   For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md
deleted file mode 100644
index ea83c3bcec..0000000000
--- a/windows/security/threat-protection/auditing/event-4661.md
+++ /dev/null
@@ -1,219 +0,0 @@
----
-title: 4661(S, F) A handle to an object was requested. 
-description: Describes security event 4661(S, F) A handle to an object was requested.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4661(S, F): A handle to an object was requested.
-
-
-<img src="images/event-4661.png" alt="Event 4661 illustration" width="449" height="661" hspace="10" align="left" />
-
-***Subcategories:***&nbsp;[Audit Directory Service Access](audit-directory-service-access.md) and [Audit SAM](audit-sam.md)
-
-***Event Description:***
-
-This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.
-
-If access was declined, then Failure event is generated.
-
-This event generates only if Success auditing is enabled for the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML***:
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4661</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14080</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" /> 
- <EventRecordID>1048009</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="528" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x4280e</Data> 
- <Data Name="ObjectServer">Security Account Manager</Data> 
- <Data Name="ObjectType">SAM\_DOMAIN</Data> 
- <Data Name="ObjectName">DC=contoso,DC=local</Data> 
- <Data Name="HandleId">0xdd64d36870</Data> 
- <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data> 
- <Data Name="AccessList">%%5400</Data> 
- <Data Name="AccessMask">0x2d</Data> 
- <Data Name="PrivilegeList">Ā</Data> 
- <Data Name="Properties">-</Data> 
- <Data Name="RestrictedSidCount">2949165</Data> 
- <Data Name="ProcessId">0x9000a000d002d</Data> 
- <Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** For an Active Directory object, the domain controller role is required. For a SAM object, there is no required role.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested a handle to an object.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\]: has “**Security Account Manager**” value for this event.
-
--   **Object Type** \[Type = UnicodeString\]: the type or class of the object that was accessed. The following list contains possible values for this field:
-
-    -   SAM\_ALIAS - a local group.
-
-    -   SAM\_GROUP - a group that is not a local group.
-
-    -   SAM\_USER - a user account.
-
-    -   SAM\_DOMAIN - a domain. For Active Directory events, this is the typical value.
-
-    -   SAM\_SERVER - a computer account.
-
--   **Object Name** \[Type = UnicodeString\]: the name of an object for which access was requested. Depends on **Object Type.** This event can have the following format:
-
-    -   SAM\_ALIAS – SID of the group.
-
-    -   SAM\_GROUP - SID of the group.
-
-    -   SAM\_USER - SID of the account.
-
-    -   SAM\_DOMAIN – distinguished name of the accessed object.
-
-    -   SAM\_SERVER - distinguished name of the accessed object.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4662](event-4662.md): An operation was performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that requested the handle. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Access Request Information:**
-
--   **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
-
-    This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
-
--   **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
-
--   **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:
-
-| Privilege Name                  | User Right Group Policy Name                                   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege   | Replace a process-level token                                  | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeAuditPrivilege                | Generate security audits                                       | With this privilege, the user can add entries to the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeBackupPrivilege               | Back up files and directories                                  | -   Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE                                                                                                                |
-| SeChangeNotifyPrivilege         | Bypass traverse checking                                       | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeCreateGlobalPrivilege         | Create global objects                                          | Required to create named file mapping objects in the global namespace during Terminal Services sessions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| SeCreatePagefilePrivilege       | Create a pagefile                                              | With this privilege, the user can create and change the size of a pagefile.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| SeCreatePermanentPrivilege      | Create permanent shared objects                                | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeCreateSymbolicLinkPrivilege   | Create symbolic links                                          | Required to create a symbolic link.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeCreateTokenPrivilege          | Create a token object                                          | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeDebugPrivilege                | Debug programs                                                 | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeEnableDelegationPrivilege     | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set.                                                                                                                                                                                                                      |
-| SeImpersonatePrivilege          | Impersonate a client after authentication                      | With this privilege, the user can impersonate other accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| SeIncreaseBasePriorityPrivilege | Increase scheduling priority                                   | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| SeIncreaseQuotaPrivilege        | Adjust memory quotas for a process                             | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeIncreaseWorkingSetPrivilege   | Increase a process working set                                 | Required to allocate more memory for applications that run in the context of users.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeLoadDriverPrivilege           | Load and unload device drivers                                 | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeLockMemoryPrivilege           | Lock pages in memory                                           | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeMachineAccountPrivilege       | Add workstations to domain                                     | With this privilege, the user can create a computer account.<br>This privilege is valid only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeManageVolumePrivilege         | Perform volume maintenance tasks                               | Required to run maintenance tasks on a volume, such as remote defragmentation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeProfileSingleProcessPrivilege | Profile single process                                         | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeRelabelPrivilege              | Modify an object label                                         | Required to modify the mandatory integrity level of an object.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeRemoteShutdownPrivilege       | Force shutdown from a remote system                            | Required to shut down a system using a network request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| SeRestorePrivilege              | Restore files and directories                                  | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| SeSecurityPrivilege             | Manage auditing and security log                               | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.<br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.<br>A user with this privilege can also view and clear the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeShutdownPrivilege             | Shut down the system                                           | Required to shut down a local system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeSyncAgentPrivilege            | Synchronize directory service data                             | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeSystemEnvironmentPrivilege    | Modify firmware environment values                             | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeSystemProfilePrivilege        | Profile system performance                                     | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| SeSystemtimePrivilege           | Change the system time                                         | Required to modify the system time.<br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTakeOwnershipPrivilege        | Take ownership of files or other objects                       | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.<br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTcbPrivilege                  | Act as part of the operating system                            | This privilege identifies its holder as part of the trusted computer base.<br>This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTimeZonePrivilege             | Change the time zone                                           | Required to adjust the time zone associated with the computer's internal clock.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller                  | Required to access Credential Manager as a trusted caller.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeUndockPrivilege               | Remove computer from docking station                           | Required to undock a laptop.<br>With this privilege, the user can undock a portable computer from its docking station without logging on.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeUnsolicitedInputPrivilege     | Not applicable                                                 | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-
--   **Properties** \[Type = UnicodeString\]: depends on **Object Type**. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in “[4661](event-4661.md): A handle to an object was requested” from [Audit SAM](audit-sam.md) subcategory.
-
--   **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](/windows/win32/api/securitybaseapi/nf-securitybaseapi-createrestrictedtoken) in the token. Applicable to only specific **Object Types**.
-
-## Security Monitoring Recommendations
-
-For 4661(S, F): A handle to an object was requested.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.
diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md
deleted file mode 100644
index 13b91b7666..0000000000
--- a/windows/security/threat-protection/auditing/event-4662.md
+++ /dev/null
@@ -1,247 +0,0 @@
----
-title: 4662(S, F) An operation was performed on an object. 
-description: Describes security event 4662(S, F) An operation was performed on an object.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4662(S, F): An operation was performed on an object.
-
-
-<img src="images/event-4662.png" alt="Event 4662 illustration" width="496" height="614" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Directory Service Access](audit-directory-service-access.md)
-
-***Event Description:***
-
-This event generates every time when an operation was performed on an Active Directory object.
-
-This event generates only if appropriate [SACL](/windows/win32/secauthz/access-control-lists) was set for Active Directory object and performed operation meets this SACL.
-
-If operation failed then Failure event will be generated.
-
-You will get one 4662 for each operation type which was performed.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4662</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14080</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" /> 
- <EventRecordID>407230</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="600" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x35867</Data> 
- <Data Name="ObjectServer">DS</Data> 
- <Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data> 
- <Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data> 
- <Data Name="OperationType">Object Access</Data> 
- <Data Name="HandleId">0x0</Data> 
- <Data Name="AccessList">%%1537</Data> 
- <Data Name="AccessMask">0x10000</Data> 
- <Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data> 
- <Data Name="AdditionalInfo">-</Data> 
- <Data Name="AdditionalInfo2" /> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object:**
-
--   **Object Server** \[Type = UnicodeString\]: has “**DS**” value for this event.
-
--   **Object Type** \[Type = UnicodeString\]: type or class of the object that was accessed. Some of the common Active Directory object types and classes are:
-
-    -   container – for containers.
-
-    -   user – for users.
-
-    -   group – for groups.
-
-    -   domainDNS – for domain object.
-
-    -   groupPolicyContainer – for group policy objects.
-
-        For all possible values of **Object Type** open Active Directory Schema snap-in (see how to enable this snap-in: <https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx)> and navigate to **Active Directory Schema\\Classes**. Or use this document: <https://msdn.microsoft.com/library/cc221630.aspx>
-
--   **Object Name** \[Type = UnicodeString\]: distinguished name of the object that was accessed.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4661](event-4661.md): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
-
-**Operation:**
-
--   **Operation Type** \[Type = UnicodeString\]: the type of operation which was performed on an object. Typically has “**Object Access”** value for this event.
-
--   **Accesses** \[Type = UnicodeString\]: the type of access used for the operation. See “Table 9. Active Directory Access Codes and Rights.” for more information.
-
--   **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the type of access used for the operation. See “Table 9. Active Directory Access Codes and Rights.” for more information.
-
-| <span id="Active_Directory_Access_Codes_and_Types" class="anchor"></span>Access Mask | Access Name                          | Description                                                                                                                                                                                                                                                                                           |
-|--------------------------------------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x1                                                                                  | Create Child                         | The right to create child objects of the object.                                                                                                                                                                                                                                                      |
-| 0x2                                                                                  | Delete Child                         | The right to delete child objects of the object.                                                                                                                                                                                                                                                      |
-| 0x4                                                                                  | List Contents                        | The right to list child objects of this object.                                                                                                                                                                                                                                                       |
-| 0x8                                                                                  | SELF                                 | The right to perform an operation controlled by a validated write access right.                                                                                                                                                                                                                       |
-| 0x10                                                                                 | Read Property                        | The right to read properties of the object.                                                                                                                                                                                                                                                           |
-| 0x20                                                                                 | Write Property                       | The right to write properties of the object.                                                                                                                                                                                                                                                          |
-| 0x40                                                                                 | Delete Tree                          | Delete all children of this object, regardless of the permissions of the children. It is indicates that “Use Delete Subtree server control” check box was checked during deletion. This operation means that all objects within the subtree, including all delete-protected objects, will be deleted. |
-| 0x80                                                                                 | List Object                          | The right to list a particular object.                                                                                                                                                                                                                                                                |
-| 0x100                                                                                | Control Access                       | Access allowed only after extended rights checks supported by the object are performed.<br>The right to perform an operation controlled by an extended access right.                                                                                                                            |
-| 0x10000                                                                              | DELETE                               | The right to delete the object. <br>DELETE also generated when object was moved.                                                                                                                                                                                                                |
-| 0x20000                                                                              | READ\_CONTROL                        | The right to read data from the security descriptor of the object, not including the data in the SACL.                                                                                                                                                                                                |
-| 0x40000                                                                              | WRITE\_DAC                           | The right to modify the discretionary access-control list (DACL) in the object security descriptor.                                                                                                                                                                                                   |
-| 0x80000                                                                              | WRITE\_OWNER                         | The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users.                                                                                                                                                               |
-| 0x100000                                                                             | SYNCHRONIZE                          | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.                                                                                                                                                                             |
-| 0x1000000                                                                            | ADS\_RIGHT\_ACCESS\_SYSTEM\_SECURITY | The right to get or set the SACL in the object security descriptor.                                                                                                                                                                                                                                   |
-| 0x80000000                                                                           | ADS\_RIGHT\_GENERIC\_READ            | The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container.                                                                                           |
-| 0x40000000                                                                           | ADS\_RIGHT\_GENERIC\_WRITE           | The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object.                                                                                                                                                               |
-| 0x20000000                                                                           | ADS\_RIGHT\_GENERIC\_EXECUTE         | The right to read permissions on, and list the contents of, a container object.                                                                                                                                                                                                                       |
-| 0x10000000                                                                           | ADS\_RIGHT\_GENERIC\_ALL             | The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with an extended right.                                                                        |
-
-> <span id="_Ref433797298" class="anchor"></span>Table 9. Active Directory Access Codes and Rights.
-
--   **Properties** \[Type = UnicodeString\]: first part is the type of access that was used. Typically has the same value as **Accesses** field.
-
-    Second part is a tree of **GUID** values of Active Directory classes or property sets, for which operation was performed.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
-To translate this GUID, use the following procedure:
-
--   Perform the following LDAP search using LDP.exe tool:
-
-    -   Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
-
-    -   Filter: (&(objectClass=\*)(schemaIDGUID=GUID))
-
-        -   Perform the following operations with the GUID before using it in a search request:
-
-            -   We have this GUID to search for: bf967a86-0de6-11d0-a285-00aa003049e2
-
-            -   Take first 3 sections bf967a86-0de6-11d0.
-
-            -   For each of these 3 sections you need to change (Invert) the order of bytes, like this 867a96bf-e60d-d011
-
-            -   Add the last 2 sections without transformation: 867a96bf-e60d-d011-a285-00aa003049e2
-
-            -   Delete - : 867a96bfe60dd011a28500aa003049e2
-
-            -   Divide bytes with backslashes: \\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2
-
-        -   Filter example: (&(objectClass=\*)(schemaIDGUID=\\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2))
-
-    -   Scope: Subtree
-
-    -   Attributes: schemaIDGUID
-
-<img src="images/schema-search.png" alt="Schema search illustration" width="313" height="212" />
-
-Sometimes GUID refers to pre-defined Active Directory Property Sets, you can find GUID (**Rights-GUID** field), “property set name” and details here: <https://msdn.microsoft.com/library/ms683990(v=vs.85).aspx>.
-
-Here is an example of decoding of **Properties** field:
-
-| Properties                                                                                                                                                                                                                                | Translation                                                                                                                                            |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
-| {bf967a86-0de6-11d0-a285-00aa003049e2}<br>{91e647de-d96f-4b70-9557-d63ff4f3ccd8}<br> {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}<br> {b3f93023-9239-4f7c-b99c-6745d87adbc2}<br> {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7} | Computer<br>Private-Information property set<br>ms-PKI-RoamingTimeStamp<br>ms-PKI-DPAPIMasterKeys<br>ms-PKI-AccountCredentials |
-
-**Additional Information:**
-
--   **Parameter 1** \[Type = UnicodeString\]**:** there is no information about this field in this document.
-
--   **Parameter 2** \[Type = UnicodeString\]**:** there is no information about this field in this document.
-
-## Security Monitoring Recommendations
-
-For 4662(S, F): An operation was performed on an object.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor operations attempts to specific Active Directory classes, monitor for **Object Type** field with specific class name. For example, we recommend that you monitor all operations attempts to **domainDNS** class.
-
--   If you need to monitor operations attempts to specific Active Directory objects, monitor for **Object Name** field with specific object name. For example, we recommend that you monitor all operations attempts to “**CN=AdminSDHolder,CN=System,DC=domain,DC=com”** object.
-
--   Some access types are more important to monitor, for example:
-
-    -   Write Property
-
-    -   Control Access
-
-    -   DELETE
-
-    -   WRITE\_DAC
-
-    -   WRITE\_OWNER
-
-        You can decide to monitor these (or one of these) access types for specific Active Directory objects. To do so, monitor for **Accesses** field with specific access type.
-
--   If you need to monitor operations attempts to specific Active Directory properties, monitor for **Properties** field with specific property GUID.
-
--   Do not forget that **Failure** attempts are also very important to audit. Decide where you want to monitor Failure attempts based on previous recommendations.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md
deleted file mode 100644
index 3568c87841..0000000000
--- a/windows/security/threat-protection/auditing/event-4663.md
+++ /dev/null
@@ -1,223 +0,0 @@
----
-title: 4663(S) An attempt was made to access an object. 
-description: Describes security event 4663(S) An attempt was made to access an object.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4663(S): An attempt was made to access an object.
-
-
-<img src="images/event-4663.png" alt="Event 4663 illustration" width="530" height="589" hspace="10" align="left" />
-
-***Subcategories:***&nbsp;[Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
-
-***Event Description:***
-
-This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
-
-This event generates only if object’s [SACL](/windows/win32/secauthz/access-control-lists) has required ACE to handle specific access right use.
-
-The main difference with “[4656](event-4656.md): A handle to an object was requested.” event is that 4663 shows that access right was used instead of just requested and 4663 doesn’t have Failure events.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4663</EventID> 
- <Version>1</Version> 
- <Level>0</Level> 
- <Task>12800</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" /> 
- <EventRecordID>273866</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x4367b</Data> 
- <Data Name="ObjectServer">Security</Data> 
- <Data Name="ObjectType">File</Data> 
- <Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data> 
- <Data Name="HandleId">0x1bc</Data> 
- <Data Name="AccessList">%%4417 %%4418</Data> 
- <Data Name="AccessMask">0x6</Data> 
- <Data Name="ProcessId">0x458</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data> 
- <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:***
-
--   0 - Windows Server 2008, Windows Vista.
-
--   1 - Windows Server 2012, Windows 8.
-
-    -   Added “Resource Attributes” field.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made an attempt to access an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to access an object.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
-
--   **Object Type** \[Type = UnicodeString\]: The type of object that was accessed during the operation.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device       |
-|-------------------------|--------------|----------------------|--------------|
-| Mutant                  | Type         | File                 | Token        |
-| Thread                  | Section      | WindowStation        | DebugObject  |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion |
-| Controller              | SymbolicLink | WmiGuid              | Process      |
-| Profile                 | Desktop      | KeyedEvent           | Adapter      |
-| Key                     | WaitablePort | Callback             | Semaphore    |
-| Job                     | Port         | FilterConnectionPort | ALPC Port    |
-
--   **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can be used for correlation with other events, for example with **Handle ID** field in “[4656](event-4656.md)(S, F): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
-
--   **Resource Attributes** \[Type = UnicodeString\] \[Version 1\]: attributes associated with the object. For some objects, the field does not apply and “-“ is displayed.
-
-    For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))
-
-    -   Impact\_MS: Resource Property ***ID***.
-
-    -   3000: Recourse Property ***Value***.
-
-<img src="images/impact-property.png" alt="Impact property illustration" width="886" height="592" />
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that accessed the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Access Request Information:**
-
--   **Accesses** \[Type = UnicodeString\]: the list of access rights which were used by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.
-
-| Access                                                                                 | Hex Value,<br>Schema Value  | Description         |
-|----------------------------------------------------------------------------------------|-----------------------------|---------------------|
-| ReadData (or ListDirectory) <br><br>(For registry objects, this is “Query key value.”) | 0x1,<br>%%4416              | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.<br>**ListDirectory -** For a directory, the right to list the contents of the directory.                                                                                                                                                                                                                       |
-| WriteData (or AddFile) <br><br>(For registry objects, this is “Set key value.”)        | 0x2,<br>%%4417              | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).<br>**AddFile -** For a directory, the right to create a file in the directory.                                                                                                                                                                                                                                                            |
-| AppendData (or AddSubdirectory or CreatePipeInstance)                                  | 0x4,<br>%%4418              | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**). <br>**AddSubdirectory -** For a directory, the right to create a subdirectory.<br>**CreatePipeInstance -** For a named pipe, the right to create a pipe.                                                                                                                                                                                                                                                              |
-| ReadEA<br>(For registry objects, this is “Enumerate sub-keys.”)                        | 0x8,<br>%%4419               | The right to read extended file attributes.                                                                                                                             |
-| WriteEA                                                                                | 0x10,<br>%%4420              | The right to write extended file attributes.                                                                                                                                                                                                                                               |
-| Execute/Traverse                                                                       | 0x20,<br>%%4421               | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.<br>**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**&thinsp; [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**&thinsp; [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information.                                                       |
-| DeleteChild                                                                            | 0x40,<br>%%4422               | For a directory, the right to delete a directory and all the files it contains, including read-only files.                                                                                                                                                                                                                               |
-| ReadAttributes                                                                         | 0x80,<br>%%4423               | The right to read file attributes.                                                                                                                                                                              |
-| WriteAttributes                                                                        | 0x100,<br>%%4424              | The right to write file attributes.                                                                                                                                     |
-| DELETE                                                                                 | 0x10000,<br>%%1537            | The right to delete the object.                                                                                                                                         |
-| READ\_CONTROL                                                                          | 0x20000,<br>%%1538            | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).                                                                                                                                                                                                    |
-| WRITE\_DAC                                                                             | 0x40000,<br>%%1539            | The right to modify the discretionary access control list (DACL) in the object's security descriptor.                                                                                                                                                                                                                      |
-| WRITE\_OWNER                                                                           | 0x80000,<br>%%1540            | The right to change the owner in the object's security descriptor                                                                                                                                                                                                                                    |
-| SYNCHRONIZE                                                                            | 0x100000,<br>%%1541           | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.                                                                                                                                                                               |
-| ACCESS\_SYS\_SEC                                                                       | 0x1000000,<br>%%1542          | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor.                                                                                                                                                                                                                                           |
-
-> Table 15. File System objects access rights.
-
--   **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table.
-
-## Security Monitoring Recommendations
-
-For 4663(S): An attempt was made to access an object.
-
-For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
-
-For other types of objects, the following recommendations apply.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have critical file system objects for which you need to monitor all access attempts, monitor this event for **Object Name**.
-
--   If you have critical file system objects for which you need to monitor certain access attempts (for example, write actions), monitor this event for **Object Name** in relation to **Access Request Information\\Accesses**.
-
--   If you have file system objects with specific attributes, for which you need to monitor access attempts, monitor this event for **Resource Attributes**.
-
--   If **Object Name** is a sensitive or critical registry key for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4663](event-4663.md) events with the corresponding **Access Request Information\\Accesses**.
-
-<!-- -->
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
-<!-- -->
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
--   For file system objects, we recommend that you monitor for these **Access Request Information\\Accesses** rights:
-
-    -   WriteData (or AddFile)
-
-    -   AppendData (or AddSubdirectory or CreatePipeInstance)
-
-    -   WriteEA
-
-    -   DeleteChild
-
-    -   WriteAttributes
-
-    -   DELETE
-
-    -   WRITE\_DAC
-
-    -   WRITE\_OWNER
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md
deleted file mode 100644
index 79af8c22de..0000000000
--- a/windows/security/threat-protection/auditing/event-4664.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: 4664(S) An attempt was made to create a hard link. 
-description: Describes security event 4664(S) An attempt was made to create a hard link.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4664(S): An attempt was made to create a hard link.
-
-
-<img src="images/event-4664.png" alt="Event 4664 illustration" width="449" height="419" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit File System](audit-file-system.md)
-
-***Event Description:***
-
-This event generates when an NTFS hard link was successfully created.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4664</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12800</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-21T23:50:26.871375900Z" /> 
- <EventRecordID>276680</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="2624" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x43659</Data> 
- <Data Name="FileName">C:\\notepad.exe</Data> 
- <Data Name="LinkName">C:\\Docs\\My.exe</Data> 
- <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made an attempt to create the hard link. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to create the hard link.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Link Information:**
-
--   **File Name** \[Type = UnicodeString\]**:** the name of a file or folder that new hard link refers to.
-
--   **Link Name** \[Type = UnicodeString\]**:** full path name with new hard link file name.
-
--   **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
-
-    This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
-## Security Monitoring Recommendations
-
-For 4664(S): An attempt was made to create a hard link.
-
--   We recommend monitoring for any [4664](event-4664.md) event, because this action is not typical for normal operating system behavior and can be a sign of malicious activity.
-
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
deleted file mode 100644
index 45d44238be..0000000000
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ /dev/null
@@ -1,273 +0,0 @@
----
-title: 4670(S) Permissions on an object were changed. 
-description: Describes security event 4670(S) Permissions on an object were changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4670(S): Permissions on an object were changed.
-
-
-<img src="images/event-4670.png" alt="Event 4670 illustration" width="449" height="605" hspace="10" align="left" />
-
-***Subcategories:***&nbsp;[Audit File System](audit-file-system.md), [Audit Registry](audit-registry.md), [Audit Authentication Policy Change](audit-authentication-policy-change.md), and [Audit Authorization Policy Change](audit-authorization-policy-change.md)
-
-***Event Description:***
-
-This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
-
-This event does not generate if the [SACL](/windows/win32/secauthz/access-control-lists) (Auditing ACL) was changed.
-
-Before this event can generate, certain ACEs might need to be set in the object’s [SACL](/windows/win32/secauthz/access-control-lists). For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the object’s SACL.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4670</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13570</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" /> 
- <EventRecordID>269529</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x43659</Data> 
- <Data Name="ObjectServer">Security</Data> 
- <Data Name="ObjectType">File</Data> 
- <Data Name="ObjectName">C:\\Documents\\netcat-1.11</Data> 
- <Data Name="HandleId">0x3f0</Data> 
- <Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data> 
- <Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data> 
- <Data Name="ProcessId">0xdb0</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “change object’s permissions” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change object’s permissions” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device       |
-|-------------------------|--------------|----------------------|--------------|
-| Mutant                  | Type         | File                 | Token        |
-| Thread                  | Section      | WindowStation        | DebugObject  |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion |
-| Controller              | SymbolicLink | WmiGuid              | Process      |
-| Profile                 | Desktop      | KeyedEvent           | Adapter      |
-| Key                     | WaitablePort | Callback             | Semaphore    |
-| Job                     | Port         | FilterConnectionPort | ALPC Port    |
-
--   **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which permissions were changed. For example, for a file, the path would be included. For Token objects, this field typically equals “-“.
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
-
-**Process:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the permissions were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Permissions Change:**
-
--   **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the object.
-
--   **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
-
-> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
-> 
-> Example:
-> 
-> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
-> 
-> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
-> See the list of possible values in the table below:
-
-| Value | Description                          | Value | Description                     |
-|-------|--------------------------------------|-------|---------------------------------|
-| "AO"  | Account operators                    | "PA"  | Group Policy administrators     |
-| "RU"  | Alias to allow previous Windows 2000 | "IU"  | Interactively logged-on user    |
-| "AN"  | Anonymous logon                      | "LA"  | Local administrator             |
-| "AU"  | Authenticated users                  | "LG"  | Local guest                     |
-| "BA"  | Built-in administrators              | "LS"  | Local service account           |
-| "BG"  | Built-in guests                      | "SY"  | Local system                    |
-| "BO"  | Backup operators                     | "NU"  | Network logon user              |
-| "BU"  | Built-in users                       | "NO"  | Network configuration operators |
-| "CA"  | Certificate server administrators    | "NS"  | Network service account         |
-| "CG"  | Creator group                        | "PO"  | Printer operators               |
-| "CO"  | Creator owner                        | "PS"  | Personal self                   |
-| "DA"  | Domain administrators                | "PU"  | Power users                     |
-| "DC"  | Domain computers                     | "RS"  | RAS servers group               |
-| "DD"  | Domain controllers                   | "RD"  | Terminal server users           |
-| "DG"  | Domain guests                        | "RE"  | Replicator                      |
-| "DU"  | Domain users                         | "RC"  | Restricted code                 |
-| "EA"  | Enterprise administrators            | "SA"  | Schema administrators           |
-| "ED"  | Enterprise domain controllers        | "SO"  | Server operators                |
-| "WD"  | Everyone                             | "SU"  | Service logon user              |
-
-- *G*: = Primary Group.
-- *D*: = DACL Entries.
-- *S*: = SACL Entries.
-
-*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
-
-Example: D:(A;;FA;;;WD)
-
-- entry\_type:
-
-“D” - DACL
-
-“S” - SACL
-
-- inheritance\_flags:
-
-"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
-
-"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
-
-"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
-
-- ace\_type:
-
-"A" - ACCESS ALLOWED
-
-"D" - ACCESS DENIED
-
-"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
-
-"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
-
-"AU" - SYSTEM AUDIT
-
-"A" - SYSTEM ALARM
-
-"OU" - OBJECT SYSTEM AUDIT
-
-"OL" - OBJECT SYSTEM ALARM
-
-- ace\_flags:
-
-"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
-
-"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
-
-"NP" - NO PROPAGATE: only immediate children inherit this ace.
-
-"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
-
-"ID" - ACE IS INHERITED
-
-"SA" - SUCCESSFUL ACCESS AUDIT
-
-"FA" - FAILED ACCESS AUDIT
-- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
-
-| Value                      | Description                     | Value                | Description              |
-|----------------------------|---------------------------------|----------------------|--------------------------|
-| Generic access rights      | Directory service access rights |
-| "GA"                       | GENERIC ALL                     | "RC"                 | Read Permissions         |
-| "GR"                       | GENERIC READ                    | "SD"                 | Delete                   |
-| "GW"                       | GENERIC WRITE                   | "WD"                 | Modify Permissions       |
-| "GX"                       | GENERIC EXECUTE                 | "WO"                 | Modify Owner             |
-| File access rights         |                                 | "RP"                 | Read All Properties      |
-| "FA"                       | FILE ALL ACCESS                 | "WP"                 | Write All Properties     |
-| "FR"                       | FILE GENERIC READ               | "CC"                 | Create All Child Objects |
-| "FW"                       | FILE GENERIC WRITE              | "DC"                 | Delete All Child Objects |
-| "FX"                       | FILE GENERIC EXECUTE            | "LC"                 | List Contents            |
-| Registry key access rights |                                 | "SW"                 | Self Write               |
-| "KA"                       | KEY ALL ACCESS                  | "LO"                 | List Object              |
-| "KR"                       | KEY READ                        | "DT"                 | Delete Subtree           |
-| "KW"                       | KEY WRITE                       | "CR"                 | All Extended Rights      |
-| "KX"                       | KEY EXECUTE                     |                      |                          |
-
-- object\_guid: N/A
-- inherit\_object\_guid: N/A
-- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
-
-For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
-
-## Security Monitoring Recommendations
-
-For 4670(S): Permissions on an object were changed.
-
-For token objects, this is typically an informational event, and at the same time it is difficult to identify which token's permission were changed. For token objects, there are no monitoring recommendations for this event in this document.
-
-For file system and registry objects, the following recommendations apply.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
-<!-- -->
-
-- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
-- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.**
-
-- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers<b>.</b> For example, you could monitor the **ntds.dit** file on domain controllers.
diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md
deleted file mode 100644
index f027eb4094..0000000000
--- a/windows/security/threat-protection/auditing/event-4671.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: 4671(-) An application attempted to access a blocked ordinal through the TBS. 
-description: Describes security event 4671(-) An application attempted to access a blocked ordinal through the TBS.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4671(-): An application attempted to access a blocked ordinal through the TBS.
-
-*
-Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md
deleted file mode 100644
index d1ea01797e..0000000000
--- a/windows/security/threat-protection/auditing/event-4672.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-title: 4672(S) Special privileges assigned to new logon. 
-description: Describes security event 4672(S) Special privileges assigned to new logon.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4672(S): Special privileges assigned to new logon.
-
-
-<img src="images/event-4672.png" alt="Event 4672 illustration" width="449" height="503" hspace="10" align="left" />
-</br>
-<b><em>Subcategory:</em></b>&nbsp;<a href="audit-special-logon.md" data-raw-source="[Audit Special Logon](audit-special-logon.md)">Audit Special Logon</a>
-
-***Event Description:***
-
-This event generates for new account logons if any of the following sensitive privileges are assigned to the new logon session:
-
--   SeTcbPrivilege - Act as part of the operating system
-
--   SeBackupPrivilege - Back up files and directories
-
--   SeCreateTokenPrivilege - Create a token object
-
--   SeDebugPrivilege - Debug programs
-
--   SeEnableDelegationPrivilege - Enable computer and user accounts to be trusted for delegation
-
--   SeAuditPrivilege - Generate security audits
-
--   SeImpersonatePrivilege - Impersonate a client after authentication
-
--   SeLoadDriverPrivilege - Load and unload device drivers
-
--   SeSecurityPrivilege - Manage auditing and security log
-
--   SeSystemEnvironmentPrivilege - Modify firmware environment values
-
--   SeAssignPrimaryTokenPrivilege - Replace a process-level token
-
--   SeRestorePrivilege - Restore files and directories,
-
--   SeTakeOwnershipPrivilege - Take ownership of files or other objects
-
-You typically will see many of these events in the event log, because every logon of SYSTEM (Local System) account triggers this event.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4672</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12548</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-11T01:10:57.091809600Z" /> 
- <EventRecordID>237692</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="504" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x671101</Data> 
- <Data Name="PrivilegeList">SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account to which special privileges were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account to which special privileges were assigned.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Privileges** \[Type = UnicodeString\]**:** the list of sensitive privileges, assigned to the new logon. The following table contains the list of possible privileges for this event:
-
-| Privilege Name                | User Right Group Policy Name                                   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-|-------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege | Replace a process-level token                                  | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeAuditPrivilege              | Generate security audits                                       | With this privilege, the user can add entries to the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeBackupPrivilege             | Back up files and directories                                  | -   Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE                                                                                                                |
-| SeCreateTokenPrivilege        | Create a token object                                          | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeDebugPrivilege              | Debug programs                                                 | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeEnableDelegationPrivilege   | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set.                                                                                                                                                                                                                      |
-| SeImpersonatePrivilege        | Impersonate a client after authentication                      | With this privilege, the user can impersonate other accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| SeLoadDriverPrivilege         | Load and unload device drivers                                 | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeRestorePrivilege            | Restore files and directories                                  | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| SeSecurityPrivilege           | Manage auditing and security log                               | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.<br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.<br>A user with this privilege can also view and clear the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeSystemEnvironmentPrivilege  | Modify firmware environment values                             | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeTakeOwnershipPrivilege      | Take ownership of files or other objects                       | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.<br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTcbPrivilege                | Act as part of the operating system                            | This privilege identifies its holder as part of the trusted computer base.<br>This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-
-## Security Monitoring Recommendations
-
-For 4672(S): Special privileges assigned to new logon.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**.
-
--   If you have a list of specific privileges which should never be granted, or granted only to a few accounts (for example, SeDebugPrivilege), use this event to monitor for those “**Privileges**.”
-
-<!-- -->
-
--   If you are required to monitor any of the sensitive privileges in the [Event Description for this event](event-4672.md), search for those specific privileges in the event.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
deleted file mode 100644
index 492ddbcfe0..0000000000
--- a/windows/security/threat-protection/auditing/event-4673.md
+++ /dev/null
@@ -1,195 +0,0 @@
----
-title: 4673(S, F) A privileged service was called. 
-description: Describes security event 4673(S, F) A privileged service was called. This event is generated for an attempt to perform privileged system service operations.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4673(S, F): A privileged service was called.
-
-
-<img src="images/event-4673.png" alt="Event 4673 illustration" width="449" height="503" hspace="10" align="left" />
-
-***Subcategories:***&nbsp;[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
-
-***Event Description:***
-
-This event generates when an attempt was made to perform privileged system service operations.
-
-This event generates, for example, when **SeSystemtimePrivilege**, **SeCreateGlobalPrivilege**, or **SeTcbPrivilege** privilege was used.
-
-Failure event generates when service call attempt fails.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4673</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13056</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-09T00:37:36.434836600Z" /> 
- <EventRecordID>1099777</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="496" ThreadID="504" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="ObjectServer">NT Local Security Authority / Authentication Service</Data> 
- <Data Name="Service">LsaRegisterLogonProcess()</Data> 
- <Data Name="PrivilegeList">SeTcbPrivilege</Data> 
- <Data Name="ProcessId">0x1f0</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\lsass.exe</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested privileged operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested privileged operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Service**:
-
--   **Server** \[Type = UnicodeString\]: contains the name of the Windows subsystem calling the routine. Subsystems examples are:
-
-    -   Security
-
-    -   Security Account Manager
-
-    -   NT Local Security Authority / Authentication Service
-
-    -   SC Manager
-
-    -   Win32 SystemShutdown module
-
-    -   LSA
-
--   **Service Name** \[Type = UnicodeString\] \[Optional\]: supplies a name of the privileged subsystem service or function. For example, "RESET RUNTIME LOCAL SECURITY" might be specified by a **Local Security Authority** service used to update the local security policy database or **LsaRegisterLogonProcess()** might be specified by a **NT Local Security Authority / Authentication Service** used to register new logon process.
-
-**Process:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted to call the privileged service. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Service Request Information**:
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables:
-
-|     **Subcategory of event**      |                        **Privilege Name: <br>User Right Group Policy Name**                         |                                                                                                                                                                                           **Description**                                                                                                                                                                                           |
-|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Non Sensitive Privilege Use |               <b>SeChangeNotifyPrivilege: <br></b>Bypass traverse checking                | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
-| Audit Non Sensitive Privilege Use |                 <b>SeCreateGlobalPrivilege: <br></b>Create global objects                 |                                                                                                                                              Required to create named file mapping objects in the global namespace during Terminal Services sessions.                                                                                                                                               |
-| Audit Non Sensitive Privilege Use |                  <b>SeCreatePagefilePrivilege: <br></b>Create a pagefile                  |                                                                                                                                                             With this privilege, the user can create and change the size of a pagefile.                                                                                                                                                             |
-| Audit Non Sensitive Privilege Use |          <b>SeCreatePermanentPrivilege: <br></b>Create permanent shared objects           |                                                                Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.                                                                 |
-| Audit Non Sensitive Privilege Use |              <b>SeCreateSymbolicLinkPrivilege: <br></b>Create symbolic links              |                                                                                                                                                                                 Required to create a symbolic link.                                                                                                                                                                                 |
-| Audit Non Sensitive Privilege Use |         <b>SeIncreaseBasePriorityPrivilege: <br></b>Increase scheduling priority          |                            Required to increase the base priority of a process. <br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.                             |
-| Audit Non Sensitive Privilege Use |          <b>SeIncreaseQuotaPrivilege: <br></b>Adjust memory quotas for a process          |                                                                                                                      Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process.                                                                                                                       |
-| Audit Non Sensitive Privilege Use |         <b>SeIncreaseWorkingSetPrivilege: <br></b>Increase a process working set          |                                                                                                                                                         Required to allocate more memory for applications that run in the context of users.                                                                                                                                                         |
-| Audit Non Sensitive Privilege Use |                  <b>SeLockMemoryPrivilege: <br></b>Lock pages in memory                   |                         Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).                         |
-| Audit Non Sensitive Privilege Use |             <b>SeMachineAccountPrivilege: <br></b>Add workstations to domain              |                                                                                                                                        With this privilege, the user can create a computer account. <br>This privilege is valid only on domain controllers.                                                                                                                                         |
-| Audit Non Sensitive Privilege Use |           <b>SeManageVolumePrivilege: <br></b>Perform volume maintenance tasks            |                                                                                                                                                           Required to run maintenance tasks on a volume, such as remote defragmentation.                                                                                                                                                            |
-| Audit Non Sensitive Privilege Use |            <b>SeProfileSingleProcessPrivilege: <br></b>Profile single process             |                                                                                                      Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.                                                                                                      |
-| Audit Non Sensitive Privilege Use |                   <b>SeRelabelPrivilege: <br></b>Modify an object label                   |                                                                                                                                                                   Required to modify the mandatory integrity level of an object.                                                                                                                                                                    |
-| Audit Non Sensitive Privilege Use |         <b>SeRemoteShutdownPrivilege: <br></b>Force shutdown from a remote system         |                                                                                                                                                                       Required to shut down a system using a network request.                                                                                                                                                                       |
-| Audit Non Sensitive Privilege Use |                   <b>SeShutdownPrivilege: <br></b>Shut down the system                    |                                                                                                                                                                                Required to shut down a local system.                                                                                                                                                                                |
-| Audit Non Sensitive Privilege Use |            <b>SeSyncAgentPrivilege: <br></b>Synchronize directory service data            |      This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.       |
-| Audit Non Sensitive Privilege Use |              <b>SeSystemProfilePrivilege: <br></b>Profile system performance              |                                                                                                       Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.                                                                                                        |
-| Audit Non Sensitive Privilege Use |                 <b>SeSystemtimePrivilege: <br></b>Change the system time                  |                     Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. <br>If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.                      |
-| Audit Non Sensitive Privilege Use |                   <b>SeTimeZonePrivilege: <br></b>Change the time zone                    |                                                                                                                                                           Required to adjust the time zone associated with the computer's internal clock.                                                                                                                                                           |
-| Audit Non Sensitive Privilege Use | <b>SeTrustedCredManAccessPrivilege: <br></b>Access Credential Manager as a trusted caller |                                                                                                                                                                     Required to access Credential Manager as a trusted caller.                                                                                                                                                                      |
-| Audit Non Sensitive Privilege Use |            <b>SeUndockPrivilege: <br></b>Remove computer from docking station             |                                                                                                                             Required to undock a laptop. <br>With this privilege, the user can undock a portable computer from its docking station without logging on.                                                                                                                              |
-
-|   **Subcategory of event**    |                               **Privilege Name: <br>User Right Group Policy Name**                               |                                                                                                                                                                                                                                                                                                        **Description**                                                                                                                                                                                                                                                                                                         |
-|-------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Sensitive Privilege Use |                <b>SeAssignPrimaryTokenPrivilege: <br></b>Replace a process-level token                 |                                                                                                                                                                     Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.                                                                                                                                                                      |
-| Audit Sensitive Privilege Use |                         <b>SeAuditPrivilege: <br></b>Generate security audits                          |                                                                                                                                                                                                                                                                               With this privilege, the user can add entries to the security log.                                                                                                                                                                                                                                                                               |
-| Audit Sensitive Privilege Use |                        <b>SeCreateTokenPrivilege: <br></b>Create a token object                        |                                                                                                                         Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.                                                                                                                          |
-| Audit Sensitive Privilege Use |                              <b>SeDebugPrivilege: <br></b>Debug programs                               |                                                                                                 Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.                                                                                                  |
-| Audit Sensitive Privilege Use |              <b>SeImpersonatePrivilege: <br></b>Impersonate a client after authentication              |                                                                                                                                                                                                                                                                                 With this privilege, the user can impersonate other accounts.                                                                                                                                                                                                                                                                                  |
-| Audit Sensitive Privilege Use |                    <b>SeLoadDriverPrivilege: <br></b>Load and unload device drivers                    |                                                                                                                                                                                                   Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.                                                                                                                                                                                                    |
-| Audit Sensitive Privilege Use |                         <b>SeLockMemoryPrivilege: <br></b>Lock pages in memory                         |                                                                                                                                        Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).                                                                                                                                         |
-| Audit Sensitive Privilege Use |              <b>SeSystemEnvironmentPrivilege: <br></b>Modify firmware environment values               |                                                                                                                                                                                                                                                       Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.                                                                                                                                                                                                                                                       |
-| Audit Sensitive Privilege Use |                     <b>SeTcbPrivilege: <br></b>Act as part of the operating system                     |                                                                                                                                                                                          This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.                                                                                                                                                                                           |
-| Audit Sensitive Privilege Use | <b>SeEnableDelegationPrivilege: <br></b>Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
-
-## Security Monitoring Recommendations
-
-For 4673(S, F): A privileged service was called.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. See subcategories [Audit Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use) and [Audit Non Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use) for more details.
-
--   If you need to monitor events related to specific Windows subsystems (“**Service\\Server**”), for example **NT Local Security Authority / Authentication Service** or **Security Account Manager**, monitor this event for the corresponding “**Service\\Server**.”
-
--   If you need to monitor events related to specific Windows security services or functions (“**Service\\Service Name**”), for example **LsaRegisterLogonProcess()**, monitor this event for the corresponding “**Service\\Service Name**.”
-
-<!-- -->
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
-<!-- -->
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
--   For a specific “**Subject\\Security ID**,” if there is a defined list of allowed privileges, monitor for “**Privileges**” that it should not be able to use.
-
--   If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.”
-
--   If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.”
diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md
deleted file mode 100644
index 6f571b60ea..0000000000
--- a/windows/security/threat-protection/auditing/event-4674.md
+++ /dev/null
@@ -1,223 +0,0 @@
----
-title: 4674(S, F) An operation was attempted on a privileged object. 
-description: Describes security event 4674(S, F) An operation was attempted on a privileged object.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4674(S, F): An operation was attempted on a privileged object.
-
-
-<img src="images/event-4674.png" alt="Event 4674 illustration" width="449" height="543" hspace="10" align="left" />
-
-***Subcategories:***&nbsp;[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
-
-***Event Description:***
-
-This event generates when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened.
-
-This event generates, for example, when SeShutdownPrivilege, SeRemoteShutdownPrivilege, or SeSecurityPrivilege is used.
-
-Failure event generates when operation attempt fails.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4674</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13056</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-09T00:22:36.237816000Z" /> 
- <EventRecordID>1099680</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="496" ThreadID="504" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-19</Data> 
- <Data Name="SubjectUserName">LOCAL SERVICE</Data> 
- <Data Name="SubjectDomainName">NT AUTHORITY</Data> 
- <Data Name="SubjectLogonId">0x3e5</Data> 
- <Data Name="ObjectServer">LSA</Data> 
- <Data Name="ObjectType">-</Data> 
- <Data Name="ObjectName">-</Data> 
- <Data Name="HandleId">0x0</Data> 
- <Data Name="AccessMask">16777216</Data> 
- <Data Name="PrivilegeList">SeSecurityPrivilege</Data> 
- <Data Name="ProcessId">0x1f0</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\lsass.exe</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested privileged operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested privileged operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\] \[Optional\]: Contains the name of the Windows subsystem calling the routine. Subsystems examples are:
-
-    -   Security
-
-    -   Security Account Manager
-
-    -   NT Local Security Authority / Authentication Service
-
-    -   SC Manager
-
-    -   Win32 SystemShutdown module
-
-    -   LSA
-
--   **Object Type** \[Type = UnicodeString\] \[Optional\]: The type of an object that was accessed during the operation.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device             |
-|-------------------------|--------------|----------------------|--------------------|
-| Mutant                  | Type         | File                 | Token              |
-| Thread                  | Section      | WindowStation        | DebugObject        |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion       |
-| Controller              | SymbolicLink | WmiGuid              | Process            |
-| Profile                 | Desktop      | KeyedEvent           | SC\_MANAGER OBJECT |
-| Key                     | WaitablePort | Callback             |                    |
-| Job                     | Port         | FilterConnectionPort |                    |
-| ALPC Port               | Semaphore    | Adapter              |                    |
-
--   **Object Name** \[Type = UnicodeString\] \[Optional\]: the name of the object that was accessed during the operation.
-
--   **Object Handle** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4656: A handle to an object was requested” event in appropriate/other subcategory. This parameter might not be captured in the event, and in that case appears as “0x0”.
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the operation on the privileged object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Requested Operation**:
-
--   **Desired Access** \[Type = UnicodeString\]: The desired access mask. This mask depends on **Object Server** and **Object Type** parameters values. The value of this parameter is in decimal format. There is no detailed information about this parameter in this document. If **Desired Access** is not presented, then this parameter will have “**0**” value.
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables:
-
-|     **Subcategory of event**      |                        **Privilege Name: <br>User Right Group Policy Name**                         |                                                                                                                                                                                           **Description**                                                                                                                                                                                           |
-|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Non Sensitive Privilege Use |               <b>SeChangeNotifyPrivilege: <br></b>Bypass traverse checking                | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
-| Audit Non Sensitive Privilege Use |                 <b>SeCreateGlobalPrivilege: <br></b>Create global objects                 |                                                                                                                                              Required to create named file mapping objects in the global namespace during Terminal Services sessions.                                                                                                                                               |
-| Audit Non Sensitive Privilege Use |                  <b>SeCreatePagefilePrivilege: <br></b>Create a pagefile                  |                                                                                                                                                             With this privilege, the user can create and change the size of a pagefile.                                                                                                                                                             |
-| Audit Non Sensitive Privilege Use |          <b>SeCreatePermanentPrivilege: <br></b>Create permanent shared objects           |                                                                Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.                                                                 |
-| Audit Non Sensitive Privilege Use |              <b>SeCreateSymbolicLinkPrivilege: <br></b>Create symbolic links              |                                                                                                                                                                                 Required to create a symbolic link.                                                                                                                                                                                 |
-| Audit Non Sensitive Privilege Use |         <b>SeIncreaseBasePriorityPrivilege: <br></b>Increase scheduling priority          |                             Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.                             |
-| Audit Non Sensitive Privilege Use |          <b>SeIncreaseQuotaPrivilege: <br></b>Adjust memory quotas for a process          |                                                                                                                      Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process.                                                                                                                       |
-| Audit Non Sensitive Privilege Use |         <b>SeIncreaseWorkingSetPrivilege: <br></b>Increase a process working set          |                                                                                                                                                         Required to allocate more memory for applications that run in the context of users.                                                                                                                                                         |
-| Audit Non Sensitive Privilege Use |                  <b>SeLockMemoryPrivilege: <br></b>Lock pages in memory                   |                         Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).                         |
-| Audit Non Sensitive Privilege Use |             <b>SeMachineAccountPrivilege: <br></b>Add workstations to domain              |                                                                                                                                          With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.                                                                                                                                           |
-| Audit Non Sensitive Privilege Use |           <b>SeManageVolumePrivilege: <br></b>Perform volume maintenance tasks            |                                                                                                                                                           Required to run maintenance tasks on a volume, such as remote defragmentation.                                                                                                                                                            |
-| Audit Non Sensitive Privilege Use |            <b>SeProfileSingleProcessPrivilege: <br></b>Profile single process             |                                                                                                      Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.                                                                                                      |
-| Audit Non Sensitive Privilege Use |                   <b>SeRelabelPrivilege: <br></b>Modify an object label                   |                                                                                                                                                                   Required to modify the mandatory integrity level of an object.                                                                                                                                                                    |
-| Audit Non Sensitive Privilege Use |         <b>SeRemoteShutdownPrivilege: <br></b>Force shutdown from a remote system         |                                                                                                                                                                       Required to shut down a system using a network request.                                                                                                                                                                       |
-| Audit Non Sensitive Privilege Use |                   <b>SeShutdownPrivilege: <br></b>Shut down the system                    |                                                                                                                                                                                Required to shut down a local system.                                                                                                                                                                                |
-| Audit Non Sensitive Privilege Use |            <b>SeSyncAgentPrivilege: <br></b>Synchronize directory service data            |      This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.       |
-| Audit Non Sensitive Privilege Use |              <b>SeSystemProfilePrivilege: <br></b>Profile system performance              |                                                                                                       Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.                                                                                                        |
-| Audit Non Sensitive Privilege Use |                 <b>SeSystemtimePrivilege: <br></b>Change the system time                  |                     Required to modify the system time. <br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.                      |
-| Audit Non Sensitive Privilege Use |                   <b>SeTimeZonePrivilege: <br></b>Change the time zone                    |                                                                                                                                                           Required to adjust the time zone associated with the computer's internal clock.                                                                                                                                                           |
-| Audit Non Sensitive Privilege Use | <b>SeTrustedCredManAccessPrivilege: <br></b>Access Credential Manager as a trusted caller |                                                                                                                                                                     Required to access Credential Manager as a trusted caller.                                                                                                                                                                      |
-| Audit Non Sensitive Privilege Use |            <b>SeUndockPrivilege: <br></b>Remove computer from docking station             |                                                                                                                             Required to undock a laptop. <br>With this privilege, the user can undock a portable computer from its docking station without logging on.                                                                                                                              |
-
-|   **Subcategory of event**    |                  **Privilege Name: <br>User Right Group Policy Name**                   |                                                                                                                                                                                                                                                                                                                                                                                                    **Description**                                                                                                                                                                                                                                                                                                                                                                                                    |
-|-------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Sensitive Privilege Use |    <b>SeAssignPrimaryTokenPrivilege: <br></b>Replace a process-level token    |                                                                                                                                                                                                                                                               Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.                                                                                                                                                                                                                                                               |
-| Audit Sensitive Privilege Use |             <b>SeAuditPrivilege: <br></b>Generate security audits             |                                                                                                                                                                                                                                                                                                                                                                          With this privilege, the user can add entries to the security log.                                                                                                                                                                                                                                                                                                                                                                           |
-| Audit Sensitive Privilege Use |          <b>SeBackupPrivilege: <br></b>Back up files and directories          |                                                     -   Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. <br>The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE                                                     |
-| Audit Sensitive Privilege Use |           <b>SeCreateTokenPrivilege: <br></b>Create a token object            |                                                                                                                                                                                                                   Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. <br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.                                                                                                                                                                                                                   |
-| Audit Sensitive Privilege Use |                  <b>SeDebugPrivilege: <br></b>Debug programs                  |                                                                                                                                                                                         Required to debug and adjust the memory of a process owned by another account. <br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. <br>This user right provides complete access to sensitive and critical operating system components.                                                                                                                                                                                         |
-| Audit Sensitive Privilege Use | <b>SeImpersonatePrivilege: <br></b>Impersonate a client after authentication  |                                                                                                                                                                                                                                                                                                                                                                             With this privilege, the user can impersonate other accounts.                                                                                                                                                                                                                                                                                                                                                                             |
-| Audit Sensitive Privilege Use |       <b>SeLoadDriverPrivilege: <br></b>Load and unload device drivers        |                                                                                                                                                                                                                                                                                             Required to load or unload a device driver. <br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.                                                                                                                                                                                                                                                                                             |
-| Audit Sensitive Privilege Use |            <b>SeLockMemoryPrivilege: <br></b>Lock pages in memory             |                                                                                                                                                                                                                                  Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).                                                                                                                                                                                                                                  |
-| Audit Sensitive Privilege Use |         <b>SeRestorePrivilege: <br></b>Restore files and directories          | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| Audit Sensitive Privilege Use |       <b>SeSecurityPrivilege: <br></b>Manage auditing and security log        |                                                                                                                                                                                                                        Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log. <br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.                                                                                                                                                                                                                        |
-| Audit Sensitive Privilege Use |  <b>SeSystemEnvironmentPrivilege: <br></b>Modify firmware environment values  |                                                                                                                                                                                                                                                                                                                                                  Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.                                                                                                                                                                                                                                                                                                                                                   |
-| Audit Sensitive Privilege Use | <b>SeTakeOwnershipPrivilege: <br></b>Take ownership of files or other objects |                                                                                                                                                                                            Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. <br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.                                                                                                                                                                                            |
-
-## Security Monitoring Recommendations
-
-For 4674(S, F): An operation was attempted on a privileged object.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events.
-
-<!-- -->
-
--   If you need to monitor events related to specific Windows subsystems (“**Object Server**”), for example **LSA** or **Security Account Manager**, monitor this event for the corresponding “**Object Server**.”
-
--   <span id="Reccomendations_Object_Type" class="anchor"></span>If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.”
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
-<!-- -->
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
-<!-- -->
-
--   If you know that specific “**Subject\\Security ID**” should only be able to use the privileges in a pre-defined list, monitor for events in which “**Subject\\Security ID**” used “**Privileges**” that are not on that list.
-
-<!-- -->
-
--   If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.”
-
--   If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md
deleted file mode 100644
index 50f41a4220..0000000000
--- a/windows/security/threat-protection/auditing/event-4675.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: 4675(S) SIDs were filtered. 
-description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for a specific Active Directory trust.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4675(S): SIDs were filtered.
-
-
-This event generates when SIDs were filtered for specific Active Directory trust.
-
-See more information about SID filtering here: <https://technet.microsoft.com/library/cc772633(v=ws.10).aspx>.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Logon](audit-logon.md)
-
-***Event Schema:***
-
-*SIDs were filtered.*
-
-*Target Account:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
-
-*Trust Information:*
-
-> *Trust Direction:%4*
->
-> *Trust Attributes:%5*
->
-> *Trust Type:%6*
->
-> *TDO Domain SID:%7*
->
-> *Filtered SIDs:%8*
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   If you need to monitor all SID filtering events/operations for specific or all Active Directory trusts, you can use this event to get all required information.
-
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
deleted file mode 100644
index 3dd248ad3c..0000000000
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ /dev/null
@@ -1,215 +0,0 @@
----
-title: 4688(S) A new process has been created. 
-description: Describes security event 4688(S) A new process has been created. This event is generated when a new process starts.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 01/24/2022
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4688(S): A new process has been created. (Windows 10)
-
-
-<img src="images/event-4688.png" alt="Event 4688 illustration" width="417" height="479" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Process Creation](audit-process-creation.md)
-
-***Event Description:***
-
-This event generates every time a new process starts.
-
-> [Note]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4688</EventID> 
- <Version>2</Version> 
- <Level>0</Level> 
- <Task>13312</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" /> 
- <EventRecordID>2814</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="400" /> 
- <Channel>Security</Channel> 
- <Computer>WIN-GG82ULGC9GO.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="NewProcessId">0x2bc</Data> 
- <Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data> 
- <Data Name="TokenElevationType">%%1938</Data> 
- <Data Name="ProcessId">0xe74</Data> 
- <Data Name="CommandLine" /> 
- <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data> 
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x4a5af0</Data> 
- <Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data> 
- <Data Name="MandatoryLabel">S-1-16-8192</Data> 
- </EventData>
-</Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:***
-
--   0 - Windows Server 2008, Windows Vista.
-
--   1 - Windows Server 2012 R2, Windows 8.1.
-
-    -   Added "Process Command Line" field.
-
--   2 - Windows 10.
-
-    -   **Subject** renamed to **Creator Subject**.
-
-    -   Added "**Target Subject**" section.
-
-    -   Added "**Mandatory Label**" field.
-
-    -   Added "**Creator Process Name**" field.
-
-***Field Descriptions:***
-
-**Creator Subject** \[Value for versions 0 and 1 – **Subject**\]**:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the "create process" operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> [Note]
-> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the "create process" operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
-
-**Target Subject** \[Version 2\]**:**
-
-> [Note]
-> This event includes the principal of the process creator, but this is not always sufficient if the target context is different from the creator context. In that situation, the subject specified in the process termination event does not match the subject in the process creation event even though both events refer to the same process ID. Therefore, in addition to including the creator of the process, we will also include the target principal when the creator and target do not share the same logon.
-
--   **Security ID** \[Type = SID\] \[Version 2\]**:** SID of target account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> [Note]
-> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\] \[Version 2\]**:** the name of the target account.
-
--   **Account Domain** \[Type = UnicodeString\] \[Version 2\]**:** target account's domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
-
--   **Logon ID** \[Type = HexInt64\] \[Version 2\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
-
-**Process Information:**
-
--   **New Process ID** \[Type = Pointer\]: hexadecimal Process ID of the new process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
--   **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.
-
--   **Token Elevation Type** \[Type = UnicodeString\]**:**
-
-    -   **%%1936:** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC is disabled by default), service account, or local system account.
-
-    -   **%%1937:** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
-
-    -   **%%1938:** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
-
--   **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](/windows/win32/secauthz/mandatory-integrity-control) which was assigned to the new process. Can have one of the following values:
-
-| SID          | RID        | RID label                                    | Meaning                |
-|--------------|------------|----------------------------------------------|------------------------|
-| S-1-16-0     | 0x00000000 | SECURITY\_MANDATORY\_UNTRUSTED\_RID          | Untrusted.             |
-| S-1-16-4096  | 0x00001000 | SECURITY\_MANDATORY\_LOW\_RID                | Low integrity.         |
-| S-1-16-8192  | 0x00002000 | SECURITY\_MANDATORY\_MEDIUM\_RID             | Medium integrity.      |
-| S-1-16-8448  | 0x00002100 | SECURITY\_MANDATORY\_MEDIUM\_PLUS\_RID       | Medium high integrity. |
-| S-1-16-12288 | 0X00003000 | SECURITY\_MANDATORY\_HIGH\_RID               | High integrity.        |
-| S-1-16-16384 | 0x00004000 | SECURITY\_MANDATORY\_SYSTEM\_RID             | System integrity.      |
-| S-1-16-20480 | 0x00005000 | SECURITY\_MANDATORY\_PROTECTED\_PROCESS\_RID | Protected process.     |
-
--   **Creator Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the process which ran the new process. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-> You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**.
-
--   **Creator Process Name** \[Version 2\] \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
--   **Process Command Line** \[Version 1, 2\] \[Type = UnicodeString\]**:** contains the name of executable and arguments which were passed to it. You must enable "Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events" group policy to include command line in process creation events:
-
-    <img src="images/group-policy.png" alt="Group policy illustration" width="490" height="448" />
-
-    By default **Process Command Line** field is empty.
-
-## Security Monitoring Recommendations
-
-For 4688(S): A new process has been created.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                                                                       |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the high-value account or accounts.                                                              |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the accounts that should never be used.                                                          |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to an "allowlist-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allowlist.                                 |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** to see whether the account type is as expected. |
-| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor the specific events for the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** corresponding to accounts from another domain or "external" accounts.                                        |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that you are concerned about.                             |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** for names that don't comply with naming conventions.                                                                                     |
-
-- If you have a pre-defined "**New** **Process Name**" or **"Creator Process Name**" for the process reported in this event, monitor all events with "**New** **Process Name**" or **"Creator Process Name**" not equal to your defined value.
-
-- You can monitor to see if "**New** **Process Name**" or **"Creator Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
-- If you have a pre-defined list of restricted substrings or words in process names (for example "**mimikatz**" or "**cain.exe**"), check for these substrings in "**New** **Process Name**" or **"Creator Process Name**."
-
-- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**.
-
-- Monitor for **Token Elevation Type** with value **%%1936** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. Typically this means that UAC is disabled for this account for some reason.
-
-- Monitor for **Token Elevation Type** with value **%%1937** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. This means that a user ran a program using administrative privileges.
-
-- You can also monitor for **Token Elevation Type** with value **%%1937** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs.
-
-- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the "**Mandatory Label**" in this event.
diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md
deleted file mode 100644
index fdda28bf9a..0000000000
--- a/windows/security/threat-protection/auditing/event-4689.md
+++ /dev/null
@@ -1,120 +0,0 @@
----
-title: 4689(S) A process has exited. 
-description: Describes security event 4689(S) A process has exited. This event is generates when a process exits.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4689(S): A process has exited.
-
-
-<img src="images/event-4689.png" alt="Event 4689 illustration" width="449" height="421" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Process Termination](audit-process-termination.md)
-
-***Event Description:***
-
-This event generates every time a process has exited.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4689</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13313</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" /> 
- <EventRecordID>187030</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="144" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x31365</Data> 
- <Data Name="Status">0x0</Data> 
- <Data Name="ProcessId">0xfb0</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “terminate process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “terminate process” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the ended/terminated process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md)(S): A new process has been created” **New Process ID** on this computer.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the executable name of the exited/terminated process.
-
--   **Exit Status** \[Type = HexInt32\]**:** hexadecimal exit code of exited/terminated process. This exit code is unique for every application, check application documentation for more details. The exit code value for a process reflects the specific convention implemented by the application developer for that process.
-
-## Security Monitoring Recommendations
-
-For 4689(S): A process has exited.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
--   If you have a critical processes list for the computer, with the requirement that these processes must always run and not stop, you can monitor **Process Name** field in [4689](event-4689.md) events for these process names.
-
diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md
deleted file mode 100644
index 7bb3a0ee1c..0000000000
--- a/windows/security/threat-protection/auditing/event-4690.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-title: 4690(S) An attempt was made to duplicate a handle to an object. 
-description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4690(S): An attempt was made to duplicate a handle to an object.
-
-
-<img src="images/event-4690.png" alt="Event 4690 illustration" width="449" height="463" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Handle Manipulation](audit-handle-manipulation.md)
-
-***Event Description:***
-
-This event generates if an attempt was made to duplicate a handle to an object.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4690</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12807</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-23T00:17:41.755998800Z" /> 
- <EventRecordID>338632</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="1100" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="SourceHandleId">0x438</Data> 
- <Data Name="SourceProcessId">0x674</Data> 
- <Data Name="TargetHandleId">0xd9c</Data> 
- <Data Name="TargetProcessId">0x4</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made an attempt to duplicate a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to duplicate a handle to an object.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Source Handle Information:**
-
--   **Source Handle ID** \[Type = Pointer\]: hexadecimal value of a handle which was duplicated. This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories.
-
--   **Source Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Source Handle ID** before it was duplicated. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
-**New Handle Information:**
-
--   **Target Handle ID** \[Type = Pointer\]: hexadecimal value of the new handle (the copy of **Source Handle ID**). This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories.
-
--   **Target Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Target Handle ID**. Process ID (PID) is a number used by the operating system to uniquely identify an active process. You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field.
-
-## Security Monitoring Recommendations
-
-For 4690(S): An attempt was made to duplicate a handle to an object.
-
--   Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
-
--   This event can be used to track all actions or operations related to a specific object handle.
-
diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md
deleted file mode 100644
index 3d757a2f5d..0000000000
--- a/windows/security/threat-protection/auditing/event-4691.md
+++ /dev/null
@@ -1,135 +0,0 @@
----
-title: 4691(S) Indirect access to an object was requested. 
-description: Describes security event 4691(S) Indirect access to an object was requested.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4691(S): Indirect access to an object was requested.
-
-
-<img src="images/event-4691.png" alt="Event 4691 illustration" width="485" height="515" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
-***Event Description:***
-
-This event indicates that indirect access to an object was requested.
-
-These events are generated for [ALPC Ports](/windows/win32/etw/alpc) access request actions.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4691</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12804</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-23T01:03:49.834912100Z" /> 
- <EventRecordID>344382</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="2928" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x36509</Data> 
- <Data Name="ObjectType">ALPC Port</Data> 
- <Data Name="ObjectName">\\Sessions\\2\\Windows\\DwmApiPort</Data> 
- <Data Name="AccessList">%%4464</Data> 
- <Data Name="AccessMask">0x1</Data> 
- <Data Name="ProcessId">0xe60</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested an access to the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested an access to the object.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object for which access was requested.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device       |
-|-------------------------|--------------|----------------------|--------------|
-| Mutant                  | Type         | File                 | Token        |
-| Thread                  | Section      | WindowStation        | DebugObject  |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion |
-| Controller              | SymbolicLink | WmiGuid              | Process      |
-| Profile                 | Desktop      | KeyedEvent           | Adapter      |
-| Key                     | WaitablePort | Callback             | Semaphore    |
-| Job                     | Port         | FilterConnectionPort | ALPC Port    |
-
--   **Object Name** \[Type = UnicodeString\]: full path and name of the object for which access was requested.
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
-**Access Request Information:**
-
--   **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
-
--   **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
-
-## Security Monitoring Recommendations
-
-For 4691(S): Indirect access to an object was requested.
-
--   Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.
diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md
deleted file mode 100644
index bd3ed5f273..0000000000
--- a/windows/security/threat-protection/auditing/event-4692.md
+++ /dev/null
@@ -1,126 +0,0 @@
----
-title: 4692(S, F) Backup of data protection master key was attempted. 
-description: Describes security event 4692(S, F) Backup of data protection master key was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4692(S, F): Backup of data protection master key was attempted.
-
-
-<img src="images/event-4692.png" alt="Event 4692 illustration" width="448" height="396" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit DPAPI Activity](audit-dpapi-activity.md)
-
-***Event Description:***
-
-This event generates every time that a backup is attempted for the [DPAPI](/previous-versions/ms995355(v=msdn.10)) Master Key.
-
-When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password.
-
-Periodically, a domain-joined machine tries to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case their password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
-
-This event also generates every time a new DPAPI Master Key is generated, for example.
-
-This event generates on domain controllers, member servers, and workstations.
-
-Failure event generates when a Master Key backup operation fails for some reason.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4692</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13314</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-25T01:59:14.573672700Z" /> 
- <EventRecordID>176964</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="540" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data> 
- <Data Name="SubjectUserName">ladmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30c08</Data> 
- <Data Name="MasterKeyId">16cfaea0-dbe3-4d92-9523-d494edb546bc</Data> 
- <Data Name="RecoveryServer" /> 
- <Data Name="RecoveryKeyId">806a0350-aeb1-4c56-91f9-ef16cf759291</Data> 
- <Data Name="FailureReason">0x0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested backup operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested backup operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Here are some examples of formats:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Key Information:**
-
--   **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -&gt; %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID.
-
--   **Recovery Server** \[Type = UnicodeString\]: the name (typically – DNS name) of the computer that you contacted to back up your Master Key. For domain joined machines, it’s typically a name of a domain controller. This parameter might not be captured in the event, and in that case will be empty.
-
--   **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field, you will see unique Recovery key ID that was used for Master key backup operation.
-
-    For Failure events, this field is typically empty.
-
-**Status Information:**
-
--   **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events, this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
-
-> \[Net helpmsg 58 illustration](..images/net-helpmsg-58.png)
-
-## Security Monitoring Recommendations
-
-For 4692(S, F): Backup of data protection master key was attempted.
-
--   This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md
deleted file mode 100644
index 68957da33e..0000000000
--- a/windows/security/threat-protection/auditing/event-4693.md
+++ /dev/null
@@ -1,127 +0,0 @@
----
-title: 4693(S, F) Recovery of data protection master key was attempted. 
-description: Describes security event 4693(S, F) Recovery of data protection master key was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4693(S, F): Recovery of data protection master key was attempted.
-
-
-<img src="images/event-4693.png" alt="Event 4693 illustration" width="449" height="477" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit DPAPI Activity](audit-dpapi-activity.md)
-
-***Event Description:***
-
-This event generates every time that recovery is attempted for a [DPAPI](/previous-versions/ms995355(v=msdn.10)) Master Key.
-
-While unprotecting data, if DPAPI can't use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call. The domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key.
-
-This event generates on domain controllers, member servers, and workstations.
-
-Failure event generates when a Master Key restore operation fails for some reason.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4693</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13314</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-22T06:25:14.589407700Z" /> 
- <EventRecordID>175809</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1340" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30d7c</Data> 
- <Data Name="MasterKeyId">0445c766-75f0-4de7-82ad-d9d97aad59f6</Data> 
- <Data Name="RecoveryReason">0x5c005c</Data> 
- <Data Name="RecoveryServer">DC01.contoso.local</Data> 
- <Data Name="RecoveryKeyId" /> 
- <Data Name="FailureId">0x380000</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “recover” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it can't ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “recover” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Key Information:**
-
--   **Key Identifier** \[Type = UnicodeString\]**:** unique identifier of a master key which was recovered. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -&gt; %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID.
-
--   **Recovery Server** \[Type = UnicodeString\]: the name (typically – DNS name) of the computer that you contacted to recover your Master Key. For domain joined machines, it’s typically a name of a domain controller.
-
-> **Note**&nbsp;&nbsp;In this event Recovery Server field contains information from Recovery Reason field.
-
--   **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field you'll see unique Recovery key ID which was used for Master key recovery operation. This parameter might not be captured in the event, and in that case will be empty.
-
--   **Recovery Reason** \[Type = HexInt32\]: hexadecimal code of recovery reason.
-
-> **Note**&nbsp;&nbsp;In this event Recovery Reason field contains information from Recovery Server field.
-
-**Status Information:**
-
--   **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code. For Success events this field is typically “**0x380000**”.
-
-## Security Monitoring Recommendations
-
-For 4693(S, F): Recovery of data protection master key was attempted.
-
--   This event is typically an informational event and it's difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.
-
--   For domain joined computers, **Recovery Reason** should typically be a domain controller DNS name.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md
deleted file mode 100644
index e26a1ff60f..0000000000
--- a/windows/security/threat-protection/auditing/event-4694.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: 4694(S, F) Protection of auditable protected data was attempted. 
-description: Describes security event 4694(S, F) Protection of auditable protected data was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4694(S, F): Protection of auditable protected data was attempted.
-
-
-This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10))&thinsp; [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit DPAPI Activity](audit-dpapi-activity.md)
-
-***Event Schema:***
-
-*Protection of auditable protected data was attempted.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Protected Data:*
-
-> *Data Description:%6*
->
-> *Key Identifier:%5*
->
-> *Protected Data Flags:%7*
->
-> *Protection Algorithms:%8*
-
-*Status Information:*
-
-> *Status Code:%9*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
-
--   This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md
deleted file mode 100644
index a19d09bf9b..0000000000
--- a/windows/security/threat-protection/auditing/event-4695.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: 4695(S, F) Unprotection of auditable protected data was attempted. 
-description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4695(S, F): Unprotection of auditable protected data was attempted.
-
-
-This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [CryptUnprotectData](/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit DPAPI Activity](audit-dpapi-activity.md)
-
-***Event Schema:***
-
-*Unprotection of auditable protected data was attempted.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Protected Data:*
-
-> *Data Description:%6*
->
-> *Key Identifier:%5*
->
-> *Protected Data Flags:%7*
->
-> *Protection Algorithms:%8*
-
-*Status Information:*
-
-> *Status Code:%9*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
-
--   This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md
deleted file mode 100644
index 570606c8de..0000000000
--- a/windows/security/threat-protection/auditing/event-4696.md
+++ /dev/null
@@ -1,164 +0,0 @@
----
-title: 4696(S) A primary token was assigned to process. 
-description: Describes security event 4696(S) A primary token was assigned to process.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4696(S): A primary token was assigned to process.
-
-
-<img src="images/event-4696.png" alt="Event 4696 illustration" width="442" height="454" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Process Creation](audit-process-creation.md)
-
-***Event Description:***
-
-This event generates every time a process runs using the non-current access token, for example, UAC elevated token, RUN AS different user actions, scheduled task with defined user, services, and so on.
-
-***IMPORTANT*:** this event is deprecated starting from Windows 7 and Windows 2008 R2.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
- <EventID>4696</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13312</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-25T21:33:42.401Z" /> 
- <EventRecordID>561</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="88" /> 
- <Channel>Security</Channel> 
- <Computer>Win2008.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">WIN2008$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="TargetUserSid">S-1-5-18</Data> 
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x1c8c5</Data> 
- <Data Name="TargetProcessId">0xf40</Data> 
- <Data Name="TargetProcessName">C:\\Windows\\System32\\WerFault.exe</Data> 
- <Data Name="ProcessId">0x698</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** this event is deprecated starting from Windows 7 and Windows 2008 R2.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “assign token to process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “assign token to process” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which started the new process with the new security token. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]: full path and the name of the executable for the process which ran the new process with new security token.
-
-**Target Process:**
-
--   **Target Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the new process with new security token. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-> You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Target Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.
-
-**New Token Information:**
-
--   **Security ID** \[Type = SID\]**:** SID of account through which the security token will be assigned to the new process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account through which the security token will be assigned to the new process.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-## Security Monitoring Recommendations
-
-For 4696(S): A primary token was assigned to process.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                                                                      |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts.                                                              |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used.                                                          |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allowlist.                                 |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts.                                                 |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about.                             |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor **“Subject\\Security ID”** or **“New Token Information\\Security ID”** for names that don’t comply with naming conventions.                                                                                     |
-
--   If you have a pre-defined “**Process Name**” or “**Target Process Name**” for the process reported in this event, monitor all events with “**Process Name**” or “**Target Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” or “**Target Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**” or “**Target Process Name**”.
-
--   It can be uncommon if process runs using local account.
-
diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
deleted file mode 100644
index 01e5df45ef..0000000000
--- a/windows/security/threat-protection/auditing/event-4697.md
+++ /dev/null
@@ -1,156 +0,0 @@
----
-title: 4697(S) A service was installed in the system. 
-description: Describes security event 4697(S) A service was installed in the system.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4697(S): A service was installed in the system.
-
-
-<img src="images/event-4697.png" alt="Event 4697 illustration" width="438" height="380" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
-
-***Event Description:***
-
-This event generates when new service was installed in the system.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4697</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12289</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-12T01:36:11.991070500Z" /> 
- <EventRecordID>2778</EventRecordID> 
- <Correlation ActivityID="{913FBE70-1CE6-0000-67BF-3F91E61CD101}" /> 
- <Execution ProcessID="736" ThreadID="2800" /> 
- <Channel>Security</Channel> 
- <Computer>WIN-GG82ULGC9GO.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="ServiceName">AppHostSvc</Data> 
- <Data Name="ServiceFileName">%windir%\\system32\\svchost.exe -k apphost</Data> 
- <Data Name="ServiceType">0x20</Data> 
- <Data Name="ServiceStartType">2</Data> 
- <Data Name="ServiceAccount">localSystem</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2016, Windows 10.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was used to install the service. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that was used to install the service.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Service Information:**
-
--   **Service Name** \[Type = UnicodeString\]: the name of installed service.
-
-<img src="images/branchcache-properties.png" alt="BrancheCache Properties illustration" width="718" height="673" />
-
--   **Service File Name** \[Type = UnicodeString\]: This is the fully rooted path to the file that the Service Control Manager will execute to start the service. If command-line parameters are specified as part of the image path, those are logged.
-
-    Note that this is the path to the file when the service is created. If the path is changed afterwards, the change is not logged. This would have to be tracked via Process Create events.
-
--   **Service Type** \[Type = HexInt32\]: Indicates the [type](/dotnet/api/system.serviceprocess.servicetype?cs-lang=csharp&cs-save-lang=1#code-snippet-1) of service that was registered with the Service Control Manager. It can be one of the following:
-
-| Value | Service Type              | Description                                                                                                                                                                                   |
-|-------|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x1   | ​Kernel Driver            | ​A Kernel device driver such as a hard disk or other low-level hardware device driver.                                                                                                        |
-| 0x2   | ​File System Driver       | ​A file system driver, which is also a Kernel device driver.                                                                                                                                  |
-| 0x8   | ​Recognizer Driver        | ​A file system driver used during startup to determine the file systems present on the system.                                                                                                |
-| 0x10  | ​Win32 Own Process        | ​A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself (this is the most common). |
-| 0x20  | ​Win32 Share Process      | ​A Win32 service that can share a process with other Win32 services.<br>(see: <https://msdn.microsoft.com/library/windows/desktop/ms685967(v=vs.85).aspx>                          |
-| 0x110 | ​Interactive Own Process  | ​A service that should be run as a standalone process and can communicate with the desktop.<br>(see: <https://msdn.microsoft.com/library/windows/desktop/ms683502(v=vs.85).aspx>)  |
-| 0x120 | Interactive Share Process | A service that can share address space with other services of the same type and can communicate with the desktop.                                                                             |
-
--   **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: <https://msdn.microsoft.com/library/windows/desktop/ms682450(v=vs.85).aspx)>:
-
-| Value | Service Type        | Description                                                                                                                                             |
-|-------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0     | ​ Boot              | ​A device driver started by the system loader. This value is valid only for driver services.                                                            |
-| 1     | ​ System            | ​A device driver started by the IoInitSystem() function. This value is valid only for driver services.                                                  |
-| 2     | ​ Automatic         | ​A service started automatically by the service control manager during system startup.                                                                  |
-| 2     | ​ Automatic Delayed | ​A service started after all auto-start services have started, plus a delay. Delayed Auto Start services are started one at a time in a serial fashion. |
-| 3     | ​ Manual            | ​Manual start. A service started by the service control manager when a process calls the StartService function.                                         |
-| 4     | ​ Disabled          | ​A service that cannot be started. Attempts to start the service result in the error code ERROR\_SERVICE\_DISABLED.                                     |
-
-Most services installed are configured to **Auto Load**, so that they start automatically after Services.exe process is started.
-
--   **Service Account** \[Type = UnicodeString\]: The security context that the service will run as when started. Note that this is what was configured when the service was installed, if the account is changed later that is not logged.
-
-    The service account parameter is only populated if the service type is a "Win32 Own Process" or "Win32 Share Process" (displayed as "User Mode Service."). Kernel drivers do not have a service account name logged.
-
-    If a service (Win32 Own/Share process) is installed but no account is supplied, then LocalSystem is used.
-
-    The token performing the logon is inspected, and if it has a SID then that SID value is populated in the event (in the System/Security node), if not, then it is blank.
-
-## Security Monitoring Recommendations
-
-For 4697(S): A service was installed in the system.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   We recommend monitoring for this event, especially on high value assets or computers, because a new service installation should be planned and expected. Unexpected service installation should trigger an alert.
-
--   Monitor for all events where **“Service File Name”** is not located in **%windir%** or **“Program Files/Program Files (x86)”** folders. Typically new services are located in these folders.
-
-<!-- -->
-
--   Report all “**Service Type**” equals “**0x1**”, “**0x2**” or “**0x8**”. These service types start first and have almost unlimited access to the operating system from the beginning of operating system startup. These types are very rarely installed.
-
--   Report all “**Service Start Type**” equals “**0**” or “**1**”. These service start types are used by drivers, which have unlimited access to the operating system.
-
--   Report all “**Service Start Type**” equals “**4**”. It is not common to install a new service in the **Disabled** state.
-
--   Report all “**Service Account**” not equals “**localSystem**”, “**localService**” or “**networkService**” to identify services which are running under a user account.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
deleted file mode 100644
index e270f187af..0000000000
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-title: 4698(S) A scheduled task was created. 
-description: Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4698(S): A scheduled task was created.
-
-
-<img src="images/event-4698.png" alt="Event 4698 illustration" width="361" height="555" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
-***Event Description:***
-
-This event generates every time a new scheduled task is created.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4698</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12804</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-23T02:03:06.944522200Z" /> 
- <EventRecordID>344740</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="5048" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x364eb</Data> 
- <Data Name="TaskName">\\Microsoft\\StartListener</Data> 
- <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data> 
- </EventData>
- </Event>
-
-```
->[!NOTE]
-> Windows 10 Versions 1903 and above augments the event with these additional properties:
-> Event Version 1.
->  ***Event XML:***
->```
->  <Data Name="ClientProcessStartKey">5066549580796854</Data> 
->  <Data Name="ClientProcessId">3932</Data> 
->  <Data Name="ParentProcessId">5304</Data> 
->  <Data Name="RpcCallClientLocality">0</Data> 
->  <Data Name="FQDN">DESKTOP-Name</Data> 
-
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “create scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create scheduled task” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Task Information**:
-
--   **Task Name** \[Type = UnicodeString\]**:** new scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node:
-
-<img src="images/computer-management.png" alt="Task Scheduler Library illustration" width="840" height="176" />
-
--   **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) content of the new task. For more information about the XML format for scheduled tasks, see “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f).”
-
-## Security Monitoring Recommendations
-
-For 4698(S): A scheduled task was created.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   We recommend monitoring all scheduled task creation events, especially on critical computers or devices. Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions.
-
--   Monitor for new tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node.
-
--   In the new task, if the **Task Content:** XML contains **&lt;LogonType&gt;Password&lt;/LogonType&gt;** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
deleted file mode 100644
index ea206aba73..0000000000
--- a/windows/security/threat-protection/auditing/event-4699.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-title: 4699(S) A scheduled task was deleted. 
-description: Describes security event 4699(S) A scheduled task was deleted. This event is generated every time a scheduled task is deleted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4699(S): A scheduled task was deleted.
-
-
-<img src="images/event-4699.png" alt="Event 4699 illustration" width="363" height="551" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
-***Event Description:***
-
-This event generates every time a scheduled task was deleted.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4699</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12804</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-23T02:13:30.044244500Z" /> 
- <EventRecordID>344827</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="5048" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x364eb</Data> 
- <Data Name="TaskName">\\Microsoft\\My</Data> 
- <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-08-25T13:56:10.5315552</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>Password</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Windows\\notepad.exe</Command> </Exec> </Actions> </Task></Data> 
- </EventData>
- </Event>
-
-```
->[!NOTE]
-> Windows 10 Versions 1903 and above augments the event with these additional properties:
-> Event Version 1.
->  ***Event XML:***
->```
->  <Data Name="ClientProcessStartKey">5066549580796854</Data> 
->  <Data Name="ClientProcessId">3932</Data> 
->  <Data Name="ParentProcessId">5304</Data> 
->  <Data Name="RpcCallClientLocality">0</Data> 
->  <Data Name="FQDN">DESKTOP-Name</Data> 
-
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “delete scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete scheduled task” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Task Information**:
-
--   **Task Name** \[Type = UnicodeString\]**:** deleted scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node:
-
-<img src="images/computer-management.png" alt="Task Scheduler Library illustration" width="840" height="176" />
-
--   **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) of the deleted task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks.
-
-## Security Monitoring Recommendations
-
-For 4699(S): A scheduled task was deleted.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   We recommend monitoring all scheduled task deletion events, especially on critical computers or devices. Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions. However, this event does not often happen.
-
--   Monitor for deleted tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node. Deletion of such tasks can be a sign of malicious activity.
-
--   If a highly critical scheduled task exists on some computers, and it should never be deleted, monitor for [4699](event-4699.md) events with the corresponding **Task Name**.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
deleted file mode 100644
index aae8e027d4..0000000000
--- a/windows/security/threat-protection/auditing/event-4700.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-title: 4700(S) A scheduled task was enabled. 
-description: Describes security event 4700(S) A scheduled task was enabled. This event is generated every time a scheduled task is enabled.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4700(S): A scheduled task was enabled.
-
-
-<img src="images/event-4700.png" alt="Event 4700 illustration" width="363" height="553" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
-***Event Description:***
-
-This event generates every time a scheduled task is enabled.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4700</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12804</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-23T02:32:47.606423000Z" /> 
- <EventRecordID>344861</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="756" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x364eb</Data> 
- <Data Name="TaskName">\\Microsoft\\StartListener</Data> 
- <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data> 
- </EventData>
- </Event>
-
-```
->[!NOTE]
-> Windows 10 Versions 1903 and above augments the event with these additional properties:
-> Event Version 1.
->  ***Event XML:***
->```
->  <Data Name="ClientProcessStartKey">5066549580796854</Data> 
->  <Data Name="ClientProcessId">3932</Data> 
->  <Data Name="ParentProcessId">5304</Data> 
->  <Data Name="RpcCallClientLocality">0</Data> 
->  <Data Name="FQDN">DESKTOP-Name</Data> 
-
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “enable scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable scheduled task” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Task Information**:
-
--   **Task Name** \[Type = UnicodeString\]**:** enabled scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node:
-
-<img src="images/computer-management.png" alt="Task Scheduler Library illustration" width="840" height="176" />
-
--   **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) of the enabled task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks.
-
-## Security Monitoring Recommendations
-
-For 4700(S): A scheduled task was enabled.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If a highly critical scheduled task exists on some computers, and for some reason it should never be enabled, monitor for [4700](event-4700.md) events with the corresponding **Task Name**.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
deleted file mode 100644
index f47c7a3379..0000000000
--- a/windows/security/threat-protection/auditing/event-4701.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-title: 4701(S) A scheduled task was disabled. 
-description: Describes security event 4701(S) A scheduled task was disabled. This event is generated every time a scheduled task is disabled.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4701(S): A scheduled task was disabled.
-
-
-<img src="images/event-4701.png" alt="Event 4701 illustration" width="363" height="559" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
-***Event Description:***
-
-This event generates every time a scheduled task is disabled.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4701</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12804</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-23T02:32:45.844066600Z" /> 
- <EventRecordID>344860</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="4364" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x364eb</Data> 
- <Data Name="TaskName">\\Microsoft\\StartListener</Data> 
- <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>false</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data> 
- </EventData>
- </Event>
-
-```
->[!NOTE]
-> Windows 10 Versions 1903 and above augments the event with these additional properties:
-> Event Version 1.
->  ***Event XML:***
->```
->  <Data Name="ClientProcessStartKey">5066549580796854</Data> 
->  <Data Name="ClientProcessId">3932</Data> 
->  <Data Name="ParentProcessId">5304</Data> 
->  <Data Name="RpcCallClientLocality">0</Data> 
->  <Data Name="FQDN">DESKTOP-Name</Data> 
-
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “enable scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable scheduled task” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Task Information**:
-
--   **Task Name** \[Type = UnicodeString\]**:** disabled scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node:
-
-<img src="images/computer-management.png" alt="Task Scheduler Library illustration" width="840" height="176" />
-
--   **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) of the disabled task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks.
-
-## Security Monitoring Recommendations
-
-For 4701(S): A scheduled task was disabled.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If a highly critical scheduled task exists on some computers, and it should never be disabled, monitor for [4701](event-4701.md) events with the corresponding **Task Name**.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
deleted file mode 100644
index 4bb86d53b2..0000000000
--- a/windows/security/threat-protection/auditing/event-4702.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-title: 4702(S) A scheduled task was updated. 
-description: Describes security event 4702(S) A scheduled task was updated. This event is generated when a scheduled task is updated/changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4702(S): A scheduled task was updated.
-
-
-<img src="images/event-4702.png" alt="Event 4702 illustration" width="363" height="555" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
-***Event Description:***
-
-This event generates every time scheduled task was updated/changed.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4702</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12804</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-23T03:00:59.343820000Z" /> 
- <EventRecordID>344863</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="596" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x364eb</Data> 
- <Data Name="TaskName">\\Microsoft\\StartListener</Data> 
- <Data Name="TaskContentNew"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>HighestAvailable</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data> 
- </EventData>
- </Event>
-
-```
->[!NOTE]
-> Windows 10 Versions 1903 and above augments the event with these additional properties:
-> Event Version 1.
->  ***Event XML:***
->```
->  <Data Name="ClientProcessStartKey">5066549580796854</Data> 
->  <Data Name="ClientProcessId">3932</Data> 
->  <Data Name="ParentProcessId">5304</Data> 
->  <Data Name="RpcCallClientLocality">0</Data> 
->  <Data Name="FQDN">DESKTOP-Name</Data> 
-
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “change/update scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change/update scheduled task” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Task Information**:
-
--   **Task Name** \[Type = UnicodeString\]**:** updated/changed scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node:
-
-<img src="images/computer-management.png" alt="Task Scheduler Library illustration" width="840" height="176" />
-
--   **Task New Content** \[Type = UnicodeString\]: the new [XML](/previous-versions/aa286548(v=msdn.10)) for the updated task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks.
-
-## Security Monitoring Recommendations
-
-For 4702(S): A scheduled task was updated.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Monitor for updated scheduled tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node.
-
--   In the updated scheduled task, if the **Task Content:** XML contains **&lt;LogonType&gt;Password&lt;/LogonType&gt;** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
deleted file mode 100644
index 0abe8a8e60..0000000000
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ /dev/null
@@ -1,198 +0,0 @@
----
-title: 4703(S) A user right was adjusted. 
-description: Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4703(S): A user right was adjusted.
-
-
-<img src="images/event-4703.png" alt="Event 4703 illustration" width="414" height="419" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authorization Policy Change](audit-authorization-policy-change.md)
-
-***Event Description:***
-
-This event generates when [token privileges](/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--) were enabled or disabled for a specific account’s token.  As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-Token privileges provide the ability to take certain system-level actions that you only need to do at particular moments. For example, anybody can restart a computer, but the operating system doesn’t enable that privilege by default. Instead, the privilege is enabled when you click **Shutdown**. You can check the current state of the user’s token privileges using the **whoami /priv** command:
-
-<img src="images/whoami-privilege-list.png" alt="Whoami privilege list illustration" width="1147" height="475" />
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4703</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13570</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-12T20:49:46.365958700Z" /> 
- <EventRecordID>5245</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="3632" /> 
- <Channel>Security</Channel> 
- <Computer>WIN-GG82ULGC9GO.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="TargetUserSid">S-1-5-18</Data> 
- <Data Name="TargetUserName">WIN-GG82ULGC9GO$</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x3e7</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data> 
- <Data Name="ProcessId">0x270</Data> 
- <Data Name="EnabledPrivilegeList">SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege</Data> 
- <Data Name="DisabledPrivilegeList">-</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2016, Windows 10.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “enable” or “disable” operation for **Target Account** privileges. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable” or “disable” operation for **Target Account** privileges.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:**
-
--   **Security ID** \[Type = SID\]**:** SID of account for which privileges were enabled or disabled. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which privileges were enabled or disabled.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that enabled or disabled token privileges. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-<!-- -->
-
--   **Enabled Privileges** \[Type = UnicodeString\]**:** the list of enabled user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:
-
-| Privilege Name                  | User Right Group Policy Name                                   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege   | Replace a process-level token                                  | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeAuditPrivilege                | Generate security audits                                       | With this privilege, the user can add entries to the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeBackupPrivilege               | Back up files and directories                                  | -   Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE                                                                                                                |
-| SeChangeNotifyPrivilege         | Bypass traverse checking                                       | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeCreateGlobalPrivilege         | Create global objects                                          | Required to create named file mapping objects in the global namespace during Terminal Services sessions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| SeCreatePagefilePrivilege       | Create a pagefile                                              | With this privilege, the user can create and change the size of a pagefile.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| SeCreatePermanentPrivilege      | Create permanent shared objects                                | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeCreateSymbolicLinkPrivilege   | Create symbolic links                                          | Required to create a symbolic link.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeCreateTokenPrivilege          | Create a token object                                          | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeDebugPrivilege                | Debug programs                                                 | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeEnableDelegationPrivilege     | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set.                                                                                                                                                                                                                      |
-| SeImpersonatePrivilege          | Impersonate a client after authentication                      | With this privilege, the user can impersonate other accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| SeIncreaseBasePriorityPrivilege | Increase scheduling priority                                   | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| SeIncreaseQuotaPrivilege        | Adjust memory quotas for a process                             | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeIncreaseWorkingSetPrivilege   | Increase a process working set                                 | Required to allocate more memory for applications that run in the context of users.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeLoadDriverPrivilege           | Load and unload device drivers                                 | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeLockMemoryPrivilege           | Lock pages in memory                                           | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeMachineAccountPrivilege       | Add workstations to domain                                     | With this privilege, the user can create a computer account.<br>This privilege is valid only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeManageVolumePrivilege         | Perform volume maintenance tasks                               | Required to run maintenance tasks on a volume, such as remote defragmentation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeProfileSingleProcessPrivilege | Profile single process                                         | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeRelabelPrivilege              | Modify an object label                                         | Required to modify the mandatory integrity level of an object.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeRemoteShutdownPrivilege       | Force shutdown from a remote system                            | Required to shut down a system using a network request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| SeRestorePrivilege              | Restore files and directories                                  | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| SeSecurityPrivilege             | Manage auditing and security log                               | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.<br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.<br>A user with this privilege can also view and clear the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeShutdownPrivilege             | Shut down the system                                           | Required to shut down a local system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeSyncAgentPrivilege            | Synchronize directory service data                             | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeSystemEnvironmentPrivilege    | Modify firmware environment values                             | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeSystemProfilePrivilege        | Profile system performance                                     | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| SeSystemtimePrivilege           | Change the system time                                         | Required to modify the system time.<br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTakeOwnershipPrivilege        | Take ownership of files or other objects                       | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.<br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTcbPrivilege                  | Act as part of the operating system                            | This privilege identifies its holder as part of the trusted computer base.<br>This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTimeZonePrivilege             | Change the time zone                                           | Required to adjust the time zone associated with the computer's internal clock.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller                  | Required to access Credential Manager as a trusted caller.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeUndockPrivilege               | Remove computer from docking station                           | Required to undock a laptop.<br>With this privilege, the user can undock a portable computer from its docking station without logging on.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeUnsolicitedInputPrivilege     | Not applicable                                                 | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-
-**Disabled Privileges** \[Type = UnicodeString\]**:** the list of disabled user rights. See possible values in the table above.
-
-## Security Monitoring Recommendations
-
-For 4703(S): A user right was adjusted.
-
-As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703.
-
-Otherwise, see the recommendations in the following table.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                                                                                                                                                              |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts.                                                                                                                                                                                                  |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                     |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used.                                                                                                                                                          |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled.                                                               |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                                                                                                     |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                  |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.                                                                                                                     | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. <br>Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account.                |
-| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor.                                                                                                                                                                                | Monitor this event and compare the **“Enabled Privileges”** to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.<br>For example, you might have **SeDebugPrivilege** on a list of user rights to be restricted. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                                                                                                                                                        |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
deleted file mode 100644
index 9d80b0b5ba..0000000000
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ /dev/null
@@ -1,156 +0,0 @@
----
-title: 4704(S) A user right was assigned. 
-description: Describes security event 4704(S) A user right was assigned. This event is generated when a user right is assigned to an account.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4704(S): A user right was assigned.
-
-
-<img src="images/event-4704.png" alt="Event 4704 illustration" width="449" height="446" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authorization Policy Change](audit-authorization-policy-change.md)
-
-***Event Description:***
-
-This event generates every time local user right policy is changed and user right was assigned to an account.
-
-You will see unique event for every user.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4704</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13570</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-02T22:08:07.136050600Z" /> 
- <EventRecordID>1049866</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="1216" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="PrivilegeList">SeAuditPrivilege SeIncreaseWorkingSetPrivilege</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made a change to local user right policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local user right policy.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:**
-
--   **Account Name** \[Type = SID\]: the SID of security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-**New Right:**
-
--   **User Right** \[Type = UnicodeString\]: the list of assigned user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:
-
-| Privilege Name                  | User Right Group Policy Name                                   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege   | Replace a process-level token                                  | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeAuditPrivilege                | Generate security audits                                       | With this privilege, the user can add entries to the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeBackupPrivilege               | Back up files and directories                                  | -   Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE                                                                                                                |
-| SeChangeNotifyPrivilege         | Bypass traverse checking                                       | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeCreateGlobalPrivilege         | Create global objects                                          | Required to create named file mapping objects in the global namespace during Terminal Services sessions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| SeCreatePagefilePrivilege       | Create a pagefile                                              | With this privilege, the user can create and change the size of a pagefile.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| SeCreatePermanentPrivilege      | Create permanent shared objects                                | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeCreateSymbolicLinkPrivilege   | Create symbolic links                                          | Required to create a symbolic link.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeCreateTokenPrivilege          | Create a token object                                          | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeDebugPrivilege                | Debug programs                                                 | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeEnableDelegationPrivilege     | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set.                                                                                                                                                                                                                      |
-| SeImpersonatePrivilege          | Impersonate a client after authentication                      | With this privilege, the user can impersonate other accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| SeIncreaseBasePriorityPrivilege | Increase scheduling priority                                   | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| SeIncreaseQuotaPrivilege        | Adjust memory quotas for a process                             | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeIncreaseWorkingSetPrivilege   | Increase a process working set                                 | Required to allocate more memory for applications that run in the context of users.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeLoadDriverPrivilege           | Load and unload device drivers                                 | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeLockMemoryPrivilege           | Lock pages in memory                                           | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeMachineAccountPrivilege       | Add workstations to domain                                     | With this privilege, the user can create a computer account.<br>This privilege is valid only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeManageVolumePrivilege         | Perform volume maintenance tasks                               | Required to run maintenance tasks on a volume, such as remote defragmentation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeProfileSingleProcessPrivilege | Profile single process                                         | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeRelabelPrivilege              | Modify an object label                                         | Required to modify the mandatory integrity level of an object.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeRemoteShutdownPrivilege       | Force shutdown from a remote system                            | Required to shut down a system using a network request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| SeRestorePrivilege              | Restore files and directories                                  | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| SeSecurityPrivilege             | Manage auditing and security log                               | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.<br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.<br>A user with this privilege can also view and clear the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeShutdownPrivilege             | Shut down the system                                           | Required to shut down a local system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeSyncAgentPrivilege            | Synchronize directory service data                             | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeSystemEnvironmentPrivilege    | Modify firmware environment values                             | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeSystemProfilePrivilege        | Profile system performance                                     | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| SeSystemtimePrivilege           | Change the system time                                         | Required to modify the system time.<br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTakeOwnershipPrivilege        | Take ownership of files or other objects                       | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.<br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTcbPrivilege                  | Act as part of the operating system                            | This privilege identifies its holder as part of the trusted computer base.<br>This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTimeZonePrivilege             | Change the time zone                                           | Required to adjust the time zone associated with the computer's internal clock.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller                  | Required to access Credential Manager as a trusted caller.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeUndockPrivilege               | Remove computer from docking station                           | Required to undock a laptop.<br>With this privilege, the user can undock a portable computer from its docking station without logging on.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeUnsolicitedInputPrivilege     | Not applicable                                                 | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-
-
-## Security Monitoring Recommendations
-
-For 4704(S): A user right was assigned.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM.                                                                                                                                     | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.                                                                                                                                                                                                                                                                                                                                                                                                  |
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                                                                                                                                                                                                                                                          |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used.                                                                                                                                                                                                                                                                                                                                                                                             |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled.                                                                                                                                                                                                                                                                                                            |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                                                                                                                                                                                                                                                                                                                                          |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.                                                                                                                     | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. <br>Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account.                                                                                                                                                                                                                                                       |
-| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor.                                                                                                                                                                                | Monitor this event and compare the “**New Right\\User Right**” to your list of user rights, to see whether the right should be assigned to **“Target Account\\Account Name**.” Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.<br>For example, your list of restricted rights might say that only administrative accounts should have **SeAuditPrivilege**. As another example, your list might say that no accounts should have **SeTcbPrivilege** or **SeDebugPrivilege**. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
deleted file mode 100644
index aa5fedab07..0000000000
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ /dev/null
@@ -1,155 +0,0 @@
----
-title: 4705(S) A user right was removed. 
-description: Describes security event 4705(S) A user right was removed. This event is generated when a user right is removed from an account.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4705(S): A user right was removed.
-
-
-<img src="images/event-4705.png" alt="Event 4705 illustration" width="449" height="435" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authorization Policy Change](audit-authorization-policy-change.md)
-
-***Event Description:***
-
-This event generates every time local user right policy is changed and user right was removed from an account.
-
-You will see unique event for every user.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4705</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13570</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-02T22:08:07.152488600Z" /> 
- <EventRecordID>1049867</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="1216" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="PrivilegeList">SeTimeZonePrivilege</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made a change to local user right policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local user right policy.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:**
-
--   **Account Name** \[Type = SID\]: the SID of security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-**Removed Right:**
-
--   **User Right** \[Type = UnicodeString\]: the list of removed user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:
-
-| Privilege Name                  | User Right Group Policy Name                                   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege   | Replace a process-level token                                  | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeAuditPrivilege                | Generate security audits                                       | With this privilege, the user can add entries to the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeBackupPrivilege               | Back up files and directories                                  | -   Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE                                                                                                                |
-| SeChangeNotifyPrivilege         | Bypass traverse checking                                       | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeCreateGlobalPrivilege         | Create global objects                                          | Required to create named file mapping objects in the global namespace during Terminal Services sessions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| SeCreatePagefilePrivilege       | Create a pagefile                                              | With this privilege, the user can create and change the size of a pagefile.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| SeCreatePermanentPrivilege      | Create permanent shared objects                                | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeCreateSymbolicLinkPrivilege   | Create symbolic links                                          | Required to create a symbolic link.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeCreateTokenPrivilege          | Create a token object                                          | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeDebugPrivilege                | Debug programs                                                 | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeEnableDelegationPrivilege     | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set.                                                                                                                                                                                                                      |
-| SeImpersonatePrivilege          | Impersonate a client after authentication                      | With this privilege, the user can impersonate other accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| SeIncreaseBasePriorityPrivilege | Increase scheduling priority                                   | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| SeIncreaseQuotaPrivilege        | Adjust memory quotas for a process                             | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeIncreaseWorkingSetPrivilege   | Increase a process working set                                 | Required to allocate more memory for applications that run in the context of users.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeLoadDriverPrivilege           | Load and unload device drivers                                 | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeLockMemoryPrivilege           | Lock pages in memory                                           | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeMachineAccountPrivilege       | Add workstations to domain                                     | With this privilege, the user can create a computer account.<br>This privilege is valid only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeManageVolumePrivilege         | Perform volume maintenance tasks                               | Required to run maintenance tasks on a volume, such as remote defragmentation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeProfileSingleProcessPrivilege | Profile single process                                         | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeRelabelPrivilege              | Modify an object label                                         | Required to modify the mandatory integrity level of an object.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeRemoteShutdownPrivilege       | Force shutdown from a remote system                            | Required to shut down a system using a network request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| SeRestorePrivilege              | Restore files and directories                                  | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| SeSecurityPrivilege             | Manage auditing and security log                               | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.<br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.<br>A user with this privilege can also view and clear the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeShutdownPrivilege             | Shut down the system                                           | Required to shut down a local system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeSyncAgentPrivilege            | Synchronize directory service data                             | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeSystemEnvironmentPrivilege    | Modify firmware environment values                             | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeSystemProfilePrivilege        | Profile system performance                                     | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| SeSystemtimePrivilege           | Change the system time                                         | Required to modify the system time.<br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTakeOwnershipPrivilege        | Take ownership of files or other objects                       | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.<br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTcbPrivilege                  | Act as part of the operating system                            | This privilege identifies its holder as part of the trusted computer base.<br>This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTimeZonePrivilege             | Change the time zone                                           | Required to adjust the time zone associated with the computer's internal clock.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller                  | Required to access Credential Manager as a trusted caller.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeUndockPrivilege               | Remove computer from docking station                           | Required to undock a laptop.<br>With this privilege, the user can undock a portable computer from its docking station without logging on.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeUnsolicitedInputPrivilege     | Not applicable                                                 | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-
-## Security Monitoring Recommendations
-
-For 4705(S): A user right was removed.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM.                                                                                                                                     | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist.<br>If you have specific user rights policies, for example, an allowlist of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.”                                                                                                                                                                                                                                                |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.<br>For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.<br>As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.                                                                                                                     | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case.                                                                                       |
-| **User rights that should be restricted**: You might have a list of user rights that you want to monitor.                                                                                                                                                                                                         | Monitor this event and compare the **“Removed Right”** to your list of restricted rights.<br>Monitor this event to discover the removal of a right that should never have been granted (for example, SeTcbPrivilege), so that you can investigate further.                                                                                                                                                                                                                                                                                                                                                                                                 |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
deleted file mode 100644
index d379640fbc..0000000000
--- a/windows/security/threat-protection/auditing/event-4706.md
+++ /dev/null
@@ -1,149 +0,0 @@
----
-title: 4706(S) A new trust was created to a domain. 
-description: Describes security event 4706(S) A new trust was created to a domain. This event is generated when a new trust is created for a domain.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4706(S): A new trust was created to a domain.
-
-
-<img src="images/event-4706.png" alt="Event 4706 illustration" width="449" height="489" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates when a new trust was created to a domain.
-
-This event is generated only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4706</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13569</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-01T20:41:13.189445500Z" /> 
- <EventRecordID>1049759</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="4900" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="DomainName">corp.contoso.local</Data> 
- <Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e99d6</Data> 
- <Data Name="TdoType">2</Data> 
- <Data Name="TdoDirection">3</Data> 
- <Data Name="TdoAttributes">32</Data> 
- <Data Name="SidFilteringEnabled">%%1796</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “create domain trust” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create domain trust” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Trusted Domain:**
-
--   **Domain Name** \[Type = UnicodeString\]**:** the name of new trusted domain.
-
--   **Domain ID** \[Type = SID\]**:** SID of new trusted domain. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-**Trust Information:**
-
--   **Trust Type** \[Type = UInt32\]**:** the type of new trust. The following table contains possible values for this field:
-
-| Value | Attribute Value        | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-|-------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 1     | TRUST\_TYPE\_DOWNLEVEL | The domain controller of the trusted domain is a computer running an operating system earlier than Windows 2000.                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| 2     | TRUST\_TYPE\_UPLEVEL   | The domain controller of the trusted domain is a computer running Windows 2000 or later.                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 3     | TRUST\_TYPE\_MIT       | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). |
-| 4     | TRUST\_TYPE\_DCE       | The trusted domain is a DCE realm. Historical reference, this value is not used in Windows.                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-
--   **Trust Direction** \[Type = UInt32\]**:** the direction of new trust. The following table contains possible values for this field:
-
-| Value | Attribute Value                 | Description                                                                                                 |
-|-------|---------------------------------|-------------------------------------------------------------------------------------------------------------|
-| 0     | TRUST\_DIRECTION\_DISABLED      | The trust relationship exists, but it has been disabled.                                                    |
-| 1     | TRUST\_DIRECTION\_INBOUND       | The trusted domain trusts the primary domain to perform operations such as name lookups and authentication. |
-| 2     | TRUST\_DIRECTION\_OUTBOUND      | The primary domain trusts the trusted domain to perform operations such as name lookups and authentication. |
-| 3     | TRUST\_DIRECTION\_BIDIRECTIONAL | Both domains trust one another for operations such as name lookups and authentication.                      |
-
--   **Trust Attributes** \[Type = UInt32\]**:** the decimal value of attributes for new trust. You need convert decimal value to hexadecimal and find it in the table below. The following table contains possible values for this field:
-
-| Value | Attribute Value                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-|-------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x1   | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE                          | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A&lt;--&gt;B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A&lt;--&gt;B&lt;--&gt;C trust linkage.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 0x2   | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY                            | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0x4   | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN                      | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section [4.1.2.2](/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 0x8   | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE                       | If this bit is set, the trust link is a [cross-forest trust](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) between the root domains of two [forests](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater.                   |
-| 0x10  | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION                      | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section [3.3.5.7.5](/openspecs/windows_protocols/ms-kile/bac4dc69-352d-416c-a9f4-730b81ababb3) and [\[MS-APDS\]](/openspecs/windows_protocols/ms-apds/dd444344-fd7e-430e-b313-7e95ab9c338e) section [3.1.5](/openspecs/windows_protocols/ms-apds/f47e40e1-b9ca-47e2-b139-15a1e96b0e72).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater.                                                                                                                                        |
-| 0x20  | TRUST\_ATTRIBUTE\_WITHIN\_FOREST                           | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0x40  | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL                      | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x80  | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION                    | This bit is set on trusts with the [trustType](/openspecs/windows_protocols/ms-ada3/d4b436de-0ba2-44e3-975c-9f4d8aa51885) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](/openspecs/windows_protocols/ms-adts/c964fca9-c50e-426a-9173-5bf3cb720e2e).<br>Only evaluated on TRUST\_TYPE\_MIT                                                                                                                                                                                                                                          |
-| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST                               | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section 4.1.2.2.<br>Evaluated only on Windows Server 2016<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater.                                                                                                                                                                                                                                                                                                                                   |
-
--   **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](/previous-versions/windows/it-pro/windows-server-2003/cc772633(v=ws.10)) state for the new trust:
-
-    -   Enabled
-
-    -   Disabled
-
-## Security Monitoring Recommendations
-
-For 4706(S): A new trust was created to a domain.
-
--   Any changes related to Active Directory domain trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md
deleted file mode 100644
index a7d7e7fab3..0000000000
--- a/windows/security/threat-protection/auditing/event-4707.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: 4707(S) A trust to a domain was removed. 
-description: Describes security event 4707(S) A trust to a domain was removed. This event is generated when a domain trust is removed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4707(S): A trust to a domain was removed.
-
-
-<img src="images/event-4707.png" alt="Event 4707 illustration" width="449" height="409" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates when a domain trust was removed.
-
-This event is generated only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4707</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13569</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-01T20:41:13.080444700Z" /> 
- <EventRecordID>1049754</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="580" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="DomainName">FABRIKAM</Data> 
- <Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e99d6</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “remove domain trust” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove domain trust” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Domain Information:**
-
--   **Domain Name** \[Type = UnicodeString\]**:** the name of removed trusted domain.
-
--   **Domain ID** \[Type = SID\]**:** SID of removed trusted domain. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-## Security Monitoring Recommendations
-
-For 4707(S): A trust to a domain was removed.
-
--   Any changes related to Active Directory domain trusts (especially trust removal) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
-
diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md
deleted file mode 100644
index f83c8df8ce..0000000000
--- a/windows/security/threat-protection/auditing/event-4713.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: 4713(S) Kerberos policy was changed. 
-description: Describes security event 4713(S) Kerberos policy was changed. This event is generated when Kerberos policy is changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4713(S): Kerberos policy was changed.
-
-
-<img src="images/event-4713.png" alt="Event 4713 illustration" width="485" height="422" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates when [Kerberos](/windows/win32/secauthn/microsoft-kerberos) policy was changed.
-
-This event is generated only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4713</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13569</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-01T23:15:50.811774300Z" /> 
- <EventRecordID>1049772</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="4116" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="KerberosPolicyChange">KerMaxT: 0x10c388d000 (0x861c46800); KerMaxR: 0x19254d38000 (0xc92a69c000);</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made a change to Kerberos policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to Kerberos policy.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Changes Made** \[Type = UnicodeString\]**:** '--' means no changes, otherwise each change is shown as: Parameter\_Name: new\_value (old\_value). Here is a list of possible parameter names:
-
-| Parameter Name | Description                                                                                                                                                                                             |
-|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| KerProxy       | 1.  Maximum tolerance for computer clock synchronization.<br>To convert the **KerProxy** to minutes you need to:<br>Convert the value to decimal value.<br>Divide value by 600000000. |
-| KerMaxR        | 1.  Maximum lifetime for user ticket renewal.<br>To convert the **KerProxy** to days you need to:<br>Convert the value to decimal value.<br>Divide value by 864000000000.             |
-| KerMaxT        | 1.  Maximum lifetime for user ticket.<br>To convert the **KerMaxT** to hours you need to:<br>Convert the value to decimal value.<br>Divide value by 36000000000.                      |
-| KerMinT        | 1.  Maximum lifetime for service ticket.<br>To convert the **KerMinT** to minutes you need to:<br>Convert the value to decimal value.<br>Divide value by 600000000.                   |
-| KerOpts        | -   Enforce user logon restrictions:<br>0x80 – Enabled<br>0x0 - Disabled                                                                                                                    |
-
-This event shows changes in “Kerberos policy”. Here is location of Kerberos policies in Group Policy management console:
-
-<img src="images/group-policy-editor.png" alt="Group policy editor illustration" width="790" height="171" />
-
-## Security Monitoring Recommendations
-
-For 4713(S): Kerberos policy was changed.
-
--   Any changes in Kerberos policy reported by current event must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md
deleted file mode 100644
index 13f82a2f64..0000000000
--- a/windows/security/threat-protection/auditing/event-4714.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: 4714(S) Encrypted data recovery policy was changed. 
-description: Describes security event 4714(S) Encrypted data recovery policy was changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4714(S): Encrypted data recovery policy was changed.
-
-
-<img src="images/event-4714.png" alt="Event 4714 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Description:***
-
-This event generates when a Data Recovery Agent group policy for Encrypting File System ([EFS](/previous-versions/tn-archive/cc700811(v=technet.10))) has changed.
-
-This event generates when a Data Recovery Agent certificate or [Data Recovery Agent policy](/previous-versions/windows/it-pro/windows-server-2003/cc778208(v=ws.10)) was changed for the computer or device.
-
-In the background, this event generates when the [\\HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\EfsBlob](/openspecs/windows_protocols/ms-gpef/34fd0504-84fc-4ad9-97ac-ee74b84419ac) registry value is changed during a Group Policy update.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
- <EventID>4714</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13573</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-08T05:27:40.740602500Z" /> 
- <EventRecordID>1080883</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="524" ThreadID="4856" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <ProcessingErrorData>
- <ErrorCode>13</ErrorCode> 
- <DataItemName>SubjectUserSid</DataItemName> 
- <EventPayload /> 
- </ProcessingErrorData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 4714(S): Encrypted data recovery policy was changed.
-
--   We recommend monitoring this event and if the change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md
deleted file mode 100644
index b92a998c6d..0000000000
--- a/windows/security/threat-protection/auditing/event-4715.md
+++ /dev/null
@@ -1,216 +0,0 @@
----
-title: 4715(S) The audit policy (SACL) on an object was changed. 
-description: Describes security event 4715(S) The audit policy (SACL) on an object was changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4715(S): The audit policy (SACL) on an object was changed.
-
-
-<img src="images/event-4715.png" alt="Event 4715 illustration" width="643" height="407" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Policy Change](audit-audit-policy-change.md)
-
-***Event Description:***
-
-This event generates every time local audit policy security descriptor changes.
-
-This event is always logged regardless of the "Audit Policy Change" sub-category setting.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4715</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13568</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-30T19:59:39.964601800Z" /> 
- <EventRecordID>1049425</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="4668" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x11ae30</Data> 
- <Data Name="OldSd">D:(A;;DCSWRPDTRC;;;BA)(D;;DCSWRPDTRC;;;SY)S:NO\_ACCESS\_CONTROL</Data> 
- <Data Name="NewSd">D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)S:NO\_ACCESS\_CONTROL</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “change local audit policy security descriptor (SACL)” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change local audit policy security descriptor (SACL)” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Audit Policy Change:**
-
--   **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the audit policy.
-
--   **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy.
-
-> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
-> 
-> Example:
-> 
-> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
-> 
-> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
-> See the list of possible values in the table below:
-
-| Value | Description                          | Value | Description                     |
-|-------|--------------------------------------|-------|---------------------------------|
-| "AO"  | Account operators                    | "PA"  | Group Policy administrators     |
-| "RU"  | Alias to allow previous Windows 2000 | "IU"  | Interactively logged-on user    |
-| "AN"  | Anonymous logon                      | "LA"  | Local administrator             |
-| "AU"  | Authenticated users                  | "LG"  | Local guest                     |
-| "BA"  | Built-in administrators              | "LS"  | Local service account           |
-| "BG"  | Built-in guests                      | "SY"  | Local system                    |
-| "BO"  | Backup operators                     | "NU"  | Network logon user              |
-| "BU"  | Built-in users                       | "NO"  | Network configuration operators |
-| "CA"  | Certificate server administrators    | "NS"  | Network service account         |
-| "CG"  | Creator group                        | "PO"  | Printer operators               |
-| "CO"  | Creator owner                        | "PS"  | Personal self                   |
-| "DA"  | Domain administrators                | "PU"  | Power users                     |
-| "DC"  | Domain computers                     | "RS"  | RAS servers group               |
-| "DD"  | Domain controllers                   | "RD"  | Terminal server users           |
-| "DG"  | Domain guests                        | "RE"  | Replicator                      |
-| "DU"  | Domain users                         | "RC"  | Restricted code                 |
-| "EA"  | Enterprise administrators            | "SA"  | Schema administrators           |
-| "ED"  | Enterprise domain controllers        | "SO"  | Server operators                |
-| "WD"  | Everyone                             | "SU"  | Service logon user              |
-
-- *G*: = Primary Group.
-- *D*: = DACL Entries.
-- *S*: = SACL Entries.
-
-*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
-
-Example: D:(A;;FA;;;WD)
-
-- entry\_type:
-
-“D” - DACL
-
-“S” - SACL
-
-- inheritance\_flags:
-
-"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
-
-"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
-
-"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
-
-- ace\_type:
-
-"A" - ACCESS ALLOWED
-
-"D" - ACCESS DENIED
-
-"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
-
-"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
-
-"AU" - SYSTEM AUDIT
-
-"A" - SYSTEM ALARM
-
-"OU" - OBJECT SYSTEM AUDIT
-
-"OL" - OBJECT SYSTEM ALARM
-
-- ace\_flags:
-
-"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
-
-"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
-
-"NP" - NO PROPAGATE: only immediate children inherit this ace.
-
-"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
-
-"ID" - ACE IS INHERITED
-
-"SA" - SUCCESSFUL ACCESS AUDIT
-
-"FA" - FAILED ACCESS AUDIT
-- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
-
-| Value                      | Description                     | Value                | Description              |
-|----------------------------|---------------------------------|----------------------|--------------------------|
-| Generic access rights      | Directory service access rights |
-| "GA"                       | GENERIC ALL                     | "RC"                 | Read Permissions         |
-| "GR"                       | GENERIC READ                    | "SD"                 | Delete                   |
-| "GW"                       | GENERIC WRITE                   | "WD"                 | Modify Permissions       |
-| "GX"                       | GENERIC EXECUTE                 | "WO"                 | Modify Owner             |
-| File access rights         | "RP"                            | Read All Properties  |
-| "FA"                       | FILE ALL ACCESS                 | "WP"                 | Write All Properties     |
-| "FR"                       | FILE GENERIC READ               | "CC"                 | Create All Child Objects |
-| "FW"                       | FILE GENERIC WRITE              | "DC"                 | Delete All Child Objects |
-| "FX"                       | FILE GENERIC EXECUTE            | "LC"                 | List Contents            |
-| Registry key access rights | "SW"                            | All Validated Writes |
-| "KA"                       | "LO"                            | "LO"                 | List Object              |
-| "K"                        | KEY READ                        | "DT"                 | Delete Subtree           |
-| "KW"                       | KEY WRITE                       | "CR"                 | All Extended Rights      |
-| "KX"                       | KEY EXECUTE                     |                      |                          |
-
-- object\_guid: N/A
-- inherit\_object\_guid: N/A
-- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
-
-For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
-
-## Security Monitoring Recommendations
-
-For 4715(S): The audit policy (SACL) on an object was changed.
-
--   Monitor for all events of this type, especially on high value assets or computers, because any change of the local audit policy security descriptor should be planned. If this action was not planned, investigate the reason for the change.
-
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
deleted file mode 100644
index 42b0a6e238..0000000000
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ /dev/null
@@ -1,234 +0,0 @@
----
-title: 4716(S) Trusted domain information was modified. 
-description: Describes security event 4716(S) Trusted domain information was modified.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4716(S): Trusted domain information was modified.
-
-
-<img src="images/event-4716.png" alt="Event 4716 illustration" width="449" height="489" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates when the trust was modified.
-
-This event is generated only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4716</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13569</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-01T22:55:54.560735500Z" /> 
- <EventRecordID>1049763</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="4920" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x138eb0</Data> 
- <Data Name="DomainName">-</Data> 
- <Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data> 
- <Data Name="TdoType">2</Data> 
- <Data Name="TdoDirection">3</Data> 
- <Data Name="TdoAttributes">32</Data> 
- <Data Name="SidFilteringEnabled">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “modify domain trust settings” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify domain trust settings” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Trusted Domain:**
-
--   **Domain Name** \[Type = UnicodeString\]**:** the name of changed trusted domain. If this attribute was not changed, then it will have “**-**“ value.
-
--   **Domain ID** \[Type = SID\]**:** SID of changed trusted domain. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-**New Trust Information:**
-
--   **Trust Type** \[Type = UInt32\]**:** the type of new trust. If this attribute was not changed, then it will have “**-**“ value or its old value. The following table contains possible values for this field:
-
-| Value | Attribute Value        | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-|-------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 1     | TRUST\_TYPE\_DOWNLEVEL | The domain controller of the trusted domain is a computer running an operating system earlier than Windows 2000.                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| 2     | TRUST\_TYPE\_UPLEVEL   | The domain controller of the trusted domain is a computer running Windows 2000 or later.                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 3     | TRUST\_TYPE\_MIT       | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). |
-| 4     | TRUST\_TYPE\_DCE       | The trusted domain is a DCE realm. Historical reference, this value is not used in Windows.                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-
--   **Trust Direction** \[Type = UInt32\]**:** the direction of new trust. If this attribute was not changed, then it will have “**-**“ value or its old value. The following table contains possible values for this field:
-
-| Value | Attribute Value                 | Description                                                                                                 |
-|-------|---------------------------------|-------------------------------------------------------------------------------------------------------------|
-| 0     | TRUST\_DIRECTION\_DISABLED      | The trust relationship exists, but it has been disabled.                                                    |
-| 1     | TRUST\_DIRECTION\_INBOUND       | The trusted domain trusts the primary domain to perform operations such as name lookups and authentication. |
-| 2     | TRUST\_DIRECTION\_OUTBOUND      | The primary domain trusts the trusted domain to perform operations such as name lookups and authentication. |
-| 3     | TRUST\_DIRECTION\_BIDIRECTIONAL | Both domains trust one another for operations such as name lookups and authentication.                      |
-
--   **Trust Attributes** \[Type = UInt32\]**:** the decimal value of attributes for new trust. You need convert decimal value to hexadecimal and find it in the table below. If this attribute was not changed, then it will have “**-**“ value or its old value. The following table contains possible values for this field:
-
-| Value | Attribute Value                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-|-------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x1   | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE                          | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A&lt;--&gt;B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A&lt;--&gt;B&lt;--&gt;C trust linkage.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 0x2   | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY                            | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0x4   | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN                      | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section [4.1.2.2](/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 0x8   | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE                       | If this bit is set, the trust link is a [cross-forest trust](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) between the root domains of two [forests](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater.                   |
-| 0x10  | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION                      | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section [3.3.5.7.5](/openspecs/windows_protocols/ms-kile/bac4dc69-352d-416c-a9f4-730b81ababb3) and [\[MS-APDS\]](/openspecs/windows_protocols/ms-apds/dd444344-fd7e-430e-b313-7e95ab9c338e) section [3.1.5](/openspecs/windows_protocols/ms-apds/f47e40e1-b9ca-47e2-b139-15a1e96b0e72).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater.                                                                                                                                        |
-| 0x20  | TRUST\_ATTRIBUTE\_WITHIN\_FOREST                           | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0x40  | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL                      | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x80  | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION                    | This bit is set on trusts with the [trustType](/openspecs/windows_protocols/ms-ada3/d4b436de-0ba2-44e3-975c-9f4d8aa51885) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](/openspecs/windows_protocols/ms-adts/c964fca9-c50e-426a-9173-5bf3cb720e2e).<br>Only evaluated on TRUST\_TYPE\_MIT                                                                                                                                                                                                                                          |
-| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST                               | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section 4.1.2.2.<br>Evaluated only on Windows Server 2016<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater.                                                                                                                                                                                                                                                                                                                                   |
-
--   **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](/previous-versions/windows/it-pro/windows-server-2003/cc772633(v=ws.10)) state for the new trust:
-
-    -   Enabled
-
-    -   Disabled
-
-        If this attribute was not changed, then it will have “**-**“ value or its old value.
-
-## Security Monitoring Recommendations
-
-For 4716(S): Trusted domain information was modified.
-
--   Any changes in Active Directory domain trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
-
-## Anonymous Logon account
-
-If the account reported in the event is **Anonymous Logon**, it means the password is changed by system automatic password reset. For example:
-
-```
-Log Name:      Security
-Source:        Microsoft-Windows-Security-Auditing
-Date:          <time>
-Event ID:      4716
-Task Category: Authentication Policy Change
-Level:         Information
-Keywords:      Audit Success
-User:          N/A
-Computer:      <fqdn>
-Description:
-Trusted domain information was modified.    //When trust gets reset, this event generates
-Subject:
- Security ID:  ANONYMOUS LOGON              //Confirms that anonymous logon account is reported when Automatic password reset for the trust is performed
- Account Name:  ANONYMOUS LOGON
- Account Domain:  NT AUTHORITY
- Logon ID:  0x3E6
-```
-
-After event 4716, you may see either event 4724 or event 4742 or both:
-
-```
-Log Name:      Security
-Source:        Microsoft-Windows-Security-Auditing
-Date:          <time>
-Event ID:      4724
-Task Category: User Account Management
-Level:         Information
-Keywords:      Audit Success
-User:          N/A
-Computer:      <FQDN>
-Description:
-An attempt was made to reset an account's password.
-
-Subject:
-	Security ID:		ANONYMOUS LOGON
-	Account Name:		ANONYMOUS LOGON
-	Account Domain:		NT AUTHORITY
-	Logon ID:		0x3E6
-
-Target Account:
-	Security ID:		CONTOSO\CONTOSOPEERTREE$     //OBJECT representing the TRUST object
-	Account Name:		CONTOSOPEERTREE$
-	Account Domain:		CONTOSO
-```
-
-```
-Log Name:      Security
-Source:        Microsoft-Windows-Security-Auditing
-Date:          <time>
-Event ID:      4742
-Task Category: Computer Account Management
-Level:         Information
-Keywords:      Audit Success
-User:          N/A
-Computer:      <FQDN>
-Description:
-A computer account was changed.
-
-Subject:
-	Security ID:		ANONYMOUS LOGON
-	Account Name:		ANONYMOUS LOGON
-	Account Domain:		NT AUTHORITY
-	Logon ID:		0x3E6
-
-Computer Account That Was Changed:
-	Security ID:		CONTOSO\CONTOSOPEERTREE$
-	Account Name:		CONTOSOPEERTREE$
-	Account Domain:		CONTOSO
-
-Changed Attributes:
-	...
-	Password Last Set:	<time>
-	...
-
-Additional Information:
-	Privileges:		-
-```
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
deleted file mode 100644
index c41a064781..0000000000
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ /dev/null
@@ -1,130 +0,0 @@
----
-title: 4717(S) System security access was granted to an account. 
-description: Describes security event 4717(S) System security access was granted to an account.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4717(S): System security access was granted to an account.
-
-
-<img src="images/event-4717.png" alt="Event 4717 illustration" width="449" height="435" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates every time local [logon user right policy](/previous-versions/windows/it-pro/windows-server-2003/cc728212(v=ws.10)) is changed and logon right was granted to an account.
-
-You will see unique event for every user if logon user rights were granted to multiple accounts.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4717</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13569</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-02T00:02:33.213572000Z" /> 
- <EventRecordID>1049777</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="2064" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data> 
- <Data Name="AccessGranted">SeInteractiveLogonRight</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made a change to local logon right user policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local logon right user policy.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Account Modified:**
-
--   **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was granted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-**Access Granted:**
-
--   **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](/previous-versions/windows/it-pro/windows-server-2003/cc728212(v=ws.10)), which are as follows:
-
-| Value                             | Group Policy Name                             |
-|-----------------------------------|-----------------------------------------------|
-| SeNetworkLogonRight               | Access this computer from the network         |
-| SeRemoteInteractiveLogonRight     | Allow logon through Terminal Services         |
-| SeDenyNetworkLogonRight           | Deny access to this computer from the network |
-| SeDenyBatchLogonRight             | Deny logon as a batch job                     |
-| SeDenyServiceLogonRight           | Deny logon as a service                       |
-| SeDenyInteractiveLogonRight       | Deny logon locally                            |
-| SeDenyRemoteInteractiveLogonRight | Deny logon through Terminal Services          |
-| SeBatchLogonRight                 | Log on as a batch job                         |
-| SeServiceLogonRight               | Log on as a service                           |
-| SeInteractiveLogonRight           | Log on locally                                |
-
-## Security Monitoring Recommendations
-
-For 4717(S): System security access was granted to an account.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM.                                                                                                                                     | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.                                                                                                                                                                                                                                                                                                                                                  |
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts.                                                                                                                                                                                                                                                                                                                                               |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                                                                                                                                                                                                          |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used.                                                                                                                                                                                                                                                                                                                                                                                   |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist.<br>If you have specific user logon rights policies, for example, an allowlist of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.”                                                                                  |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.<br>For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights.                                                                                            |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                                                                                                                                                                                                       |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.                                                                                                                     | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. |
-| **Logon rights that should be restricted**: You might have a list of user logon rights that you want to monitor (for example, **SeServiceLogonRight**).                                                                                                                                                           | Monitor this event and compare the **“Access Right”** to your list of restricted rights.                                                                                                                                                                                                                                                                                                                                                                                                             |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                                                                                                                                                                                                                                                                                                                                             |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
deleted file mode 100644
index 04e8efedd9..0000000000
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ /dev/null
@@ -1,130 +0,0 @@
----
-title: 4718(S) System security access was removed from an account. 
-description: Describes security event 4718(S) System security access was removed from an account.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4718(S): System security access was removed from an account.
-
-
-<img src="images/event-4718.png" alt="Event 4718 illustration" width="449" height="435" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates every time local [logon user right policy](/previous-versions/windows/it-pro/windows-server-2003/cc728212(v=ws.10)) is changed and logon right was removed from an account.
-
-You will see unique event for every user if logon user rights were removed for multiple accounts.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4718</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13569</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-01T23:35:46.375134200Z" /> 
- <EventRecordID>1049773</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="5028" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data> 
- <Data Name="AccessRemoved">SeInteractiveLogonRight</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made a change to local logon right user policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local logon right user policy.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Account Modified:**
-
--   **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-**Access Removed:**
-
--   **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](/previous-versions/windows/it-pro/windows-server-2003/cc728212(v=ws.10)), which are as follows:
-
-| Value                             | Group Policy Name                             |
-|-----------------------------------|-----------------------------------------------|
-| SeNetworkLogonRight               | Access this computer from the network         |
-| SeRemoteInteractiveLogonRight     | Allow logon through Terminal Services         |
-| SeDenyNetworkLogonRight           | Deny access to this computer from the network |
-| SeDenyBatchLogonRight             | Deny logon as a batch job                     |
-| SeDenyServiceLogonRight           | Deny logon as a service                       |
-| SeDenyInteractiveLogonRight       | Deny logon locally                            |
-| SeDenyRemoteInteractiveLogonRight | Deny logon through Terminal Services          |
-| SeBatchLogonRight                 | Log on as a batch job                         |
-| SeServiceLogonRight               | Log on as a service                           |
-| SeInteractiveLogonRight           | Log on locally                                |
-
-## Security Monitoring Recommendations
-
-For 4718(S): System security access was removed from an account.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                                      | **Recommendation**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM.                                                                                                                                                        | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.                    | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                                   | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                                        | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                                         | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist.<br>If you have specific user logon rights policies, for example, an allowlist of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.”                                                                                                                                                                                                                                                                                                     |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                                    | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.<br>For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.<br>As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                                        | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.                                                                                                                                        | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case.                                                                                                                                                                                                                     |
-| **Logon rights that should be restricted**: You might have a list of user logon rights that you want to monitor (for example, **SeServiceLogonRight**).<br>**“Deny” rights that should not be removed**: Your organization might use “Deny” rights that should not be removed, for example, SeDenyRemoteInteractiveLogonRight. | -   Monitor this event and compare the **“Access Right”** to your list of restricted rights.<br>Monitor this event to discover the removal of a right that should never have been granted, so that you can investigate further.<br>You can also monitor this event to discover the removal of “Deny” rights. When these rights are removed, it could be an approved action, done by mistake, or part of malicious activity. These rights include:<br>SeDenyNetworkLogonRight:<br>SeDenyBatchLogonRight<br>SeDenyServiceLogonRight<br>SeDenyInteractiveLogonRight<br>SeDenyRemoteInteractiveLogonRight                                                                              |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                                          | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md
deleted file mode 100644
index 6df41ebce4..0000000000
--- a/windows/security/threat-protection/auditing/event-4719.md
+++ /dev/null
@@ -1,164 +0,0 @@
----
-title: 4719(S) System audit policy was changed. 
-description: Describes security event 4719(S) System audit policy was changed. This event is generated when the computer audit policy changes.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4719(S): System audit policy was changed.
-
-
-<img src="images/event-4719.png" alt="Event 4719 illustration" width="469" height="433" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Policy Change](audit-audit-policy-change.md)
-
-***Event Description:***
-
-This event generates when the computer's audit policy changes.
-
-This event is always logged regardless of the "Audit Policy Change" sub-category setting.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4719</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13568</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-30T19:57:09.668217100Z" /> 
- <EventRecordID>1049418</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="4668" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="CategoryId">%%8274</Data> 
- <Data Name="SubcategoryId">%%12807</Data> 
- <Data Name="SubcategoryGuid">{0CCE9223-69AE-11D9-BED3-505054503030}</Data> 
- <Data Name="AuditPolicyChanges">%%8448, %%8450</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made a change to local audit policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local audit policy.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Audit Policy Change:**
-
--   **Category:** the name of auditing Category which subcategory was changed. Possible values:
-
-    -   Account Logon
-
-    -   Account Management
-
-    -   Detailed Tracking
-
-    -   DS Access
-
-    -   Logon/Logoff
-
-    -   Object Access
-
-    -   Policy Change
-
-    -   Privilege Use
-
-    -   System
-
--   **Subcategory:** the name of auditing Subcategory which was changed. Possible values:
-
-| Credential Validation              | Process Termination                    | Network Policy Server          |
-|------------------------------------|----------------------------------------|--------------------------------|
-| Kerberos Authentication Service    | RPC Events                             | Other Logon/Logoff Events      |
-| Kerberos Service Ticket Operations | Detailed Directory Service Replication | Special Logon                  |
-| Other Logon/Logoff Events          | Directory Service Access               | Application Generated          |
-| Application Group Management       | Directory Service Changes              | Certification Services         |
-| Computer Account Management        | Directory Service Replication          | Detailed File Share            |
-| Distribution Group Management      | Account Lockout                        | File Share                     |
-| Other Account Management Events    | IPsec Extended Mode                    | File System                    |
-| Security Group Management          | IPsec Main Mode                        | Filtering Platform Connection  |
-| User Account Management            | IPsec Quick Mode                       | Filtering Platform Packet Drop |
-| DPAPI Activity                     | Logoff                                 | Handle Manipulation            |
-| Process Creation                   | Logon                                  | Kernel Object                  |
-| Other Object Access Events         | Filtering Platform Policy Change       | IPsec Driver                   |
-| Registry                           | MPSSVC Rule-Level Policy Change        | Other System Events            |
-| SAM                                | Other Policy Change Events             | Security State Change          |
-| Policy Change                      | Non-Sensitive Privilege Use            | Security System Extension      |
-| Authentication Policy Change       | Sensitive Privilege Use                | System Integrity               |
-| Authorization Policy Change        | Other Privilege Use Events             | Plug and Play Events           |
-| Group Membership                   |                                        |                                |
-
--   **Subcategory GUID:** the unique subcategory GUID. To see Subcategory GUIDs you can use this command: **auditpol /list /subcategory:\* /v**.
-
-<img src="images/auditpol-list-subcategory.png" alt="Auditpol list GUIDs illustration" width="951" height="506" />
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **Changes:** changes which were made for **“Subcategory”**. Possible values:
-
-    -   Success removed
-
-    -   Failure removed
-
-    -   Success added
-
-    -   Failure added
-
-        It can be also a combination of any of the items above, separated by coma.
-
-## Security Monitoring Recommendations
-
-For 4719(S): System audit policy was changed.
-
--   Monitor for all events of this type, especially on high value assets or computers, because any change in local audit policy should be planned. If this action was not planned, investigate the reason for the change.
-
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
deleted file mode 100644
index 6e107ff555..0000000000
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ /dev/null
@@ -1,214 +0,0 @@
----
-title: 4720(S) A user account was created. 
-description: Describes security event 4720(S) A user account was created. This event is generated a user object is created.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4720(S): A user account was created.
-
-
-<img src="images/event-4720.png" alt="Event 4720 illustration" width="449" height="783" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time a new user object is created.
-
-This event generates on domain controllers, member servers, and workstations.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4720</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-20T16:22:02.759912000Z" /> 
- <EventRecordID>175408</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1508" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">ksmith</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30dc2</Data> 
- <Data Name="PrivilegeList">-</Data> 
- <Data Name="SamAccountName">ksmith</Data> 
- <Data Name="DisplayName">Ken Smith</Data> 
- <Data Name="UserPrincipalName">ksmith@contoso.local</Data> 
- <Data Name="HomeDirectory">-</Data> 
- <Data Name="HomePath">-</Data> 
- <Data Name="ScriptPath">-</Data> 
- <Data Name="ProfilePath">-</Data> 
- <Data Name="UserWorkstations">-</Data> 
- <Data Name="PasswordLastSet">%%1794</Data> 
- <Data Name="AccountExpires">%%1794</Data> 
- <Data Name="PrimaryGroupId">513</Data> 
- <Data Name="AllowedToDelegateTo">-</Data> 
- <Data Name="OldUacValue">0x0</Data> 
- <Data Name="NewUacValue">0x15</Data> 
- <Data Name="UserAccountControl">%%2080 %%2082 %%2084</Data> 
- <Data Name="UserParameters">-</Data> 
- <Data Name="SidHistory">-</Data> 
- <Data Name="LogonHours">%%1793</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “create user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create user account” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**New Account:**
-
--   **Security ID** \[Type = SID\]**:** SID of created user account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the user account that was created. For example: dadmin.
-
--   **Account Domain** \[Type = UnicodeString\]**:** domain name of created user account. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For local accounts, this field will contain the name of the computer to which this new account belongs, for example: “Win81”.
-
-**Attributes:**
-
-- **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of **sAMAccountName** attribute of new user object. For example: ksmith. For local account this field contains the name of new user account.
-
-- **Display Name** \[Type = UnicodeString\]: the value of **displayName** attribute of new user object. It is a name displayed in the address book for a particular account .This is usually the combination of the user's first name, middle initial, and last name. For example, Ken Smith. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. Local accounts contain **Full Name** attribute in this field, but for new local accounts this field typically has value “**&lt;value not set&gt;**”.
-
-- **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. This parameter contains the value of **userPrincipalName** attribute of new user object. For example, ksmith@contoso.local. For local users this field is not applicable and has value “**-**“. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
-
-- **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. This parameter contains the value of **homeDirectory** attribute of new user object. For new local accounts this field typically has value “**&lt;value not set&gt;**”. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
-
-- **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** account’s attribute. The drive letter must be specified in the form “DRIVE\_LETTER:”. For example – “H:”. This parameter contains the value of **homeDrive** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**&lt;value not set&gt;**”.
-
-- **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account’s logon script. This parameter contains the value of **scriptPath** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**&lt;value not set&gt;**”.
-
-- **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. This parameter contains the value of **profilePath** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**&lt;value not set&gt;**”.
-
-- **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a user object. This parameter contains the value of **userWorkstations** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For local users this field is not applicable and typically has value “**&lt;value not set&gt;**”.
-
-- **Password Last Set** \[Type = UnicodeString\]**:** last time the account’s password was modified. For manually created user account, using Active Directory Users and Computers snap-in, this field typically has value “**&lt;never&gt;”**. This parameter contains the value of **pwdLastSet** attribute of new user object.
-
-- **Account Expires** \[Type = UnicodeString\]: the date when the account expires. This parameter contains the value of **accountExpires** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For manually created local and domain user accounts this field typically has value “**&lt;never&gt;**”.
-
-- **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of user’s object primary group.
-
-> **Note**&nbsp;&nbsp;**Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
-
-Typically, **Primary Group** field for new user accounts has the following values:
-
--   513 (Domain Users. For local accounts this RID means Users) – for domain and local users.
-
-    See this article </windows/security/identity-protection/access-control/security-identifiers> for more information. This parameter contains the value of **primaryGroupID** attribute of new user object.
-
-<!-- -->
-
--   **Allowed To Delegate To** \[Type = UnicodeString\]: the list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in **Delegation** tab of user account, if this account has at least one SPN registered. This parameter contains the value of **AllowedToDelegateTo** attribute of new user object. For local user accounts this field is not applicable and typically has value “**-**“. For new domain user accounts it is typically has value “**-**“. See description of **AllowedToDelegateTo** field for “[4738](event-4738.md)(S): A user account was changed.” event for more details.
-
-> **Note**&nbsp;&nbsp;**Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-
--   **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts.
-
--   **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
-
--   **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **&lt;value changed, but not displayed&gt;** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**&lt;value not set&gt;**”.
-
--   **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new user object. This parameter might not be captured in the event, and in that case appears as “-”.
-
--   **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will typically see “**&lt;value not set&gt;**” value for new manually created user accounts in event 4720. For new local accounts this field is not applicable and typically has value “**All**”.
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4720(S): A user account was created.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Some organizations monitor every [4720](event-4720.md) event.
-
--   Consider whether to track the following fields and values:
-
-| **Field and value to track**                                                                                                                                              | **Reason to track**                                                                                                                                                                                         |
-|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **SAM Account Name** is empty or -                                                                                                                                        | This field must contain the user account name. If it is empty or **-**, it might indicate an anomaly.                                                                                                       |
-| **User Principal Name** is empty or -                                                                                                                                     | Typically this field should not be empty for new user accounts. If it is empty or **-**, it might indicate an anomaly.                                                                                      |
-| **Home Directory** is not -<br>**Home Drive** is not -<br>**Script Path** is not -<br>**Profile Path** is not -<br>**User Workstations** is not - | Typically these fields are **-** for new user accounts. Other values might indicate an anomaly and should be monitored. <br>For local accounts these fields should display **&lt;value not set&gt;**. |
-| **Password Last Set** is **&lt;never&gt;**                                                                                                                                | This typically means this is a manually created user account, which you might need to monitor.                                                                                                              |
-| **Password Last Set** is a time in the future                                                                                                                             | This might indicate an anomaly.                                                                                                                                                                             |
-| **Account Expires** is not **&lt;never&gt;**                                                                                                                              | Typically this field is **&lt;never&gt;** for new user accounts. Other values might indicate an anomaly and should be monitored.                                                                            |
-| **Primary Group ID** is not 513                                                                                                                                           | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored.                                                                                                 |
-| **Allowed To Delegate To** is not -                                                                                                                                       | Typically this field is **-** for new user accounts. Other values might indicate an anomaly and should be monitored.                                                                                        |
-| **Old UAC Value** is not 0x0                                                                                                                                              | Typically this field is **0x0** for new user accounts. Other values might indicate an anomaly and should be monitored.                                                                                      |
-| **SID History** is not -                                                                                                                                                  | This field will always be set to - unless the account was migrated from another domain.                                                                                                                     |
-| **Logon Hours** value other than **&lt;value not set&gt;** or** “All”**                                                                                                   | This should always be **&lt;value not set&gt;** for new domain user accounts, and **“All”** for new local user accounts.                                                                                    |
-
--   Consider whether to track the following user account control flags:
-
-| **User account control flag to track**                                                                                                                                                                                                                                                      | **Information about the flag**                                                                                                                                                                                                               |
-|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **'Normal Account'** – Disabled                                                                                                                                                                                                                                                             | Should not be disabled for user accounts.                                                                                                                                                                                                    |
-| **'Encrypted Text Password Allowed'** – Enabled<br>**'Smartcard Required'** – Enabled<br>**'Not Delegated'** – Enabled<br>**'Use DES Key Only'** – Enabled<br>**'Don't Require Preauth'** – Enabled<br>**'Trusted To Authenticate For Delegation'** – Enabled | By default, these flags should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in.                                                                                                         |
-| **'Server Trust Account'** – Enabled                                                                                                                                                                                                                                                        | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts.                                                                                                                                            |
-| **'Don't Expire Password'** – Enabled                                                                                                                                                                                                                                                       | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. |
-| **'Trusted For Delegation'** – Enabled                                                                                                                                                                                                                                                      | By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. It is enabled by default only for new domain controllers.                                                 |
-
diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md
deleted file mode 100644
index 9cfac3ba8c..0000000000
--- a/windows/security/threat-protection/auditing/event-4722.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: 4722(S) A user account was enabled. 
-description: Describes security event 4722(S) A user account was enabled. This event is generated when a user or computer object is enabled.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4722(S): A user account was enabled.
-
-
-<img src="images/event-4722.png" alt="Event 4722 illustration" width="449" height="420" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time user or computer object is enabled.
-
-For user accounts, this event generates on domain controllers, member servers, and workstations.
-
-For computer accounts, this event generates only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4722</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-21T23:55:11.038308600Z" /> 
- <EventRecordID>175716</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1112" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">Auditor</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30d5f</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “enable account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable account” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was enabled. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that was enabled.
-
--   **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
-## Security Monitoring Recommendations
-
-For 4722(S): A user account was enabled.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a high-value domain or local account for which you need to monitor every change, monitor all [4722](event-4722.md) events with the **“Target Account\\Security ID”** that corresponds to the account.
-
--   If you have domain or local accounts that should never be enabled, you can monitor all [4722](event-4722.md) events with the “**Target Account\\Security ID”** fields that correspond to the accounts.
-
--   We recommend monitoring all [4722](event-4722.md) events for local accounts, because these accounts usually do not change often. This is especially relevant for critical servers, administrative workstations, and other high value assets.
-
diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md
deleted file mode 100644
index 7793556fa9..0000000000
--- a/windows/security/threat-protection/auditing/event-4723.md
+++ /dev/null
@@ -1,135 +0,0 @@
----
-title: 4723(S, F) An attempt was made to change an account's password. 
-description: Describes security event 4723(S, F) An attempt was made to change an account's password.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4723(S, F): An attempt was made to change an account's password.
-
-
-<img src="images/event-4723.png" alt="Event 4723 illustration" width="449" height="461" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time a user attempts to change his or her password.
-
-For user accounts, this event generates on domain controllers, member servers, and workstations.
-
-For domain accounts, a Failure event generates if new password fails to meet the password policy.
-
-For local accounts, a Failure event generates if new password fails to meet the password policy or old password is wrong.
-
-For domain accounts if old password was wrong, then “[4771](event-4771.md): Kerberos pre-authentication failed” or “[4776](event-4776.md): The computer attempted to validate the credentials for an account” will be generated on domain controller if specific subcategories were enabled on it.
-
-Typically you will see 4723 events with the same **Subject\\Security ID** and **Target Account\\Security ID** fields, which is normal behavior.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4723</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-22T01:32:51.494558000Z" /> 
- <EventRecordID>175722</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1112" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x1a9b76</Data> 
- <Data Name="PrivilegeList">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made an attempt to change Target’s Account password. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to change Target’s Account password.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:** account for which the password change was requested.
-
--   **Security ID** \[Type = SID\]**:** SID of account for which the password change was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which the password change was requested.
-
--   **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4723(S, F): An attempt was made to change an account's password.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a high-value domain or local user account for which you need to monitor every password change attempt, monitor all [4723](event-4723.md) events with the **“Target Account\\Security ID”** that corresponds to the account.
-
--   If you have a high-value domain or local account for which you need to monitor every change, monitor all [4723](event-4723.md) events with the **“Target Account\\Security ID”** that corresponds to the account.
-
--   If you have domain or local accounts for which the password should never be changed, you can monitor all [4723](event-4723.md) events with the **“Target Account\\Security ID”** that corresponds to the account.
-
diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md
deleted file mode 100644
index 8ce482061b..0000000000
--- a/windows/security/threat-protection/auditing/event-4724.md
+++ /dev/null
@@ -1,132 +0,0 @@
----
-title: 4724(S, F) An attempt was made to reset an account's password. 
-description: Describes security event 4724(S, F) An attempt was made to reset an account's password.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4724(S, F): An attempt was made to reset an account's password.
-
-
-<img src="images/event-4724.png" alt="Event 4724 illustration" width="449" height="417" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time an account attempted to reset the password for another account.
-
-For user accounts, this event generates on domain controllers, member servers, and workstations.
-
-For domain accounts, a Failure event generates if the new password fails to meet the password policy.
-
-A Failure event does NOT generate if user gets “Access Denied” while doing the password reset procedure.
-
-This event also generates if a computer account reset procedure was performed.
-
-For local accounts, a Failure event generates if the new password fails to meet the local password policy.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4724</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-22T01:58:21.725864900Z" /> 
- <EventRecordID>175740</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="548" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">User1</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1107</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30d5f</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made an attempt to reset Target’s Account password. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to reset Target’s Account password.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:** account for which password reset was requested.
-
--   **Security ID** \[Type = SID\]**:** SID of account for which password reset was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which password reset was requested.
-
--   **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
-## Security Monitoring Recommendations
-
-For 4724(S, F): An attempt was made to reset an account's password.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a high-value domain or local user account for which you need to monitor every password reset attempt, monitor all [4724](event-4724.md) events with the **“Target Account\\Security ID”** that corresponds to the account.
-
--   If you have a high-value domain or local account for which you need to monitor every change, monitor all [4724](event-4724.md) events with the **“Target Account\\Security ID”** that corresponds to the account.
-
--   If you have domain or local accounts for which the password should never be reset, you can monitor all [4724](event-4724.md) events with the **“Target Account\\Security ID”** that corresponds to the account.
-
--   We recommend monitoring all [4724](event-4724.md) events for local accounts, because their passwords usually do not change often. This is especially relevant for critical servers, administrative workstations, and other high value assets.
-
diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md
deleted file mode 100644
index 5b0a882eac..0000000000
--- a/windows/security/threat-protection/auditing/event-4725.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: 4725(S) A user account was disabled. 
-description: Describes security event 4725(S) A user account was disabled. This event is generated when a user or computer object is disabled.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4725(S): A user account was disabled.
-
-
-<img src="images/event-4725.png" alt="Event 4725 illustration" width="449" height="420" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time user or computer object is disabled.
-
-For user accounts, this event generates on domain controllers, member servers, and workstations.
-
-For computer accounts, this event generates only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4725</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-21T23:55:07.657358900Z" /> 
- <EventRecordID>175714</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1112" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">Auditor</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30d5f</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “disable account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “disable account” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was disabled. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that was disabled.
-
--   **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
-## Security Monitoring Recommendations
-
-For 4725(S): A user account was disabled.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a high-value domain or local account for which you need to monitor every change, monitor all [4725](event-4725.md) events with the **“Target Account\\Security ID”** that corresponds to the account.
-
--   If you have domain or local accounts that should never be disabled (for example, service accounts), you can monitor all [4725](event-4725.md) events with the **“Target Account\\Security ID”** that corresponds to the account.
-
--   We recommend monitoring all [4725](event-4725.md) events for local accounts, because these accounts usually do not change often. This is especially relevant for critical servers, administrative workstations, and other high value assets.
-
diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md
deleted file mode 100644
index 08c38bd0b8..0000000000
--- a/windows/security/threat-protection/auditing/event-4726.md
+++ /dev/null
@@ -1,127 +0,0 @@
----
-title: 4726(S) A user account was deleted. 
-description: Describes security event 4726(S) A user account was deleted. This event is generated when a user object is deleted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4726(S): A user account was deleted.
-
-
-<img src="images/event-4726.png" alt="Event 4726 illustration" width="449" height="461" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time user object was deleted.
-
-This event generates on domain controllers, member servers, and workstations.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4726</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-22T00:52:25.104613800Z" /> 
- <EventRecordID>175720</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1112" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">ksmith</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30d5f</Data> 
- <Data Name="PrivilegeList">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “delete user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete user account” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was deleted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that was deleted.
-
--   **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4726(S): A user account was deleted.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a high-value domain or local account for which you need to monitor every change (or deletion), monitor all [4726](event-4726.md) events with the **“Target Account\\Security ID”** that corresponds to the account.
-
--   If you have a domain or local account that should never be deleted (for example, service accounts), monitor all [4726](event-4726.md) events with the **“Target Account\\Security ID”** that corresponds to the account.
-
--   We recommend monitoring all [4726](event-4726.md) events for local accounts, because these accounts typically are not deleted often. This is especially relevant for critical servers, administrative workstations, and other high value assets.
-
diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md
deleted file mode 100644
index f932a95fbb..0000000000
--- a/windows/security/threat-protection/auditing/event-4731.md
+++ /dev/null
@@ -1,135 +0,0 @@
----
-title: 4731(S) A security-enabled local group was created. 
-description: Describes security event 4731(S) A security-enabled local group was created.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4731(S): A security-enabled local group was created.
-
-
-<img src="images/event-4731.png" alt="Event 4731 illustration" width="449" height="515" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security Group Management](audit-security-group-management.md)
-
-***Event Description:***
-
-This event generates every time a new security-enabled (security) local group was created.
-
-This event generates on domain controllers, member servers, and workstations.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4731</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13826</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-19T01:01:50.646049700Z" /> 
- <EventRecordID>174849</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="512" ThreadID="1092" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">AccountOperators</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3031e</Data> 
- <Data Name="PrivilegeList">-</Data> 
- <Data Name="SamAccountName">AccountOperators</Data> 
- <Data Name="SidHistory">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “create group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create group” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**New Group:**
-
--   **Security ID** \[Type = SID\]**:** SID of created group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Group Name** \[Type = UnicodeString\]**:** the name of the group that was created. For example: ServiceDesk
-
--   **Group Domain** \[Type = UnicodeString\]: domain or computer name of the created group. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”.
-
-**Attributes:**
-
--   **SAM Account Name** \[Type = UnicodeString\]: This is a name of new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of **sAMAccountName** attribute of new group object. For example: ServiceDesk. For local groups it is simply a name of new group.
-
--   **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new group object. This parameter might not be captured in the event, and in that case appears as “-”. For local groups it is not applicable and always has “**-**“ value.
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4731(S): A security-enabled local group was created.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor each time a new security group is created, to see who created the group and when, monitor this event.
-
--   If you need to monitor the creation of local security groups on different servers, and you use Windows Event Forwarding to collect events in a central location, check “**New Group\\Group Domain.**” It should not be the name of the domain, but instead should be the computer name.
-
--   If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions.
-
diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md
deleted file mode 100644
index 2256f550a0..0000000000
--- a/windows/security/threat-protection/auditing/event-4732.md
+++ /dev/null
@@ -1,157 +0,0 @@
----
-title: 4732(S) A member was added to a security-enabled local group. 
-description: Describes security event 4732(S) A member was added to a security-enabled local group.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4732(S): A member was added to a security-enabled local group.
-
-
-<img src="images/event-4732.png" alt="Event 4732 illustration" width="470" height="519" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security Group Management](audit-security-group-management.md)
-
-***Event Description:***
-
-This event generates every time a new member was added to a security-enabled (security) local group.
-
-This event generates on domain controllers, member servers, and workstations.
-
-For every added member you will get separate 4732 event.
-
-You will typically see “[4735](event-4735.md): A security-enabled local group was changed.” event without any changes in it prior to 4732 event.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4732</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13826</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-19T03:02:38.563110400Z" /> 
- <EventRecordID>174856</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="512" ThreadID="1092" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="MemberName">CN=eadmin,CN=Users,DC=contoso,DC=local</Data> 
- <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-500</Data> 
- <Data Name="TargetUserName">AccountOperators</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3031e</Data> 
- <Data Name="PrivilegeList">-</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “add member to the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add member to the group” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Member:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was added to the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if new member is a domain account. For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
-**Group:**
-
--   **Security ID** \[Type = SID\]**:** SID of the group to which new member was added. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Group Name** \[Type = UnicodeString\]**:** the name of the group to which new member was added. For example: ServiceDesk
-
--   **Group Domain** \[Type = UnicodeString\]: domain or computer name of the group to which the new member was added. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”.
-
-    -   [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4732(S): A member was added to a security-enabled local group.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                                                                                         | **Recommendation**                                                                                                                                                                                                                            |
-|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Addition of members to local or domain security groups:** You might need to monitor the addition of members to local or domain security groups.                                                                                                                                                                                                                                       | If you need to monitor each time a member is added to a local or domain security group, to see who added the member and when, monitor this event.<br>Typically, this event is used as an informational event, to be reviewed if needed. |
-| **High-value local or domain security groups:** You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes).<br>Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on. | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value local or domain security groups.                                                                                                                 |
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.                                                                       | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts.                                                                                                   |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                                                                                      | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                   |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                                                                                           | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used.                                                                                               |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                                                                                            | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist.                                                                                                    |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                                                                                       | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                                   |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                                                                                           | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                                                                                            | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.                                                                                               |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                                                                                             | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                                                                                      |
-| **Mismatch between type of account (user or computer) and the group it was added to**: You might want to monitor to ensure that a computer account was not added to a group intended for users, or a user account was not added to a group intended for computers.                                                                                                                      | Monitor the type of account added to the group to see if it matches what the group is intended for.                                                                                                                                           |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md
deleted file mode 100644
index 9dadc5c6bf..0000000000
--- a/windows/security/threat-protection/auditing/event-4733.md
+++ /dev/null
@@ -1,163 +0,0 @@
----
-title: 4733(S) A member was removed from a security-enabled local group. 
-description: Describes security event 4733(S) A member was removed from a security-enabled local group.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4733(S): A member was removed from a security-enabled local group.
-
-
-<img src="images/event-4733.png" alt="Event 4733 illustration" width="473" height="534" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security Group Management](audit-security-group-management.md)
-
-***Event Description:***
-
-This event generates every time member was removed from security-enabled (security) local group.
-
-This event generates on domain controllers, member servers, and workstations.
-
-For every removed member you will get separate 4733 event.
-
-You will typically see “[4735](event-4735.md): A security-enabled local group was changed.” event without any changes in it prior to 4733 event.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4733</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13826</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-19T16:51:00.376806500Z" /> 
- <EventRecordID>175037</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data> 
- <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data> 
- <Data Name="TargetUserName">AccountOperators</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x35e38</Data> 
- <Data Name="PrivilegeList">-</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “remove member from the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove member from the group” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Member:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was removed from the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if removed member is a domain account. For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
-**Group:**
-
--   **Security ID** \[Type = SID\]**:** SID of the group from which the member was removed. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Group Name** \[Type = UnicodeString\]**:** the name of the group from which the member was removed. For example: ServiceDesk
-
-<!-- -->
-
--   **Group Domain** \[Type = UnicodeString\]: domain or computer name of the group from which the member was removed. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    <!-- -->
-
-    -   For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”.
-
-    <!-- -->
-
-    -   [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4733(S): A member was removed from a security-enabled local group.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                                                                                    | **Recommendation**                                                                                                                                                                                                                                |
-|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Removal of members from local or domain security groups:** You might need to monitor the removal of members from local or domain security groups.                                                                                                                                                                                                                                | If you need to monitor each time a member is removed from a local or domain security group, to see who added the member and when, monitor this event.<br>Typically, this event is used as an informational event, to be reviewed if needed. |
-| **High-value local or domain security groups:** You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes).<br>Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on. | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value local or domain security groups.                                                                                                                     |
-| **Local or domain security groups with required members**: You might need to ensure that for certain local or domain security groups, particular members are never removed.                                                                                                                                                                                                        | Monitor this event with the “**Group\\Group Name”** that corresponds to the group of interest, and the **“Member\\Security ID”** of the members who should not be removed.                                                                        |
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.                                                                  | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts.                                                                                                       |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                                                                                 | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                                       |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                                                                                      | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used.                                                                                                   |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                                                                                       | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist.                                                                                                        |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                                                                                  | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                                       |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                                                                                      | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                    |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                                                                                       | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.                                                                                                   |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                                                                                        | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                                                                                          |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md
deleted file mode 100644
index ec84652e18..0000000000
--- a/windows/security/threat-protection/auditing/event-4734.md
+++ /dev/null
@@ -1,126 +0,0 @@
----
-title: 4734(S) A security-enabled local group was deleted. 
-description: Describes security event 4734(S) A security-enabled local group was deleted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4734(S): A security-enabled local group was deleted.
-
-
-<img src="images/event-4734.png" alt="Event 4734 illustration" width="449" height="463" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security Group Management](audit-security-group-management.md)
-
-***Event Description:***
-
-This event generates every time security-enabled (security) local group is deleted.
-
-This event generates on domain controllers, member servers, and workstations.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4734</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13826</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-19T18:23:42.426245700Z" /> 
- <EventRecordID>175039</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1072" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">AccountOperators</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x35e38</Data> 
- <Data Name="PrivilegeList">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “delete group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete group” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Group:**
-
--   **Security ID** \[Type = SID\]**:** SID of deleted group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Group Name** \[Type = UnicodeString\]**:** the name of the group that was deleted. For example: ServiceDesk
-
--   **Group Domain** \[Type = UnicodeString\]: domain or computer name of the deleted group. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”.
-
-    -   [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4734(S): A security-enabled local group was deleted.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “**Group\\Group Name”** values that correspond to the critical local or domain security groups. Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on.
-
--   If you need to monitor each time a local or domain security group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md
deleted file mode 100644
index 7aadb30077..0000000000
--- a/windows/security/threat-protection/auditing/event-4735.md
+++ /dev/null
@@ -1,151 +0,0 @@
----
-title: 4735(S) A security-enabled local group was changed. 
-description: Describes security event 4735(S) A security-enabled local group was changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4735(S): A security-enabled local group was changed.
-
-
-<img src="images/event-4735.png" alt="Event 4735 illustration" width="449" height="519" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security Group Management](audit-security-group-management.md)
-
-***Event Description:***
-
-This event generates every time a security-enabled (security) local group is changed.
-
-This event generates on domain controllers, member servers, and workstations.
-
-Some changes do not invoke a 4735 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in group account properties.
-
-If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](audit-user-account-management.md)” subcategory success auditing is enabled.
-
-If you change the group type, you get a change event from the new group type auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](audit-security-group-management.md)” subcategory success auditing must be enabled.
-
-From 4735 event you can get information about changes of **sAMAccountName** and **sIDHistory** attributes or you will see that something changed, but will not be able to see what exactly changed.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4735</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13826</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-19T02:00:45.537440000Z" /> 
- <EventRecordID>174850</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="512" ThreadID="1092" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">AccountOperators\_NEW</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3031e</Data> 
- <Data Name="PrivilegeList">-</Data> 
- <Data Name="SamAccountName">AccountOperators\_NEW</Data> 
- <Data Name="SidHistory">-</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “change group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change group” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Group:**
-
--   **Security ID** \[Type = SID\]**:** SID of changed group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;Sometimes you can see the **Group\\Security ID** field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session.
-> 
-> **Note**&nbsp;&nbsp;**Security ID** field has the same value as new group name (**Changed Attributes&gt;SAM Account Name**). That is happens because event is generated after name was changed and SID resolves to the new name. It is always better to use SID instead of group names for queries or filtering of events, because you will know for sure that this the right object you are looking for or want to monitor.
-
--   **Group Name** \[Type = UnicodeString\]**:** the name of the group that was changed. For example: ServiceDesk
-
--   **Group Domain** \[Type = UnicodeString\]: domain or computer name of the changed group. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”.
-
-    -   [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
-
-**Changed Attributes:**
-
-> **Note**&nbsp;&nbsp;If attribute was not changed it will have “-“ value.
-
-You might see a 4735 event without any changes inside, that is, where all Changed Attributes apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4735 event will generate, but all attributes will be “-“.
-
--   **SAM Account Name** \[Type = UnicodeString\]: This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of group object was changed, you will see the new value here. For example: ServiceDesk. For local groups it is simply a new name of the group, if it was changed.
-
--   **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. If the value of **sIDHistory** attribute of group object was changed, you will see the new value here. For local groups it is not applicable and always has “**-**“ value.
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4735(S): A security-enabled local group was changed.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for any change, monitor events with the “**Group\\Group Name”** values that correspond to the critical local or domain security groups.
-
--   If you need to monitor each time a member is added to a local or domain security group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
-
--   If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
deleted file mode 100644
index 2bf505a3b7..0000000000
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ /dev/null
@@ -1,264 +0,0 @@
----
-title: 4738(S) A user account was changed. 
-description: Describes security event 4738(S) A user account was changed. This event is generated when a user object is changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4738(S): A user account was changed.
-
-:::image type="content" source="images/event-4738.png" alt-text="Event 4738 illustration.":::
-
-***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time user object is changed.
-
-This event generates on domain controllers, member servers, and workstations.
-
-For each change, a separate 4738 event will be generated.
-
-You might see this event without any changes inside, that is, where all **Changed Attributes** appear as `-`. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4738 event will generate, but all attributes will be `-`.
-
-Some changes do not invoke a 4738 event.
-
-> [!NOTE]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-**Event XML:**
-
-```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4738</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" /> 
- <EventRecordID>175413</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1508" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="Dummy">-</Data> 
- <Data Name="TargetUserName">ksmith</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30dc2</Data> 
- <Data Name="PrivilegeList">-</Data> 
- <Data Name="SamAccountName">-</Data> 
- <Data Name="DisplayName">-</Data> 
- <Data Name="UserPrincipalName">-</Data> 
- <Data Name="HomeDirectory">-</Data> 
- <Data Name="HomePath">-</Data> 
- <Data Name="ScriptPath">-</Data> 
- <Data Name="ProfilePath">-</Data> 
- <Data Name="UserWorkstations">-</Data> 
- <Data Name="PasswordLastSet">-</Data> 
- <Data Name="AccountExpires">-</Data> 
- <Data Name="PrimaryGroupId">-</Data> 
- <Data Name="AllowedToDelegateTo">-</Data> 
- <Data Name="OldUacValue">0x15</Data> 
- <Data Name="NewUacValue">0x211</Data> 
- <Data Name="UserAccountControl">%%2050 %%2089</Data> 
- <Data Name="UserParameters">-</Data> 
- <Data Name="SidHistory">-</Data> 
- <Data Name="LogonHours">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “change user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-  > [!NOTE]
-  > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change user account” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that was changed.
-
--   **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
-**Changed Attributes:**
-
-If attribute was not changed it will have “–“ value.
-
-Unfortunately, for local accounts, all fields, except changed attributes, will have previous values populated. Also, the User Account Control field will have values only if it was modified. Changed attributes will have new values, but it is hard to understand which attribute was really changed.
-
--   **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of user object was changed, you will see the new value here. For example: ladmin. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
-
--   **Display Name** \[Type = UnicodeString\]: it is a name, displayed in the address book for a particular account. This is usually the combination of the user's first name, middle initial, and last name. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. If the value of **displayName** attribute of user object was changed, you will see the new value here. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
-
--   **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. If the value of **userPrincipalName** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field is not applicable and always has `-` value.
-
--   **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. If the value of **homeDirectory** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
-
--   **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** account’s attribute. The drive letter must be specified in the form “DRIVE\_LETTER:”. For example – “H:”. If the value of **homeDrive** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
-
--   **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account’s logon script. If the value of **scriptPath** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
-
--   **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. If the value of **profilePath** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
-
--   **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a computer object. If the value of **userWorkstations** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field is not applicable and always appears as `<value not set>`.
-
--   **Password Last Set** \[Type = UnicodeString\]**:** last time the account’s password was modified. If the value of **pwdLastSet** attribute of user object was changed, you will see the new value here. For example: 8/12/2015 11:41:39 AM. This value will be changed, for example, after manual user account password reset. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
-
--   **Account Expires** \[Type = UnicodeString\]: the date when the account expires. If the value of **accountExpires** attribute of user object was changed, you will see the new value here. . For example, “9/21/2015 12:00:00 AM”. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
-
--   **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of user’s object primary group.
-
-  > [!NOTE]
-  > **Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
-
-This field will contain some value if user’s object primary group was changed. You can change user’s primary group using Active Directory Users and Computers management console in the **Member Of** tab of user object properties. You will see a RID of new primary group as a field value. For example, RID 513 (Domain Users) is a default primary group for users.
-
-Typical **Primary Group** values for user accounts:
-
--   513 (Domain Users. For local accounts this RID means Users) – for domain and local users.
-
-    See the [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers) for more information. If the value of **primaryGroupID** attribute of user object was changed, you will see the new value here.
-
-<!-- -->
-
--   **AllowedToDelegateTo** \[Type = UnicodeString\]: the list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in **Delegation** tab of user account, if at least one SPN is registered for user account. If the SPNs list on **Delegation** tab of a user account was changed, you will see the new SPNs list in **AllowedToDelegateTo** field (note that you will see the new list instead of changes) of this event. This is an example of **AllowedToDelegateTo**:
-
-    -   dcom/WIN2012
-
-    -   dcom/WIN2012.contoso.local
-
-        If the value of **msDS-AllowedToDelegateTo** attribute of user object was changed, you will see the new value here.
-
-        The value can be `<value not set>`, for example, if delegation was disabled.
-
-        For local accounts, this field is not applicable and always has `-` value.
-
-  > [!NOTE]
-  > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-
--   **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD).
-
--   **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
-
--   **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [User’s or Computer’s account UAC flags](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event.
-
--   **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see `<value changed, but not displayed>` in this field. For local accounts, this field is not applicable and always has `<value not set>` value.
-
--   **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. If the value of **sIDHistory** attribute of user object was changed, you will see the new value here.
-
--   **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. If the value of **logonHours** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. Here is an example of this field:
-
-    Sunday 12:00 AM - 7:00 PM
-
-    Sunday 9:00 PM -Monday 1:00 PM
-
-    Monday 2:00 PM -Tuesday 6:00 PM
-
-    Tuesday 8:00 PM -Wednesday 10:00 AM
-
-    For local accounts this field is not applicable and typically has value “**All**”.
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4738(S): A user account was changed.
-
-> [!IMPORTANT]
-> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Some organizations monitor every [4738](event-4738.md) event.
-
--   If you have critical user computer accounts (for example, domain administrator accounts or service accounts) for which you need to monitor each change, monitor this event with the **“Target Account\\Account Name”** that corresponds to the critical account or accounts.
-
--   If you have user accounts for which any change in the services list on the **Delegation** tab should be monitored, monitor this event when **AllowedToDelegateTo** is not -. This value means the services list was changed.
-
--   Consider whether to track the following fields:
-
-  | **Field to track**  | **Reason to track**  |
-  |---|---|
-  | **Display Name**<br>**User Principal Name**<br>**Home Directory**<br>**Home Drive**<br>**Script Path**<br>**Profile Path**<br>**User Workstations**<br>**Password Last Set**<br>**Account Expires**<br>**Primary Group ID<br>Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts.  |
-  | **Primary Group ID** is not 513  | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored.  |
-  | For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked `<value not set>`   | If **AllowedToDelegateTo** is marked `<value not set>` on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
-  | **SID History** is not -  | This field will always be set to - unless the account was migrated from another domain.  |
-
--   Consider whether to track the following user account control flags:
-
-| **User account control flag to track**  | **Information about the flag**  |
-|---|---|
-| **'Normal Account'** – Disabled  | Should not be disabled for user accounts.  |
-| **'Password Not Required'** – Enabled  | Should not typically be enabled for user accounts because it weakens security for the account. |
-| **'Encrypted Text Password Allowed'** – Enabled | Should not typically be enabled for user accounts because it weakens security for the account. |
-| **'Server Trust Account'** – Enabled | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts.  |
-| **'Don't Expire Password'** – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. |
-| **'Smartcard Required'** – Enabled  | Should be monitored for critical accounts.  |
-| **'Password Not Required'** – Disabled  | Should be monitored for all accounts where the setting should be “**Enabled**.”   |
-| **'Encrypted Text Password Allowed'** – Disabled  | Should be monitored for all accounts where the setting should be “**Enabled**.”  |
-| **'Don't Expire Password'** – Disabled  | Should be monitored for all accounts where the setting should be “**Enabled**.”  |
-| **'Smartcard Required'** – Disabled  | Should be monitored for all accounts where the setting should be “**Enabled**.”  |
-| **'Trusted For Delegation'** – Enabled  | Means that Kerberos Constraint or Unconstraint delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.  |
-| **'Trusted For Delegation'** – Disabled                 | Means that Kerberos Constraint or Unconstraint delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.<br>Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts. |
-| **'Trusted To Authenticate For Delegation'** – Enabled  | Means that Protocol Transition delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.  |
-| **'Trusted To Authenticate For Delegation'** – Disabled | Means that Protocol Transition delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.<br>Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts.  |
-| **'Not Delegated'** – Enabled                           | Means that **Account is sensitive and cannot be delegated** was checked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.  |
-| **'Not Delegated'** – Disabled                          | Should be monitored for all accounts where the setting should be “**Enabled**.” Means that **Account is sensitive and cannot be delegated** was unchecked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.  |
-| **'Use DES Key Only'** – Enabled                        | Should not typically be enabled for user accounts because it weakens security for the account’s Kerberos authentication.  |
-| **'Don't Require Preauth'** – Enabled                   | Should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication.  |
-| **'Use DES Key Only'** – Disabled                       | Should be monitored for all accounts where the setting should be “**Enabled**.”   |
-| **'Don't Require Preauth'** – Disabled                  | Should be monitored for all accounts where the setting should be “**Enabled**.”  |
diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md
deleted file mode 100644
index 3aac4840a8..0000000000
--- a/windows/security/threat-protection/auditing/event-4739.md
+++ /dev/null
@@ -1,226 +0,0 @@
----
-title: 4739(S) Domain Policy was changed. 
-description: Describes security event 4739(S) Domain Policy was changed. This event is generated when certain changes are made to the local computer security policy.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4739(S): Domain Policy was changed.
-
-
-<img src="images/event-4739.png" alt="Event 4739 illustration" width="449" height="685" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates when one of the following changes was made to local computer security policy:
-
--   Computer’s “\\Security Settings\\Account Policies\\Account Lockout Policy” settings were modified.
-
--   Computer's “\\Security Settings\\Account Policies\\Password Policy” settings were modified.
-
--   "Network security: Force logoff when logon hours expire" group policy setting was changed.
-
--   Domain functional level was changed or some other attributes changed (see details in event description).
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4739</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13569</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-02T00:45:37.587380900Z" /> 
- <EventRecordID>1049781</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="1648" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="DomainPolicyChanged">Password Policy</Data> 
- <Data Name="DomainName">CONTOSO</Data> 
- <Data Name="DomainSid">S-1-5-21-3457937927-2839227994-823803824</Data> 
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="PrivilegeList">-</Data> 
- <Data Name="MinPasswordAge">-</Data> 
- <Data Name="MaxPasswordAge">-</Data> 
- <Data Name="ForceLogoff">-</Data> 
- <Data Name="LockoutThreshold">-</Data> 
- <Data Name="LockoutObservationWindow">-</Data> 
- <Data Name="LockoutDuration">-</Data> 
- <Data Name="PasswordProperties">-</Data> 
- <Data Name="MinPasswordLength">-</Data> 
- <Data Name="PasswordHistoryLength">13</Data> 
- <Data Name="MachineAccountQuota">-</Data> 
- <Data Name="MixedDomainMode">-</Data> 
- <Data Name="DomainBehaviorVersion">-</Data> 
- <Data Name="OemInformation">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Change Type** \[Type = UnicodeString\]**:** the type of change which was made. The format is “**policy\_name** modified”. These are some possible values of **policy\_name**:
-
-| Value           | Group Policy Name \\ Description                                                                                                                        |
-|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Lockout Policy  | Computer’s “\\Security Settings\\Account Policies\\Account Lockout Policy” settings were modified.                                                      |
-| Password Policy | Computer's “\\Security Settings\\Account Policies\\Password Policy” settings were modified.                                                             |
-| Logoff Policy   | "[Network security: Force logoff when logon hours expire](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852195(v=ws.11))" group policy setting was changed. |
-| -               | Machine Account Quota ([ms-DS-MachineAccountQuota](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd391926(v=ws.10))) domain attribute was modified.  |
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made a change to specific local policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to specific local policy.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Domain:**
-
--   **Domain Name** \[Type = UnicodeString\]**:** the name of domain for which policy changes were made.
-
-<!-- -->
-
--   **Domain ID** \[Type = SID\]**:** the SID of domain for which policy changes were made. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-**Changed Attributes:** For attributes which were not changed the value will be “**-**“.
-
--   **Min. Password Age** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Minimum password age” group policy. Numeric value.
-
-<!-- -->
-
--   **Max. Password Age** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Maximum password age” group policy. Numeric value.
-
--   **Force Logoff** \[Type = UnicodeString\]: “\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire” group policy.
-
--   **Lockout Threshold** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout threshold” group policy. Numeric value.
-
--   **Lockout Observation Window** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Account Lockout Policy\\Reset account lockout counter after” group policy. Numeric value.
-
--   **Lockout Duration** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout duration” group policy. Numeric value.
-
--   **Password Properties** \[Type = UnicodeString\]:
-
-| Value | Group Policy settings                                                                                                                                                                                                                   |
-|-------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0     | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Disabled.<br>\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Disabled. |
-| 1     | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Disabled.<br>\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Enabled.  |
-| 16    | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Enabled.<br>\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Disabled.  |
-| 17    | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Enabled.<br>\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Enabled.   |
-
--   **Min. Password Length** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Minimum password length” group policy. Numeric value.
-
--   **Password History Length** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Enforce password history” group policy. Numeric value.
-
--   **Machine Account Quota** \[Type = UnicodeString\]: [ms-DS-MachineAccountQuota](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd391926(v=ws.10)) domain attribute was modified. Numeric value.
-
--   **Mixed Domain Mode** \[Type = UnicodeString\]: there is no information about this field in this document.
-
--   **Domain Behavior Version** \[Type = UnicodeString\]: [msDS-Behavior-Version](/openspecs/windows_protocols/ms-adts/d7422d35-448a-451a-8846-6a7def0044df) domain attribute was modified. Numeric value. Possible values:
-
-| Value | Identifier                                  | Domain controller operating systems that are allowed in the domain                                                                                                                                                                                                                                                                               |
-|-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0     | DS\_BEHAVIOR\_WIN2000                       | Windows 2000 Server operating system<br>Windows Server 2003 operating system<br>Windows Server 2008 operating system<br>Windows Server 2008 R2 operating system<br>Windows Server 2012 operating system<br>Windows Server 2012 R2 operating system<br>Windows Server 2016 operating system |
-| 1     | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003<br>Windows Server 2008<br>Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016                                                                                                                                                     |
-| 2     | DS\_BEHAVIOR\_WIN2003                       | Windows Server 2003<br>Windows Server 2008<br>Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016                                                                                                                                                     |
-| 3     | DS\_BEHAVIOR\_WIN2008                       | Windows Server 2008<br>Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016                                                                                                                                                                                  |
-| 4     | DS\_BEHAVIOR\_WIN2008R2                     | Windows Server 2008 R2<br>Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016                                                                                                                                                                                                               |
-| 5     | DS\_BEHAVIOR\_WIN2012                       | Windows Server 2012<br>Windows Server 2012 R2<br>Windows Server 2016                                                                                                                                                                                                                                               |
-| 6     | DS\_BEHAVIOR\_WIN2012R2                     | Windows Server 2012 R2<br>Windows Server 2016                                                                                                                                                                                                                                                                            |
-| 7     | DS\_BEHAVIOR\_WINTHRESHOLD                  | Windows Server 2016                                                                                                                                                                                                                                                                                                            |
-
--   **OEM Information** \[Type = UnicodeString\]: there is no information about this field in this document.
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:
-
-| Privilege Name                  | User Right Group Policy Name                                   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege   | Replace a process-level token                                  | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeAuditPrivilege                | Generate security audits                                       | With this privilege, the user can add entries to the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeBackupPrivilege               | Back up files and directories                                  | -   Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE                                                                                                                |
-| SeChangeNotifyPrivilege         | Bypass traverse checking                                       | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeCreateGlobalPrivilege         | Create global objects                                          | Required to create named file mapping objects in the global namespace during Terminal Services sessions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| SeCreatePagefilePrivilege       | Create a pagefile                                              | With this privilege, the user can create and change the size of a pagefile.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| SeCreatePermanentPrivilege      | Create permanent shared objects                                | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeCreateSymbolicLinkPrivilege   | Create symbolic links                                          | Required to create a symbolic link.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeCreateTokenPrivilege          | Create a token object                                          | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeDebugPrivilege                | Debug programs                                                 | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| SeEnableDelegationPrivilege     | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set.                                                                                                                                                                                                                      |
-| SeImpersonatePrivilege          | Impersonate a client after authentication                      | With this privilege, the user can impersonate other accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| SeIncreaseBasePriorityPrivilege | Increase scheduling priority                                   | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| SeIncreaseQuotaPrivilege        | Adjust memory quotas for a process                             | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeIncreaseWorkingSetPrivilege   | Increase a process working set                                 | Required to allocate more memory for applications that run in the context of users.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SeLoadDriverPrivilege           | Load and unload device drivers                                 | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeLockMemoryPrivilege           | Lock pages in memory                                           | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeMachineAccountPrivilege       | Add workstations to domain                                     | With this privilege, the user can create a computer account.<br>This privilege is valid only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| SeManageVolumePrivilege         | Perform volume maintenance tasks                               | Required to run maintenance tasks on a volume, such as remote defragmentation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeProfileSingleProcessPrivilege | Profile single process                                         | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeRelabelPrivilege              | Modify an object label                                         | Required to modify the mandatory integrity level of an object.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeRemoteShutdownPrivilege       | Force shutdown from a remote system                            | Required to shut down a system using a network request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| SeRestorePrivilege              | Restore files and directories                                  | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| SeSecurityPrivilege             | Manage auditing and security log                               | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.<br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.<br>A user with this privilege can also view and clear the security log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeShutdownPrivilege             | Shut down the system                                           | Required to shut down a local system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| SeSyncAgentPrivilege            | Synchronize directory service data                             | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| SeSystemEnvironmentPrivilege    | Modify firmware environment values                             | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| SeSystemProfilePrivilege        | Profile system performance                                     | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| SeSystemtimePrivilege           | Change the system time                                         | Required to modify the system time.<br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTakeOwnershipPrivilege        | Take ownership of files or other objects                       | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.<br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTcbPrivilege                  | Act as part of the operating system                            | This privilege identifies its holder as part of the trusted computer base.<br>This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| SeTimeZonePrivilege             | Change the time zone                                           | Required to adjust the time zone associated with the computer's internal clock.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller                  | Required to access Credential Manager as a trusted caller.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| SeUndockPrivilege               | Remove computer from docking station                           | Required to undock a laptop.<br>With this privilege, the user can undock a portable computer from its docking station without logging on.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| SeUnsolicitedInputPrivilege     | Not applicable                                                 | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-
-## Security Monitoring Recommendations
-
-For 4739(S): Domain Policy was changed.
-
--   Any settings changes to “**Account Lockout Policy**”, “**Password Policy**”, or “**Network security: Force logoff when logon hours expire**”, plus any **domain functional level and attributes** changes that are reported by this event, must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md
deleted file mode 100644
index 5447618950..0000000000
--- a/windows/security/threat-protection/auditing/event-4740.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: 4740(S) A user account was locked out. 
-description: Describes security event 4740(S) A user account was locked out. This event is generated every time a user account is locked out.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4740(S): A user account was locked out.
-
-
-<img src="images/event-4740.png" alt="Event 4740 illustration" width="449" height="447" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time a user account is locked out.
-
-For user accounts, this event generates on domain controllers, member servers, and workstations.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4740</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-21T22:06:08.576887500Z" /> 
- <EventRecordID>175703</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1112" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">Auditor</Data> 
- <Data Name="TargetDomainName">WIN81</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data> 
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that performed the lockout operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the lockout operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Account That Was Locked Out:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was locked out. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that was locked out.
-
-**Additional Information:**
-
--   **Caller Computer Name** \[Type = UnicodeString\]**:** the name of computer account from which logon attempt was received and after which target account was locked out. For example: WIN81.
-
-## Security Monitoring Recommendations
-
-For 4740(S): A user account was locked out.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
-
--   If you have high-value domain or local accounts (for example, domain administrator accounts) for which you need to monitor every lockout, monitor all [4740](event-4740.md) events with the **“Account That Was Locked Out \\Security ID”** values that correspond to the accounts.
-
-<!-- -->
-
--   If you have a high-value domain or local account for which you need to monitor every change, monitor all [4740](event-4740.md) events with the **“Account That Was Locked Out \\Security ID”** that corresponds to the account.
-
--   If the user account **“Account That Was Locked Out\\Security ID”** should not be used (for authentication attempts) from the **Additional Information\\Caller Computer Name**, then trigger an alert.
-
--   Monitor for all [4740](event-4740.md) events where **Additional Information\\Caller Computer Name** is not from your domain. However, be aware that even if the computer is not in your domain you will get the computer name instead of an IP address in the [4740](event-4740.md) event.
-
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
deleted file mode 100644
index 37842d6609..0000000000
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ /dev/null
@@ -1,271 +0,0 @@
----
-title: 4741(S) A computer account was created. 
-description: Describes security event 4741(S) A computer account was created. This event is generated every time a computer object is created.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4741(S): A computer account was created.
-
-![Event 4741 illustration](images/event-4741.png)
-
-***Subcategory:***&nbsp;[Audit Computer Account Management](audit-computer-account-management.md)
-
-***Event Description:***
-
-This event generates every time a new computer object is created.
-
-This event generates only on domain controllers.
-
-> [!NOTE]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-***Event XML:***
-
-```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4741</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13825</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-12T18:41:39.201898100Z" /> 
- <EventRecordID>170254</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1096" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">WIN81$</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0xc88b2</Data> 
- <Data Name="PrivilegeList">-</Data> 
- <Data Name="SamAccountName">WIN81$</Data> 
- <Data Name="DisplayName">-</Data> 
- <Data Name="UserPrincipalName">-</Data> 
- <Data Name="HomeDirectory">-</Data> 
- <Data Name="HomePath">-</Data> 
- <Data Name="ScriptPath">-</Data> 
- <Data Name="ProfilePath">-</Data> 
- <Data Name="UserWorkstations">-</Data> 
- <Data Name="PasswordLastSet">8/12/2015 11:41:39 AM</Data> 
- <Data Name="AccountExpires">%%1794</Data> 
- <Data Name="PrimaryGroupId">515</Data> 
- <Data Name="AllowedToDelegateTo">-</Data> 
- <Data Name="OldUacValue">0x0</Data> 
- <Data Name="NewUacValue">0x80</Data> 
- <Data Name="UserAccountControl">%%2087</Data> 
- <Data Name="UserParameters">-</Data> 
- <Data Name="SidHistory">-</Data> 
- <Data Name="LogonHours">%%1793</Data> 
- <Data Name="DnsHostName">Win81.contoso.local</Data> 
- <Data Name="ServicePrincipalNames">HOST/Win81.contoso.local RestrictedKrbHost/Win81.contoso.local HOST/WIN81 RestrictedKrbHost/WIN81</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “create Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-  > [!NOTE]
-  > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create Computer object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**New Computer Account:**
-
--   **Security ID** \[Type = SID\]**:** SID of created computer account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the computer account that was created. For example: WIN81$
-
--   **Account Domain** \[Type = UnicodeString\]**:** domain name of created computer account. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-**Attributes:**
-
--   **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of **sAMAccountName** attribute of new computer object. For example: WIN81$.
-
--   **Display Name** \[Type = UnicodeString\]: the value of **displayName** attribute of new computer object. It is a name displayed in the address book for a particular account (typically – user account). This is usually the combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
-
--   **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. This parameter contains the value of **userPrincipalName** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
-
--   **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. This parameter contains the value of **homeDirectory** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
-
--   **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** account’s attribute. The drive letter must be specified in the form `DRIVE\_LETTER:`. For example – `H:`. This parameter contains the value of **homeDrive** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
-
--   **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account's logon script. This parameter contains the value of **scriptPath** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
-
--   **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. This parameter contains the value of **profilePath** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
-
--   **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a computer object. This parameter contains the value of **userWorkstations** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
-
--   **Password Last Set** \[Type = UnicodeString\]**:** last time the account’s password was modified. For manually created computer account, using Active Directory Users and Computers snap-in, this field typically has value `<never>`. For computer account created during standard domain join procedure this field will contains time when computer object was created, because password creates during domain join procedure. For example: 8/12/2015 11:41:39 AM. This parameter contains the value of **pwdLastSet** attribute of new computer object.
-
--   **Account Expires** \[Type = UnicodeString\]: the date when the account expires. This parameter contains the value of **accountExpires** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
-
--   **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of computer’s object primary group.
-
-  > [!NOTE]
-  > **Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
-
-Typically, **Primary Group** field for new computer accounts has the following values:
-
--   516 (Domain Controllers) – for domain controllers.
-
--   521 (Read-only Domain Controllers) – for read-only domain controllers (RODC).
-
--   515 (Domain Computers) – for member servers and workstations.
-
-    See the [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers) for more information. This parameter contains the value of **primaryGroupID** attribute of new computer object.
-
-<!-- -->
-
--   **AllowedToDelegateTo** \[Type = UnicodeString\]: the list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in **Delegation** tab of computer account. Typically it is set to `-` for new computer objects. This parameter contains the value of **AllowedToDelegateTo** attribute of new computer object. See description of **AllowedToDelegateTo** field for “[4742](event-4742.md): A computer account was changed” event for more details.
-
-  > [!NOTE]
-  > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-
--   **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts.
-
--   **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
-
-- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `<value changed, but not displayed>` in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as `-`.
-
-- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new computer object. This parameter might not be captured in the event, and in that case appears as `-`.
-
-- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will see `<value not set>` value for new created computer accounts in event 4741.
-
-- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value `-`.
-
-- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals `-`. This is an example of **Service Principal Names** field for new domain joined workstation:
-
-  HOST/Win81.contoso.local
-
-  RestrictedKrbHost/Win81.contoso.local
-
-  HOST/WIN81
-
-  RestrictedKrbHost/WIN81
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as `-`. See full list of user privileges in the table below:
-
-| Privilege Name  | User Right Group Policy Name  | Description  |
-|---|---|---|
-| SeAssignPrimaryTokenPrivilege   | Replace a process-level token  | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.  |
-| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.  |
-| SeBackupPrivilege  | Back up files and directories  | -   Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE  |
-| SeChangeNotifyPrivilege         | Bypass traverse checking  | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.  |
-| SeCreateGlobalPrivilege         | Create global objects  | Required to create named file mapping objects in the global namespace during Terminal Services sessions.   |
-| SeCreatePagefilePrivilege       | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.  |
-| SeCreatePermanentPrivilege      | Create permanent shared objects  | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
-| SeCreateSymbolicLinkPrivilege   | Create symbolic links  | Required to create a symbolic link.  |
-| SeCreateTokenPrivilege          | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
-| SeDebugPrivilege                | Debug programs  | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.  |
-| SeEnableDelegationPrivilege     | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Delegation** setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set.  |
-| SeImpersonatePrivilege | Impersonate a client after authentication  | With this privilege, the user can impersonate other accounts.  |
-| SeIncreaseBasePriorityPrivilege | Increase scheduling priority  | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.  |
-| SeIncreaseQuotaPrivilege        | Adjust memory quotas for a process  | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process.  |
-| SeIncreaseWorkingSetPrivilege   | Increase a process working set  | Required to allocate more memory for applications that run in the context of users.  |
-| SeLoadDriverPrivilege           | Load and unload device drivers  | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.  |
-| SeLockMemoryPrivilege           | Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).  |
-| SeMachineAccountPrivilege       | Add workstations to domain  | With this privilege, the user can create a computer account.<br>This privilege is valid only on domain controllers.  |
-| SeManageVolumePrivilege         | Perform volume maintenance tasks  | Required to run maintenance tasks on a volume, such as remote defragmentation.  |
-| SeProfileSingleProcessPrivilege | Profile single process  | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.   |
-| SeRelabelPrivilege              | Modify an object label | Required to modify the mandatory integrity level of an object.  |
-| SeRemoteShutdownPrivilege       | Force shutdown from a remote system | Required to shut down a system using a network request.  |
-| SeRestorePrivilege              | Restore files and directories                                  | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| SeSecurityPrivilege             | Manage auditing and security log                               | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.<br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.<br>A user with this privilege can also view and clear the security log.  |
-| SeShutdownPrivilege             | Shut down the system                                           | Required to shut down a local system.  |
-| SeSyncAgentPrivilege            | Synchronize directory service data                             | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.  |
-| SeSystemEnvironmentPrivilege    | Modify firmware environment values  | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
-| SeSystemProfilePrivilege        | Profile system performance  | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.  |
-| SeSystemtimePrivilege           | Change the system time  | Required to modify the system time.<br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.   |
-| SeTakeOwnershipPrivilege        | Take ownership of files or other objects                       | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.<br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.  |
-| SeTcbPrivilege                  | Act as part of the operating system                            | This privilege identifies its holder as part of the trusted computer base.<br>This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.  |
-| SeTimeZonePrivilege             | Change the time zone   | Required to adjust the time zone associated with the computer's internal clock.  |
-| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller  | Required to access Credential Manager as a trusted caller.  |
-| SeUndockPrivilege               | Remove computer from docking station  | Required to undock a laptop.<br>With this privilege, the user can undock a portable computer from its docking station without logging on.  |
-| SeUnsolicitedInputPrivilege     | Not applicable  | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device.  |
-
-> <span id="_Ref433296229" class="anchor"></span>Table 8. User Privileges.
-
-## Security Monitoring Recommendations
-
-For 4741(S): A computer account was created.
-
-> [!IMPORTANT]
-> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If your information security monitoring policy requires you to monitor computer account creation, monitor this event.
-
--   Consider whether to track the following fields and values:
-
-  | **Field and value to track**   | **Reason to track**  |
-  |---|---|
-  | **SAM Account Name**: empty or `-`  | This field must contain the computer account name. If it is empty or **-**, it might indicate an anomaly.  |
-  | **Display Name** is not -<br>**User Principal Name** is not -<br>**Home Directory** is not -<br>**Home Drive** is not -<br>**Script Path** is not -<br>**Profile Path** is not -<br>**User Workstations** is not -<br>**AllowedToDelegateTo** is not - | Typically these fields are **-** for new computer accounts. Other values might indicate an anomaly and should be monitored.  |
-  | **Password Last Set** is `<never>`  | This typically means this is a manually created computer account, which you might need to monitor. |
-  | **Account Expires** is not `<never>`  | Typically this field is `<never>` for new computer accounts. Other values might indicate an anomaly and should be monitored.  |
-  | **Primary Group ID** is any value other than 515. | Typically, the **Primary Group ID** value is one of the following:<br>**516** for domain controllers<br>**521** for read only domain controllers (RODCs)<br>**515** for servers and workstations (domain computers)<br>If the **Primary Group ID** is 516 or 521, it is a new domain controller or RODC, and the event should be monitored.<br>If the value is not 516, 521, or 515, it is not a typical value and should be monitored. |
-  | **Old UAC Value** is not 0x0  | Typically this field is **0x0** for new computer accounts. Other values might indicate an anomaly and should be monitored.  |
-  | **SID History** is not `-`  | This field will always be set to - unless the account was migrated from another domain.  |
-  | **Logon Hours** value other than `<value not set>`  | This should always be `<value not set>` for new computer accounts.  |
-
--   Consider whether to track the following account control flags:
-
-  | **User account control flag to track** | **Information about the flag** |
-  |---|---|
-  | **'Encrypted Text Password Allowed'** – Enabled  | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers.  |
-  | **'Server Trust Account'** – Enabled  | Should be enabled **only** for domain controllers.  |
-  | **'Don't Expire Password'** – Enabled  | Should not be enabled for new computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers. |
-  | **'Smartcard Required'** – Enabled | Should not be enabled for new computer accounts.  |
-  | **'Trusted For Delegation'** – Enabled   | Should not be enabled for new member servers and workstations. It is enabled by default for new domain controllers.  |
-  | **'Not Delegated'** – Enabled  | Should not be enabled for new computer accounts.  |
-  | **'Use DES Key Only'** – Enabled  | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.  |
-  | **'Don't Require Preauth'** – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.  |
-  | **'Trusted To Authenticate For Delegation'** – Enabled | Should not be enabled for new computer accounts by default.   |
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
deleted file mode 100644
index a397156de0..0000000000
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ /dev/null
@@ -1,267 +0,0 @@
----
-title: 4742(S) A computer account was changed. 
-description: Describes security event 4742(S) A computer account was changed. This event is generated every time a computer object is changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4742(S): A computer account was changed.
-
-:::image type="content" source="images/event-4742.png" alt-text="Event 4742 illustration":::
-
-***Subcategory:*** [Audit Computer Account Management](audit-computer-account-management.md)
-
-***Event Description:***
-
-This event generates every time a computer object is changed.
-
-This event generates only on domain controllers.
-
-You might see the same values for **Subject**\\**Security ID** and **Computer Account That Was Changed**\\**Security ID** in this event. This usually happens when you reboot a computer after adding it to the domain (the change takes effect after the reboot).
-
-For each change, a separate 4742 event will be generated.
-
-Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in computer account properties.
-
-You might see this event without any changes inside, that is, where all **Changed Attributes** appear as `-`. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4742 event will generate, but all attributes will be `-`.
-
-> [!IMPORTANT]
-> 
-> - If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects.
-> 
-> - For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-
-```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4742</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13825</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-14T02:35:01.252397000Z" /> 
- <EventRecordID>171754</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1108" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ComputerAccountChange">-</Data> 
- <Data Name="TargetUserName">WIN81$</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x2e80c</Data> 
- <Data Name="PrivilegeList">-</Data> 
- <Data Name="SamAccountName">-</Data> 
- <Data Name="DisplayName">-</Data> 
- <Data Name="UserPrincipalName">-</Data> 
- <Data Name="HomeDirectory">-</Data> 
- <Data Name="HomePath">-</Data> 
- <Data Name="ScriptPath">-</Data> 
- <Data Name="ProfilePath">-</Data> 
- <Data Name="UserWorkstations">-</Data> 
- <Data Name="PasswordLastSet">-</Data> 
- <Data Name="AccountExpires">-</Data> 
- <Data Name="PrimaryGroupId">-</Data> 
- <Data Name="AllowedToDelegateTo">%%1793</Data> 
- <Data Name="OldUacValue">0x80</Data> 
- <Data Name="NewUacValue">0x2080</Data> 
- <Data Name="UserAccountControl">%%2093</Data> 
- <Data Name="UserParameters">-</Data> 
- <Data Name="SidHistory">-</Data> 
- <Data Name="LogonHours">-</Data> 
- <Data Name="DnsHostName">-</Data> 
- <Data Name="ServicePrincipalNames">-</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “change Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-  > [!NOTE]
-  > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change Computer object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Computer Account That Was Changed:**
-
--   **Security ID** \[Type = SID\]**:** SID of changed computer account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the computer account that was changed. For example: WIN81$
-
--   **Account Domain** \[Type = UnicodeString\]**:** domain name of changed computer account. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-**Changed Attributes:**
-
-> [!NOTE]
-> If attribute was not changed it will have `-` value.
-
--   **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of computer object was changed, you will see the new value here. For example: WIN8$.
-
--   **Display Name** \[Type = UnicodeString\]: it is a name displayed in the address book for a particular account (typically – user account). This is usually the combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. If the value of **displayName** attribute of computer object was changed, you will see the new value here.
-
--   **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. If the value of **userPrincipalName** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
-
--   **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. If the value of **homeDirectory** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
-
--   **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** account’s attribute. The drive letter must be specified in the form `DRIVE\_LETTER:`. For example – `H:`. If the value of **homeDrive** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
-
--   **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account’s logon script. If the value of **scriptPath** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
-
--   **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. If the value of **profilePath** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
-
--   **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a computer object. If the value of **userWorkstations** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
-
--   **Password Last Set** \[Type = UnicodeString\]**:** last time the account’s password was modified. If the value of **pwdLastSet** attribute of computer object was changed, you will see the new value here. For example: 8/12/2015 11:41:39 AM. This value will be changed, for example, after manual computer account reset action or automatically every 30 days by default for computer objects.
-
--   **Account Expires** \[Type = UnicodeString\]: the date when the account expires. If the value of **accountExpires** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
-
--   **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of computer’s object primary group.
-
-  > [!NOTE]
-  > **Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
-
-This field will contain some value if computer’s object primary group was changed. You can change computer’s primary group using Active Directory Users and Computers management console in the **Member Of** tab of computer object properties. You will see a RID of new primary group as a field value. For example, 515 (Domain Computers) for workstations, is a default primary group.
-
-Typical **Primary Group** values for computer accounts:
-
--   516 (Domain Controllers) – for domain controllers.
-
--   521 (Read-only Domain Controllers) – read-only domain controllers (RODC).
-
--   515 (Domain Computers) – servers and workstations.
-
-    See the [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers) for more information. If the value of **primaryGroupID** attribute of computer object was changed, you will see the new value here.
-
-<!-- -->
-
--   **AllowedToDelegateTo** \[Type = UnicodeString\]: the list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in **Delegation** tab of computer account. If the SPNs list on **Delegation** tab of a computer account was changed, you will see the new SPNs list in **AllowedToDelegateTo** field (note that you will see the new list instead of changes) of this event. This is an example of **AllowedToDelegateTo**:
-
-    -   dcom/WIN2012
-
-    -   dcom/WIN2012.contoso.local
-
-        If the value of **msDS-AllowedToDelegateTo** attribute of computer object was changed, you will see the new value here.
-
-        The value can be `<value not set>`, for example, if delegation was disabled.
-
-  > [!NOTE]
-  > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-
--   **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD).
-
--   **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
-
--   **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `<value changed, but not displayed>` in this field.
-
--   **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. If the value of **sIDHistory** attribute of computer object was changed, you will see the new value here.
-
--   **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. If the value of **logonHours** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
-
--   **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. If the value of **dNSHostName** attribute of computer object was changed, you will see the new value here.
-
-<!-- -->
-
-- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in **Service Principal Names** field (note that you will see the new list instead of changes). If the value of **servicePrincipalName** attribute of computer object was changed, you will see the new value here.
-
-  Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots<b>:</b>
-
-  HOST/Win81.contoso.local
-
-  RestrictedKrbHost/Win81.contoso.local
-
-  HOST/WIN81
-
-  RestrictedKrbHost/WIN81
-
-TERMSRV/Win81.contoso.local
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as `-`. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4742(S): A computer account was changed.
-
-> [!IMPORTANT]
-> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have critical domain computer accounts (database servers, domain controllers, administration workstations, and so on) for which you need to monitor each change, monitor this event with the **“Computer Account That Was Changed\\Security ID”** that corresponds to the high-value account or accounts.
-
--   If you have computer accounts for which any change in the services list on the **Delegation** tab should be monitored, monitor this event when **AllowedToDelegateTo** is not -. This value means the services list was changed.
-
--   Consider whether to track the following fields and values:
-
-  | **Field and value to track**  | **Reason to track**  |
-  |---|---|
-  | **Display Name** is not -<br>**User Principal Name** is not -<br>**Home Directory** is not -<br>**Home Drive** is not -<br>**Script Path** is not -<br>**Profile Path** is not -<br>**User Workstations** is not -<br>**Account Expires** is not -<br>**Logon Hours** is not - | Typically these fields are `-` for computer accounts. Other values might indicate an anomaly and should be monitored. |
-  | **Password Last Set** changes occur more often than usual  | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack.  |
-  | **Primary Group ID** is not 516, 521, or 515  | Typically, the **Primary Group ID** value is one of the following:<br>**516** for domain controllers<br>**521** for read only domain controllers (RODCs)<br>**515** for servers and workstations (domain computers)<br>Other values should be monitored. |
-  | For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked `<value not set>`  | If **AllowedToDelegateTo** is marked `<value not set>` on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared.  |
-  | **SID History** is not - | This field will always be set to `-` unless the account was migrated from another domain.  |
-
--   Consider whether to track the following account control flags:
-
-  | **User account control flag to track**  | **Information about the flag**  |
-  |---|---|
-  | **'Password Not Required'** – Enabled  | Should not be set for computer accounts. Computer accounts typically require a password by default, except manually created computer objects. |
-  | **'Encrypted Text Password Allowed'** – Enabled  | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers.  |
-  | **'Server Trust Account'** – Enabled  | Should be enabled **only** for domain controllers.  |
-  | **'Server Trust Account'** – Disabled  | Should **not** be disabled for domain controllers.  |
-  | **'Don't Expire Password'** – Enabled  | Should not be enabled for computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers.  |
-  | **'Smartcard Required'** – Enabled  | Should not be enabled for computer accounts.  |
-  | **'Trusted For Delegation'** – Enabled  | Means that Kerberos Constraint or Unconstraint delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.  |
-  | **'Trusted For Delegation'** – Disabled  | Means that Kerberos Constraint or Unconstraint delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.<br>Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts. |
-  | **'Trusted To Authenticate For Delegation'** – Enabled  | Means that Protocol Transition delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.  |
-  | **'Trusted To Authenticate For Delegation'** – Disabled | Means that Protocol Transition delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.<br>Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts.  |
-  | **'Not Delegated'** – Enabled  | Means that **Account is sensitive and cannot be delegated** was selected for the computer account. For computer accounts, this flag cannot be set using the graphical interface. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. |
-  | **'Use DES Key Only'** – Enabled  | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.  |
-  | **'Don't Require Preauth'** - Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.  |
diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md
deleted file mode 100644
index 7761fa540b..0000000000
--- a/windows/security/threat-protection/auditing/event-4743.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-title: 4743(S) A computer account was deleted. 
-description: Describes security event 4743(S) A computer account was deleted. This event is generated every time a computer object is deleted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4743(S): A computer account was deleted.
-
-
-<img src="images/event-4743.png" alt="Event 4743 illustration" width="509" height="461" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Computer Account Management](audit-computer-account-management.md)
-
-***Event Description:***
-
-This event generates every time a computer object is deleted.
-
-This event generates only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4743</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13825</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-14T15:57:08.104214100Z" /> 
- <EventRecordID>172103</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1108" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">COMPUTERACCOUNT$</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6118</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3007b</Data> 
- <Data Name="PrivilegeList">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “delete Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete Computer object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Computer:**
-
--   **Security ID** \[Type = SID\]**:** SID of deleted computer account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the computer account that was deleted. For example: WIN81$
-
--   **Account Domain** \[Type = UnicodeString\]**:** domain name of deleted computer account. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4743(S): A computer account was deleted.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have critical domain computer accounts (database servers, domain controllers, administration workstations, and so on) for which you need to monitor each action (especially deletion), monitor this event with the **“Target Computer\\Security ID”** or “**Target Computer\\Account Name**” that corresponds to the high-value account or accounts.
-
diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md
deleted file mode 100644
index f0d009b637..0000000000
--- a/windows/security/threat-protection/auditing/event-4749.md
+++ /dev/null
@@ -1,129 +0,0 @@
----
-title: 4749(S) A security-disabled global group was created. 
-description: Describes security event 4749(S) A security-disabled global group was created.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4749(S): A security-disabled global group was created.
-
-
-<img src="images/event-4749.png" alt="Event 4749 illustration" width="449" height="518" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Distribution Group Management](audit-distribution-group-management.md)
-
-***Event Description:***
-
-This event generates every time a new security-disabled (distribution) global group was created.
-
-This event generates only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4749</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13827</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-14T16:16:35.568878700Z" /> 
- <EventRecordID>172181</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1108" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">ServiceDesk</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3007b</Data> 
- <Data Name="PrivilegeList">-</Data> 
- <Data Name="SamAccountName">ServiceDesk</Data> 
- <Data Name="SidHistory">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “create group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create group” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Group:**
-
--   **Security ID** \[Type = SID\]**:** SID of created group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Group Name** \[Type = UnicodeString\]**:** the name of the group that was created. For example: ServiceDesk
-
--   **Group Domain** \[Type = UnicodeString\]**:** domain name of created group. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-**Attributes:**
-
--   **SAM Account Name** \[Type = UnicodeString\]: This is a name of new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of **sAMAccountName** attribute of new group object. For example: ServiceDesk
-
--   **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new group object. This parameter might not be captured in the event, and in that case appears as “-”.
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4749(S): A security-disabled global group was created.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor each time a new distribution group is created, to see who created the group and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
-
--   If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions.
-
diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md
deleted file mode 100644
index 3a7433f4de..0000000000
--- a/windows/security/threat-protection/auditing/event-4750.md
+++ /dev/null
@@ -1,147 +0,0 @@
----
-title: 4750(S) A security-disabled global group was changed. 
-description: Describes security event 4750(S) A security-disabled global group was changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4750(S): A security-disabled global group was changed.
-
-
-<img src="images/event-4750.png" alt="Event 4750 illustration" width="449" height="517" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Distribution Group Management](audit-distribution-group-management.md)
-
-***Event Description:***
-
-This event generates every time security-disabled (distribution) global group is changed.
-
-This event generates only on domain controllers.
-
-Some changes do not invoke a 4750 event, for example, changes made using the Active Directory Users and Computers management console in **Managed By** tab in group account properties.
-
-If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](audit-user-account-management.md)” subcategory success auditing is enabled.
-
-If you change the group type, you get a change event from the new group type auditing subcategory instead of 4750. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](audit-security-group-management.md)” subcategory success auditing must be enabled.
-
-From 4750 event you can get information about changes of **sAMAccountName** and **sIDHistory** attributes or you will see that something changed, but will not be able to see what exactly changed.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4750</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13827</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-14T16:38:37.902710700Z" /> 
- <EventRecordID>172188</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1108" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">ServiceDeskMain</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3007b</Data> 
- <Data Name="PrivilegeList">-</Data> 
- <Data Name="SamAccountName">ServiceDeskMain</Data> 
- <Data Name="SidHistory">-</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “change group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change group” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Group:**
-
--   **Security ID** \[Type = SID\]**:** SID of changed group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;Sometimes you can see the **Group\\Security ID** field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session.
-> 
-> **Note**&nbsp;&nbsp;**Security ID** field has the same value as new group name (**Changed Attributes&gt;SAM Account Name**). That is happens because event is generated after name was changed and SID resolves to the new name. It is always better to use SID instead of group names for queries or filtering of events, because you will know for sure that this the right object you are looking for or want to monitor.
-
--   **Group Name** \[Type = UnicodeString\]**:** the name of the group that was changed. For example: ServiceDesk
-
--   **Group Domain** \[Type = UnicodeString\]**:** domain name of changed group. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
-
-**Changed Attributes:**
-
-> **Note**&nbsp;&nbsp;If attribute was not changed it will have “-“ value.
-> 
-> **Note**&nbsp;&nbsp;You might see a 4750 event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4750 event will generate, but all attributes will be “-“.
-
--   **SAM Account Name** \[Type = UnicodeString\]: This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of group object was changed, you will see the new value here. For example: ServiceDesk.
-
--   **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. If the value of **sIDHistory** attribute of group object was changed, you will see the new value here.
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4750(S): A security-disabled global group was changed.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a list of critical distribution groups in the organization, and need to specifically monitor these groups for any change, monitor events with the “**Group\\Group Name”** values that correspond to the critical distribution groups.
-
--   If you need to monitor each time a member is added to a distribution group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
-
--   If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md
deleted file mode 100644
index cf6278c300..0000000000
--- a/windows/security/threat-protection/auditing/event-4751.md
+++ /dev/null
@@ -1,160 +0,0 @@
----
-title: 4751(S) A member was added to a security-disabled global group. 
-description: Describes security event 4751(S) A member was added to a security-disabled global group.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4751(S): A member was added to a security-disabled global group.
-
-
-<img src="images/event-4751.png" alt="Event 4751 illustration" width="449" height="530" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Distribution Group Management](audit-distribution-group-management.md)
-
-***Event Description:***
-
-This event generates every time a new member was added to a security-disabled (distribution) global group.
-
-This event generates only on domain controllers.
-
-For every added member you will get separate 4751 event.
-
-You will typically see “[4750](event-4750.md): A security-disabled global group was changed.” event without any changes in it prior to 4751 event.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4751</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13827</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-15T00:01:10.821144700Z" /> 
- <EventRecordID>172221</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1108" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data> 
- <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data> 
- <Data Name="TargetUserName">ServiceDeskSecond</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3007b</Data> 
- <Data Name="PrivilegeList">-</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “add member to the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add member to the group” operation.
-
-<!-- -->
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    <!-- -->
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-<!-- -->
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Member:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was added to the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
-**Group:**
-
--   **Security ID** \[Type = SID\]**:** SID of the group to which new member was added. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Group Name** \[Type = UnicodeString\]**:** the name of the group to which new member was added. For example: ServiceDesk
-
-<!-- -->
-
--   **Group Domain** \[Type = UnicodeString\]**:** domain name of the group to which new member was added. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4751(S): A member was added to a security-disabled global group.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                                                                                |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Addition of members to distribution groups:** You might need to monitor the addition of members to distribution groups.                                                                                                                                                                                         | If you need to monitor each time a member is added to a distribution group, to see who added the member and when, monitor this event.<br>Typically, this event is used as an informational event, to be reviewed if needed. |
-| **High-value distribution groups:** You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes).                                                                                              | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value distribution groups.                                                                                                                 |
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts.                                                                                       |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                       |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used.                                                                                   |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist.                                                                                        |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                       |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                    |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.                                                                                   |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                                                                          |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md
deleted file mode 100644
index e81f6a3046..0000000000
--- a/windows/security/threat-protection/auditing/event-4752.md
+++ /dev/null
@@ -1,151 +0,0 @@
----
-title: 4752(S) A member was removed from a security-disabled global group. 
-description: Describes security event 4752(S) A member was removed from a security-disabled global group.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4752(S): A member was removed from a security-disabled global group.
-
-
-<img src="images/event-4752.png" alt="Event 4752 illustration" width="449" height="530" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Distribution Group Management](audit-distribution-group-management.md)
-
-***Event Description:***
-
-This event generates every time member was removed from the security-disabled (distribution) global group.
-
-This event generates only on domain controllers.
-
-For every removed member you will get separate 4752 event.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4752</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13827</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-15T00:20:57.315863900Z" /> 
- <EventRecordID>172229</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1108" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data> 
- <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data> 
- <Data Name="TargetUserName">ServiceDeskSecond</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3007b</Data> 
- <Data Name="PrivilegeList">-</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “remove member from the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove member from the group” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Member:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was removed from the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
-**Group:**
-
--   **Security ID** \[Type = SID\]**:** SID of the group from which the member was removed. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Group Name** \[Type = UnicodeString\]**:** the name of the group from which the member was removed. For example: ServiceDesk
-
--   **Group Domain** \[Type = UnicodeString\]**:** domain name of the group from which the member was removed. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4752(S): A member was removed from a security-disabled global group.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                                                                                      |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Removal of members from distribution groups:** You might need to monitor the removal of members from distribution groups.                                                                                                                                                                                       | If you need to monitor each time a member is removed from a distribution group, to see who removed the member and when, monitor this event.<br>Typically, this event is used as an informational event, to be reviewed if needed. |
-| **High-value distribution groups:** You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes).                                                                                                   | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value distribution groups.                                                                                                                       |
-| **Distribution groups with required members**: You might need to ensure that for certain distribution groups, particular members are never removed.                                                                                                                                                               | Monitor this event with the “**Group\\Group Name”** that corresponds to the group of interest, and the **“Member\\Security ID”** of the members who should not be removed.                                                              |
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts.                                                                                             |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.                                                             |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used.                                                                                         |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist.                                                                                              |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected.                                                             |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                          |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.                                                                                         |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                                                                                |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md
deleted file mode 100644
index ad1a890f3c..0000000000
--- a/windows/security/threat-protection/auditing/event-4753.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: 4753(S) A security-disabled global group was deleted. 
-description: Describes security event 4753(S) A security-disabled global group was deleted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4753(S): A security-disabled global group was deleted.
-
-
-<img src="images/event-4753.png" alt="Event 4753 illustration" width="449" height="461" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Distribution Group Management](audit-distribution-group-management.md)
-
-***Event Description:***
-
-This event generates every time security-disabled (distribution) global group is deleted.
-
-This event generates only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4753</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13827</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-15T00:59:33.621155200Z" /> 
- <EventRecordID>172230</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1504" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">ServiceDeskSecond</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3007b</Data> 
- <Data Name="PrivilegeList">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “delete group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete group” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Group:**
-
--   **Security ID** \[Type = SID\]**:** SID of deleted group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Group Name** \[Type = UnicodeString\]**:** the name of the group that was deleted. For example: ServiceDesk
-
--   **Group Domain** \[Type = UnicodeString\]**:** domain name of deleted group. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4753(S): A security-disabled global group was deleted.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a list of critical distribution groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “**Group\\Group Name”** values that correspond to the critical distribution groups.
-
--   If you need to monitor each time a distribution group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md
deleted file mode 100644
index 7edbd2330a..0000000000
--- a/windows/security/threat-protection/auditing/event-4764.md
+++ /dev/null
@@ -1,143 +0,0 @@
----
-title: 4764(S) A group's type was changed. 
-description: Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4764(S): A group’s type was changed.
-
-
-<img src="images/event-4764.png" alt="Event 4764 illustration" width="603" height="489" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security Group Management](audit-security-group-management.md)
-
-***Event Description:***
-
-This event generates every time group’s type is changed.
-
-This event generates for both security and distribution groups.
-
-This event generates only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4764</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13826</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-20T00:25:33.459568000Z" /> 
- <EventRecordID>175221</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="1072" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="GroupTypeChange">Security Enabled Local Group Changed to Security Disabled Local Group.</Data> 
- <Data Name="TargetUserName">CompanyAuditors</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6608</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x38200</Data> 
- <Data Name="PrivilegeList">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “change group type” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change group type” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Change Type** \[Type = UnicodeString\]**:** contains three parts: “&lt;Param1&gt; **Changed To** &lt;Param2&gt;.”. These two parameters can have the following values (they cannot have the same value at the same time):
-
--   Security Disabled Local Group
-
--   Security Disabled Universal Group
-
--   Security Disabled Global Group
-
--   Security Enabled Local Group
-
--   Security Enabled Universal Group
-
--   Security Enabled Global Group
-
-**Group:**
-
--   **Security ID** \[Type = SID\]**:** SID of changed group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Group Name** \[Type = UnicodeString\]**:** the name of the group, which type was changed. For example: ServiceDesk
-
--   **Group Domain** \[Type = UnicodeString\]: domain or computer name of the changed group. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”.
-
-    -   [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4764(S): A group’s type was changed.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a list of critical local or domain groups in the organization, and need to specifically monitor these groups for any change, especially group type change, monitor events with the “**Group\\Group Name”** values that correspond to the critical distribution groups. Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, critical distribution groups, and so on.
-
--   If you need to monitor each time any group’s type is changed, to see who changed it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md
deleted file mode 100644
index 6f98fc7e25..0000000000
--- a/windows/security/threat-protection/auditing/event-4765.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: 4765(S) SID History was added to an account. 
-description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4765(S): SID History was added to an account.
-
-
-This event generates when [SID History](/windows/win32/adschema/a-sidhistory) was added to an account.
-
-See more information about SID History here: <https://technet.microsoft.com/library/cc779590(v=ws.10).aspx>.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Schema:***
-
-*SID History was added to an account.*
-
-*Subject:*
-
-> *Security ID:%6*
->
-> *Account Name:%7*
->
-> *Account Domain:%8*
->
-> *Logon ID:%9*
-
-*Target Account:*
-
-> *Security ID:%5*
->
-> *Account Name:%3*
->
-> *Account Domain:%4*
-
-*Source Account:*
-
-> *Security ID:%2*
->
-> *Account Name:%1*
-
-*Additional Information:*
-
-> *Privileges:%10*
->
-> *SID List:%11*
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md
deleted file mode 100644
index 59ca2a65fa..0000000000
--- a/windows/security/threat-protection/auditing/event-4766.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: 4766(F) An attempt to add SID History to an account failed. 
-description: Describes security event 4766(F) An attempt to add SID History to an account failed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4766(F): An attempt to add SID History to an account failed.
-
-
-This event generates when an attempt to add [SID History](/windows/win32/adschema/a-sidhistory) to an account failed.
-
-See more information about SID History here: <https://technet.microsoft.com/library/cc779590(v=ws.10).aspx>.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Schema:***
-
-*An attempt to add SID History to an account failed.*
-
-*Subject:*
-
-> *Security ID:-*
->
-> *Account Name:%5*
->
-> *Account Domain:%6*
->
-> *Logon ID:%7*
-
-*Target Account:*
-
-> *Security ID:%4*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
-
-*Source Account:*
-
-> *Account Name:%1*
-
-*Additional Information:*
-
-> *Privileges:%8*
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md
deleted file mode 100644
index 8ef81340aa..0000000000
--- a/windows/security/threat-protection/auditing/event-4767.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-title: 4767(S) A user account was unlocked. 
-description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4767(S): A user account was unlocked.
-
-
-<img src="images/event-4767.png" alt="Event 4767 illustration" width="449" height="421" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time a user account is unlocked.
-
-For user accounts, this event generates on domain controllers, member servers, and workstations.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4767</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-21T22:31:01.871931700Z" /> 
- <EventRecordID>175705</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1520" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">Auditor</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30d5f</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that performed the unlock operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the unlock operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that was unlocked. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that was unlocked.
-
--   **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
-## Security Monitoring Recommendations
-
-For 4767(S): A user account was unlocked.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   We recommend monitoring all [4767](event-4767.md) events for local accounts.
-
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
deleted file mode 100644
index d0f63ca03a..0000000000
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ /dev/null
@@ -1,353 +0,0 @@
----
-title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested. 
-description: Describes security event 4768(S, F) A Kerberos authentication ticket (TGT) was requested.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 10/20/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
-
-
-:::image type="content" alt-text="Event 4768 illustration." source="images/event-4768.png":::
-
-***Subcategory:***&nbsp;[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
-
-***Event Description:***
-
-This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
-
-This event generates only on domain controllers.
-
-If TGT issue fails then you will see Failure event with **Result Code** field not equal to “**0x0**”.
-
-This event doesn't generate for **Result Codes**: 0x10 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead.
-
-> [!NOTE]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4768</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14339</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-07T18:13:46.074535600Z" /> 
- <EventRecordID>166747</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1496" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetDomainName">CONTOSO.LOCAL</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="ServiceName">krbtgt</Data> 
- <Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data> 
- <Data Name="TicketOptions">0x40810010</Data> 
- <Data Name="Status">0x0</Data> 
- <Data Name="TicketEncryptionType">0x12</Data> 
- <Data Name="PreAuthType">15</Data> 
- <Data Name="IpAddress">::ffff:10.0.0.12</Data> 
- <Data Name="IpPort">49273</Data> 
- <Data Name="CertIssuerName">contoso-DC01-CA-1</Data> 
- <Data Name="CertSerialNumber">1D0000000D292FBE3C6CDDAFA200020000000D</Data> 
- <Data Name="CertThumbprint">564DFAEE99C71D62ABC553E695BD8DBC46669413</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Account Information:**
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of account, for which (TGT) ticket was requested. Computer account name ends with **$** character.
-
-    -   User account example: dadmin
-
-    -   Computer account example: WIN81$
-
--   **Supplied Realm Name** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. This can appear in a variety of formats, including the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    > [!NOTE]
-    > A **Kerberos Realm** is a set of managed nodes that share the same Kerberos database. The Kerberos database resides on the Kerberos master computer system, which should be kept in a physically secure room. Active Directory domain is the example of Kerberos Realm in the Microsoft Windows Active Directory world.
-
--   **User ID** \[Type = SID\]**:** SID of account for which (TGT) ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-    For example: CONTOSO\\dadmin or CONTOSO\\WIN81$.
-
-    -   **NULL SID** – this value shows in [4768](event-4768.md) Failure events.
-
-    > [!NOTE]
-    > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
-**Service Information:**
-
--   **Service Name** \[Type = UnicodeString\]: the name of the service in the Kerberos Realm to which TGT request was sent. Typically has value “**krbtgt”** for TGT requests, which means Ticket Granting Ticket issuing service.
-
-    -   For Failure events **Service Name** typically has the following format: **krbtgt/REALM\_NAME**. For example: krbtgt/CONTOSO.
-
--   **Service ID** \[Type = SID\]**:** SID of the service account in the Kerberos Realm to which TGT request was sent. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-    Domain controllers have a specific service account (**krbtgt**) that is used by the [Key Distribution Center](/windows/win32/secauthn/key-distribution-center) (KDC) service to issue Kerberos tickets. It has a built-in, pre-defined SID: S-1-5-21-[DOMAIN\_IDENTIFIER](/previous-versions/windows/it-pro/windows-2000-server/cc962011(v=technet.10))-502.
-
-    -   **NULL SID** – this value shows in [4768](event-4768.md) Failure events.
-
-**Network Information:**
-
--   **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Formats vary, and include the following:
-
-    -   **IPv6** or **IPv4** address.
-
-    -   **::ffff:IPv4\_address**.
-
-    -   **::1** - localhost.
-
--   **Client Port** \[Type = UnicodeString\]: source port number of client network connection (TGT request connection).
-
-    -   0 for local (localhost) requests.
-
-**Additional information:**
-
--   **Ticket Options** \[Type = HexInt32\]: this is a set of different ticket flags in hexadecimal format.
-
-    Example:
-
-    -   Ticket Options: 0x40810010
-
-    -   Binary view: 01000000100000010000000000010000
-
-    -   Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
-
-> [!NOTE]
-> In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
-> 
-> <img src="images/msb.png" alt="MSB illustration" width="224" height="57" />
-
-The most common values:
-
--   0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
-
--   0x40810000 - Forwardable, Renewable, Canonicalize
-
--   0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
-
-| Bit   | Flag Name                | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0     | Reserved                 | -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 1     | Forwardable              | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 2     | Forwarded                | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| 3     | Proxiable                | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 4     | Proxy                    | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| 5     | Allow-postdate           | Postdated tickets SHOULD NOT be supported in [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) (Microsoft Kerberos Protocol Extension).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 6     | Postdated                | Postdated tickets SHOULD NOT be supported in [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) (Microsoft Kerberos Protocol Extension).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 7     | Invalid                  | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 8     | Renewable                | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| 9     | Initial                  | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| 10    | Pre-authent              | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 11    | Opt-hardware-auth        | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.                                                                                                                                                                                                                                                                                                                                                    |
-| 12    | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 13    | Ok-as-delegate           | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 14    | Request-anonymous        | KILE not use this flag.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| 15    | Name-canonicalize        | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| 16-25 | Unused                   | -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 26    | Disable-transited-check  | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag isn't supported by KILE. |
-| 27    | Renewable-ok             | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.                                                                                                                                                                                                                                                                           |
-| 28    | Enc-tkt-in-skey          | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 29    | Unused                   | -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 30    | Renew                    | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.                                                                                                                                                                                                                                                  |
-| 31    | Validate                 | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-
-## Table 2. Kerberos ticket flags
-
-> [!NOTE]
-> [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) **(Microsoft Kerberos Protocol Extension)** – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels.
-
--   **Result Code** \[Type = HexInt32\]**:** hexadecimal result code of TGT issue operation. The “Table 3. TGT/TGS issue error codes.” contains the list of the most common error codes for this event.
-
-| Code | Code Name                              | Description                                                                 | Possible causes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-|------------------------------------------------------------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x0                                                        | KDC\_ERR\_NONE                         | No error                                                                    | No errors were found.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| 0x1                                                        | KDC\_ERR\_NAME\_EXP                    | Client's entry in KDC database has expired                                  | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x2                                                        | KDC\_ERR\_SERVICE\_EXP                 | Server's entry in KDC database has expired                                  | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x3                                                        | KDC\_ERR\_BAD\_PVNO                    | Requested Kerberos version number not supported                             | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x4                                                        | KDC\_ERR\_C\_OLD\_MAST\_KVNO           | Client's key encrypted in old master key                                    | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x5                                                        | KDC\_ERR\_S\_OLD\_MAST\_KVNO           | Server's key encrypted in old master key                                    | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x6                                                        | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN        | Client not found in Kerberos database                                       | The username doesn’t exist.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0x7                                                        | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN        | Server not found in Kerberos database                                       | This error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name cannot be found.                                                                                                                                                                                                                                                                                                                                                                                                        |
-| 0x8                                                        | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE       | Multiple principal entries in KDC database                                  | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one.                                                                                                                                                                                                                                                                             |
-| 0x9                                                        | KDC\_ERR\_NULL\_KEY                    | The client or server has a null key (master key)                            | No master key was found for client or server. Usually it means that administrator should reset the password on the account.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0xA                                                        | KDC\_ERR\_CANNOT\_POSTDATE             | Ticket (TGT) not eligible for postdating                                    | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future.<br>It also can occur if there is a time difference between the client and the KDC.                                                                                                                                                                                                                                                                                                                                                                   |
-| 0xB                                                        | KDC\_ERR\_NEVER\_VALID                 | Requested start time is later than end time                                 | There is a time difference between the KDC and the client.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 0xC                                                        | KDC\_ERR\_POLICY                       | Requested start time is later than end time                                 | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction.                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 0xD                                                        | KDC\_ERR\_BADOPTION                    | KDC cannot accommodate requested option                                     | Impending expiration of a TGT.<br>The SPN to which the client is attempting to delegate credentials isn't in its Allowed-to-delegate-to list                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| 0xE                                                        | KDC\_ERR\_ETYPE\_NOTSUPP               | KDC has no support for encryption type                                      | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| 0xF                                                        | KDC\_ERR\_SUMTYPE\_NOSUPP              | KDC has no support for checksum type                                        | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket.                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| 0x10                                                       | KDC\_ERR\_PADATA\_TYPE\_NOSUPP         | KDC has no support for PADATA type (pre-authentication data)                | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.<br>It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
-| 0x11                                                       | KDC\_ERR\_TRTYPE\_NO\_SUPP             | KDC has no support for transited type                                       | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x12                                                       | KDC\_ERR\_CLIENT\_REVOKED              | Client’s credentials have been revoked                                      | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out.                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x13                                                       | KDC\_ERR\_SERVICE\_REVOKED             | Credentials for server have been revoked                                    | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x14                                                       | KDC\_ERR\_TGT\_REVOKED                 | TGT has been revoked                                                        | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details.                                                                                                                                                                                                                |
-| 0x15                                                       | KDC\_ERR\_CLIENT\_NOTYET               | Client not yet valid—try again later                                        | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x16                                                       | KDC\_ERR\_SERVICE\_NOTYET              | Server not yet valid—try again later                                        | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x17                                                       | KDC\_ERR\_KEY\_EXPIRED                 | Password has expired—change password to reset                               | The user’s password has expired.                                                                                                                                                                                                                                                                                                                                                     |
-| 0x18                                                       | KDC\_ERR\_PREAUTH\_FAILED              | Pre-authentication information was invalid                                  | The wrong password was provided.<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event.                                                                                                                                                                                                                                                                                                                                                     |
-| 0x19                                                       | KDC\_ERR\_PREAUTH\_REQUIRED            | Additional pre-authentication required                                      | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way.                                                                                                                                                                                              |
-| 0x1A                                                       | KDC\_ERR\_SERVER\_NOMATCH              | KDC does not know about the requested server                                | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x1D                                                       | KDC\_ERR\_SVC\_UNAVAILABLE             | KDC is unavailable                                                          | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x1F                                                       | KRB\_AP\_ERR\_BAD\_INTEGRITY           | Integrity check on decrypted field failed                                   | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise.                                                                                                                                                                                                                                                                                                                                                                     |
-| 0x20                                                       | KRB\_AP\_ERR\_TKT\_EXPIRED             | The ticket has expired                                                      | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message.                                                                                                                                                                                                                                                                                                                                                                                 |
-| 0x21                                                       | KRB\_AP\_ERR\_TKT\_NYV                 | The ticket is not yet valid                                                 | The ticket presented to the server isn't yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.<br>If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well.                                                                                                                                                                                                                                           |
-| 0x22                                                       | KRB\_AP\_ERR\_REPEAT                   | The request is a replay                                                     | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received.                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x23                                                       | KRB\_AP\_ERR\_NOT\_US                  | The ticket is not for us                                                    | The server has received a ticket that was meant for a different realm.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| 0x24                                                       | KRB\_AP\_ERR\_BADMATCH                 | The ticket and authenticator do not match                                   | The KRB\_TGS\_REQ is being sent to the wrong KDC.<br>There is an account mismatch during protocol transition.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| 0x25                                                       | KRB\_AP\_ERR\_SKEW                     | The clock skew is too great                                                 | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy.                                                                                                                                                                                                                                                                                                                                                                       |
-| 0x26                                                       | KRB\_AP\_ERR\_BADADDR                  | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid.                                              |
-| 0x27                                                       | KRB\_AP\_ERR\_BADVERSION               | Protocol version numbers don't match (PVNO)                                 | When an application receives a KRB\_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.<br>The message is first checked by verifying that the protocol version and type fields match the current version and KRB\_SAFE, respectively. A mismatch generates a KRB\_AP\_ERR\_BADVERSION.<br>See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details.                                                                                                                                                                                              |
-| 0x28                                                       | KRB\_AP\_ERR\_MSG\_TYPE                | Message type is unsupported                                                 | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages. <br>This error also generated if use of UDP protocol is being attempted with User-to-User authentication.                                                                                                                                                                                                                                                                                                                                                  |
-| 0x29                                                       | KRB\_AP\_ERR\_MODIFIED                 | Message stream modified and checksum didn't match                           | The authentication data was encrypted with the wrong key for the intended server.<br>The authentication data was modified in transit by a hardware or software error, or by an attacker.<br>The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.<br>The client sent the authentication data to the wrong server because DNS data was out-of-date on the client.                                                                                                                                               |
-| 0x2A                                                       | KRB\_AP\_ERR\_BADORDER                 | Message out of order (possible tampering)                                   | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details.                                                                                                                                                                                                                                                                                                                                                                                             |
-| 0x2C                                                       | KRB\_AP\_ERR\_BADKEYVER                | Specified version of key isn't available                                   | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ isn't one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned.                                                                                                                                                                                                                                                                                          |
-| 0x2D                                                       | KRB\_AP\_ERR\_NOKEY                    | Service key not available                                                   | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket.                                                                                                                                         |
-| 0x2E                                                       | KRB\_AP\_ERR\_MUT\_FAIL                | Mutual authentication failed                                                | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x2F                                                       | KRB\_AP\_ERR\_BADDIRECTION             | Incorrect message direction                                                 | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x30                                                       | KRB\_AP\_ERR\_METHOD                   | Alternative authentication method required                                  | According to [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| 0x31                                                       | KRB\_AP\_ERR\_BADSEQ                   | Incorrect sequence number in message                                        | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x32                                                       | KRB\_AP\_ERR\_INAPP\_CKSUM             | Inappropriate type of checksum in message (checksum may be unsupported)     | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after that, the user-supplied checksum in the Authenticator MUST be verified against the contents of the request. The message MUST be rejected either if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM).                                                                                                                                                                                                                                 |
-| 0x33                                                       | KRB\_AP\_PATH\_NOT\_ACCEPTED           | Desired path is unreachable                                                 | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x34                                                       | KRB\_ERR\_RESPONSE\_TOO\_BIG           | Too much data                                                               | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails.                                                                                                                                                                                                                                                                                                                                                                                                 |
-| 0x3C                                                       | KRB\_ERR\_GENERIC                      | Generic error                                                               | Group membership has overloaded the PAC.<br>Multiple recent password changes have not propagated.<br>Crypto subsystem error caused by running out of memory.<br>SPN too long.<br>SPN has too many parts.                                                                                                                                                                                                                                                                                                                                                                                             |
-| 0x3D                                                       | KRB\_ERR\_FIELD\_TOOLONG               | Field is too long for this implementation                                   | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream.                                                                                 |
-| 0x3E                                                       | KDC\_ERR\_CLIENT\_NOT\_TRUSTED         | The client trust failed or isn't implemented                               | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller.                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| 0x3F                                                       | KDC\_ERR\_KDC\_NOT\_TRUSTED            | The KDC server trust failed or could not be verified                        | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details.                                                                                                                                                                                                      |
-| 0x40                                                       | KDC\_ERR\_INVALID\_SIG                 | The signature is invalid                                                    | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG.                                                                                                                                                                                                                                                                                                                                                                                       |
-| 0x41                                                       | KDC\_ERR\_KEY\_TOO\_WEAK               | A higher encryption level is needed                                         | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK.                                                                                                                                                                                                                                                                    |
-| 0x42                                                       | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | User-to-user authorization is required                                      | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB\_AP\_REP, the client will send the KRB\_AP\_REP request, and the server will respond with a KRB\_ERROR token as described in [RFC1964](https://tools.ietf.org/html/rfc1964), with a msg-type of KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED.                                                                                                                                                                                                                               |
-| 0x43                                                       | KRB\_AP\_ERR\_NO\_TGT                  | No TGT was presented or available                                           | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 0x44                                                       | KDC\_ERR\_WRONG\_REALM                 | Incorrect domain or principal                                               | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS.                                                                                                                                                                                                                                                                                                                                                                                                                           |
-
-<span id="_Ref432868145" class="anchor"></span>
-
-## Table 3. TGT/TGS issue error codes
-
--   **Ticket Encryption Type** \[Type = HexInt32\]: the cryptographic suite that was used for issued TGT.
-
-
-<span id="kerberos-encryption-types" />
-
-## Table 4. Kerberos encryption types
-
-| Type | Type Name               | Description                                                                       |
-|-----------------------------------------------------------------|-------------------------|-----------------------------------------------------------------------------------|
-| 0x1                                                             | DES-CBC-CRC             | Disabled by default starting from Windows 7 and Windows Server 2008 R2.           |
-| 0x3                                                             | DES-CBC-MD5             | Disabled by default starting from Windows 7 and Windows Server 2008 R2.           |
-| 0x11                                                            | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista.                    |
-| 0x12                                                            | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista.                    |
-| 0x17                                                            | RC4-HMAC                | Default suite for operating systems before Windows Server 2008 and Windows Vista. |
-| 0x18                                                            | RC4-HMAC-EXP            | Default suite for operating systems before Windows Server 2008 and Windows Vista. |
-| 0xFFFFFFFF or 0xffffffff                                        | -                       | This type shows in Audit Failure events.                                          |
-
-
--   **Pre-Authentication Type** \[Type = UnicodeString\]: the code number of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type which was used in TGT request.
-
-<span id="kerberos-preauthentication-types" />
-
-## Table 5. Kerberos Pre-Authentication types
-
-| Type | Type Name              | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
-|------------------------------------------------------------------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0                                                                      | -                      | Logon without Pre-Authentication.                                                                                                                                                                                                                                                                                                                                                                                |
-| 2                                                                      | PA-ENC-TIMESTAMP       | This is a normal type for standard password authentication.                                                                                                                                                                                                                                                                                                                                                      |
-| 11                                                                     | PA-ETYPE-INFO          | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.<br>Never saw this Pre-Authentication Type in Microsoft Active Directory environment.  |
-| 15                                                                     | PA-PK-AS-REP\_OLD      | Used for Smart Card logon authentication.                                                                                                                                                                                                                                                                                                                                                                        |
-| 16                                                                     | PA-PK-AS-REQ           | Request sent to KDC in Smart Card authentication scenarios.                  |
-| 17                                                                     | PA-PK-AS-REP           | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen.                                                                                                                                                                                                                                                                                     |
-| 19                                                                     | PA-ETYPE-INFO2         | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.<br>Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
-| 20                                                                     | PA-SVR-REFERRAL-INFO   | Used in KDC Referrals tickets.                                                                                                                                                                                                                                                                                                                                                                                   |
-| 138                                                                    | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients.                                                                                                                                                                                                                                                                                      |
-| -                                                                      |                        | This type shows in Audit Failure events.                                                                                                                                                                                                                                                                                                                                                                         |
-
-**Certificate Information:**
-
-- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of the Certification Authority that issued the smart card certificate. Populated in **Issued by** field in certificate.
-
-- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate.
-
-- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate.
-
-## Security Monitoring Recommendations
-
-For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
-
-| Type of monitoring required | Recommendation |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts.                                                              |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used.                                                          |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to an “allowlist-only” action, review the **“User ID”** for accounts that are outside the allowlist.                                  |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location.                                                   |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**User ID”** for names that don’t comply with naming conventions.                                                                                     |
-
--   You can track all [4768](event-4768.md) events where the **Client Address** isn't from your internal IP address range or not from private IP address ranges.
-
--   If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** isn't from the allowlist, generate the alert.
-
--   All **Client Address** = `::1` means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = `::1` and **Account Name** isn't allowed to log on to any domain controller.
-
--   All [4768](event-4768.md) events with **Client Port** field value &gt; 0 and &lt; 1024 should be examined, because a well-known port was used for outbound connection.
-
--   Also consider monitoring the fields shown in the following table, to discover the issues listed:
-
-| Field | Issue to discover |
-|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Certificate Issuer Name** | Certification authority name is not from your PKI.                                                                                                                                                                                                                                                                                       |
-| **Certificate Issuer Name** | Certification authority name is not authorized to issue smart card authentication certificates.                                                                                                                                                                                                                                                         |
-| **Pre-Authentication Type** | Value is **0**, which means that pre-authentication was not used. All accounts should use Pre-Authentication, except accounts configured with “Do not require Kerberos preauthentication,” which is a security risk. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).                         |
-| **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).                                                                                                                                                                   |
-| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).                                                                                                                                                 |
-| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).                                                                                                                                  |
-| **Ticket Encryption Type**  | Value is **0x1** or **0x3**, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. For more information, see [Table 4. Kerberos encryption types](#kerberos-encryption-types).                             |
-| **Ticket Encryption Type**  | Starting with Windows Vista and Windows Server 2008, monitor for values **other than 0x11 and 0x12**. These are the expected values, starting with these operating systems, and represent AES-family algorithms. For more information, see [Table 4. Kerberos encryption types](#kerberos-encryption-types).                                            |
-| **Result Code**             | **0x6** (The username doesn't exist), if you see, for example N events in last N minutes. This can be an indicator of account enumeration attack, especially for highly critical accounts.                                                                                                                                                              |
-| **Result Code**             | **0x7** (Server not found in Kerberos database). This error can occur if the domain controller cannot find the server's name in Active Directory.                                                                                                                                                                                                       |
-| **Result Code**             | **0x8** (Multiple principal entries in KDC database). This will help you to find duplicate SPNs faster.                                                                                                                                                                                                                                                 |
-| **Result Code**             | **0x9** (The client or server has a null key (master key)). This error can help you to identify problems with Kerberos authentication faster.                                                                                                                                                                                                           |
-| **Result Code**             | **0xA** (Ticket (TGT) not eligible for postdating). Microsoft systems should not request postdated tickets. These events could help identify anomaly activity.                                                                                                                                                                                          |
-| **Result Code**             | **0xC** (Requested start time is later than end time), if you see, for example N events in last N minutes. This can be an indicator of an account compromise attempt, especially for highly critical accounts.                                                                                                                                          |
-| **Result Code**             | **0xE** (KDC has no support for encryption type). In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. Monitor for these events because this should not happen in a standard Active Directory environment.                                                                                                  |
-| **Result Code**             | **0xF** (KDC has no support for checksum type). Monitor for these events because this should not happen in a standard Active Directory environment.                                                                                                                                                                                                     |
-| **Result Code**             | **0x12** (Client's credentials have been revoked), if you see, for example N events in last N minutes. This can be an indicator of anomaly activity or brute-force attack, especially for highly critical accounts.                                                                                                                                     |
-| **Result Code**             | **0x1F** (Integrity check on decrypted field failed). The authenticator was encrypted with something other than the session key. The result is that the KDC cannot decrypt the TGT. The modification of the message could be the result of an attack or it could be because of network noise.                                                           |
-| **Result Code**             | **0x22** (The request is a replay). This error indicates that a specific authenticator showed up twice—the KDC has detected that this session ticket duplicates one that it has already received. It could be a sign of attack attempt.                                                                                                                 |
-| **Result Code**             | **0x29** (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment. |
-| **Result Code**             | **0x3C** (Generic error). This error can help you more quickly identify problems with Kerberos authentication.                                                                                                                                                                                                                                          |
-| **Result Code**             | **0x3E** (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a domain controller.                                                               |
-| **Result Code**             | **0x3F**, **0x40**, **0x41** errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication.                                                                                                                                                                                                          |
diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
deleted file mode 100644
index dde7e668e1..0000000000
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ /dev/null
@@ -1,293 +0,0 @@
----
-title: 4769(S, F) A Kerberos service ticket was requested. 
-description: Describes security event 4769(S, F) A Kerberos service ticket was requested.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4769(S, F): A Kerberos service ticket was requested.
-
-
-<img src="images/event-4769.png" alt="Event 4769 illustration" width="512" height="678" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
-
-***Event Description:***
-
-This event generates every time Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request.
-
-This event generates only on domain controllers.
-
-If TGS issue fails then you'll see Failure event with **Failure Code** field not equal to “**0x0**”.
-
-You'll typically see many Failure events with **Failure Code** “**0x20**”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
-<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
-<EventID>4769</EventID>
-<Version>0</Version>
-<Level>0</Level>
-<Task>14337</Task>
-<Opcode>0</Opcode>
-<Keywords>0x8020000000000000</Keywords>
-<TimeCreated SystemTime="2015-08-07T18:13:46.043256100Z" />
-<EventRecordID>166746</EventRecordID>
-<Correlation />
-<Execution ProcessID="520" ThreadID="1496" />
-<Channel>Security</Channel>
-<Computer>DC01.contoso.local</Computer>
-<Security />
-</System>
-- <EventData>
-<Data Name="TargetUserName">dadmin@CONTOSO.LOCAL</Data>
-<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
-<Data Name="ServiceName">WIN2008R2$</Data>
-<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-2102</Data>
-<Data Name="TicketOptions">0x40810000</Data>
-<Data Name="TicketEncryptionType">0x12</Data>
-<Data Name="IpAddress">::ffff:10.0.0.12</Data>
-<Data Name="IpPort">49272</Data>
-<Data Name="Status">0x0</Data>
-<Data Name="LogonGuid">{F85C455E-C66E-205C-6B39-F6C60A7FE453}</Data>
-<Data Name="TransmittedServices">-</Data>
-</EventData>
-</Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Account Information:**
-
-- **Account Name** \[Type = UnicodeString\]**:** the user name of the account that requested the ticket in the User Principal Name (UPN) syntax. Computer account name ends with **$** character in the user name part. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME.
-
-  - User account example: dadmin@CONTOSO.LOCAL
-
-  - Computer account example: WIN81$@CONTOSO.LOCAL
-
-    > **Note** Although this field is in the UPN format, this isn't the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory domain name.
-
-    This parameter in this event is optional and can be empty in some cases.
-
-- **Account Domain** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. This can appear in a variety of formats, including the following:
-
-  -   Domain NETBIOS name example: CONTOSO
-
-  -   Lowercase full domain name: contoso.local
-
-  -   Uppercase full domain name: CONTOSO.LOCAL
-
-      This parameter in this event is optional and can be empty in some cases.
-
-- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event (on a domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same **Logon GUID**. These events are “[4624](event-4624.md): An account was successfully logged on”, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.”
-
-  This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
-**Service Information:**
-
--   **Service Name** \[Type = UnicodeString\]: the name of the account or computer for which the TGS ticket was requested.
-
-    -   This parameter in this event is optional and can be empty in some cases.
-
--   **Service ID** \[Type = SID\]**:** SID of the account or computer object for which the TGS ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-    -   **NULL SID** – this value shows in Failure events.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it can't ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
-**Network Information:**
-
--   **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGS request was received. Formats vary, and include the following:
-
-    -   **IPv6** or **IPv4** address.
-
-    -   **::ffff:IPv4\_address**.
-
-    -   **::1** - localhost.
-
--   **Client Port** \[Type = UnicodeString\]: source port number of client network connection (TGS request connection).
-
-    -   0 for local (localhost) requests.
-
-**Additional information:**
-
--   **Ticket Options**: \[Type = HexInt32\]: this is a set of different Ticket Flags in hexadecimal format.
-
-    Example:
-
-    -   Ticket Options: 0x40810010
-
-    -   Binary view: 01000000100000010000000000010000
-
-    -   Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
-
-> **Note**&nbsp;&nbsp;In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.<br><img src="images/msb.png" alt="MSB illustration" width="224" height="57" />
-
-The most common values:
-
--   0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
-
--   0x40810000 - Forwardable, Renewable, Canonicalize
-
--   0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
-
-|                  Bit                  |        Flag Name         |                                                                                                                                                                                                                                                                                                                   Description                                                                                                                                                                                                                                                                                                                    |
-|---------------------------------------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|                   0                   |         Reserved         |                                                                                                                                                                                                                                                                                                                        -                                                                                                                                                                                                                                                                                                                         |
-|                   1                   |       Forwardable        |                                                                                                                                                                                                                                        (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT.                                                                                                                                                                                                                                         |
-|                   2                   |        Forwarded         |                                                                                                                                                                                                                                                                         Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.                                                                                                                                                                                                                                                                         |
-|                   3                   |        Proxiable         |                                                                                                                                                                                                                                                       (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.                                                                                                                                                                                                                                                       |
-|                   4                   |          Proxy           |                                                                                                                                                                                                                                                                 Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.                                                                                                                                                                                                                                                                 |
-|                   5                   |      Allow-postdate      |                                                                                                                                                                                                                                                  Postdated tickets SHOULD NOT be supported in [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) (Microsoft Kerberos Protocol Extension).                                                                                                                                                                                                                                                  |
-|                   6                   |        Postdated         |                                                                                                                                                                                                                                                  Postdated tickets SHOULD NOT be supported in [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) (Microsoft Kerberos Protocol Extension).                                                                                                                                                                                                                                                  |
-|                   7                   |         Invalid          |                                                                                                                                                                                                                                         This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set.                                                                                                                                                                                                                                          |
-|                   8                   |        Renewable         |                                                                                                                                                                                                                                                     Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.                                                                                                                                                                                                                                                     |
-|                   9                   |         Initial          |                                                                                                                                                                                                                                                                 Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.                                                                                                                                                                                                                                                                 |
-|                  10                   |       Pre-authent        |                                                                                                                                                                                                    Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.                                                                                                                                                                                                    |
-|                  11                   |    Opt-hardware-auth     |                                                                                                                                                                    This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.                                                                                                                                                                     |
-|                  12                   | Transited-policy-checked |                                                                                                                                                                                                                                                        KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.                                                                                                                                                                                                                                                         |
-|                  13                   |      Ok-as-delegate      |                                                                                                                                                                                                                                                                            The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.                                                                                                                                                                                                                                                                            |
-|                  14                   |    Request-anonymous     |                                                                                                                                                                                                                                                                                                             KILE not use this flag.                                                                                                                                                                                                                                                                                                              |
-|                  15                   |    Name-canonicalize     |                                                                                                                                                                                                                                                        In order to request referrals the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ.                                                                                                                                                                                                                                                        |
-|                 16-25                 |          Unused          |                                                                                                                                                                                                                                                                                                                        -                                                                                                                                                                                                                                                                                                                         |
-|                  26                   | Disable-transited-check  | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag isn't supported by KILE. |
-|                  27                   |       Renewable-ok       |                                                                                                                                The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life can't otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.                                                                                                                                |
-|                  28                   |     Enc-tkt-in-skey      |                                                                                                                                                                                                                                                                                                                 No information.                                                                                                                                                                                                                                                                                                                  |
-|                  29                   |          Unused          |                                                                                                                                                                                                                                                                                                                        -                                                                                                                                                                                                                                                                                                                         |
-|                  30                   |          Renew           |                                                                                                                    The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field hasn't passed. The ticket to be renewed is passed in the padata field as part of the authentication header.                                                                                                                    |
-|                  31                   |         Validate         |                         This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. |
-
--   **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS.
-
-| Type                     | Type Name               | Description                                                                       |
-|--------------------------|-------------------------|-----------------------------------------------------------------------------------|
-| 0x1                      | DES-CBC-CRC             | Disabled by default starting from Windows 7 and Windows Server 2008 R2.           |
-| 0x3                      | DES-CBC-MD5             | Disabled by default starting from Windows 7 and Windows Server 2008 R2.           |
-| 0x11                     | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista.                    |
-| 0x12                     | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista.                    |
-| 0x17                     | RC4-HMAC                | Default suite for operating systems before Windows Server 2008 and Windows Vista. |
-| 0x18                     | RC4-HMAC-EXP            | Default suite for operating systems before Windows Server 2008 and Windows Vista. |
-| 0xFFFFFFFF or 0xffffffff | -                       | This type shows in Audit Failure events.                                          |
-
--   **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. 
-Some errors are only reported when you set [KdcExtraLogLevel](/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry key value with the following flags:
-- 0x01: Audit SPN unknown errors.
-- 0x10: Log audit events on encryption type (ETYPE) and bad options errors.
-
-The table below contains the list of the most common error codes for this event:
-
-| Code | Code Name                              | Description                                                                 | Possible causes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-|------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x0  | KDC\_ERR\_NONE                         | No error                                                                    | No errors were found.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| 0x1  | KDC\_ERR\_NAME\_EXP                    | Client's entry in KDC database has expired                                  | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x2  | KDC\_ERR\_SERVICE\_EXP                 | Server's entry in KDC database has expired                                  | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x3  | KDC\_ERR\_BAD\_PVNO                    | Requested Kerberos version number not supported                             | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x4  | KDC\_ERR\_C\_OLD\_MAST\_KVNO           | Client's key encrypted in old master key                                    | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x5  | KDC\_ERR\_S\_OLD\_MAST\_KVNO           | Server's key encrypted in old master key                                    | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x6  | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN        | Client not found in Kerberos database                                       | The username doesn’t exist.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0x7  | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN        | Server not found in Kerberos database                                       | This error can occur if the domain controller can't find the server’s name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name can't be found.                                                                                                                                                                                                                                                                                                                                                                                                        |
-| 0x8  | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE       | Multiple principal entries in KDC database                                  | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one.                                                                                                                                                                                                                                                                             |
-| 0x9  | KDC\_ERR\_NULL\_KEY                    | The client or server has a null key (master key)                            | No master key was found for client or server. Usually it means that administrator should reset the password on the account.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| 0xA  | KDC\_ERR\_CANNOT\_POSTDATE             | Ticket (TGT) not eligible for postdating                                    | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future.<br>It also can occur if there is a time difference between the client and the KDC.                                                                                                                                                                                                                                                                                                                                                                   |
-| 0xB  | KDC\_ERR\_NEVER\_VALID                 | Requested start time is later than end time                                 | There's a time difference between the KDC and the client.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 0xC  | KDC\_ERR\_POLICY                       | Requested start time is later than end time                                 | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction.                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 0xD  | KDC\_ERR\_BADOPTION                    | KDC cannot accommodate requested option                                     | Impending expiration of a TGT.<br>The SPN to which the client is attempting to delegate credentials isn't in its Allowed-to-delegate-to list                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| 0xE  | KDC\_ERR\_ETYPE\_NOTSUPP               | KDC has no support for encryption type                                      | In general, this error occurs when the KDC or a client receives a packet that it can't decrypt.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| 0xF  | KDC\_ERR\_SUMTYPE\_NOSUPP              | KDC has no support for checksum type                                        | The KDC, server, or client receives a packet for which it doesn't have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket.                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP         | KDC has no support for PADATA type (pre-authentication data)                | Smart card logon is being attempted and the proper certificate can't be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA can't be contacted.<br>It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).<br>This error code can't occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
-| 0x11 | KDC\_ERR\_TRTYPE\_NO\_SUPP             | KDC has no support for transited type                                       | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x12 | KDC\_ERR\_CLIENT\_REVOKED              | Client’s credentials have been revoked                                      | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out.                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x13 | KDC\_ERR\_SERVICE\_REVOKED             | Credentials for server have been revoked                                    | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x14 | KDC\_ERR\_TGT\_REVOKED                 | TGT has been revoked                                                        | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details.                                                                                                                                                                                                                |
-| 0x15 | KDC\_ERR\_CLIENT\_NOTYET               | Client not yet valid—try again later                                        | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x16 | KDC\_ERR\_SERVICE\_NOTYET              | Server not yet valid—try again later                                        | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x17 | KDC\_ERR\_KEY\_EXPIRED                 | Password has expired—change password to reset                               | The user’s password has expired.<br>This error code can't occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event.                                                                                                                                                                                                                                                                                                                                                     |
-| 0x18 | KDC\_ERR\_PREAUTH\_FAILED              | Pre-authentication information was invalid                                  | The wrong password was provided.<br>This error code can't occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event.                                                                                                                                                                                                                                                                                                                                                     |
-| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED            | Additional pre-authentication required                                      | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients don't request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way.                                                                                                                                                                                              |
-| 0x1A | KDC\_ERR\_SERVER\_NOMATCH              | KDC does not know about the requested server                                | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER         | Server principal valid for user2user only                                   | This error occurs because the service is missing an SPN.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY           | Integrity check on decrypted field failed                                   | The authenticator was encrypted with something other than the session key. The result is that the client can't decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise.                                                                                                                                                                                                                                                                                                                                                                     |
-| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED             | The ticket has expired                                                      | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message.                                                                                                                                                                                                                                                                                                                                                                                 |
-| 0x21 | KRB\_AP\_ERR\_TKT\_NYV                 | The ticket is not yet valid                                                 | The ticket presented to the server isn't yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client aren't synchronized.<br>If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well.                                                                                                                                                                                                                                           |
-| 0x22 | KRB\_AP\_ERR\_REPEAT                   | The request is a replay                                                     | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received.                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x23 | KRB\_AP\_ERR\_NOT\_US                  | The ticket is not for us                                                    | The server has received a ticket that was meant for a different realm.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| 0x24 | KRB\_AP\_ERR\_BADMATCH                 | The ticket and authenticator do not match                                   | The KRB\_TGS\_REQ is being sent to the wrong KDC.<br>There's an account mismatch during protocol transition.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| 0x25 | KRB\_AP\_ERR\_SKEW                     | The clock skew is too great                                                 | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy.                                                                                                                                                                                                                                                                                                                                                                       |
-| 0x26 | KRB\_AP\_ERR\_BADADDR                  | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid.                                              |
-| 0x27 | KRB\_AP\_ERR\_BADVERSION               | Protocol version numbers don't match (PVNO)                                 | When an application receives a KRB\_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.<br>The message is first checked by verifying that the protocol version and type fields match the current version and KRB\_SAFE, respectively. A mismatch generates a KRB\_AP\_ERR\_BADVERSION.<br>See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details.                                                                                                                                                                                              |
-| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE                | Message type is unsupported                                                 | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages. <br>This error also generated if use of UDP protocol is being attempted with User-to-User authentication.                                                                                                                                                                                                                                                                                                                                                  |
-| 0x29 | KRB\_AP\_ERR\_MODIFIED                 | Message stream modified and checksum didn't match                           | The authentication data was encrypted with the wrong key for the intended server.<br>The authentication data was modified in transit by a hardware or software error, or by an attacker.<br>The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.<br>The client sent the authentication data to the wrong server because DNS data was out-of-date on the client.                                                                                                                                               |
-| 0x2A | KRB\_AP\_ERR\_BADORDER                 | Message out of order (possible tampering)                                   | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details.                                                                                                                                                                                                                                                                                                                                                                                             |
-| 0x2C | KRB\_AP\_ERR\_BADKEYVER                | Specified version of key is not available                                   | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ isn't one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned.                                                                                                                                                                                                                                                                                          |
-| 0x2D | KRB\_AP\_ERR\_NOKEY                    | Service key not available                                                   | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket.                                                                                                                                         |
-| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL                | Mutual authentication failed                                                | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x2F | KRB\_AP\_ERR\_BADDIRECTION             | Incorrect message direction                                                 | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x30 | KRB\_AP\_ERR\_METHOD                   | Alternative authentication method required                                  | According to [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| 0x31 | KRB\_AP\_ERR\_BADSEQ                   | Incorrect sequence number in message                                        | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM             | Inappropriate type of checksum in message (checksum may be unsupported)     | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums don't match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM).                                                                                                                                                                                                                                          |
-| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED           | Desired path is unreachable                                                 | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG           | Too much data                                                               | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails.                                                                                                                                                                                                                                                                                                                                                                                                 |
-| 0x3C | KRB\_ERR\_GENERIC                      | Generic error                                                               | Group membership has overloaded the PAC.<br>Multiple recent password changes haven't propagated.<br>Crypto subsystem error caused by running out of memory.<br>SPN too long.<br>SPN has too many parts.                                                                                                                                                                                                                                                                                                                                                                                             |
-| 0x3D | KRB\_ERR\_FIELD\_TOOLONG               | Field is too long for this implementation                                   | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that doesn't understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream.                                                                                 |
-| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED         | The client trust failed or is not implemented                               | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller.                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED            | The KDC server trust failed or could not be verified                        | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client doesn't possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details.                                                                                                                                                                                                      |
-| 0x40 | KDC\_ERR\_INVALID\_SIG                 | The signature is invalid                                                    | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG.                                                                                                                                                                                                                                                                                                                                                                                       |
-| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK               | A higher encryption level is needed                                         | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they don't (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK.                                                                                                                                                                                                                                                                    |
-| 0x42 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | User-to-user authorization is required                                      | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB\_AP\_REP, the client will send the KRB\_AP\_REP request, and the server will respond with a KRB\_ERROR token as described in [RFC1964](https://tools.ietf.org/html/rfc1964), with a msg-type of KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED.                                                                                                                                                                                                                               |
-| 0x43 | KRB\_AP\_ERR\_NO\_TGT                  | No TGT was presented or available                                           | In user-to-user authentication if the service doesn't possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 0x44 | KDC\_ERR\_WRONG\_REALM                 | Incorrect domain or principal                                               | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS.                                                                                                                                                                                                                                                                                                                                                                                                                           |
-
--   **Transited Services** \[Type = UnicodeString\]: this field contains list of SPNs which were requested if constrained Kerberos delegation was used. 
-
-> **Note**&nbsp;&nbsp;**Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-
-## Security Monitoring Recommendations
-
-For 4769(S, F): A Kerberos service ticket was requested.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                                       |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the high-value account or accounts.                                                              |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Account Information\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the accounts that should never be used.                                                          |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that aren't allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Account Information\\Account Domain”** corresponding to another domain or “external” location.                                                             |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Account Information\\Account Name”** that you are concerned about.                             |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**User ID”** for names that don’t comply with naming conventions.                                                                                                               |
-
--   If you know that **Account Name** should never request any tickets for (that is, never get access to) a particular computer account or service account, monitor for [4769](event-4769.md) events with the corresponding **Account Name** and **Service ID** fields.
-
--   You can track all [4769](event-4769.md) events where the **Client Address** isn't from your internal IP range or not from private IP ranges.
-
--   If you know that **Account Name** should be able to request tickets (should be used) only from a known allow list of IP addresses, track all **Client Address** values for this **Account Name** in [4769](event-4769.md) events. If **Client Address** isn't from your allow list of IP addresses, generate the alert.
-
--   All **Client Address** = `::1` means local TGS requests, which means that the **Account Name** logged on to a domain controller before making the TGS request. If you have an allow list of accounts allowed to log on to domain controllers, monitor events with **Client Address** = `::1` and any **Account Name** outside the allow list.
-
--   All [4769](event-4769.md) events with **Client Port** field value &gt; 0 and &lt; 1024 should be examined, because a well-known port was used for outbound connection.
-
--   Monitor for a **Ticket Encryption Type** of **0x1** or **0x3**, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2.
-
--   Starting with Windows Vista and Windows Server 2008, monitor for a **Ticket Encryption Type** other than **0x11 and 0x12**. These are the expected values, starting with these operating systems, and represent AES-family algorithms.
-
--   If you have a list of important **Failure Codes**, monitor for these codes.
diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md
deleted file mode 100644
index 398468db3c..0000000000
--- a/windows/security/threat-protection/auditing/event-4770.md
+++ /dev/null
@@ -1,182 +0,0 @@
----
-title: 4770(S) A Kerberos service ticket was renewed. 
-description: Describes security event 4770(S) A Kerberos service ticket was renewed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4770(S): A Kerberos service ticket was renewed.
-
-
-<img src="images/event-4770.png" alt="Event 4770 illustration" width="449" height="524" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
-
-***Event Description:***
-
-This event generates for every Ticket Granting Service (TGS) ticket renewal.
-
-This event generates only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4770</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14337</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-07T03:26:23.466552900Z" /> 
- <EventRecordID>166481</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1084" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">WIN2008R2$@CONTOSO.LOCAL</Data> 
- <Data Name="TargetDomainName">CONTOSO.LOCAL</Data> 
- <Data Name="ServiceName">krbtgt</Data> 
- <Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data> 
- <Data Name="TicketOptions">0x2</Data> 
- <Data Name="TicketEncryptionType">0x12</Data> 
- <Data Name="IpAddress">::ffff:10.0.0.12</Data> 
- <Data Name="IpPort">49964</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Account Information:**
-
-- **Account Name** \[Type = UnicodeString\]**:** the User Principal Name (UPN) of the account that requested ticket renewal. Computer account name ends with **$** character in UPN. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME.
-
-  - User account example: dadmin@CONTOSO.LOCAL
-
-  - Computer account example: WIN81$@CONTOSO.LOCAL
-
-    This parameter in this event is optional and can be empty in some cases.
-
-- **Account Domain** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. This can appear in a variety of formats, including the following:
-
-  -   Domain NETBIOS name example: CONTOSO
-
-  -   Lowercase full domain name: contoso.local
-
-  -   Uppercase full domain name: CONTOSO.LOCAL
-
-      This parameter in this event is optional and can be empty in some cases.
-
-**Service Information:**
-
--   **Service Name** \[Type = UnicodeString\]: the name of the account or computer for which the TGS ticket was renewed.
-
-    -   This parameter in this event is optional and can be empty in some cases.
-
--   **Service ID** \[Type = SID\]**:** SID of the account or computer object for which the TGS ticket was renewed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
-**Network Information:**
-
--   **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGS renewal request was received. Formats vary, and include the following:
-
-    -   **IPv6** or **IPv4** address.
-
-    -   **::ffff:IPv4\_address**.
-
-    -   **::1** - localhost.
-
--   **Client Port** \[Type = UnicodeString\]: source port number of client network connection (TGS renewal request connection).
-
-    -   0 for local (localhost) requests.
-
-**Additional information:**
-
--   **Ticket Options**: \[Type = HexInt32\]: this is a set of different Ticket Flags in hexadecimal format.
-
-    Example:
-
-    -   Ticket Options: 0x40810010
-
-    -   Binary view: 01000000100000010000000000010000
-
-    -   Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
-
-> **Note**&nbsp;&nbsp;In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.<br><img src="images/msb.png" alt="MSB illustration" width="224" height="57" />
-
-The most common values:
-
--   0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
-
--   0x40810000 - Forwardable, Renewable, Canonicalize
-
--   0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
-
-| Bit   | Flag Name                | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0     | Reserved                 | -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 1     | Forwardable              | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 2     | Forwarded                | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| 3     | Proxiable                | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 4     | Proxy                    | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| 5     | Allow-postdate           | Postdated tickets SHOULD NOT be supported in [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) (Microsoft Kerberos Protocol Extension).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 6     | Postdated                | Postdated tickets SHOULD NOT be supported in [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) (Microsoft Kerberos Protocol Extension).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 7     | Invalid                  | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 8     | Renewable                | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| 9     | Initial                  | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| 10    | Pre-authent              | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 11    | Opt-hardware-auth        | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.                                                                                                                                                                                                                                                                                                                                                    |
-| 12    | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 13    | Ok-as-delegate           | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 14    | Request-anonymous        | KILE not use this flag.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| 15    | Name-canonicalize        | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| 16-25 | Unused                   | -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 26    | Disable-transited-check  | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag is not supported by KILE. |
-| 27    | Renewable-ok             | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.                                                                                                                                                                                                                                                                           |
-| 28    | Enc-tkt-in-skey          | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 29    | Unused                   | -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 30    | Renew                    | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in it’s renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.                                                                                                                                                                                                                                                  |
-| 31    | Validate                 | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-
--   **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used in renewed TGS.
-
-| Type                     | Type Name               | Description                                                                       |
-|--------------------------|-------------------------|-----------------------------------------------------------------------------------|
-| 0x1                      | DES-CBC-CRC             | Disabled by default starting from Windows 7 and Windows Server 2008 R2.           |
-| 0x3                      | DES-CBC-MD5             | Disabled by default starting from Windows 7 and Windows Server 2008 R2.           |
-| 0x11                     | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista.                    |
-| 0x12                     | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista.                    |
-| 0x17                     | RC4-HMAC                | Default suite for operating systems before Windows Server 2008 and Windows Vista. |
-| 0x18                     | RC4-HMAC-EXP            | Default suite for operating systems before Windows Server 2008 and Windows Vista. |
-| 0xFFFFFFFF or 0xffffffff | -                       | This type shows in Audit Failure events.                                          |
-
-
-## Security Monitoring Recommendations
-
-For 4770(S): A Kerberos service ticket was renewed.
-
--   This event typically has informational only purpose.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
deleted file mode 100644
index cfe1bcfb82..0000000000
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ /dev/null
@@ -1,294 +0,0 @@
----
-title: 4771(F) Kerberos pre-authentication failed. 
-description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.collection: 
-  - highpri
-  - tier3
-ms.topic: reference
----
-
-# 4771(F): Kerberos pre-authentication failed.
-
-
-<img src="images/event-4771.png" alt="Event 4771 illustration" width="496" height="657" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
-
-***Event Description:***
-
-This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the user's password has expired, or the wrong password was provided.
-
-This event generates only on domain controllers.
-
-This event is not generated if "Do not require Kerberos preauthentication" option is set for the account.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4771</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14339</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-07T18:10:21.495462300Z" /> 
- <EventRecordID>166708</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1084" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="ServiceName">krbtgt/CONTOSO.LOCAL</Data> 
- <Data Name="TicketOptions">0x40810010</Data> 
- <Data Name="Status">0x10</Data> 
- <Data Name="PreAuthType">15</Data> 
- <Data Name="IpAddress">::ffff:10.0.0.12</Data> 
- <Data Name="IpPort">49254</Data> 
- <Data Name="CertIssuerName" /> 
- <Data Name="CertSerialNumber" /> 
- <Data Name="CertThumbprint" /> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Account Information:**
-
--   **Security ID** \[Type = SID\]**:** SID of account object for which (TGT) ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-    For example: CONTOSO\\dadmin or CONTOSO\\WIN81$.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name:** \[Type = UnicodeString\]**:** the name of account, for which (TGT) ticket was requested. Computer account name ends with **$** character.
-
-    -   User account example: dadmin
-
-    -   Computer account example: WIN81$
-
-**Service Information:**
-
--   **Service Name** \[Type = UnicodeString\]: the name of the service in the Kerberos Realm to which TGT request was sent. Typically has one of the following formats:
-
-    -   krbtgt/DOMAIN\_NETBIOS\_NAME. Example: krbtgt/CONTOSO
-
-    -   krbtgt/DOMAIN\_FULL\_NAME. Example: krbtgt/CONTOSO.LOCAL
-
-**Network Information:**
-
--   **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Here are some examples of formats:
-
-    -   **IPv6** or **IPv4** address.
-
-    -   **::ffff:IPv4\_address**.
-
-    -   **::1** - localhost.
-
--   **Client Port** \[Type = UnicodeString\]: source port number of client network connection (TGT request connection).
-
-    -   0 for local (localhost) requests.
-
-**Additional Information:**
-
--   **Ticket Options**: \[Type = HexInt32\]: this set of different Ticket Flags is in hexadecimal format.
-
-    Example:
-
-    -   Ticket Options: 0x40810010
-
-    -   Binary view: 01000000100000010000000000010000
-
-    -   Using **MSB 0**-bit numbering, we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
-
-> **Note**&nbsp;&nbsp;In the table below **"MSB 0"** bit numbering is used, because RFC documents use this style. In "MSB 0" style bit numbering begins from left.<br><img src="images/msb.png" alt="MSB illustration" width="224" height="57" />
-
-The most common values:
-
--   0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
-
--   0x40810000 - Forwardable, Renewable, Canonicalize
-
--   0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
-
-| Bit   | Flag Name                | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0     | Reserved                 | -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 1     | Forwardable              | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 2     | Forwarded                | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| 3     | Proxiable                | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 4     | Proxy                    | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| 5     | Allow-postdate           | Postdated tickets SHOULD NOT be supported in [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) (Microsoft Kerberos Protocol Extension).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 6     | Postdated                | Postdated tickets SHOULD NOT be supported in [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) (Microsoft Kerberos Protocol Extension).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 7     | Invalid                  | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets that have this flag set.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 8     | Renewable                | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| 9     | Initial                  | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| 10    | Pre-authent              | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 11    | Opt-hardware-auth        | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.                                                                                                                                                                                                                                                                                                                                                    |
-| 12    | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 13    | Ok-as-delegate           | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 14    | Request-anonymous        | KILE does not use this flag.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| 15    | Name-canonicalize        | To request referrals, the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
-| 16-25 | Unused                   | -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 26    | Disable-transited-check  | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag is not supported by KILE. |
-| 27    | Renewable-ok             | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.                                                                                                                                                                                                                                                                           |
-| 28    | Enc-tkt-in-skey          | No information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 29    | Unused                   | -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| 30    | Renew                    | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.                                                                                                                                                                                                                                                   |
-| 31    | Validate                 | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-
-> Table 6. Kerberos ticket flags.
-
--   **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9):
-
-| Code | Code Name                      | Description                                                  | Possible causes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x0         | KDC\_ERR\_NONE                            | No error                                        |
-| 0x1         | KDC\_ERR\_NAME\_EXP                       | Client's entry in database has expired          |
-| 0x2         | KDC\_ERR\_SERVICE\_EXP                    | Server's entry in database has expired          |
-| 0x3         | KDC\_ERR\_BAD\_PVNO                       | Requested protocol version number not supported |
-| 0x4         | KDC\_ERR\_C\_OLD\_MAST\_KVNO              | Client's key encrypted in old master key        |
-| 0x5         | KDC\_ERR\_S\_OLD\_MAST\_KVNO              | Server's key encrypted in old master key        |
-| 0x6         | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN           | Client not found in Kerberos database           |
-| 0x7         | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN           | Server not found in Kerberos database           |
-| 0x8         | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE          | Multiple principal entries in database          |
-| 0x9         | KDC\_ERR\_NULL\_KEY                       | The client or server has a null key             |
-| 0xa         | KDC\_ERR\_CANNOT\_POSTDATE                | Ticket not eligible for postdating              |
-| 0xb         | KDC\_ERR\_NEVER\_VALID                    | Requested starttime is later than end time      |
-| 0xc         | KDC\_ERR\_POLICY                          | KDC policy rejects request                      |
-| 0xd         | KDC\_ERR\_BADOPTION                       | KDC cannot accommodate requested option         |
-| 0xe         | KDC\_ERR\_ETYPE\_NOSUPP                   | KDC has no support for encryption type          |
-| 0xf         | KDC\_ERR\_SUMTYPE\_NOSUPP                 | KDC has no support for checksum type            |
-| 0x10         | KDC\_ERR\_PADATA\_TYPE\_NOSUPP            | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
-| 0x11         | KDC\_ERR\_TRTYPE\_NOSUPP                  | KDC has no support for transited type           |
-| 0x12         | KDC\_ERR\_CLIENT\_REVOKED                 | Clients credentials have been revoked           |
-| 0x13         | KDC\_ERR\_SERVICE\_REVOKED                | Credentials for server have been revoked        |
-| 0x14         | KDC\_ERR\_TGT\_REVOKED                    | TGT has been revoked                            |
-| 0x15         | KDC\_ERR\_CLIENT\_NOTYET                  | Client not yet valid; try again later           |
-| 0x16         | KDC\_ERR\_SERVICE\_NOTYET                 | Server not yet valid; try again later           |
-| 0x17         | KDC\_ERR\_KEY\_EXPIRED                    | Password has expired—change password to reset   |The user's password has expired.
-| 0x18         | KDC\_ERR\_PREAUTH\_FAILED                 | Pre-authentication information was invalid      |The wrong password was provided.
-| 0x19         | KDC\_ERR\_PREAUTH\_REQUIRED               | Additional pre-authentication required          |
-| 0x1a         | KDC\_ERR\_SERVER\_NOMATCH                 | Requested server and ticket don't match         |
-| 0x1b         | KDC\_ERR\_MUST\_USE\_USER2USER            | Server principal valid for user2user only       |
-| 0x1c         | KDC\_ERR\_PATH\_NOT\_ACCEPTED             | KDC Policy rejects transited path               |
-| 0x1d         | KDC\_ERR\_SVC\_UNAVAILABLE                | A service is not available                      |
-| 0x1f         | KRB\_AP\_ERR\_BAD\_INTEGRITY              | Integrity check on decrypted field failed       |
-| 0x20         | KRB\_AP\_ERR\_TKT\_EXPIRED                | Ticket expired                                  |
-| 0x21         | KRB\_AP\_ERR\_TKT\_NYV                    | Ticket not yet valid                            |
-| 0x22         | KRB\_AP\_ERR\_REPEAT                      | Request is a replay                             |
-| 0x23         | KRB\_AP\_ERR\_NOT\_US                     | The ticket isn't for us                         |
-| 0x24         | KRB\_AP\_ERR\_BADMATCH                    | Ticket and authenticator don't match            |
-| 0x25         | KRB\_AP\_ERR\_SKEW                        | Clock skew too great                            |
-| 0x26         | KRB\_AP\_ERR\_BADADDR                     | Incorrect net address                           |
-| 0x27         | KRB\_AP\_ERR\_BADVERSION                  | Protocol version mismatch                       |
-| 0x28         | KRB\_AP\_ERR\_MSG\_TYPE                   | Invalid msg type                                |
-| 0x29         | KRB\_AP\_ERR\_MODIFIED                    | Message stream modified                         |
-| 0x2a         | KRB\_AP\_ERR\_BADORDER                    | Message out of order                            |
-| 0x2c         | KRB\_AP\_ERR\_BADKEYVER                   | Specified version of key is not available       |
-| 0x2d         | KRB\_AP\_ERR\_NOKEY                       | Service key not available                       |
-| 0x2e         | KRB\_AP\_ERR\_MUT\_FAIL                   | Mutual authentication failed                    |
-| 0x2f         | KRB\_AP\_ERR\_BADDIRECTION                | Incorrect message direction                     |
-| 0x30         | KRB\_AP\_ERR\_METHOD                      | Alternative authentication method required      |
-| 0x31         | KRB\_AP\_ERR\_BADSEQ                      | Incorrect sequence number in message            |
-| 0x32         | KRB\_AP\_ERR\_INAPP\_CKSUM                | Inappropriate type of checksum in message       |
-| 0x33         | KRB\_AP\_PATH\_NOT\_ACCEPTED              | Policy rejects transited path                   |
-| 0x34         | KRB\_ERR\_RESPONSE\_TOO\_BIG              | Response too big for UDP; retry with TCP        |
-| 0x3c         | KRB\_ERR\_GENERIC                         | Generic error (description in e-text)           |
-| 0x3d         | KRB\_ERR\_FIELD\_TOOLONG                  | Field is too long for this implementation       |
-| 0x3e         | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED          | Reserved for PKINIT                             |
-| 0x3f         | KDC\_ERROR\_KDC\_NOT\_TRUSTED             | Reserved for PKINIT                             |
-| 0x40         | KDC\_ERROR\_INVALID\_SIG                  | Reserved for PKINIT                             |
-| 0x41         | KDC\_ERR\_KEY\_TOO\_WEAK                  | Reserved for PKINIT                             |
-| 0x42         | KDC\_ERR\_CERTIFICATE\_MISMATCH           | Reserved for PKINIT                             |
-| 0x43         | KRB\_AP\_ERR\_NO\_TGT                     | No TGT available to validate USER-TO-USER       |
-| 0x44         | KDC\_ERR\_WRONG\_REALM                    | Reserved for future use                         |
-| 0x45         | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED    | Ticket must be for USER-TO-USER                 |
-| 0x46         | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE       | Reserved for PKINIT                             |
-| 0x47         | KDC\_ERR\_INVALID\_CERTIFICATE            | Reserved for PKINIT                             |
-| 0x48         | KDC\_ERR\_REVOKED\_CERTIFICATE            | Reserved for PKINIT                             |
-| 0x49         | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN     | Reserved for PKINIT                             |
-| 0x4a         | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT                             |
-| 0x4b         | KDC\_ERR\_CLIENT\_NAME\_MISMATCH          | Reserved for PKINIT                             |
-| 0x4c         | KDC\_ERR\_KDC\_NAME\_MISMATCH             | Reserved for PKINIT                             |                                                                   
-
--   **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type that was used in TGT request.
-
-<span id="kerberos-preauthentication-types" />
-## Table 5. Kerberos Pre-Authentication types.
-
-| Type | Type Name              | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
-|------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0    | -                      | Logon without Pre-Authentication.                                                                                                                                                                                                                                                                                                                                                                                |
-| 2    | PA-ENC-TIMESTAMP       | This type is normal for standard password authentication.                                                                                                                                                                                                                                                                                                                                                      |
-| 11   | PA-ETYPE-INFO          | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.<br>Never saw this Pre-Authentication Type in Microsoft Active Directory environment.  |
-| 15   | PA-PK-AS-REP\_OLD      | Used for Smart Card logon authentication.                                                                                                                                                                                                                                                                                                                                                                        |
-| 16   | PA-PK-AS-REQ           | Request sent to KDC in Smart Card authentication scenarios.|
-| 17   | PA-PK-AS-REP           | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen.                                                                                                                                                                                                                                                                                     |
-| 19   | PA-ETYPE-INFO2         | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.<br>Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
-| 20   | PA-SVR-REFERRAL-INFO   | Used in KDC Referrals tickets.                                                                                                                                                                                                                                                                                                                                                                                   |
-| 138  | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients.                                                                                                                                                                                                                                                                                      |
-| -    |                        | This type shows in Audit Failure events.                                                                                                                                                                                                                                                                                                                                                                         |
-
-**Certificate Information:**
-
-- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority that issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
-
-- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate's serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
-
-- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate's thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events.
-
-## Security Monitoring Recommendations
-
-For 4771(F): Kerberos pre-authentication failed.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                 |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"Security ID"** that corresponds to the high-value account or accounts.                                                              |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **"Security ID"** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **"Security ID"** that corresponds to the accounts that should never be used.                                                          |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a "allow list-only" action, review the **"Security ID"** for accounts that are outside the allow list.                                  |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions.                                                                           |
-
--   You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
-
--   If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the allow list, generate the alert.
-
--   All **Client Address** = ::1 means local authentication. If you know the list of accounts that should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
-
--   All [4771](event-4771.md) events with **Client Port** field value &gt; 0 and &lt; 1024 should be examined, because a well-known port was used for outbound connection.
-
--   Also monitor the fields shown in the following table, to discover the issues listed:
-
-| **Field**                   | **Issue to discover**                                                                                                                                                                                                        |
-|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).                                        |
-| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).                      |
-| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).       |
-| **Failure Code**             | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication.                                          |
-| **Failure Code**             | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This issue can indicate a brute-force attack on the account password, especially for highly critical accounts. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md
deleted file mode 100644
index 6222ece1bb..0000000000
--- a/windows/security/threat-protection/auditing/event-4772.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: 4772(F) A Kerberos authentication ticket request failed. 
-description: Describes security event 4772(F) A Kerberos authentication ticket request failed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4772(F): A Kerberos authentication ticket request failed.
-
-
-Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4768](event-4768.md) failure event is generated instead.
-
-***Subcategory:***&nbsp;[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
-
diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md
deleted file mode 100644
index 3741a22b02..0000000000
--- a/windows/security/threat-protection/auditing/event-4773.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: 4773(F) A Kerberos service ticket request failed. 
-description: Describes security event 4773(F) A Kerberos service ticket request failed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4773(F): A Kerberos service ticket request failed.
-
-
-Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4769](event-4769.md) failure event is generated instead.
-
-***Subcategory:***&nbsp;[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
-
diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md
deleted file mode 100644
index 25e3fe2dab..0000000000
--- a/windows/security/threat-protection/auditing/event-4774.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: 4774(S, F) An account was mapped for logon. 
-description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4774(S, F): An account was mapped for logon
-
-***Subcategory:***&nbsp;[Audit Credential Validation](audit-credential-validation.md)
-
-***Event Schema:***
-
-*An account was mapped for logon.*
-
-*Authentication Package:* `<Authentication package>`
-
-*Account UPN:* `<Acccount>@<Domain>`
-
-*Mapped Name:* `<Account>`
-
-***Required Server Roles:*** no information.
-
-***Minimum OS Version:*** no information.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-- There is no recommendation for this event in this document.
diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md
deleted file mode 100644
index 2090c1e52e..0000000000
--- a/windows/security/threat-protection/auditing/event-4775.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: 4775(F) An account could not be mapped for logon. 
-description: Describes security event 4775(F) An account could not be mapped for logon.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4775(F): An account could not be mapped for logon.
-
-
-It appears that this event never occurs.
-
-***Subcategory:***&nbsp;[Audit Credential Validation](audit-credential-validation.md)
-
-***Event Schema:***
-
-*An account could not be mapped for logon.*
-
-*Authentication Package:%1*
-
-*Account Name:%2*
-
-***Required Server Roles:*** no information.
-
-***Minimum OS Version:*** no information.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   <span id="Reccomendations_No_Reccomendations" class="anchor"></span>There is no recommendation for this event in this document.
-
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
deleted file mode 100644
index 7911aa31f0..0000000000
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ /dev/null
@@ -1,151 +0,0 @@
----
-title: 4776(S, F) The computer attempted to validate the credentials for an account. 
-description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/13/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.collection: 
-  - highpri
-  - tier3
-ms.topic: reference
----
-
-# 4776(S, F): The computer attempted to validate the credentials for an account.
-
-
-<img src="images/event-4776.png" alt="Event 4776 illustration" width="459" height="336" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Credential Validation](audit-credential-validation.md)
-
-***Event Description:***
-
-This event generates every time that a credential validation occurs using NTLM authentication.
-
-This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
-
-It shows successful and unsuccessful credential validation attempts.
-
-It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you'll see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) isn't presented in this event.
-
-If a credential validation attempt fails, you'll see a Failure event with **Error Code** parameter value not equal to "**0x0**".
-
-The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.
-
-For monitoring local account logon attempts, it's better to use event "[4624](event-4624.md): An account was successfully logged on" because it contains more details and is more informative.
-
-This event also generates when a workstation unlock event occurs.
-
-This event does *not* generate when a domain account logs on locally to a domain controller.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4776</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14336</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-07-25T04:38:11.003163100Z" /> 
- <EventRecordID>165437</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="532" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="PackageName">MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0</Data> 
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="Workstation">WIN81</Data> 
- <Data Name="Status">0xc0000234</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** no specific requirements.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
--   **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) that was used for credential validation. It's always "**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**" for [4776](event-4776.md) event.
-
-> **Note**&nbsp;&nbsp;**Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](/windows/win32/secgloss/l-gly#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt.
-
--   **Logon Account** \[Type = UnicodeString\]: the name of the account that had its credentials validated by the **Authentication Package**. Can be user name, computer account name or [well-known security principal](/windows/security/identity-protection/access-control/security-identifiers) account name. Examples:
-
-    -   User example: dadmin
-
-    -   Computer account example: WIN81$
-
-    -   Local System account example: Local
-
-    -   Local Service account example: Local Service
-
--   **Source Workstation** \[Type = UnicodeString\]: the name of the computer from which the logon attempt originated.
-
--   **Error Code** \[Type = HexInt32\]: contains error code for Failure events. For Success events this parameter has "**0x0**" value. The table below contains most common error codes for this event:
-
-| Error Code | Description                                                                                                                                                                                                                                                                               |
-|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0xC0000064 | The username you typed does not exist. Bad username.                                                                                                                                                                                                                                      |
-| 0xC000006A | Account logon with misspelled or bad password.                                                                                                                                                                                                                                            |
-| 0xC000006D | -   Generic logon failure.<br>Some of the potential causes for this:<br>An invalid username and/or password was used<br>[LAN Manager Authentication Level](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852207(v=ws.11)) mismatch between the source and target computers. |
-| 0xC000006F | Account logon outside authorized hours.                                                                                                                                                                                                                                                   |
-| 0xC0000070 | Account logon from unauthorized workstation.                                                                                                                                                                                                                                              |
-| 0xC0000071 | Account logon with expired password.                                                                                                                                                                                                                                                      |
-| 0xC0000072 | Account logon to account disabled by administrator.                                                                                                                                                                                                                                       |
-| 0xC0000193 | Account logon with expired account.                                                                                                                                                                                                                                                       |
-| 0xC0000224 | Account logon with "Change Password at Next Logon" flagged.                                                                                                                                                                                                                               |
-| 0xC0000234 | Account logon with account locked.                                                                                                                                                                                                                                                        |
-| 0xC0000371 | The local account store does not contain secret material for the specified account.                                                                                                                                                                                                       |
-| 0x0        | No errors.                                                                                                                                                                                                                                                                                |
-
-> Table 1. Winlogon Error Codes.
-
-## Security Monitoring Recommendations
-
-For 4776(S, F): The computer attempted to validate the credentials for an account.
-
-| **Type of monitoring required**     | **Recommendation**          |
-|-----------------|---------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"Logon Account"** that corresponds to the high-value account or accounts.        |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **"Logon Account"** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"Logon Account"** that should never be used.   |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.   | If this event corresponds to a "allow list-only" action, review the **"Logon Account"** for accounts that are outside the allow list.     |
-| **Restricted-use computers**: You might have certain computers from which certain people (accounts) shouldn't log on.   | Monitor the target **Source Workstation** for credential validation requests from the **"Logon Account"** that you're concerned about.  |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.  | Monitor "**Logon Account"** for names that don't comply with naming conventions. |
-
--   If NTLM authentication shouldn't be used for a specific account, monitor for that account. Don't forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored.
-
--   You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don't forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored.
-
--   If a local account should be used only locally (for example, network logon or terminal services logon isn't allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values.
-
--   Consider tracking the following errors for the reasons listed:
-
-| **Error to track**  | **What the error might indicate**   |
-|----------|----------------|
-| **User logon with misspelled or bad user account**  | For example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts. |
-| **User logon with misspelled or bad password**      | For example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts. |
-| **User logon outside authorized hours**             | Can indicate a compromised account; especially relevant for highly critical accounts.  |
-| **User logon from unauthorized workstation**        | Can indicate a compromised account; especially relevant for highly critical accounts.    |
-| **User logon to account disabled by administrator** | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts.     |
-| **User logon with expired account**                 | Can indicate an account compromise attempt; especially relevant for highly critical accounts.   |
-| **User logon with account locked**                  | Can indicate a brute-force password attack; especially relevant for highly critical accounts.  |
diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md
deleted file mode 100644
index a24c5864eb..0000000000
--- a/windows/security/threat-protection/auditing/event-4777.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: 4777(F) The domain controller failed to validate the credentials for an account. 
-description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4777(F): The domain controller failed to validate the credentials for an account.
-
-
-Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4776](event-4776.md) failure event is generated instead.
-
-***Subcategory:***&nbsp;[Audit Credential Validation](audit-credential-validation.md)
-
diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md
deleted file mode 100644
index 0399f1f5c4..0000000000
--- a/windows/security/threat-protection/auditing/event-4778.md
+++ /dev/null
@@ -1,137 +0,0 @@
----
-title: 4778(S) A session was reconnected to a Window Station. 
-description: Describes security event 4778(S) A session was reconnected to a Window Station.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4778(S): A session was reconnected to a Window Station.
-
-
-<img src="images/event-4778.png" alt="Event 4778 illustration" width="449" height="491" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-
-***Event Description:***
-
-This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](/windows-hardware/drivers/display/fast-user-switching).
-
-This event also generates when user reconnects to virtual host Hyper-V Enhanced Session, for example.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4778</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12551</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-10T23:05:29.743867200Z" /> 
- <EventRecordID>237651</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="504" ThreadID="2212" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="AccountName">ladmin</Data> 
- <Data Name="AccountDomain">CONTOSO</Data> 
- <Data Name="LogonID">0x1e01f6</Data> 
- <Data Name="SessionName">RDP-Tcp\#6</Data> 
- <Data Name="ClientName">WIN81</Data> 
- <Data Name="ClientAddress">10.0.0.100</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which the session was reconnected.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Session:**
-
--   **Session Name** \[Type = UnicodeString\]**:** the name of the session to which the user was reconnected. Examples:
-
-    -   **RDP-Rcp\#N**, where N is a number of session – typical RDP session name.
-
-    -   **Console** – console session, typical for Fast User Switching.
-
-    -   **31C5CE94259D4006A9E4\#3** – example of “Hyper-V Enhanced Session” session name.
-
-        You can see the list of current session’s using “**query session”** command in command prompt. Example of output (see **SESSIONNAME** column):
-
-<img src="images/query-session.png" alt="Query session illustration" width="738" height="125" />
-
-**Additional Information:**
-
--   **Client Name** \[Type = UnicodeString\]: computer name from which the user was reconnected. Has “**Unknown”** value for console session.
-
--   **Client Address** \[Type = UnicodeString\]: IP address of the computer from which the user was reconnected.
-
-    -   IPv6 address or ::ffff:IPv4 address of a client.
-
-    -   ::1 or 127.0.0.1 means localhost.
-
-    -   Has “**LOCAL**” value for console session.
-
-## Security Monitoring Recommendations
-
-For 4778(S): A session was reconnected to a Window Station.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                           |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts.                                                              |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used.                                                          |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list.                                  |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                               |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.                             |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                     |
-
--   If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with **Session Name** = Console.
-
--   If Remote Desktop Connections are not allowed for specific users (**Subject\\Account Name**) or disabled on some computers, then monitor for **Session Name** = RDP-Tcp\# (substring).
-
--   If a specific computer or device (**Client Name** or **Client Address**) should never connect to this computer (**Computer**), monitor for any event with that **Client Name** or **Client Address**.
-
--   Check that **Additional Information\\Client Address** is from internal IP addresses list.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md
deleted file mode 100644
index 5852da5e2a..0000000000
--- a/windows/security/threat-protection/auditing/event-4779.md
+++ /dev/null
@@ -1,139 +0,0 @@
----
-title: 4779(S) A session was disconnected from a Window Station. 
-description: Describes security event 4779(S) A session was disconnected from a Window Station.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4779(S): A session was disconnected from a Window Station.
-
-
-<img src="images/event-4779.png" alt="Event 4779 illustration" width="449" height="504" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-
-***Event Description:***
-
-This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](/windows-hardware/drivers/display/fast-user-switching).
-
-This event also generated when user disconnects from virtual host Hyper-V Enhanced Session, for example.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4779</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12551</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-10T23:04:41.044489800Z" /> 
- <EventRecordID>237646</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="504" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="AccountName">ladmin</Data> 
- <Data Name="AccountDomain">CONTOSO</Data> 
- <Data Name="LogonID">0x1e01f6</Data> 
- <Data Name="SessionName">RDP-Tcp\#3</Data> 
- <Data Name="ClientName">WIN81</Data> 
- <Data Name="ClientAddress">10.0.0.100</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which the session was disconnected.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Session:**
-
--   **Session Name** \[Type = UnicodeString\]**:** the name of disconnected session. Examples:
-
-    -   **RDP-Rcp\#N**, where N is a number of session – typical RDP session name.
-
-    -   **Console** – console session, typical for Fast User Switching.
-
-    -   **31C5CE94259D4006A9E4\#3** – example of “Hyper-V Enhanced Session” session name.
-
-        You can see the list of current session’s using “**query session”** command in command prompt. Example of output (see **SESSIONNAME** column):
-
-<img src="images/query-session.png" alt="Query session illustration" width="738" height="125" />
-
-**Additional Information:**
-
--   **Client Name** \[Type = UnicodeString\]: machine name from which the session was disconnected. Has “**Unknown”** value for console session.
-
-<!-- -->
-
--   **Client Address** \[Type = UnicodeString\]: IP address of the computer from which the session was disconnected.
-
-    -   IPv6 address or ::ffff:IPv4 address of a client.
-
-    -   ::1 or 127.0.0.1 means localhost.
-
-    <!-- -->
-
-    -   Has “**LOCAL**” value for console session.
-
-## Security Monitoring Recommendations
-
-For 4779(S): A session was disconnected from a Window Station.
-
-| **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                                                                                                                                                                                                                                |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts.                                                                                                                                                                                                                                                                   |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used.                                                                                                                                                                                                      |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used.                                                                                                                                                                                                                                                               |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allowlist.                                                                                                                                                                                                                                       |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected.                                                                                                                                                                                                      |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                                                                                                                                                                                                                                    |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.<br>For example, you might have computers to which connections should not be made from certain accounts or addresses.           | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.<br>If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                                                                                                                                                                                                                          |
-
--   If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with **Session Name** = Console.
-
--   If Remote Desktop Connections are not allowed for specific users (**Subject\\Account Name**) or disabled on some computers, then monitor for **Session Name** = RDP-Tcp\# (substring).
-
--   To ensure that connections are made only from your internal IP address list, monitor the **Additional Information\\Client Address** in this event.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md
deleted file mode 100644
index e7c43cf82e..0000000000
--- a/windows/security/threat-protection/auditing/event-4780.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: 4780(S) The ACL was set on accounts which are members of administrators groups. 
-description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4780(S): The ACL was set on accounts which are members of administrators groups.
-
-
-Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](/previous-versions/technet-magazine/ee361593(v=msdn.10)) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.
-
-For some reason, this event doesn’t generate on some OS versions.
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Schema:***
-
-*The ACL was set on accounts which are members of administrators groups.*
-
-*Subject:*
-
-> *Security ID:%4*
->
-> *Account Name:%5*
->
-> *Account Domain:%6*
->
-> *Logon ID:%7*
-
-*Target Account:*
-
-> *Security ID:%3*
->
-> *Account Name:%1*
->
-> *Account Domain:%2*
-
-*Additional Information:*
-
-> *Privileges:%8*
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Monitor for this event and investigate why the object’s ACL was changed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md
deleted file mode 100644
index 96fd56086f..0000000000
--- a/windows/security/threat-protection/auditing/event-4781.md
+++ /dev/null
@@ -1,128 +0,0 @@
----
-title: 4781(S) The name of an account was changed. 
-description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4781(S): The name of an account was changed.
-
-
-<img src="images/event-4781.png" alt="Event 4781 illustration" width="449" height="474" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time a user or computer account name (**sAMAccountName** attribute) is changed.
-
-For user accounts, this event generates on domain controllers, member servers, and workstations.
-
-For computer accounts, this event generates only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4781</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-22T02:41:09.737420900Z" /> 
- <EventRecordID>175754</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1112" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="OldTargetUserName">Admin</Data> 
- <Data Name="NewTargetUserName">MainAdmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6117</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30d5f</Data> 
- <Data Name="PrivilegeList">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that performed the “change account name” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the “change account name” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:**
-
--   **Security ID** \[Type = SID\]**:** SID of account on which the name was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Domain** \[Type = UnicodeString\]**:** target account’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Old Account Name** \[Type = UnicodeString\]**:** old name of target account.
-
--   **New Account Name** \[Type = UnicodeString\]**:** new name of target account.
-
-**Additional Information:**
-
--   **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
-
-## Security Monitoring Recommendations
-
-For 4781(S): The name of an account was changed.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have high-value user or computer accounts (or local user accounts) for which you need to monitor each change to the accounts, monitor this event with the **“Target Account\\Security ID”** that corresponds to the high-value accounts.
-
diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md
deleted file mode 100644
index 4f20ae39d6..0000000000
--- a/windows/security/threat-protection/auditing/event-4782.md
+++ /dev/null
@@ -1,112 +0,0 @@
----
-title: 4782(S) The password hash of an account was accessed. 
-description: Describes security event 4782(S) The password hash of an account was accessed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4782(S): The password hash of an account was accessed.
-
-
-<img src="images/event-4782.png" alt="Event 4782 illustration" width="449" height="407" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Account Management Events](audit-other-account-management-events.md)
-
-***Event Description:***
-
-This event generates on domain controllers during password migration of an account using [Active Directory Migration Toolkit](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc974332(v=ws.10)).
-
-Typically **“Subject\\Security ID”** is the SYSTEM account.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4782</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13829</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-18T21:23:46.435367800Z" /> 
- <EventRecordID>174829</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="512" ThreadID="1232" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">Andrei</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested hash migration operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested hash migration operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For ANONYMOUS LOGON you will see **NT AUTHORITY** value for this field.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Target Account:**
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which the password hash was migrated. For example: ServiceDesk
-
-    -   User account example: Andrei
-
-    -   Computer account example: DC01$
-
--   **Account Domain** \[Type = UnicodeString\]**:** domain name of the account for which the password hash was migrated. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: FABRIKAM
-
-    -   Lowercase full domain name: fabrikam.local
-
-    -   Uppercase full domain name: FABRIKAM.LOCAL
-
-## Security Monitoring Recommendations
-
-For 4782(S): The password hash of an account was accessed.
-
--   Monitor for all events of this type, because any actions with account’s password hashes should be planned. If this action was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md
deleted file mode 100644
index 713ca3f5de..0000000000
--- a/windows/security/threat-protection/auditing/event-4793.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-title: 4793(S) The Password Policy Checking API was called. 
-description: Describes security event 4793(S) The Password Policy Checking API was called.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4793(S): The Password Policy Checking API was called.
-
-
-<img src="images/event-4793.png" alt="Event 4793 illustration" width="449" height="419" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Account Management Events](audit-other-account-management-events.md)
-
-***Event Description:***
-
-This event generates each time the [Password Policy Checking API](/windows/win32/api/lmaccess/nf-lmaccess-netvalidatepasswordpolicy) is called.
-
-The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
-
-This event, for example, generates during Directory Services Restore Mode ([DSRM](/archive/blogs/askds/ds-restore-mode-password-maintenance)) account password reset procedure to check new DSRM password.
-
-This event generates on the computer where Password Policy Checking API was called.
-
-Note that starting with Microsoft SQL Server 2005, the “SQL Server password policy” feature can generate many 4793 events on a SQL Server.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4793</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13829</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-18T02:37:46.322424300Z" /> 
- <EventRecordID>172342</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="2964" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x36f67</Data> 
- <Data Name="Workstation">DC01</Data> 
- <Data Name="TargetUserName">-</Data> 
- <Data Name="Status">0x0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested Password Policy Checking API operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested Password Policy Checking API operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Additional Information:**
-
--   **Caller Workstation** \[Type = UnicodeString\]**:** name of the computer from which the Password Policy Checking API was called. Typically, this is the same computer where this event was generated, for example, DC01. Computer name here does not contain **$** symbol at the end. It also can be an IP address or the DNS name of the computer.
-
--   **Provided Account Name (unauthenticated)** \[Type = UnicodeString\]**:** the name of account, which password was provided/requested for validation. This parameter might not be captured in the event, and in that case appears as “-”.
-
--   **Status Code** \[Type = HexInt32\]**:** typically has “**0x0**” value. Status code is “**0x0**”, no matter meets password domain Password Policy or not.
-
-## Security Monitoring Recommendations
-
-For 4793(S): The Password Policy Checking API was called.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Typically this is an informational event, and can give you information about when Password Policy Checking APIs were invoked, and who invoked them. The **Provided Account Name** does not always have a value—sometimes it’s not really possible to determine for which account the password policy check was performed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md
deleted file mode 100644
index 29e851f761..0000000000
--- a/windows/security/threat-protection/auditing/event-4794.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. 
-description: Describes security event 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
-
-
-<img src="images/event-4794.png" alt="Event 4794 illustration" width="449" height="418" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time Directory Services Restore Mode (DSRM) administrator password is changed.
-
-This event generates only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4794</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" /> 
- <EventRecordID>172348</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="2964" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x36f67</Data> 
- <Data Name="Workstation">DC01</Data> 
- <Data Name="Status">0x0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made an attempt to set Directory Services Restore Mode administrator password. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to set Directory Services Restore Mode administrator password.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Additional Information:**
-
--   **Caller Workstation** \[Type = UnicodeString\]**:** the name of computer account from which Directory Services Restore Mode (DSRM) administrator password change request was received. For example: “**DC01**”. If the change request was sent locally (from the same server) this field will have the same name as the computer account.
-
--   **Status Code** \[Type = HexInt32\]**:** for Success events it has “**0x0**” value.
-
-## Security Monitoring Recommendations
-
-For 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
-
--   Always monitor 4794 events and trigger alerts when they occur.
-
diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md
deleted file mode 100644
index 7a66f7461c..0000000000
--- a/windows/security/threat-protection/auditing/event-4798.md
+++ /dev/null
@@ -1,136 +0,0 @@
----
-title: 4798(S) A user's local group membership was enumerated. 
-description: Describes security event 4798(S) A user's local group membership was enumerated.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4798(S): A user's local group membership was enumerated.
-
-
-<img src="images/event-4798.png" alt="Event 4798 illustration" width="438" height="402" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates when a process enumerates a user's security-enabled local groups on a computer or device.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4798</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-12T04:14:17.436787700Z" /> 
- <EventRecordID>691</EventRecordID> 
- <Correlation ActivityID="{CBAEDE08-1CF0-0000-50DE-AECBF01CD101}" /> 
- <Execution ProcessID="744" ThreadID="3928" /> 
- <Channel>Security</Channel> 
- <Computer>WIN10-1.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">Administrator</Data> 
- <Data Name="TargetDomainName">WIN10-1</Data> 
- <Data Name="TargetSid">S-1-5-21-1694160624-234216347-2203645164-500</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x72d9d</Data> 
- <Data Name="CallerProcessId">0xc80</Data> 
- <Data Name="CallerProcessName">C:\\Windows\\System32\\mmc.exe</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** none.
-
-***Minimum OS Version:*** Windows Server 2016, Windows 10.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “enumerate user's security-enabled local groups” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enumerate user's security-enabled local groups” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**User:**
-
--   **Security ID** \[Type = SID\]: SID of the account whose groups were enumerated. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]: the name of the account whose groups were enumerated.
-
--   **Account Domain** \[Type = UnicodeString\]: group’s domain or computer name. Formats vary, and include the following:
-
-    -   For a local group, this field will contain the name of the computer to which this group belongs, for example: “Win81”.
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-## Security Monitoring Recommendations
-
-For 4798(S): A user's local group membership was enumerated.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have high value domain or local accounts for which you need to monitor each enumeration of their group membership, or any access attempt, monitor events with the **“Subject\\Security ID”** that corresponds to the high value account or accounts.
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md
deleted file mode 100644
index 7b4aead71c..0000000000
--- a/windows/security/threat-protection/auditing/event-4799.md
+++ /dev/null
@@ -1,136 +0,0 @@
----
-title: 4799(S) A security-enabled local group membership was enumerated. 
-description: Describes security event 4799(S) A security-enabled local group membership was enumerated.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4799(S): A security-enabled local group membership was enumerated.
-
-
-<img src="images/event-4799.png" alt="Event 4799 illustration" width="438" height="402" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Security Group Management](audit-security-group-management.md)
-
-***Event Description:***
-
-This event generates when a process enumerates the members of a security-enabled local group on the computer or device.
-
-This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4799</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13826</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-12T03:50:23.625407600Z" /> 
- <EventRecordID>685</EventRecordID> 
- <Correlation ActivityID="{CBAEDE08-1CF0-0000-50DE-AECBF01CD101}" /> 
- <Execution ProcessID="744" ThreadID="188" /> 
- <Channel>Security</Channel> 
- <Computer>WIN10-1.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserName">Administrators</Data> 
- <Data Name="TargetDomainName">Builtin</Data> 
- <Data Name="TargetSid">S-1-5-32-544</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x72d9d</Data> 
- <Data Name="CallerProcessId">0xc80</Data> 
- <Data Name="CallerProcessName">C:\\Windows\\System32\\mmc.exe</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** none.
-
-***Minimum OS Version:*** Windows Server 2016, Windows 10.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “enumerate security-enabled local group members” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enumerate security-enabled local group members” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Group:**
-
--   **Security ID \[Type = SID\]:** SID of the group which members were enumerated. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Group Name \[Type = UnicodeString\]:** the name of the group which members were enumerated.
-
--   **Group Domain \[Type = UnicodeString\]: group’s domain or computer name. Formats vary, and include the following:**
-
-    -   For Builtin groups this field has “Builtin” value.
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For a local group, this field will contain the name of the computer to which this group belongs, for example: “Win81”.
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-## Security Monitoring Recommendations
-
-For 4799(S): A security-enabled local group membership was enumerated.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a list of critical local security groups in the organization, and need to specifically monitor these groups for any access (in this case, enumeration of group membership), monitor events with the “**Group\\Group Name”** values that correspond to the critical local security groups. Examples of critical local groups are built-in local administrators, built-in backup operators, and so on.
-
--   If you need to monitor each time the membership is enumerated for a local or domain security group, to see who enumerated the membership and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
-
diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md
deleted file mode 100644
index 35f11545c6..0000000000
--- a/windows/security/threat-protection/auditing/event-4800.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: 4800(S) The workstation was locked. 
-description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4800(S): The workstation was locked.
-
-
-<img src="images/event-4800.png" alt="Event 4800 illustration" width="449" height="364" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-
-***Event Description:***
-
-This event is generated when a workstation was locked.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4800</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12551</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-10T23:47:02.430644500Z" /> 
- <EventRecordID>237655</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="504" ThreadID="2568" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x759a9</Data> 
- <Data Name="SessionId">3</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “lock workstation” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “lock workstation” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
--   **Session ID** \[Type = UInt32\]: unique ID of locked session. You can see the list of current session IDs using “**query session”** command in command prompt. Example of output (see **ID** column):
-
-<img src="images/query-session.png" alt="Query session illustration" width="738" height="125" />
-
-## Security Monitoring Recommendations
-
-For 4800(S): The workstation was locked.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Typically this is an informational event, and can give you information about when a machine was locked, and which account was used to lock it.
-
diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md
deleted file mode 100644
index 348ba5fce6..0000000000
--- a/windows/security/threat-protection/auditing/event-4801.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: 4801(S) The workstation was unlocked. 
-description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4801(S): The workstation was unlocked.
-
-
-<img src="images/event-4801.png" alt="Event 4801 illustration" width="449" height="364" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-
-***Event Description:***
-
-This event is generated when workstation was unlocked.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4801</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12551</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-10T23:47:05.886096400Z" /> 
- <EventRecordID>237657</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="504" ThreadID="4540" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x759a9</Data> 
- <Data Name="SessionId">3</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “unlock workstation” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “unlock workstation” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
--   **Session ID** \[Type = UInt32\]: unique ID of unlocked session. You can see the list of current session IDs using “**query session”** command in command prompt. Example of output (see ID column):
-
-<img src="images/query-session.png" alt="Query session illustration" width="738" height="125" />
-
-## Security Monitoring Recommendations
-
-For 4801(S): The workstation was unlocked.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Typically this is an informational event, and can give you information about when a machine was unlocked, and which account was used to unlock it.
-
diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md
deleted file mode 100644
index 9884000aae..0000000000
--- a/windows/security/threat-protection/auditing/event-4802.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: 4802(S) The screen saver was invoked. 
-description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4802(S): The screen saver was invoked.
-
-
-<img src="images/event-4802.png" alt="Event 4802 illustration" width="449" height="363" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-
-***Event Description:***
-
-This event is generated when screen saver was invoked.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4802</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12551</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-11T00:16:32.377883700Z" /> 
- <EventRecordID>237662</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="504" ThreadID="1676" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x759a9</Data> 
- <Data Name="SessionId">3</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “invoke screensaver” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “invoke screensaver” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
--   **Session ID** \[Type = UInt32\]: unique ID of a session for which screen saver was invoked. You can see the list of current session IDs using “**query session”** command in command prompt. Example of output (see ID column):
-
-<img src="images/query-session.png" alt="Query session illustration" width="738" height="125" />
-
-## Security Monitoring Recommendations
-
-For 4802(S): The screen saver was invoked.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Typically this is an informational event, and can give you information about when a screen saver was invoked on a machine, and which account invoked it.
-
diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md
deleted file mode 100644
index 8fae699b17..0000000000
--- a/windows/security/threat-protection/auditing/event-4803.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: 4803(S) The screen saver was dismissed. 
-description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4803(S): The screen saver was dismissed.
-
-
-<img src="images/event-4803.png" alt="Event 4803 illustration" width="449" height="363" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-
-***Event Description:***
-
-This event is generated when screen saver was dismissed.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4803</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12551</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-11T00:19:09.576094500Z" /> 
- <EventRecordID>237663</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="504" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="TargetUserName">dadmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x759a9</Data> 
- <Data Name="SessionId">3</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “dismiss screensaver” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “dismiss screensaver” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
--   **Session ID** \[Type = UInt32\]: unique ID of a session for which screen saver was dismissed. You can see the list of current session IDs using “**query session”** command in command prompt. Example of output (see ID column):
-
-<img src="images/query-session.png" alt="Query session illustration" width="738" height="125" />
-
-## Security Monitoring Recommendations
-
-For 4803(S): The screen saver was dismissed.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Typically this is an informational event, and can give you information about when a screen saver was dismissed on a machine, and which account dismissed it.
-
diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md
deleted file mode 100644
index 3cfcc91bde..0000000000
--- a/windows/security/threat-protection/auditing/event-4816.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. 
-description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4816(S): RPC detected an integrity violation while decrypting an incoming message.
-
-
-This message generates if RPC detected an integrity violation while decrypting an incoming message.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*RPC detected an integrity violation while decrypting an incoming message.*
-
-*Peer Name: %1*
-
-*Protocol Sequence: %2*
-
-*Security Error: %3*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
-
diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md
deleted file mode 100644
index 685c9a0c84..0000000000
--- a/windows/security/threat-protection/auditing/event-4817.md
+++ /dev/null
@@ -1,245 +0,0 @@
----
-title: 4817(S) Auditing settings on object were changed. 
-description: Describes security event 4817(S) Auditing settings on object were changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4817(S): Auditing settings on object were changed.
-
-
-<img src="images/event-4817.png" alt="Event 4817 illustration" width="616" height="480" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Policy Change](audit-audit-policy-change.md)
-
-***Event Description:***
-
-This event generates when the [Global Object Access Auditing](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772630(v=ws.10)) policy is changed on a computer.
-
-Separate events will be generated for “Registry” and “File system” policy changes.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4817</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13568</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-10T01:26:33.191368500Z" /> 
- <EventRecordID>1192270</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="3048" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="ObjectServer">LSA</Data> 
- <Data Name="ObjectType">Global SACL</Data> 
- <Data Name="ObjectName">Key</Data> 
- <Data Name="OldSd" /> 
- <Data Name="NewSd">S:(AU;SA;RC;;;S-1-5-21-3457937927-2839227994-823803824-1104)</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made a change to Global Object Access Auditing policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to Global Object Access Auditing policy.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object:**
-
--   **Object Server** \[Type = UnicodeString\]: has “**LSA**” value for this event.
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object to which this event applies. Always “**Global SACL**” for this event.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device                  |
-|-------------------------|--------------|----------------------|-------------------------|
-| Mutant                  | Type         | File                 | Token                   |
-| Thread                  | Section      | WindowStation        | DebugObject             |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion            |
-| Controller              | SymbolicLink | WmiGuid              | Process                 |
-| Profile                 | Desktop      | KeyedEvent           | Central Access Policies |
-| Key                     | WaitablePort | Callback             | Global SACL             |
-| Job                     | Port         | FilterConnectionPort |                         |
-| ALPC Port               | Semaphore    | Adapter              |                         |
-
--   **Object Name:**
-
-    -   Key – if “Registry” Global Object Access Auditing policy was changed.
-
-    -   File – if “File system” Global Object Access Auditing policy was changed.
-
-**Auditing Settings:**
-
--   **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy. Empty if Global Object Access Auditing policy SACL was not set.
-
--   **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy.
-
-> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
-> 
-> Example:
-> 
-> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
-> 
-> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
-> See the list of possible values in the table below:
-
-| Value | Description                          | Value | Description                     |
-|-------|--------------------------------------|-------|---------------------------------|
-| "AO"  | Account operators                    | "PA"  | Group Policy administrators     |
-| "RU"  | Alias to allow previous Windows 2000 | "IU"  | Interactively logged-on user    |
-| "AN"  | Anonymous logon                      | "LA"  | Local administrator             |
-| "AU"  | Authenticated users                  | "LG"  | Local guest                     |
-| "BA"  | Built-in administrators              | "LS"  | Local service account           |
-| "BG"  | Built-in guests                      | "SY"  | Local system                    |
-| "BO"  | Backup operators                     | "NU"  | Network logon user              |
-| "BU"  | Built-in users                       | "NO"  | Network configuration operators |
-| "CA"  | Certificate server administrators    | "NS"  | Network service account         |
-| "CG"  | Creator group                        | "PO"  | Printer operators               |
-| "CO"  | Creator owner                        | "PS"  | Personal self                   |
-| "DA"  | Domain administrators                | "PU"  | Power users                     |
-| "DC"  | Domain computers                     | "RS"  | RAS servers group               |
-| "DD"  | Domain controllers                   | "RD"  | Terminal server users           |
-| "DG"  | Domain guests                        | "RE"  | Replicator                      |
-| "DU"  | Domain users                         | "RC"  | Restricted code                 |
-| "EA"  | Enterprise administrators            | "SA"  | Schema administrators           |
-| "ED"  | Enterprise domain controllers        | "SO"  | Server operators                |
-| "WD"  | Everyone                             | "SU"  | Service logon user              |
-
-- *G*: = Primary Group.
-- *D*: = DACL Entries.
-- *S*: = SACL Entries.
-
-*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
-
-Example: D:(A;;FA;;;WD)
-
-- entry\_type:
-
-“D” - DACL
-
-“S” - SACL
-
-- inheritance\_flags:
-
-"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
-
-"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
-
-"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
-
-- ace\_type:
-
-"A" - ACCESS ALLOWED
-
-"D" - ACCESS DENIED
-
-"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
-
-"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
-
-"AU" - SYSTEM AUDIT
-
-"A" - SYSTEM ALARM
-
-"OU" - OBJECT SYSTEM AUDIT
-
-"OL" - OBJECT SYSTEM ALARM
-
-- ace\_flags:
-
-"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
-
-"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
-
-"NP" - NO PROPAGATE: only immediate children inherit this ace.
-
-"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
-
-"ID" - ACE IS INHERITED
-
-"SA" - SUCCESSFUL ACCESS AUDIT
-
-"FA" - FAILED ACCESS AUDIT
-- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
-
-| Value                      | Description                     | Value                | Description              |
-|----------------------------|---------------------------------|----------------------|--------------------------|
-| Generic access rights      | Directory service access rights |
-| "GA"                       | GENERIC ALL                     | "RC"                 | Read Permissions         |
-| "GR"                       | GENERIC READ                    | "SD"                 | Delete                   |
-| "GW"                       | GENERIC WRITE                   | "WD"                 | Modify Permissions       |
-| "GX"                       | GENERIC EXECUTE                 | "WO"                 | Modify Owner             |
-| File access rights         | "RP"                            | Read All Properties  |
-| "FA"                       | FILE ALL ACCESS                 | "WP"                 | Write All Properties     |
-| "FR"                       | FILE GENERIC READ               | "CC"                 | Create All Child Objects |
-| "FW"                       | FILE GENERIC WRITE              | "DC"                 | Delete All Child Objects |
-| "FX"                       | FILE GENERIC EXECUTE            | "LC"                 | List Contents            |
-| Registry key access rights | "SW"                            | All Validated Writes |
-| "KA"                       | "LO"                            | "LO"                 | List Object              |
-| "K"                        | KEY READ                        | "DT"                 | Delete Subtree           |
-| "KW"                       | KEY WRITE                       | "CR"                 | All Extended Rights      |
-| "KX"                       | KEY EXECUTE                     |                      |                          |
-
-- object\_guid: N/A
-- inherit\_object\_guid: N/A
-- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
-
-For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
-
-## Security Monitoring Recommendations
-
-For 4817(S): Auditing settings on object were changed.
-
--   If you use Global Object Access Auditing policies, then this event should be always monitored, especially on high value assets or computers. If this change was not planned, investigate the reason for the change.
-
--   If you don’t use Global Object Access Auditing policies, then this event should be always monitored because it indicates use of Global Object Access Auditing policies outside of your standard procedures.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md
deleted file mode 100644
index b502dcb97b..0000000000
--- a/windows/security/threat-protection/auditing/event-4818.md
+++ /dev/null
@@ -1,211 +0,0 @@
----
-title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. 
-description: Describes security event 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
-
-
-<img src="images/event-4818.png" alt="Event 4818 illustration" width="727" height="725" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Central Policy Staging](audit-central-access-policy-staging.md)
-
-***Event Description:***
-
-This event generates when Dynamic Access Control Proposed [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) is enabled and access was not granted by Proposed Central Access Policy.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4818</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12813</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-30T16:37:29.473472100Z" /> 
- <EventRecordID>1049324</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data> 
- <Data Name="SubjectUserName">Auditor</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x1e5f21</Data> 
- <Data Name="ObjectServer">Security</Data> 
- <Data Name="ObjectType">File</Data> 
- <Data Name="ObjectName">C:\\Finance Documents\\desktop.ini</Data> 
- <Data Name="HandleId">0xc64</Data> 
- <Data Name="ProcessId">0x4</Data> 
- <Data Name="ProcessName" /> 
- <Data Name="AccessReason">%%1538: %%1801 D:(A;ID;0x1200a9;;;BU) %%1541: %%1801 D:(A;ID;0x1200a9;;;BU) %%4416: %%1801 D:(A;ID;0x1200a9;;;BU) %%4419: %%1801 D:(A;ID;0x1200a9;;;BU) %%4423: %%1801 D:(A;ID;0x1200a9;;;BU)</Data> 
- <Data Name="StagingReason">%%1538: %%1814Finance Documents Rule %%1541: %%1814Finance Documents Rule %%4416: %%1814Finance Documents Rule %%4419: %%1814Finance Documents Rule %%4423: %%1814Finance Documents Rule</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2012, Windows 8.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made an access request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an access request.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always “**File**” for this event.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device       |
-|-------------------------|--------------|----------------------|--------------|
-| Mutant                  | Type         | File                 | Token        |
-| Thread                  | Section      | WindowStation        | DebugObject  |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion |
-| Controller              | SymbolicLink | WmiGuid              | Process      |
-| Profile                 | Desktop      | KeyedEvent           | Adapter      |
-| Key                     | WaitablePort | Callback             | Semaphore    |
-| Job                     | Port         | FilterConnectionPort | ALPC Port    |
-
--   **Object Name** \[Type = UnicodeString\]: full path and name of the file or folder for which access was requested.
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Current Central Access Policy results:**
-
--   **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is:<br><br>
-REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVIDED\_OR\_DENIED\_ACCESS.
-
-The possible REQUESTED\_ACCESS values are listed in the table below.
-
-## Table of file access codes
-
-| Access                                                | Hexadecimal Value  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-|-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| ReadData (or ListDirectory)                           | 0x1                | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.<br>**ListDirectory -** For a directory, the right to list the contents of the directory.                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| WriteData (or AddFile)                                | 0x2                | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).<br>**AddFile -** For a directory, the right to create a file in the directory.                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4                | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**). <br>**AddSubdirectory -** For a directory, the right to create a subdirectory.<br>**CreatePipeInstance -** For a named pipe, the right to create a pipe.                                                                                                                                                                                                                                                              |
-| ReadEA                                                | 0x8                | The right to read extended file attributes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| WriteEA                                               | 0x10               | The right to write extended file attributes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| Execute/Traverse                                      | 0x20               | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.<br>**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**&thinsp; [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**&thinsp; [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. |
-| DeleteChild                                           | 0x40               | For a directory, the right to delete a directory and all the files it contains, including read-only files.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| ReadAttributes                                        | 0x80               | The right to read file attributes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| WriteAttributes                                       | 0x100              | The right to write file attributes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| DELETE                                                | 0x10000            | The right to delete the object.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| READ\_CONTROL                                         | 0x20000            | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| WRITE\_DAC                                            | 0x40000            | The right to modify the discretionary access control list (DACL) in the object's security descriptor.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| WRITE\_OWNER                                          | 0x80000            | The right to change the owner in the object's security descriptor                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SYNCHRONIZE                                           | 0x100000<br> | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| ACCESS\_SYS\_SEC                                      | 0x1000000          | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-
--   RESULT:
-
-    -   Granted by
-
-    -   Denied by
-
-    -   Granted by ACE on parent folder
-
-    -   Not granted due to missing – after this sentence you will typically see missing user rights, for example SeSecurityPrivilege.
-
-    -   Unknown or unchecked
-
--   ACE\_WHICH\_PROVIDED\_OR\_DENIED\_ACCESS:
-
-    -   Ownership – if access was granted because of ownership of an object.
-
-    -   User Right name, for example SeSecurityPrivilege.
-
-    -   The [Security Descriptor Definition Language](event-5145.md#sddl-values-for-access-control-entry) (SDDL) value for the Access Control Entry (ACE) that granted or denied access.
-
-**Proposed Central Access Policy results that differ from the current Central Access Policy results:**
-
--   **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Proposed Central Access Policy. Here you will see only ***denied*** requests. The format of the result is:<br><br>
-
-REQUESTED\_ACCESS: NOT Granted by RULE\_NAME Rule.
-
-The possible REQUESTED\_ACCESS values are listed in the table below:
-
-| Access                                                | Hexadecimal Value  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-|-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| ReadData (or ListDirectory)                           | 0x1                | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.<br>**ListDirectory -** For a directory, the right to list the contents of the directory.                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| WriteData (or AddFile)                                | 0x2                | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).<br>**AddFile -** For a directory, the right to create a file in the directory.                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4                | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**). <br>**AddSubdirectory -** For a directory, the right to create a subdirectory.<br>**CreatePipeInstance -** For a named pipe, the right to create a pipe.                                                                                                                                                                                                                                                              |
-| ReadEA                                                | 0x8                | The right to read extended file attributes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| WriteEA                                               | 0x10               | The right to write extended file attributes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| Execute/Traverse                                      | 0x20               | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.<br>**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**&thinsp; [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**&thinsp; [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. |
-| DeleteChild                                           | 0x40               | For a directory, the right to delete a directory and all the files it contains, including read-only files.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
-| ReadAttributes                                        | 0x80               | The right to read file attributes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| WriteAttributes                                       | 0x100              | The right to write file attributes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| DELETE                                                | 0x10000            | The right to delete the object.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| READ\_CONTROL                                         | 0x20000            | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| WRITE\_DAC                                            | 0x40000            | The right to modify the discretionary access control list (DACL) in the object's security descriptor.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| WRITE\_OWNER                                          | 0x80000            | The right to change the owner in the object's security descriptor                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| SYNCHRONIZE                                           | 0x100000<br> | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| ACCESS\_SYS\_SEC                                      | 0x1000000          | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-
--   RULE\_NAME: the name of Central Access Rule which denied the access.
-
-## Security Monitoring Recommendations
-
-For 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
-
--   This event typically used for troubleshooting and testing of Proposed Central Access Policies for Dynamic Access Control.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md
deleted file mode 100644
index b1b3d80845..0000000000
--- a/windows/security/threat-protection/auditing/event-4819.md
+++ /dev/null
@@ -1,135 +0,0 @@
----
-title: 4819(S) Central Access Policies on the machine have been changed. 
-description: Describes security event 4819(S) Central Access Policies on the machine have been changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4819(S): Central Access Policies on the machine have been changed.
-
-
-<img src="images/event-4819.png" alt="Event 4819 illustration" width="449" height="540" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Description:***
-
-This event generates when [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) on the machine have been changed.
-
-For example, it generates when a new [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) was applied to the machine via Group Policy.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4819</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13573</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-10T01:00:34.352877700Z" /> 
- <EventRecordID>1187659</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="3500" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="ObjectServer">LSA</Data> 
- <Data Name="ObjectType">Central Access Policies</Data> 
- <Data Name="AddedCAPs">Main POlicy</Data> 
- <Data Name="DeletedCAPs" /> 
- <Data Name="ModifiedCAPs" /> 
- <Data Name="AsIsCAPs" /> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2012, Windows 8.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policies on the machine. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policies on the machine.
-
--   **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\]: has “**LSA**” value for this event.
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object to which this event applies. Always “**Central Access Policies**” for this event.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device                  |
-|-------------------------|--------------|----------------------|-------------------------|
-| Mutant                  | Type         | File                 | Token                   |
-| Thread                  | Section      | WindowStation        | DebugObject             |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion            |
-| Controller              | SymbolicLink | WmiGuid              | Process                 |
-| Profile                 | Desktop      | KeyedEvent           | Central Access Policies |
-| Key                     | WaitablePort | Callback             |                         |
-| Job                     | Port         | FilterConnectionPort |                         |
-| ALPC Port               | Semaphore    | Adapter              |                         |
-
-**CAPs Added** \[Type = UnicodeString\]: the list of added Central Access Policies. Empty if no Central Access Policies were added.
-
-**CAPs Deleted** \[Type = UnicodeString\]: the list of deleted Central Access Policies. Empty if no Central Access Policies were deleted.
-
-**CAPs Modified** \[Type = UnicodeString\]: the list of modified Central Access Policies. Empty if no Central Access Policies were modified.
-
-**CAPs As-Is** \[Type = UnicodeString\]: the list of non-modified Central Access Policies.
-
-## Security Monitoring Recommendations
-
-For 4819(S): Central Access Policies on the machine have been changed.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
-
--   This event can help you to track modifications, additions and deletions of Central Access Policies if it is required by your security monitoring policy.
-
--
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md
deleted file mode 100644
index d776cba974..0000000000
--- a/windows/security/threat-protection/auditing/event-4826.md
+++ /dev/null
@@ -1,134 +0,0 @@
----
-title: 4826(S) Boot Configuration Data loaded. 
-description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4826(S): Boot Configuration Data loaded.
-
-
-<img src="images/event-4826.png" alt="Event 4826 illustration" width="438" height="494" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Description:***
-
-This event generates every time system starts and load current [Boot Configuration Data](/previous-versions/windows/hardware/design/dn653287(v=vs.85)) (BCD) settings.
-
-This event is always logged regardless of the "Audit Other Policy Change Events" sub-category setting.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4826</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13573</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-13T00:59:57.553201100Z" /> 
- <EventRecordID>751</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="164" /> 
- <Channel>Security</Channel> 
- <Computer>WIN10-1</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">-</Data> 
- <Data Name="SubjectDomainName">-</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="LoadOptions">-</Data> 
- <Data Name="AdvancedOptions">%%1843</Data> 
- <Data Name="ConfigAccessPolicy">%%1846</Data> 
- <Data Name="RemoteEventLogging">%%1843</Data> 
- <Data Name="KernelDebug">%%1843</Data> 
- <Data Name="VsmLaunchType">%%1848</Data> 
- <Data Name="TestSigning">%%1843</Data> 
- <Data Name="FlightSigning">%%1843</Data> 
- <Data Name="DisableIntegrityChecks">%%1843</Data> 
- <Data Name="HypervisorLoadOptions">-</Data> 
- <Data Name="HypervisorLaunchType">%%1848</Data> 
- <Data Name="HypervisorDebug">%%1843</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2012, Windows 8.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that reported this event. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. Always “S-1-5-18” for this event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported this event. Always “-“ for this event.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Always “-“ for this event.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**General Settings:**
-
--   **Load Options** \[Type = UnicodeString\]**:** there is no information about this field in this document.
-
--   **Advanced Options** \[Type = UnicodeString\]**:** shows whether Windows is configured for system boot to the legacy menu (F8 menu) on the next boot (**Yes** or **No**). You can enable advanced boot using “bcdedit /set onetimeadvancedoptions yes” command.
-
--   **Configuration Access Policy** \[Type = UnicodeString\]**:** there is no information about this field in this document.
-
--   **System Event Logging** \[Type = UnicodeString\]**:** there is no information about this field in this document.
-
--   **Kernel Debugging** \[Type = UnicodeString\]**:** shows whether Windows [kernel debugging](/windows-hardware/drivers/devtest/bcdedit--debug) is enabled or not (**Yes** or **No**). You can enable kernel debugging using “bcdedit /debug on” command.
-
--   **VSM Launch Type** \[Type = UnicodeString\]**:** there is no information about this field in this document.
-
-**Signature Settings:**
-
--   **Test Signing** \[Type = UnicodeString\]**:** shows whether Windows [test signing](/previous-versions/windows/hardware/design/dn653559(v=vs.85)) is enabled or not (**Yes** or **No**). You can disable test signing using “bcdedit /set testsigning off” command.
-
-> **Note**&nbsp;&nbsp;This parameter controls whether Windows 8.1, Windows 8, Windows 7, Windows Server 2008, or Windows Vista will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers on 64-bit versions of Windows 8.1, Windows 8, Windows 7, Windows Server 2008, and Windows Vista will not load by default. After you run the BCDEdit command, restart the computer so that the change takes effect. For more information, see [Introduction to Test-Signing](/windows-hardware/drivers/install/introduction-to-test-signing).
-
--   **Flight Signing** \[Type = UnicodeString\]**:** shows whether Windows flight signing (which allows flight-signed code signing certificates) is enabled or not (**Yes** or **No**). You can disable flight signing using “bcdedit /set flightsigning off” command.
-
--   **Disable Integrity Checks** \[Type = UnicodeString\]**:** shows whether Windows integrity check is disabled or not (**Yes** or **No**). You can disable integrity checks using “bcdedit /set nointegritychecks on” command.
-
-**HyperVisor Settings:**
-
--   **HyperVisor Load Options** \[Type = UnicodeString\]**:** shows hypervisor **loadoptions**. See more information here: <https://msdn.microsoft.com/library/windows/hardware/ff542202(v=vs.85).aspx>.
-
--   **HyperVisor Launch Type** \[Type = UnicodeString\]**:** shows the hypervisor launch options (**Off** or **Auto**). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to **Auto** on the target computer. For more information, see [Attaching to a Target Computer Running Hyper-V](/windows-hardware/drivers/debugger/setting-up-network-debugging-of-a-virtual-machine-host). Information about [Hyper-V](/windows/deployment/deploy-whats-new) technology is available on Microsoft TechNet web site.
-
--   **HyperVisor Debugging** \[Type = UnicodeString\]**:** shows whether the hypervisor debugger is enabled or not (**Yes** or **No**). For information about hypervisor debugging, see [Attaching to a Target Computer Running Hyper-V](/windows-hardware/drivers/debugger/setting-up-network-debugging-of-a-virtual-machine-host).
-
-## Security Monitoring Recommendations
-
-For 4826(S): Boot Configuration Data loaded.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
-
--   If you have a standard or baseline for Boot Configuration Data settings defined, monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
deleted file mode 100644
index 3d52b57ab7..0000000000
--- a/windows/security/threat-protection/auditing/event-4864.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: 4864(S) A namespace collision was detected. 
-description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4864(S): A namespace collision was detected.
-
-
-This event is generated when a namespace collision was detected.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Schema:***
-
-*A namespace collision was detected.*
-
-*Target Type:%1*
-
-*Target Name:%2*
-
-*Forest Root:%3*
-
-*Top Level Name:%4*
-
-*DNS Name:%5*
-
-*NetBIOS Name:%6*
-
-*Security ID:%7*
-
-*New Flags:%8*
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
-
diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md
deleted file mode 100644
index f98be7ebdc..0000000000
--- a/windows/security/threat-protection/auditing/event-4865.md
+++ /dev/null
@@ -1,150 +0,0 @@
----
-title: 4865(S) A trusted forest information entry was added. 
-description: Describes security event 4865(S) A trusted forest information entry was added.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4865(S): A trusted forest information entry was added.
-
-
-<img src="images/event-4865.png" alt="Event 4865 illustration" width="449" height="502" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates when new trusted forest information entry was added.
-
-This event is generated only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4865</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13569</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-02T03:11:33.397715700Z" /> 
- <EventRecordID>1049810</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="4808" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ForestRoot">Fabrikam.local</Data> 
- <Data Name="ForestRootSid">S-1-5-21-2703072690-1374247579-2643703677</Data> 
- <Data Name="OperationId">0x648620</Data> 
- <Data Name="EntryType">2</Data> 
- <Data Name="Flags">0</Data> 
- <Data Name="TopLevelName">-</Data> 
- <Data Name="DnsName">Fabrikam.local</Data> 
- <Data Name="NetbiosName">FABRIKAM</Data> 
- <Data Name="DomainSid">S-1-5-21-2703072690-1374247579-2643703677</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x138eb0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “add a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add a trusted forest information entry” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Trust Information:**
-
--   **Forest Root** \[Type = UnicodeString\]: the name of the Active Directory forest for which trusted forest information entry was added.
-
-<!-- -->
-
--   **Forest Root SID** \[Type = SID\]: the SID of the Active Directory forest for which trusted forest information entry was added. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-<!-- -->
-
--   **Operation ID** \[Type = HexInt64\]: unique hexadecimal identifier of the operation. You can correlate this event with other events ([4866](event-4866.md)(S): A trusted forest information entry was removed, [4867](event-4867.md)(S): A trusted forest information entry was modified.) using this field.
-
-<!-- -->
-
--   **Entry Type** \[Type = UInt32\]: the type of added entry:
-
-| Value | Type Name                 | Description                                                                                                                                                                                                                                                                                                                                                                     |
-|-------|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0     | ForestTrustTopLevelName   | The [DNS name](/openspecs/windows_protocols/ms-lsad/31ca2a31-0be4-4773-bcef-05ad6cd3ccfb#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](/openspecs/windows_protocols/ms-lsad/31ca2a31-0be4-4773-bcef-05ad6cd3ccfb#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](/openspecs/windows_protocols/ms-lsad/4b35e17e-405c-4e99-8ebe-8b28f047156f) |
-| 1     | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](/openspecs/windows_protocols/ms-lsad/4b35e17e-405c-4e99-8ebe-8b28f047156f).                                                                                                                                                                                    |
-| 2     | ForestTrustDomainInfo     | This field specifies a record containing identification and name information                                                                                                                                                                                                                                                                                                    |
-
--   **Flags** \[Type = UInt32\]: The following table specifies the possible flags.
-
-    Some flag values are reused for different forest record types. See the “Meaning” column for more information.
-
-| Value | Trust Type                                                 | Meaning                                                                      |
-|-------|------------------------------------------------------------|------------------------------------------------------------------------------|
-| 0     | -                                                          | No flags were set.                                                           |
-| 1     | ForestTrustTopLevelNameEx<br>ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation.         |
-|       | ForestTrustDomainInfo                                      | The domain information trust record is disabled by the domain administrator. |
-| 2     | ForestTrustTopLevelNameEx<br>ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator.     |
-|       | ForestTrustDomainInfo                                      | The domain information trust record is disabled due to a conflict.           |
-| 4     | ForestTrustTopLevelNameEx<br>ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict.               |
-|       | ForestTrustDomainInfo                                      | The domain information trust record is disabled by the domain administrator. |
-| 8     | ForestTrustDomainInfo                                      | The domain information trust record is disabled due to a conflict.           |
-
--   **Top Level Name** \[Type = UnicodeString\]: the name of the new trusted forest information entry.
-
--   **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”.
-
--   **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”.
-
--   **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”.
-
-## Security Monitoring Recommendations
-
-For 4865(S): A trusted forest information entry was added.
-
--   Any changes related to Active Directory forest trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md
deleted file mode 100644
index f138df2d0a..0000000000
--- a/windows/security/threat-protection/auditing/event-4866.md
+++ /dev/null
@@ -1,150 +0,0 @@
----
-title: 4866(S) A trusted forest information entry was removed. 
-description: Describes security event 4866(S) A trusted forest information entry was removed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4866(S): A trusted forest information entry was removed.
-
-
-<img src="images/event-4866.png" alt="Event 4866 illustration" width="449" height="502" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates when the trusted forest information entry was removed.
-
-This event is generated only on domain controllers.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4865</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13569</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-02T03:11:33.397715700Z" /> 
- <EventRecordID>1049810</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="4808" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ForestRoot">Fabrikam.local</Data> 
- <Data Name="ForestRootSid">S-1-5-21-2703072690-1374247579-2643703677</Data> 
- <Data Name="OperationId">0x648620</Data> 
- <Data Name="EntryType">2</Data> 
- <Data Name="Flags">0</Data> 
- <Data Name="TopLevelName">-</Data> 
- <Data Name="DnsName">Fabrikam.local</Data> 
- <Data Name="NetbiosName">FABRIKAM</Data> 
- <Data Name="DomainSid">S-1-5-21-2703072690-1374247579-2643703677</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x138eb0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “remove a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove a trusted forest information entry” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Trust Information:**
-
--   **Forest Root** \[Type = UnicodeString\]: the name of the Active Directory forest for which trusted forest information entry was removed.
-
-<!-- -->
-
--   **Forest Root SID** \[Type = SID\]: the SID of the Active Directory forest for which trusted forest information entry was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-<!-- -->
-
--   **Operation ID** \[Type = HexInt64\]: unique hexadecimal identifier of the operation. You can correlate this event with other events ([4865](event-4865.md)(S): A trusted forest information entry was added, [4867](event-4867.md)(S): A trusted forest information entry was modified.) using this field.
-
-<!-- -->
-
--   **Entry Type** \[Type = UInt32\]: the type of removed entry:
-
-| Value | Type Name                 | Description                                                                                                                                                                                                                                                                                                                                                                     |
-|-------|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0     | ForestTrustTopLevelName   | The [DNS name](/openspecs/windows_protocols/ms-lsad/31ca2a31-0be4-4773-bcef-05ad6cd3ccfb#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](/openspecs/windows_protocols/ms-lsad/31ca2a31-0be4-4773-bcef-05ad6cd3ccfb#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](/openspecs/windows_protocols/ms-lsad/4b35e17e-405c-4e99-8ebe-8b28f047156f) |
-| 1     | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](/openspecs/windows_protocols/ms-lsad/4b35e17e-405c-4e99-8ebe-8b28f047156f).                                                                                                                                                                                    |
-| 2     | ForestTrustDomainInfo     | This field specifies a record containing identification and name information                                                                                                                                                                                                                                                                                                    |
-
--   **Flags** \[Type = UInt32\]: The following table specifies the possible flags.
-
-    Some flag values are reused for different forest record types. See the “Meaning” column for more information.
-
-| Value | Trust Type                                                 | Meaning                                                                      |
-|-------|------------------------------------------------------------|------------------------------------------------------------------------------|
-| 0     | -                                                          | No flags were set.                                                           |
-| 1     | ForestTrustTopLevelNameEx<br>ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation.         |
-|       | ForestTrustDomainInfo                                      | The domain information trust record is disabled by the domain administrator. |
-| 2     | ForestTrustTopLevelNameEx<br>ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator.     |
-|       | ForestTrustDomainInfo                                      | The domain information trust record is disabled due to a conflict.           |
-| 4     | ForestTrustTopLevelNameEx<br>ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict.               |
-|       | ForestTrustDomainInfo                                      | The domain information trust record is disabled by the domain administrator. |
-| 8     | ForestTrustDomainInfo                                      | The domain information trust record is disabled due to a conflict.           |
-
--   **Top Level Name** \[Type = UnicodeString\]: the name of the removed trusted forest information entry.
-
--   **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”.
-
--   **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”.
-
--   **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”.
-
-## Security Monitoring Recommendations
-
-For 4866(S): A trusted forest information entry was removed.
-
--   Any changes related to Active Directory forest trusts (especially trust removal) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md
deleted file mode 100644
index e86b7b7afe..0000000000
--- a/windows/security/threat-protection/auditing/event-4867.md
+++ /dev/null
@@ -1,152 +0,0 @@
----
-title: 4867(S) A trusted forest information entry was modified. 
-description: Describes security event 4867(S) A trusted forest information entry was modified.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4867(S): A trusted forest information entry was modified.
-
-
-<img src="images/event-4867.png" alt="Event 4867 illustration" width="449" height="502" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates the trusted forest information entry was modified.
-
-This event is generated only on domain controllers.
-
-This event contains new values only, it doesn’t contains old values and it doesn’t show you which trust attributes were modified.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4865</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13569</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-02T03:11:33.397715700Z" /> 
- <EventRecordID>1049810</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="4808" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ForestRoot">Fabrikam.local</Data> 
- <Data Name="ForestRootSid">S-1-5-21-2703072690-1374247579-2643703677</Data> 
- <Data Name="OperationId">0x648620</Data> 
- <Data Name="EntryType">2</Data> 
- <Data Name="Flags">0</Data> 
- <Data Name="TopLevelName">-</Data> 
- <Data Name="DnsName">Fabrikam.local</Data> 
- <Data Name="NetbiosName">FABRIKAM</Data> 
- <Data Name="DomainSid">S-1-5-21-2703072690-1374247579-2643703677</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x138eb0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “modify/change a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify/change a trusted forest information entry” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Trust Information:**
-
--   **Forest Root** \[Type = UnicodeString\]: the name of the Active Directory forest for which trusted forest information entry was modified.
-
-<!-- -->
-
--   **Forest Root SID** \[Type = SID\]: the SID of the Active Directory forest for which trusted forest information entry was modified. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-<!-- -->
-
--   **Operation ID** \[Type = HexInt64\]: unique hexadecimal identifier of the operation. You can correlate this event with other events ([4865](event-4865.md)(S): A trusted forest information entry was added, [4866](event-4866.md)(S): A trusted forest information entry was removed) using this field.
-
-<!-- -->
-
--   **Entry Type** \[Type = UInt32\]: the type of modified entry:
-
-| Value | Type Name                 | Description                                                                                                                                                                                                                                                                                                                                                                     |
-|-------|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0     | ForestTrustTopLevelName   | The [DNS name](/openspecs/windows_protocols/ms-lsad/31ca2a31-0be4-4773-bcef-05ad6cd3ccfb#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](/openspecs/windows_protocols/ms-lsad/31ca2a31-0be4-4773-bcef-05ad6cd3ccfb#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](/openspecs/windows_protocols/ms-lsad/4b35e17e-405c-4e99-8ebe-8b28f047156f) |
-| 1     | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](/openspecs/windows_protocols/ms-lsad/4b35e17e-405c-4e99-8ebe-8b28f047156f).                                                                                                                                                                                    |
-| 2     | ForestTrustDomainInfo     | This field specifies a record containing identification and name information                                                                                                                                                                                                                                                                                                    |
-
--   **Flags** \[Type = UInt32\]: The following table specifies the possible flags.
-
-    Some flag values are reused for different forest record types. See the “Meaning” column for more information.
-
-| Value | Trust Type                                                 | Meaning                                                                      |
-|-------|------------------------------------------------------------|------------------------------------------------------------------------------|
-| 0     | -                                                          | No flags were set.                                                           |
-| 1     | ForestTrustTopLevelNameEx<br>ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation.         |
-|       | ForestTrustDomainInfo                                      | The domain information trust record is disabled by the domain administrator. |
-| 2     | ForestTrustTopLevelNameEx<br>ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator.     |
-|       | ForestTrustDomainInfo                                      | The domain information trust record is disabled due to a conflict.           |
-| 4     | ForestTrustTopLevelNameEx<br>ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict.               |
-|       | ForestTrustDomainInfo                                      | The domain information trust record is disabled by the domain administrator. |
-| 8     | ForestTrustDomainInfo                                      | The domain information trust record is disabled due to a conflict.           |
-
--   **Top Level Name** \[Type = UnicodeString\]: the name of the modified trusted forest information entry.
-
--   **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”.
-
--   **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”.
-
--   **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”.
-
-## Security Monitoring Recommendations
-
-For 4867(S): A trusted forest information entry was modified.
-
--   Any changes in Active Directory forest trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md
deleted file mode 100644
index 0cd35ad40a..0000000000
--- a/windows/security/threat-protection/auditing/event-4902.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: 4902(S) The Per-user audit policy table was created. 
-description: Describes security event 4902(S) The Per-user audit policy table was created.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4902(S): The Per-user audit policy table was created.
-
-
-<img src="images/event-4902.png" alt="Event 4902 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Policy Change](audit-audit-policy-change.md)
-
-***Event Description:***
-
-This event generates during system startup if Per-user audit policy is defined on the computer.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4902</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13568</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-01T00:05:25.814466500Z" /> 
- <EventRecordID>1049490</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="556" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="PuaCount">1</Data> 
- <Data Name="PuaPolicyId">0x703e</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Number of Elements** \[Type = UInt32\]: number of users for which Per-user policies were defined (number of unique users). You can get the list of users for which Per-user policies are defined using “auditpol /list /user” command:
-
-<img src="images/auditpol-list-user.png" alt="Auditpol list user illustration" width="775" height="218" />
-
-**Policy ID** \[Type = HexInt64\]: unique per-User Audit Policy hexadecimal identifier.
-
-## Security Monitoring Recommendations
-
-For 4902(S): The Per-user audit policy table was created.
-
--   If you don’t expect to see any per-User Audit Policies enabled on specific computers (**Computer**), monitor for these events.
-
--   If you don’t use per-User Audit Policies in your network, monitor for these events.
-
--   Typically this is an informational event and has little to no security relevance.
-
diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md
deleted file mode 100644
index 0da52bcaf6..0000000000
--- a/windows/security/threat-protection/auditing/event-4904.md
+++ /dev/null
@@ -1,132 +0,0 @@
----
-title: 4904(S) An attempt was made to register a security event source. 
-description: Describes security event 4904(S) An attempt was made to register a security event source.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4904(S): An attempt was made to register a security event source.
-
-
-<img src="images/event-4904.png" alt="Event 4904 illustration" width="449" height="462" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Policy Change](audit-audit-policy-change.md)
-
-***Event Description:***
-
-This event generates every time a new [security event source](/windows/win32/eventlog/event-sources) is registered.
-
-You can typically see this event during system startup, if specific roles (Internet Information Services, for example) are installed in the system.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4904</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13568</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-01T00:53:01.030688000Z" /> 
- <EventRecordID>1049538</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="548" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="AuditSourceName">FSRM Audit</Data> 
- <Data Name="EventSourceId">0x1cc4e</Data> 
- <Data Name="ProcessId">0x688</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made an attempt to register a security event source. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to register a security event source.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Process:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted to register the security event source. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Event Source:**
-
--   **Source Name** \[Type = UnicodeString\]: the name of registered security event source. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example:
-
-    <img src="images/subkeys-under-security-key.png" alt="Subkeys under Security key illustration" width="236" height="246" />
-
--   **Event Source ID** \[Type = HexInt64\]: the unique hexadecimal identifier of registered security event source.
-
-## Security Monitoring Recommendations
-
-For 4904(S): An attempt was made to register a security event source.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
--   If you have a pre-defined list of allowed security event sources for specific computers or computer types, then you can use this event and check whether “**Event Source\\Source Name**”is in your defined list.
-
--   Typically this event has an informational purpose.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md
deleted file mode 100644
index bda5be072e..0000000000
--- a/windows/security/threat-protection/auditing/event-4905.md
+++ /dev/null
@@ -1,132 +0,0 @@
----
-title: 4905(S) An attempt was made to unregister a security event source. 
-description: Describes security event 4905(S) An attempt was made to unregister a security event source.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4905(S): An attempt was made to unregister a security event source.
-
-
-<img src="images/event-4905.png" alt="Event 4905 illustration" width="449" height="458" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Policy Change](audit-audit-policy-change.md)
-
-***Event Description:***
-
-This event generates every time a [security event source](/windows/win32/eventlog/event-sources) is unregistered.
-
-You typically see this event if specific roles were removed, for example, Internet Information Services.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4905</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13568</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-01T17:39:12.039825000Z" /> 
- <EventRecordID>1049718</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="1888" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="AuditSourceName">IIS-METABASE</Data> 
- <Data Name="EventSourceId">0x20c15f</Data> 
- <Data Name="ProcessId">0xd90</Data> 
- <Data Name="ProcessName">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made an attempt to unregister a security event source. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to unregister a security event source.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted to unregister the security event source. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Event Source:**
-
--   **Source Name** \[Type = UnicodeString\]: the name of unregistered security event source. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example:
-
-    <img src="images/subkeys-under-security-key.png" alt="Subkeys under Security key illustration" width="236" height="246" />
-
--   **Event Source ID** \[Type = HexInt64\]: the unique hexadecimal identifier of unregistered security event source.
-
-## Security Monitoring Recommendations
-
-For 4905(S): An attempt was made to unregister a security event source.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
--   If you have a list of critical security event sources which should never have been unregistered, then you can use this event and check the “**Event Source\\Source Name**.”
-
--   Typically this event has an informational purpose.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md
deleted file mode 100644
index ba0d53e713..0000000000
--- a/windows/security/threat-protection/auditing/event-4906.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: 4906(S) The CrashOnAuditFail value has changed. 
-description: Describes security event 4906(S) The CrashOnAuditFail value has changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4906(S): The CrashOnAuditFail value has changed.
-
-
-<img src="images/event-4906.png" alt="Event 4906 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Policy Change](audit-audit-policy-change.md)
-
-***Event Description:***
-
-This event generates every time **CrashOnAuditFail** audit flag value was modified.
-
-This event is always logged regardless of the "Audit Policy Change" sub-category setting.
-
-More information about **CrashOnAuditFail** flag can be found [here](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)).
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4906</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13568</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-01T00:45:07.048458800Z" /> 
- <EventRecordID>1049529</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="532" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="CrashOnAuditFailValue">1</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**New Value of CrashOnAuditFail** \[Type = UInt32\]**:** contains new value of **CrashOnAuditFail** flag. Possible values are:
-
--   0 - The feature is off. The system does not halt, even when it cannot record events in the Security Log.
-
--   1 - The feature is on. The system halts when it cannot record an event in the Security Log.
-
--   2 - The feature is on and has been triggered. The system halted because it could not record an auditable event in the Security Log. Only members of the Administrators group can log on.
-
-## Security Monitoring Recommendations
-
-For 4906(S): The CrashOnAuditFail value has changed.
-
--   Any changes of **CrashOnAuditFail** audit flag that are reported by this event must be monitored, and an alert should be triggered. If this change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
deleted file mode 100644
index 413c994ac3..0000000000
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ /dev/null
@@ -1,284 +0,0 @@
----
-title: 4907(S) Auditing settings on object were changed. 
-description: Describes security event 4907(S) Auditing settings on object were changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4907(S): Auditing settings on object were changed.
-
-
-<img src="images/event-4907.png" alt="Event 4907 illustration" width="643" height="542" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Policy Change](audit-audit-policy-change.md)
-
-***Event Description:***
-
-This event generates when the [SACL](/windows/win32/secauthz/access-control-lists) of an object (for example, a registry key or file) was changed.
-
-This event doesn't generate for Active Directory objects.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4907</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13568</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-01T18:18:19.458828800Z" /> 
- <EventRecordID>1049732</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="508" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x138eb0</Data> 
- <Data Name="ObjectServer">Security</Data> 
- <Data Name="ObjectType">Key</Data> 
- <Data Name="ObjectName">\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\EventLog\\Internet Explorer</Data> 
- <Data Name="HandleId">0x2f8</Data> 
- <Data Name="OldSd">S:AI</Data> 
- <Data Name="NewSd">S:ARAI(AU;CISA;KA;;;S-1-5-21-3457937927-2839227994-823803824-1104)</Data> 
- <Data Name="ProcessId">0x120c</Data> 
- <Data Name="ProcessName">C:\\Windows\\regedit.exe</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made a change to object’s auditing settings. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to object’s auditing settings.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device             |
-|-------------------------|--------------|----------------------|--------------------|
-| Mutant                  | Type         | File                 | Token              |
-| Thread                  | Section      | WindowStation        | DebugObject        |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion       |
-| Controller              | SymbolicLink | WmiGuid              | Process            |
-| Profile                 | Desktop      | KeyedEvent           | SC\_MANAGER OBJECT |
-| Key                     | WaitablePort | Callback             |                    |
-| Job                     | Port         | FilterConnectionPort |                    |
-| ALPC Port               | Semaphore    | Adapter              |                    |
-
--   **Object Name** \[Type = UnicodeString\]: full path and name of the object for which the [SACL](/windows/win32/secauthz/access-control-lists) was modified. Depends on **Object Type**. Here are some examples:
-
-    -   The format for **Object Type** = “Key” is: \\REGISTRY\\HIVE\\PATH where:
-
-        -   HIVE:
-
-            -   HKEY\_LOCAL\_MACHINE = \\REGISTRY\\MACHINE
-
-            -   HKEY\_CURRENT\_USER = \\REGISTRY\\USER\\\[USER\_SID\], where \[USER\_SID\] is the SID of current user.
-
-            -   HKEY\_CLASSES\_ROOT = \\REGISTRY\\MACHINE\\SOFTWARE\\Classes
-
-            -   HKEY\_USERS = \\REGISTRY\\USER
-
-            -   HKEY\_CURRENT\_CONFIG = \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\Current
-
-        -   PATH – path to the registry key.
-
-    -   The format for **Object Type** = “File” is: full path and name of the file or folder for which [SACL](/windows/win32/secauthz/access-control-lists) was modified.
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4656](event-4656.md): A handle to an object was requested.” Event for registry keys or with **Handle ID** field in “[4656](event-4656.md)(S, F): A handle to an object was requested.” Event for file system objects. This parameter might not be captured in the event, and in that case appears as “0x0”.
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the object’s [SACL](/windows/win32/secauthz/access-control-lists) was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Auditing Settings:**
-
--   **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the object.
-
--   **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
-
-> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
-> 
-> Example:
-> 
-> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
-> 
-> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
-> See the list of possible values in the table below:
-
-| Value | Description                          | Value | Description                     |
-|-------|--------------------------------------|-------|---------------------------------|
-| "AO"  | Account operators                    | "PA"  | Group Policy administrators     |
-| "RU"  | Alias to allow previous Windows 2000 | "IU"  | Interactively logged-on user    |
-| "AN"  | Anonymous logon                      | "LA"  | Local administrator             |
-| "AU"  | Authenticated users                  | "LG"  | Local guest                     |
-| "BA"  | Built-in administrators              | "LS"  | Local service account           |
-| "BG"  | Built-in guests                      | "SY"  | Local system                    |
-| "BO"  | Backup operators                     | "NU"  | Network logon user              |
-| "BU"  | Built-in users                       | "NO"  | Network configuration operators |
-| "CA"  | Certificate server administrators    | "NS"  | Network service account         |
-| "CG"  | Creator group                        | "PO"  | Printer operators               |
-| "CO"  | Creator owner                        | "PS"  | Personal self                   |
-| "DA"  | Domain administrators                | "PU"  | Power users                     |
-| "DC"  | Domain computers                     | "RS"  | RAS servers group               |
-| "DD"  | Domain controllers                   | "RD"  | Terminal server users           |
-| "DG"  | Domain guests                        | "RE"  | Replicator                      |
-| "DU"  | Domain users                         | "RC"  | Restricted code                 |
-| "EA"  | Enterprise administrators            | "SA"  | Schema administrators           |
-| "ED"  | Enterprise domain controllers        | "SO"  | Server operators                |
-| "WD"  | Everyone                             | "SU"  | Service logon user              |
-
-- *G*: = Primary Group.
-- *D*: = DACL Entries.
-- *S*: = SACL Entries.
-
-*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
-
-Example: D:(A;;FA;;;WD)
-
-- entry\_type:
-
-“D” - DACL
-
-“S” - SACL
-
-- inheritance\_flags:
-
-"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
-
-"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
-
-"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
-
-- ace\_type:
-
-"A" - ACCESS ALLOWED
-
-"D" - ACCESS DENIED
-
-"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
-
-"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
-
-"AU" - SYSTEM AUDIT
-
-"A" - SYSTEM ALARM
-
-"OU" - OBJECT SYSTEM AUDIT
-
-"OL" - OBJECT SYSTEM ALARM
-
-- ace\_flags:
-
-"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
-
-"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
-
-"NP" - NO PROPAGATE: only immediate children inherit this ace.
-
-"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
-
-"ID" - ACE IS INHERITED
-
-"SA" - SUCCESSFUL ACCESS AUDIT
-
-"FA" - FAILED ACCESS AUDIT
-- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
-
-| Value                      | Description                     | Value                | Description              |
-|----------------------------|---------------------------------|----------------------|--------------------------|
-| Generic access rights      | Directory service access rights |
-| "GA"                       | GENERIC ALL                     | "RC"                 | Read Permissions         |
-| "GR"                       | GENERIC READ                    | "SD"                 | Delete                   |
-| "GW"                       | GENERIC WRITE                   | "WD"                 | Modify Permissions       |
-| "GX"                       | GENERIC EXECUTE                 | "WO"                 | Modify Owner             |
-| File access rights         | "RP"                            | Read All Properties  |
-| "FA"                       | FILE ALL ACCESS                 | "WP"                 | Write All Properties     |
-| "FR"                       | FILE GENERIC READ               | "CC"                 | Create All Child Objects |
-| "FW"                       | FILE GENERIC WRITE              | "DC"                 | Delete All Child Objects |
-| "FX"                       | FILE GENERIC EXECUTE            | "LC"                 | List Contents            |
-| Registry key access rights | "SW"                            | All Validated Writes |
-| "KA"                       | "LO"                            | "LO"                 | List Object              |
-| "K"                        | KEY READ                        | "DT"                 | Delete Subtree           |
-| "KW"                       | KEY WRITE                       | "CR"                 | All Extended Rights      |
-| "KX"                       | KEY EXECUTE                     |                      |                          |
-
-- object\_guid: N/A
-- inherit\_object\_guid: N/A
-- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
-
-For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
-
-## Security Monitoring Recommendations
-
-For 4907(S): Auditing settings on object were changed.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.”
-
--   If you need to monitor all SACL changes for specific files, folders, registry keys, or other object types, monitor for “**Object Name**” field value which has specific object name.
-
-<!-- -->
-
-- If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**.
-
-- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers<b>.</b>
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md
deleted file mode 100644
index 3f6c135f60..0000000000
--- a/windows/security/threat-protection/auditing/event-4908.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: 4908(S) Special Groups Logon table modified. 
-description: Describes security event 4908(S) Special Groups Logon table modified. This event is generated when the Special Groups Logon table is modified.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4908(S): Special Groups Logon table modified.
-
-:::image type="content" source="images/event-4908.png" alt-text="Event 4908 illustration":::
-
-***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
-
-***Event Description:***
-
-This event generates every time Special Groups logon table was modified.
-
-This event also generates during system startup.
-
-This event is always logged regardless of the "Audit Policy Change" sub-category setting.
-
-For more information about Special Groups auditing, see [4908(S): Special Groups Logon table modified](/windows/security/threat-protection/auditing/event-4908).
-
-> [!NOTE]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-
-```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4908</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13568</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-01T00:20:40.210246600Z" /> 
- <EventRecordID>1049511</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="532" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Special Groups** \[Type = UnicodeString\]**:** contains current list of SIDs (groups or accounts) which are members of Special Groups. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> [!NOTE]
-> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
-“HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Audit\\SpecialGroups” registry value contains current list of SIDs which are included in Special Groups:
-
-:::image type="content" source="images/registry-editor-audit.png" alt-text="Registry Editor Audit key illustration":::
-
-## Security Monitoring Recommendations
-
-For 4908(S): Special Groups Logon table modified.
-
--   If you use the Special Groups feature, then this event should be always monitored, especially on high value assets or computers. If this change wasn't planned, investigate the reason for the change.
-
--   If you don’t use the Special Groups feature, then this event should be always monitored because it indicates use of the Special Groups feature outside of your standard procedures.
-
diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md
deleted file mode 100644
index d1a8711011..0000000000
--- a/windows/security/threat-protection/auditing/event-4909.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: 4909(-) The local policy settings for the TBS were changed. 
-description: Describes security event 4909(-) The local policy settings for the TBS were changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4909(-): The local policy settings for the TBS were changed.
-
-
-Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md
deleted file mode 100644
index 37f4293a84..0000000000
--- a/windows/security/threat-protection/auditing/event-4910.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: 4910(-) The group policy settings for the TBS were changed. 
-description: Describes security event 4910(-) The group policy settings for the TBS were changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4910(-): The group policy settings for the TBS were changed.
-
-
-Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md
deleted file mode 100644
index ea45660bc8..0000000000
--- a/windows/security/threat-protection/auditing/event-4911.md
+++ /dev/null
@@ -1,282 +0,0 @@
----
-title: 4911(S) Resource attributes of the object were changed. 
-description: Describes security event 4911(S) Resource attributes of the object were changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4911(S): Resource attributes of the object were changed.
-
-
-<img src="images/event-4911.png" alt="Event 4911 illustration" width="545" height="541" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authorization Policy Change](audit-authorization-policy-change.md)
-
-***Event Description:***
-
-This event generates when [resource attributes](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview) of the file system object were changed.
-
-Resource attributes for file or folder can be changed, for example, using Windows File Explorer (object’s Properties-&gt;Classification tab).
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4911</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13570</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-09T23:43:04.009319300Z" /> 
- <EventRecordID>1183714</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x37925</Data> 
- <Data Name="ObjectServer">Security</Data> 
- <Data Name="ObjectType">File</Data> 
- <Data Name="ObjectName">C:\\Audit Files\\HBI Data.txt</Data> 
- <Data Name="HandleId">0x49c</Data> 
- <Data Name="OldSd">S:AI</Data> 
- <Data Name="NewSd">S:ARAI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data> 
- <Data Name="ProcessId">0x67c</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data> 
- </EventData>
-</Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2012, Windows 8.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that changed the resource attributes of the file system object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the resource attributes of the file system object.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **“File”** for this event.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device       |
-|-------------------------|--------------|----------------------|--------------|
-| Mutant                  | Type         | File                 | Token        |
-| Thread                  | Section      | WindowStation        | DebugObject  |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion |
-| Controller              | SymbolicLink | WmiGuid              | Process      |
-| Profile                 | Desktop      | KeyedEvent           | Adapter      |
-| Key                     | WaitablePort | Callback             | Semaphore    |
-| Job                     | Port         | FilterConnectionPort | ALPC Port    |
-
--   **Object Name** \[Type = UnicodeString\]: full path and/or name of the object for which resource attributes were changed.
-
-<!-- -->
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the resource attributes of the file system object were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Resource Attributes:**
-
--   **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old resource attributes.
-
-    For example: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))
-
-    -   Impact\_MS: Resource Property ***ID***.
-
-    -   3000: Recourse Property ***Value***.
-
-<img src="images/impact-property.png" alt="Impact property illustration" width="886" height="592" />
-
-> If no resource attributes were set to the object, then SDDL will not contain any attributes, for example “**S:AI**”.
-
--   **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event.
-
-> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
-> 
-> Example:
-> 
-> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
-> 
-> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
-> See the list of possible values in the table below:
-
-| Value | Description                          | Value | Description                     |
-|-------|--------------------------------------|-------|---------------------------------|
-| "AO"  | Account operators                    | "PA"  | Group Policy administrators     |
-| "RU"  | Alias to allow previous Windows 2000 | "IU"  | Interactively logged-on user    |
-| "AN"  | Anonymous logon                      | "LA"  | Local administrator             |
-| "AU"  | Authenticated users                  | "LG"  | Local guest                     |
-| "BA"  | Built-in administrators              | "LS"  | Local service account           |
-| "BG"  | Built-in guests                      | "SY"  | Local system                    |
-| "BO"  | Backup operators                     | "NU"  | Network logon user              |
-| "BU"  | Built-in users                       | "NO"  | Network configuration operators |
-| "CA"  | Certificate server administrators    | "NS"  | Network service account         |
-| "CG"  | Creator group                        | "PO"  | Printer operators               |
-| "CO"  | Creator owner                        | "PS"  | Personal self                   |
-| "DA"  | Domain administrators                | "PU"  | Power users                     |
-| "DC"  | Domain computers                     | "RS"  | RAS servers group               |
-| "DD"  | Domain controllers                   | "RD"  | Terminal server users           |
-| "DG"  | Domain guests                        | "RE"  | Replicator                      |
-| "DU"  | Domain users                         | "RC"  | Restricted code                 |
-| "EA"  | Enterprise administrators            | "SA"  | Schema administrators           |
-| "ED"  | Enterprise domain controllers        | "SO"  | Server operators                |
-| "WD"  | Everyone                             | "SU"  | Service logon user              |
-
-- *G*: = Primary Group.
-- *D*: = DACL Entries.
-- *S*: = SACL Entries.
-
-*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
-
-Example: D:(A;;FA;;;WD)
-
-- entry\_type:
-
-“D” - DACL
-
-“S” - SACL
-
-- inheritance\_flags:
-
-"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
-
-"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
-
-"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
-
-- ace\_type:
-
-"A" - ACCESS ALLOWED
-
-"D" - ACCESS DENIED
-
-"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
-
-"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
-
-"AU" - SYSTEM AUDIT
-
-"A" - SYSTEM ALARM
-
-"OU" - OBJECT SYSTEM AUDIT
-
-"OL" - OBJECT SYSTEM ALARM
-
-- ace\_flags:
-
-"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
-
-"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
-
-"NP" - NO PROPAGATE: only immediate children inherit this ace.
-
-"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
-
-"ID" - ACE IS INHERITED
-
-"SA" - SUCCESSFUL ACCESS AUDIT
-
-"FA" - FAILED ACCESS AUDIT
-- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
-
-| Value                      | Description                     | Value                | Description              |
-|----------------------------|---------------------------------|----------------------|--------------------------|
-| Generic access rights      | Directory service access rights |
-| "GA"                       | GENERIC ALL                     | "RC"                 | Read Permissions         |
-| "GR"                       | GENERIC READ                    | "SD"                 | Delete                   |
-| "GW"                       | GENERIC WRITE                   | "WD"                 | Modify Permissions       |
-| "GX"                       | GENERIC EXECUTE                 | "WO"                 | Modify Owner             |
-| File access rights         | "RP"                            | Read All Properties  |
-| "FA"                       | FILE ALL ACCESS                 | "WP"                 | Write All Properties     |
-| "FR"                       | FILE GENERIC READ               | "CC"                 | Create All Child Objects |
-| "FW"                       | FILE GENERIC WRITE              | "DC"                 | Delete All Child Objects |
-| "FX"                       | FILE GENERIC EXECUTE            | "LC"                 | List Contents            |
-| Registry key access rights | "SW"                            | All Validated Writes |
-| "KA"                       | "LO"                            | "LO"                 | List Object              |
-| "K"                        | KEY READ                        | "DT"                 | Delete Subtree           |
-| "KW"                       | KEY WRITE                       | "CR"                 | All Extended Rights      |
-| "KX"                       | KEY EXECUTE                     |                      |                          |
-
-- object\_guid: N/A
-- inherit\_object\_guid: N/A
-- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
-
-For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
-
-## Security Monitoring Recommendations
-
-For 4911(S): Resource attributes of the object were changed.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.”
-
--   If you need to monitor all changes to specific files or folders (in this case, changes to resource attributes), monitor for the “**Object Name**” that corresponds to the file or folder.
-
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
-
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
-<!-- -->
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
--   You can track changes when, for example, a file was marked as High Impact, or was changed from High Impact to Medium Impact, or a resource was marked as a data type for a specific department and so on. This event can help track changes and resource attribute assignments, which you can see in “**Original Security Descriptor”** and “**New Security Descriptor”** fields.
-
diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md
deleted file mode 100644
index 8670490796..0000000000
--- a/windows/security/threat-protection/auditing/event-4912.md
+++ /dev/null
@@ -1,180 +0,0 @@
----
-title: 4912(S) Per User Audit Policy was changed. 
-description: Describes security event 4912(S) Per User Audit Policy was changed. This event is generated every time Per User Audit Policy is changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4912(S): Per User Audit Policy was changed.
-
-
-<img src="images/event-4912.png" alt="Event 4912 illustration" width="471" height="478" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Policy Change](audit-audit-policy-change.md)
-
-***Event Description:***
-
-This event generates every time [Per User Audit Policy](http://windowsitpro.com/systems-management/user-auditing-28-jun-2005) was changed.
-
-This event is always logged regardless of the "Audit Policy Change" sub-category setting.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4912</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13568</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-30T23:43:07.363195100Z" /> 
- <EventRecordID>1049452</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="1660" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x11ae30</Data> 
- <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data> 
- <Data Name="CategoryId">%%8276</Data> 
- <Data Name="SubcategoryId">%%13312</Data> 
- <Data Name="SubcategoryGuid">{0CCE922B-69AE-11D9-BED3-505054503030}</Data> 
- <Data Name="AuditPolicyChanges">%%8452</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made a change to per-user audit policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to per-user audit policy.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Policy For Account:**
-
--   **Security ID** \[Type = SID\]**:** SID of account for which the Per User Audit Policy was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-**Policy Change Details:**
-
--   **Category** \[Type = UnicodeString\]**:** the name of auditing category which subcategory state was changed. Possible values are:
-
-    -   Account Logon
-
-    -   Account Management
-
-    -   Detailed Tracking
-
-    -   DS Access
-
-    -   Logon/Logoff
-
-    -   Object Access
-
-    -   Policy Change
-
-    -   Privilege Use
-
-    -   System
-
--   **Subcategory** \[Type = UnicodeString\]**:** the name of auditing subcategory which state was changed. Possible values:
-
-| Value              | Value                    | Value      |
-|------------------------------------------|----------------------------------------------|--------------------------------------|
-| Audit Credential Validation              | Audit Process Termination                    | Audit Other Logon/Logoff Events      |
-| Audit Kerberos Authentication Service    | Audit RPC Events                             | Audit Special Logon                  |
-| Audit Kerberos Service Ticket Operations | Audit Detailed Directory Service Replication | Audit Application Generated          |
-| Audit Other Logon/Logoff Events          | Audit Directory Service Access               | Audit Certification Services         |
-| Audit Application Group Management       | Audit Directory Service Changes              | Audit Detailed File Share            |
-| Audit Computer Account Management        | Audit Directory Service Replication          | Audit File Share                     |
-| Audit Distribution Group Management      | Audit Account Lockout                        | Audit File System                    |
-| Audit Other Account Management Events    | Audit IPsec Extended Mode                    | Audit Filtering Platform Connection  |
-| Audit Security Group Management          | Audit IPsec Main Mode                        | Audit Filtering Platform Packet Drop |
-| Audit User Account Management            | Audit IPsec Quick Mode                       | Audit Handle Manipulation            |
-| Audit DPAPI Activity                     | Audit Logoff                                 | Audit Kernel Object                  |
-| Audit Process Creation                   | Audit Logon                                  | Audit IPsec Driver                   |
-| Audit Other Object Access Events         | Audit Filtering Platform Policy Change       | Audit Other System Events            |
-| Audit Registry                           | Audit MPSSVC Rule-Level Policy Change        | Audit Security State Change          |
-| Audit SAM                                | Audit Other Policy Change Events             | Audit Security System Extension      |
-| Audit Policy Change                      | Audit Non-Sensitive Privilege Use            | Audit System Integrity               |
-| Audit Authentication Policy Change       | Audit Sensitive Privilege Use                | Audit PNP Activity                   |
-| Audit Authorization Policy Change        | Audit Other Privilege Use Events             |                                      |
-| Audit Group Membership                         | Audit Network Policy Server                  |                                      |
-
--   **Subcategory GUID** \[Type = GUID\]**:** the unique GUID of changed subcategory.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
-To see subcategory GUID you can use the following command: “**auditpol /list /subcategory:\* /v”**:
-
-<img src="images/auditpol-list-subcategory.png" alt="Auditpol list GUIDs illustration" width="951" height="506" />
-
--   **Changes** \[Type = UnicodeString\]**:** changes which were made for the subcategory. Possible values are:
-
-    -   Success include removed
-
-    -   Success include added
-
-    -   Failure include removed
-
-    -   Failure include added
-
-    -   Success exclude removed
-
-    -   Success exclude added
-
-    -   Failure exclude removed
-
-    -   Failure exclude added
-
-## Security Monitoring Recommendations
-
-For 4912(S): Per User Audit Policy was changed.
-
--   If you use the Per-user audit feature, then this event should be always monitored, especially on high value assets or computers. If this change was not planned, investigate the reason for the change.
-
--   If you don’t use the Per-user audit feature, then this event should be always monitored because it indicates use of the Per-user audit feature outside of your standard procedures.
-
diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md
deleted file mode 100644
index 41c8fe6d12..0000000000
--- a/windows/security/threat-protection/auditing/event-4913.md
+++ /dev/null
@@ -1,288 +0,0 @@
----
-title: 4913(S) Central Access Policy on the object was changed
-description: Describes security event 4913(S) Central Access Policy on the object was changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4913(S): Central Access Policy on the object was changed
-
-<img src="images/event-4913.png" alt="Event 4913 illustration" width="648" height="557" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Authorization Policy Change](audit-authorization-policy-change.md)
-
-***Event Description:***
-
-This event generates when a [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) on a file system object is changed.
-
-This event always generates, regardless of the object's [SACL](/windows/win32/secauthz/access-control-lists) settings.
-
-> [!NOTE]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-
-***Event XML:***
-
-```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
- <EventID>4913</EventID>
- <Version>0</Version>
- <Level>0</Level>
- <Task>13570</Task>
- <Opcode>0</Opcode>
- <Keywords>0x8020000000000000</Keywords>
- <TimeCreated SystemTime="2015-11-09T23:40:43.118758100Z" />
- <EventRecordID>1183666</EventRecordID>
- <Correlation />
- <Execution ProcessID="516" ThreadID="524" />
- <Channel>Security</Channel>
- <Computer>DC01.contoso.local</Computer>
- <Security />
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
- <Data Name="SubjectUserName">dadmin</Data>
- <Data Name="SubjectDomainName">CONTOSO</Data>
- <Data Name="SubjectLogonId">0x37901</Data>
- <Data Name="ObjectServer">Security</Data>
- <Data Name="ObjectType">File</Data>
- <Data Name="ObjectName">C:\\Audit Files\\HBI Data.txt</Data>
- <Data Name="HandleId">0x3d4</Data>
- <Data Name="OldSd">S:AI</Data>
- <Data Name="NewSd">S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534)</Data>
- <Data Name="ProcessId">0x884</Data>
- <Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data>
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2012, Windows 8.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policy on the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policy on the object.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows-server/identity/ad-ds/manage/understand-security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
-
-**Object**:
-
--   **Object Server** \[Type = UnicodeString\]: has "**Security**" value for this event.
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **"File"** for this event.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device       |
-|-------------------------|--------------|----------------------|--------------|
-| Mutant                  | Type         | File                 | Token        |
-| Thread                  | Section      | WindowStation        | DebugObject  |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion |
-| Controller              | SymbolicLink | WmiGuid              | Process      |
-| Profile                 | Desktop      | KeyedEvent           | Adapter      |
-| Key                     | WaitablePort | Callback             | Semaphore    |
-| Job                     | Port         | FilterConnectionPort | ALPC Port    |
-
--   **Object Name** \[Type = UnicodeString\]: full path and/or name of the object on which the Central Access Policy was changed.
-
-<!-- -->
-
--   **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "[4663](event-4663.md)(S): An attempt was made to access an object." This parameter might not be captured in the event, and in that case appears as "0x0".
-
-**Process:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process using which Central Access Policy was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID** field.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-**Central Policy ID:**
-
--   **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object).
-
-    SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is "**S-1-17-1442530252-1178042555-1247349694-2318402534**". To resolve this SID to the real Central Access Policy name, you need to do the following steps:
-
-1.  Find Central Access Policy Active Directory object in: "CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX" Active Directory container.
-
-2.  Open object's "**Properties**".
-
-3.  Find "**msAuthz-CentralAccessPolicyID**" attribute.
-
-4.  Convert hexadecimal value to SID (string).
-
-<img src="images/adsi-edit.png" alt="ADSI Edit illustration" width="763" height="454" hspace=10" align="left" />
-
-> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example "**S:AI**".
-
--   **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.
-
-> [!NOTE]
-> The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
->
-> Example:
->
-> `*O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)`
->
-> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
-> See the list of possible values in the table below:
-
-| Value | Description                          | Value | Description                     |
-|-------|--------------------------------------|-------|---------------------------------|
-| "AO"  | Account operators                    | "PA"  | Group Policy administrators     |
-| "RU"  | Alias to allow previous Windows 2000 | "IU"  | Interactively logged-on user    |
-| "AN"  | Anonymous sign in                      | "LA"  | Local administrator             |
-| "AU"  | Authenticated users                  | "LG"  | Local guest                     |
-| "BA"  | Built-in administrators              | "LS"  | Local service account           |
-| "BG"  | Built-in guests                      | "SY"  | Local system                    |
-| "BO"  | Backup operators                     | "NU"  | Network sign-in user              |
-| "BU"  | Built-in users                       | "NO"  | Network configuration operators |
-| "CA"  | Certificate server administrators    | "NS"  | Network service account         |
-| "CG"  | Creator group                        | "PO"  | Printer operators               |
-| "CO"  | Creator owner                        | "PS"  | Personal self                   |
-| "DA"  | Domain administrators                | "PU"  | Power users                     |
-| "DC"  | Domain computers                     | "RS"  | RAS servers group               |
-| "DD"  | Domain controllers                   | "RD"  | Terminal server users           |
-| "DG"  | Domain guests                        | "RE"  | Replicator                      |
-| "DU"  | Domain users                         | "RC"  | Restricted code                 |
-| "EA"  | Enterprise administrators            | "SA"  | Schema administrators           |
-| "ED"  | Enterprise domain controllers        | "SO"  | Server operators                |
-| "WD"  | Everyone                             | "SU"  | Service sign-in user              |
-
-- *G*: = Primary Group.
-- *D*: = DACL Entries.
-- *S*: = SACL Entries.
-
-*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
-
-Example: D:(A;;FA;;;WD)
-
-- entry\_type:
-
-"D" - DACL
-
-"S" - SACL
-
-- inheritance\_flags:
-
-"P" - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
-
-"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" isn't also set.
-
-"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
-
-- ace\_type:
-
-"A" - ACCESS ALLOWED
-
-"D" - ACCESS DENIED
-
-"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
-
-"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
-
-"AU" - SYSTEM AUDIT
-
-"A" - SYSTEM ALARM
-
-"OU" - OBJECT SYSTEM AUDIT
-
-"OL" - OBJECT SYSTEM ALARM
-
-- ace\_flags:
-
-"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
-
-"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE.
-
-"NP" - NO PROPAGATE: only immediate children inherit this ace.
-
-"IO" - INHERITANCE ONLY: ace doesn't apply to this object, but may affect children via inheritance.
-
-"ID" - ACE IS INHERITED
-
-"SA" - SUCCESSFUL ACCESS AUDIT
-
-"FA" - FAILED ACCESS AUDIT
-- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
-
-| Value                      | Description                     | Value                | Description              |
-|----------------------------|---------------------------------|----------------------|--------------------------|
-| Generic access rights      | Directory service access rights |
-| "GA"                       | GENERIC ALL                     | "RC"                 | Read Permissions         |
-| "GR"                       | GENERIC READ                    | "SD"                 | Delete                   |
-| "GW"                       | GENERIC WRITE                   | "WD"                 | Modify Permissions       |
-| "GX"                       | GENERIC EXECUTE                 | "WO"                 | Modify Owner             |
-| File access rights         | "RP"                            | Read All Properties  |
-| "FA"                       | FILE ALL ACCESS                 | "WP"                 | Write All Properties     |
-| "FR"                       | FILE GENERIC READ               | "CC"                 | Create All Child Objects |
-| "FW"                       | FILE GENERIC WRITE              | "DC"                 | Delete All Child Objects |
-| "FX"                       | FILE GENERIC EXECUTE            | "LC"                 | List Contents            |
-| Registry key access rights | "SW"                            | All Validated Writes |
-| "KA"                       | "LO"                            | "LO"                 | List Object              |
-| "K"                        | KEY READ                        | "DT"                 | Delete Subtree           |
-| "KW"                       | KEY WRITE                       | "CR"                 | All Extended Rights      |
-| "KX"                       | KEY EXECUTE                     |                      |                          |
-
-- object\_guid: N/A
-- inherit\_object\_guid: N/A
-- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.
-
-For more information about SDDL syntax, see these articles:
-
-- [2.5.1.1 Syntax](/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070)
-- [ACCESS_MASK](/windows/win32/secauthz/access-mask)
-
-## Security Monitoring Recommendations
-
-For 4913(S): Central Access Policy on the object was changed.
-
-> [!IMPORTANT]
-> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor events related to specific Windows object types ("**Object Type**"), for example **File** or **Key**, monitor this event for the corresponding "**Object Type**."
-
--   If you need to monitor all changes to specific files or folders (in this case, changes to the Central Access Policy), monitor for the "**Object Name**" that corresponds to the file or folder.
-
--   If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value.
-
--   You can monitor to see if "**Process Name**" isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**."
-
--   If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in "**New Security Descriptor**" to see if it matches the expected policy.
diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md
deleted file mode 100644
index 370b7401c1..0000000000
--- a/windows/security/threat-protection/auditing/event-4928.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: 4928(S, F) An Active Directory replica source naming context was established. 
-description: Describes security event 4928(S, F) An Active Directory replica source naming context was established.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4928(S, F): An Active Directory replica source naming context was established.
-
-
-<img src="images/event-4928.png" alt="Event 4928 illustration" width="449" height="419" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
-
-***Event Description:***
-
-This event generates every time a new Active Directory replica source naming context is established.
-
-Failure event generates if an error occurs (**Status Code** != 0).
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4928</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14083</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-27T19:15:30.067319300Z" /> 
- <EventRecordID>227065</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="524" ThreadID="1236" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="SourceAddr">ddec0cff-6ceb-4a59-b13f-1724c38a0970.\_msdcs.contoso.local</Data> 
- <Data Name="NamingContext">DC=ForestDnsZones,DC=contoso,DC=local</Data> 
- <Data Name="Options">368</Data> 
- <Data Name="StatusCode">0</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
--   **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name.
-
-> **Note**&nbsp;&nbsp;The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
-
--   **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **Source Address** \[Type = UnicodeString\]: DNS record of the server from which information or an update was received.
-
--   **Naming Context** \[Type = UnicodeString\]**:** naming context to replicate.
-
-> **Note**&nbsp;&nbsp;The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition.
-
--   **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030).
-
-    <img src="images/ad-sites-and-services.png" alt="Directory Replication Service options in AD Sites and Services" width="890" height="529" />
-
--   **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: <https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx>
-
-## Security Monitoring Recommendations
-
-For 4928(S, F): An Active Directory replica source naming context was established.
-
--   Monitor for **Source Address** field, because the source of new replication (new DRA) must be authorized for this action. If you find any unauthorized DRA, you should trigger an event.
-
--   This event is typically used for Active Directory replication troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md
deleted file mode 100644
index 76891ca2a8..0000000000
--- a/windows/security/threat-protection/auditing/event-4929.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: 4929(S, F) An Active Directory replica source naming context was removed. 
-description: Describes security event 4929(S, F) An Active Directory replica source naming context was removed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4929(S, F): An Active Directory replica source naming context was removed.
-
-
-<img src="images/event-4929.png" alt="Event 4929 illustration" width="500" height="374" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
-
-***Event Description:***
-
-This event generates every time Active Directory replica source naming context was removed.
-
-Failure event generates if an error occurs (**Status Code** != 0).
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4929</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14083</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-27T18:54:50.446211200Z" /> 
- <EventRecordID>227013</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="524" ThreadID="2636" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="SourceDRA">-</Data> 
- <Data Name="SourceAddr">2d361dd6-fc22-4d9d-b876-ec582b836458.\_msdcs.contoso.local</Data> 
- <Data Name="NamingContext">DC=contoso,DC=local</Data> 
- <Data Name="Options">16640</Data> 
- <Data Name="StatusCode">0</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
--   **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name.
-
-> **Note**&nbsp;&nbsp;The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
-
--   **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **Source Address** \[Type = UnicodeString\]: DNS record of the server from which the “remove” request was received.
-
--   **Naming Context** \[Type = UnicodeString\]**:** naming context that was removed.
-
-> **Note**&nbsp;&nbsp;The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition.
-
--   **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030).
-
--   **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: <https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx>
-
-## Security Monitoring Recommendations
-
-For 4929(S, F): An Active Directory replica source naming context was removed.
-
--   Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA, you should trigger an event.
-
--   This event is typically used for Active Directory replication troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md
deleted file mode 100644
index 5b50e911b7..0000000000
--- a/windows/security/threat-protection/auditing/event-4930.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: 4930(S, F) An Active Directory replica source naming context was modified. 
-description: Describes security event 4930(S, F) An Active Directory replica source naming context was modified.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4930(S, F): An Active Directory replica source naming context was modified.
-
-
-<img src="images/event-4930.png" alt="Event 4930 illustration" width="448" height="333" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
-
-***Event Description:***
-
-This event generates every time Active Directory replica source naming context was modified.
-
-Failure event generates if an error occurs (**Status Code** != 0).
-
-It isn't possible to understand what exactly was modified from this event.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4930</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14083</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-27T18:56:51.474057400Z" /> 
- <EventRecordID>1564</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="504" ThreadID="1280" /> 
- <Channel>Security</Channel> 
- <Computer>Win2012r2.corp.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="DestinationDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="SourceDRA">-</Data> 
- <Data Name="SourceAddr">edf0bef9-1f73-4df3-8991-f6ec2d4ef3ae</Data> 
- <Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="Options">0</Data> 
- <Data Name="StatusCode">0</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
--   **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name.
-
-> **Note**&nbsp;&nbsp;The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
-
--   **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. Typically equals “**-**“ for this event.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **Source Address** \[Type = UnicodeString\]: DNS record of computer from which the modification request was received.
-
--   **Naming Context** \[Type = UnicodeString\]**:** naming context that was modified.
-
-> **Note**&nbsp;&nbsp;The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition.
-
--   **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030).
-
--   **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: <https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx>
-
-## Security Monitoring Recommendations
-
-For 4930(S, F): An Active Directory replica source naming context was modified.
-
--   Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA, you should trigger an event.
-
--   This event is typically used for Active Directory replication troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md
deleted file mode 100644
index 253625ddd5..0000000000
--- a/windows/security/threat-protection/auditing/event-4931.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: 4931(S, F) An Active Directory replica destination naming context was modified. 
-description: Describes security event 4931(S, F) An Active Directory replica destination naming context was modified.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4931(S, F): An Active Directory replica destination naming context was modified.
-
-
-<img src="images/event-4931.png" alt="Event 4931 illustration" width="500" height="374" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
-
-***Event Description:***
-
-This event generates every time Active Directory replica destination naming context was modified.
-
-Failure event generates if an error occurs (**Status Code** != 0).
-
-It isn't possible to understand what exactly was modified from this event.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4931</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14083</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-27T19:02:41.563619400Z" /> 
- <EventRecordID>227058</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="524" ThreadID="2936" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="DestinationDRA">ddec0cff-6ceb-4a59-b13f-1724c38a0970.\_msdcs.contoso.local</Data> 
- <Data Name="SourceDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="SourceAddr">-</Data> 
- <Data Name="NamingContext">DC=ForestDnsZones,DC=contoso,DC=local</Data> 
- <Data Name="Options">23</Data> 
- <Data Name="StatusCode">0</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
--   **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name.
-
-> **Note**&nbsp;&nbsp;The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
-
--   **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **Destination Address** \[Type = UnicodeString\]: DNS record of computer to which the modification request was sent.
-
--   **Naming Context** \[Type = UnicodeString\]**:** naming context that was modified.
-
-> **Note**&nbsp;&nbsp;The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition.
-
--   **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030).
-
--   **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: <https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx>
-
-## Security Monitoring Recommendations
-
-For 4931(S, F): An Active Directory replica destination naming context was modified.
-
--   This event is typically used for Active Directory replication troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md
deleted file mode 100644
index 94321a4fc3..0000000000
--- a/windows/security/threat-protection/auditing/event-4932.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: 4932(S) Synchronization of a replica of an Active Directory naming context has begun. 
-description: Describes security event 4932(S) Synchronization of a replica of an Active Directory naming context has begun.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4932(S): Synchronization of a replica of an Active Directory naming context has begun.
-
-
-<img src="images/event-4932.png" alt="Event 4932 illustration" width="774" height="363" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Directory Service Replication](audit-directory-service-replication.md)
-
-***Event Description:***
-
-This event generates every time synchronization of a replica of an Active Directory naming context has begun.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4932</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14082</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-02T02:06:03.814642100Z" /> 
- <EventRecordID>413689</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="524" ThreadID="276" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="Options">2147483733</Data> 
- <Data Name="SessionID">48</Data> 
- <Data Name="StartUSN">20869</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
--   **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name.
-
-> **Note**&nbsp;&nbsp;The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
-
--   **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **Naming Context** \[Type = UnicodeString\]**:** naming context to replicate.
-
-> **Note**&nbsp;&nbsp;The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition.
-
--   **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030).
-
--   **Session ID** \[Type = UInt32\]**:** unique identifier of replication session. Using this field you can find “[4932](event-4932.md): Synchronization of a replica of an Active Directory naming context has begun.” and “[4933](event-4933.md): Synchronization of a replica of an Active Directory naming context has ended.” events for the same session.
-
--   **Start USN** \[Type = UnicodeString\]**: Naming Context’s** USN number before replication begins.
-
-> **Note**&nbsp;&nbsp;Active Directory replication does not depend on time to determine what changes need to be propagated. It relies instead on the use of **update sequence numbers (USNs)** that are assigned by a counter that is local to each domain controller. Because these USN counters are local, it is easy to ensure that they are reliable and never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare a USN assigned on one domain controller to a USN assigned on a different domain controller. The replication system is designed with this restriction in mind.
-
-## Security Monitoring Recommendations
-
-For 4932(S): Synchronization of a replica of an Active Directory naming context has begun.
-
--   Monitor for **Source Address** field, because the source of replication (DRA) must be authorized for this action. If you find any unauthorized DRA you should trigger an event.
-
--   This event is typically used for Active Directory replication troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md
deleted file mode 100644
index 7747d4c6e7..0000000000
--- a/windows/security/threat-protection/auditing/event-4933.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. 
-description: Describes security event 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
-
-
-<img src="images/event-4933.png" alt="Event 4933 illustration" width="773" height="377" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Directory Service Replication](audit-directory-service-replication.md)
-
-***Event Description:***
-
-This event generates every time synchronization of a replica of an Active Directory naming context has ended.
-
-Failure event occurs when synchronization of a replica of an Active Directory naming context failed.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4933</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14082</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-01T20:58:28.854735700Z" /> 
- <EventRecordID>413644</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="524" ThreadID="2288" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data> 
- <Data Name="Options">2147483733</Data> 
- <Data Name="SessionID">40</Data> 
- <Data Name="EndUSN">20869</Data> 
- <Data Name="StatusCode">1722</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
--   **Destination DRA** \[Type = UnicodeString\]: destination directory replication agent distinguished name.
-
-> **Note**&nbsp;&nbsp;The **Directory Replication Agent (DRA)** handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
-
--   **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **Naming Context** \[Type = UnicodeString\]**:** naming context to replicate.
-
-> **Note**&nbsp;&nbsp;The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition.
-
--   **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030).
-
--   **Session ID** \[Type = UInt32\]**:** unique identifier of replication session. Using this field you can find “[4932](event-4932.md): Synchronization of a replica of an Active Directory naming context has begun.” and “[4933](event-4933.md): Synchronization of a replica of an Active Directory naming context has ended.” events for the same session.
-
--   **End USN** \[Type = UInt32\]**: Naming Context’s** USN number after replication ends.
-
-> **Note**&nbsp;&nbsp;Active Directory replication does not depend on time to determine what changes need to be propagated. It relies instead on the use of **update sequence numbers (USNs)** that are assigned by a counter that is local to each domain controller. Because these USN counters are local, it is easy to ensure that they are reliable and never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare a USN assigned on one domain controller to a USN assigned on a different domain controller. The replication system is designed with this restriction in mind.
-
--   **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be “**0**”. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: <https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx>
-
-## Security Monitoring Recommendations
-
-For 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
-
--   Monitor for **Source Address** field, because the source of replication (DRA) must be authorized for this action. If you find any unauthorized DRA you should trigger an event.
-
--   This event is typically used for Active Directory replication troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md
deleted file mode 100644
index 52cfbf71f4..0000000000
--- a/windows/security/threat-protection/auditing/event-4934.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: 4934(S) Attributes of an Active Directory object were replicated. 
-description: Describes security event 4934(S) Attributes of an Active Directory object were replicated.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4934(S): Attributes of an Active Directory object were replicated.
-
-
-This event generates when attributes of an Active Directory object were replicated.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
-
-***Event Schema:***
-
-*Attributes of an Active Directory object were replicated.*
-
-*Session ID:%1*
-
-*Object:%2*
-
-*Attribute:%3*
-
-*Type of change:%4*
-
-*New Value:%5*
-
-*USN:%6*
-
-*Status Code:%7*
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   This event is typically used for Active Directory replication troubleshooting.
-
diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md
deleted file mode 100644
index cff9eedb80..0000000000
--- a/windows/security/threat-protection/auditing/event-4935.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: 4935(F) Replication failure begins. 
-description: Describes security event 4935(F) Replication failure begins. This event is generated when Active Directory replication failure begins.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4935(F): Replication failure begins.
-
-
-<img src="images/event-4935.png" alt="Event 4935 illustration" width="448" height="312" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
-
-***Event Description:***
-
-This event generates when Active Directory replication failure begins.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4935</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14083</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-27T18:54:48.758149800Z" /> 
- <EventRecordID>1552</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="504" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>Win2012r2.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ReplicationEvent">1</Data> 
- <Data Name="AuditStatusCode">8419</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Replication Event** \[Type = UInt32\]**:** there is no detailed information about this field in this document.
-
-**Audit Status Code** \[Type = UInt32\]**:** there is no detailed information about this field in this document.
-
-## Security Monitoring Recommendations
-
-For 4935(F): Replication failure begins.
-
--   This event is typically used for Active Directory replication troubleshooting.
-
diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md
deleted file mode 100644
index fb2ebfa921..0000000000
--- a/windows/security/threat-protection/auditing/event-4936.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: 4936(S) Replication failure ends. 
-description: Describes security event 4936(S) Replication failure ends. This event is generated when Active Directory replication failure ends.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4936(S): Replication failure ends.
-
-
-This event generates when Active Directory replication failure ends.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
-
-***Event Schema:***
-
-*Replication failure ends.*
-
-*Replication Event:%1*
-
-*Audit Status Code:%2*
-
-*Replication Status Code:%3*
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   This event is typically used for Active Directory replication troubleshooting.
-
diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md
deleted file mode 100644
index d368e3a4b5..0000000000
--- a/windows/security/threat-protection/auditing/event-4937.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: 4937(S) A lingering object was removed from a replica. 
-description: Describes security event 4937(S) A lingering object was removed from a replica.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4937(S): A lingering object was removed from a replica.
-
-
-This event generates when a [lingering object](/troubleshoot/windows-server/identity/information-lingering-objects) was removed from a replica.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
-
-***Event Schema:***
-
-*A lingering object was removed from a replica.*
-
-*Destination DRA:%1*
-
-*Source DRA:%2*
-
-*Object:%3*
-
-*Options:%4*
-
-*Status Code:%5*
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
-
diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md
deleted file mode 100644
index 44a42b082b..0000000000
--- a/windows/security/threat-protection/auditing/event-4944.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-title: 4944(S) The following policy was active when the Windows Firewall started. 
-description: Describes security event 4944(S) The following policy was active when the Windows Firewall started.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4944(S): The following policy was active when the Windows Firewall started.
-
-
-<img src="images/event-4944.png" alt="Event 4944 illustration" width="449" height="391" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-This event generates every time Windows Firewall service starts.
-
-This event shows Windows Firewall settings that were in effect when the Windows Firewall service started.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4944</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-03T00:14:56.644728300Z" /> 
- <EventRecordID>1050808</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="2216" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="GroupPolicyApplied">No</Data> 
- <Data Name="Profile">Public</Data> 
- <Data Name="OperationMode">Off</Data> 
- <Data Name="RemoteAdminEnabled">Disabled</Data> 
- <Data Name="MulticastFlowsEnabled">Enabled</Data> 
- <Data Name="LogDroppedPacketsEnabled">Disabled</Data> 
- <Data Name="LogSuccessfulConnectionsEnabled">Disabled</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Group Policy Applied** \[Type = UnicodeString\]: it always has “No” value for this event. This field should show information about: was Group Policy applied for Windows Firewall when it starts or not.
-
-**Profile Used** \[Type = UnicodeString\]: shows the active profile name for the moment Windows Firewall service starts. It always has value “**Public**” for this event, because when this event generates, the active profile is not switched to “**Domain**” or “**Private**”. Typically you will see “[4956](event-4956.md)(S): Windows Firewall has changed the active profile” after this event, which will tell you the real active profile.
-
-**Operational mode** \[Type = UnicodeString\]:
-
--   **On** – if “**Firewall state:**” setting was set to “On” for “Public” profile.
-
--   **Off** - if “**Firewall state:**” setting was set to “Off” for “Public” profile.
-
-<img src="images/windows-firewall-state-off.png" alt="Windows Firewall set to Off illustration" width="382" height="395" />
-
-**Allow Remote Administration** \[Type = UnicodeString\]: looks like this setting is connected to ”[Windows Firewall: Allow remote administration exception](/previous-versions/windows/it-pro/windows-server-2003/cc738900(v=ws.10))” Group Policy setting, but it is always Disabled, no matter which option is set for “[Windows Firewall: Allow remote administration exception](/previous-versions/windows/it-pro/windows-server-2003/cc738900(v=ws.10))” Group Policy.
-
-**Allow Unicast Responses to Multicast/Broadcast Traffic** \[Type = UnicodeString\]:
-
--   **Enabled** - if “**Allow unicast response:**” Settings configuration was set to “Yes” for “Public” profile.
-
--   **Disabled** - if “**Allow unicast response:**” Settings configuration was set to “No” for “Public” profile.
-
-<img src="images/firewall-settings-public-profile.png" alt="Firewall Settings, Public Profile illustration" width="411" height="405" />
-
-**Security Logging:**
-
--   **Log Dropped Packets** \[Type = UnicodeString\]:
-
-    -   **Enabled** – if “**Log dropped packets:**” Logging configuration was set to “Yes” for “Public” profile.
-
-    -   **Disabled** - if “**Log dropped packets:**” Logging configuration was set to “No” for “Public” profile.
-
--   **Log Successful Connections** \[Type = UnicodeString\]:
-
-    -   **Enabled** - if “**Log successful connections:**” Logging configuration was set to “Yes” for “Public” profile.
-
-    -   **Disabled** - if “**Log dropped packets:**” Logging configuration was set to “No” for “Public” profile.
-
-<img src="images/logging-settings-public-profile.png" alt="Logging Settings, Public Profile illustration" width="383" height="304" />
-
-## Security Monitoring Recommendations
-
-For 4944(S): The following policy was active when the Windows Firewall started.
-
--   If you have a standard or baseline for Windows Firewall settings defined for **Public** profile (which can be the same as for Domain, for example), monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline.
-
--   Unfortunately this event shows configuration only for **Public** profile, but you can still compare all the settings with your organization's Windows Firewall baseline for Public profile on different computers and trigger an alert if the configuration is not the same.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md
deleted file mode 100644
index 446c3da541..0000000000
--- a/windows/security/threat-protection/auditing/event-4945.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: 4945(S) A rule was listed when the Windows Firewall started. 
-description: Describes security event 4945(S) A rule was listed when the Windows Firewall started.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4945(S): A rule was listed when the Windows Firewall started.
-
-
-<img src="images/event-4945.png" alt="Event 4945 illustration" width="449" height="354" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-This event generates every time Windows Firewall service starts.
-
-This event shows the inbound and/or outbound rule that was listed when the Windows Firewall started and applied for “Public” profile.
-
-This event generates per rule.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4945</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-02T23:48:27.535295100Z" /> 
- <EventRecordID>1049946</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="4744" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ProfileUsed">Public</Data> 
- <Data Name="RuleId">NPS-NPSSvc-In-RPC</Data> 
- <Data Name="RuleName">Network Policy Server (RPC)</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Profile used** \[Type = UnicodeString\]**:** the name of the profile that the rule belongs to. It always has value “**Public”**, because this event shows rules only for “Public” profile.
-
-**Rule:**
-
--   **Rule ID** \[Type = UnicodeString\]: the unique firewall rule identifier.
-
-    To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters:
-
-<img src="images/registry-editor-firewallrules.png" alt="Registry Editor FirewallRules key illustration" width="1412" height="422" />
-
--   **Rule Name** \[Type = UnicodeString\]: the name of the rule that was listed when the Windows Firewall started. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
-
-<img src="images/windows-firewall-with-advanced-security.png" alt="Windows Firewall with Advanced Security illustration" width="1082" height="363" />
-
-## Security Monitoring Recommendations
-
-For 4945(S): A rule was listed when the Windows Firewall started.
-
--   Typically this event has an informational purpose.
-
--   Unfortunately this event shows rules only for **Public** profile, but you still can compare this list with your organization's Windows Firewall baseline for Public profile rules on different computers, and trigger an alert if the configuration isn't the same.
-
diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md
deleted file mode 100644
index a823ec76fa..0000000000
--- a/windows/security/threat-protection/auditing/event-4946.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: 4946(S) A change has been made to Windows Firewall exception list. A rule was added. 
-description: Describes security event 4946(S) A change has been made to Windows Firewall exception list. A rule was added.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4946(S): A change has been made to Windows Firewall exception list. A rule was added.
-
-
-<img src="images/event-4946.png" alt="Event 4946 illustration" width="449" height="350" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-This event generates when new rule was locally added to Windows Firewall.
-
-This event doesn't generate when new rule was added via Group Policy.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4946</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-03T20:05:42.078367200Z" /> 
- <EventRecordID>1050893</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="528" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ProfileChanged">All</Data> 
- <Data Name="RuleId">{F2649D59-1355-4E3C-B886-CDD08B683199}</Data> 
- <Data Name="RuleName">Allow All Rule</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Profile Changed** \[Type = UnicodeString\]**:** the list of profiles to which new rule was applied. Examples:
-
--   All
-
--   Domain, Public
-
--   Domain, Private
-
--   Private, Public
-
--   Public
-
--   Domain
-
--   Private
-
-**Added Rule:**
-
--   **Rule ID** \[Type = UnicodeString\]: the unique new firewall rule identifier.
-
-    To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters:
-
-<img src="images/registry-editor-firewallrules.png" alt="Registry Editor FirewallRules key illustration" width="1412" height="422" />
-
--   **Rule Name** \[Type = UnicodeString\]: the name of the rule that was added. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
-
-<img src="images/windows-firewall-with-advanced-security.png" alt="Windows Firewall with Advanced Security illustration" width="1082" height="363" />
-
-## Security Monitoring Recommendations
-
-For 4946(S): A change has been made to Windows Firewall exception list. A rule was added.
-
--   This event can be helpful in case you want to monitor all creations of new Firewall rules that were done locally.
-
diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
deleted file mode 100644
index 0eff4491dc..0000000000
--- a/windows/security/threat-protection/auditing/event-4947.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. 
-description: Describes security event 4947(S) A change has been made to Windows Firewall exception list. A rule was modified.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
-
-
-<img src="images/event-4947.png" alt="Event 4947 illustration" width="449" height="361" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-This event generates when Windows Firewall rule was modified.
-
-This event doesn't generate when Firewall rule was modified via Group Policy.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4947</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-03T20:27:22.485152000Z" /> 
- <EventRecordID>1050908</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="3796" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ProfileChanged">All</Data> 
- <Data Name="RuleId">{F2649D59-1355-4E3C-B886-CDD08B683199}</Data> 
- <Data Name="RuleName">Allow All Rule</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Profile Changed** \[Type = UnicodeString\]**:** the list of profiles to which changed rule is applied. Examples:
-
--   All
-
--   Domain,Public
-
--   Domain,Private
-
--   Private,Public
-
--   Public
-
--   Domain
-
--   Private
-
-**Modified Rule:**
-
--   **Rule ID** \[Type = UnicodeString\]: the unique identifier for modified firewall rule.
-
-    To see the unique ID of the rule, navigate to the“**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
-
-<img src="images/registry-editor-firewallrules.png" alt="Registry Editor FirewallRules key illustration" width="1412" height="422" />
-
--   **Rule Name** \[Type = UnicodeString\]: the name of the rule that was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
-
-<img src="images/windows-firewall-with-advanced-security.png" alt="Windows Firewall with Advanced Security illustration" width="1082" height="363" />
-
-## Security Monitoring Recommendations
-
-For 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
-
--   This event can be helpful in case you want to monitor all Firewall rules modifications that were done locally.
-
diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md
deleted file mode 100644
index 66e43ae5bd..0000000000
--- a/windows/security/threat-protection/auditing/event-4948.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. 
-description: Describes security event 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted.
-
-
-<img src="images/event-4948.png" alt="Event 4948 illustration" width="449" height="361" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-This event generates when Windows Firewall rule was deleted.
-
-This event doesn't generate when the rule was deleted via Group Policy.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4948</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-03T21:19:15.646187500Z" /> 
- <EventRecordID>1050934</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="528" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ProfileChanged">All</Data> 
- <Data Name="RuleId">{F2649D59-1355-4E3C-B886-CDD08B683199}</Data> 
- <Data Name="RuleName">Allow All Rule</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Profile Changed** \[Type = UnicodeString\]**:** the list of profiles to which deleted rule was applied. Examples:
-
--   All
-
--   Domain, Public
-
--   Domain, Private
-
--   Private, Public
-
--   Public
-
--   Domain
-
--   Private
-
-**Deleted Rule:**
-
--   **Rule ID** \[Type = UnicodeString\]: the unique identifier for deleted firewall rule.
-
-    To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters:
-
-<img src="images/registry-editor-firewallrules.png" alt="Registry Editor FirewallRules key illustration" width="1412" height="422" />
-
--   **Rule Name** \[Type = UnicodeString\]: the name of the rule that was deleted. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
-
-<img src="images/windows-firewall-with-advanced-security.png" alt="Windows Firewall with Advanced Security illustration" width="1082" height="363" />
-
-## Security Monitoring Recommendations
-
-For 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted.
-
--   This event can be helpful in case you want to monitor all deletions of Firewall rules that were done locally.
-
diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md
deleted file mode 100644
index c2ca64e36a..0000000000
--- a/windows/security/threat-protection/auditing/event-4949.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: 4949(S) Windows Firewall settings were restored to the default values. 
-description: Describes security event 4949(S) Windows Firewall settings were restored to the default values.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4949(S): Windows Firewall settings were restored to the default values.
-
-
-<img src="images/event-4949.png" alt="Event 4949 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-This event generates when Windows Firewall settings were locally restored to the default configuration.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4949</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-02T23:38:28.804003300Z" /> 
- <EventRecordID>1049926</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="3768" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
- <EventData /> 
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 4949(S): Windows Firewall settings were restored to the default values.
-
--   You shouldn’t see this event during normal Windows Firewall operations, because it should be intentionally done by user or software. This event should be always monitored and an alert should be triggered, especially on critical computers or devices.
-
--   This event can be helpful in case you want to monitor all changes of Firewall rules which were done locally, especially restores to default configuration.
-
diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md
deleted file mode 100644
index fe1a3cacc8..0000000000
--- a/windows/security/threat-protection/auditing/event-4950.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: 4950(S) A Windows Firewall setting has changed. 
-description: Describes security event 4950(S) A Windows Firewall setting has changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4950(S): A Windows Firewall setting has changed.
-
-
-<img src="images/event-4950.png" alt="Event 4950 illustration" width="449" height="354" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-This event generates when Windows Firewall local setting was changed.
-
-This event doesn't generate when Windows Firewall setting was changed via Group Policy.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4950</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-03T21:38:08.086908400Z" /> 
- <EventRecordID>1050944</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="924" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ProfileChanged">Domain</Data> 
- <Data Name="SettingType">Default Outbound Action</Data> 
- <Data Name="SettingValue">Block</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Changed Profile** \[Type = UnicodeString\]**:** the name of profile in which setting was changed. Possible values are:
-
--   Public
-
--   Domain
-
--   Private
-
-**New Setting:**
-
--   **Type** \[Type = UnicodeString\]: the name of the setting that was modified. You can use “**netsh advfirewall**” command to see or set Windows Firewall settings, for example, to see settings for current\\active Windows Firewall profile you need to execute “**netsh advfirewall show currentprofile**” command:
-
-<img src="images/netsh-advfirewall-command.png" alt="Netsh advfirewall command illustration" width="951" height="422" />
-
--   **Value** \[Type = UnicodeString\]: new value of modified setting.
-
-## Security Monitoring Recommendations
-
-For 4950(S): A Windows Firewall setting has changed.
-
--   If you have a standard or baseline for Windows Firewall settings defined, monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline.
-
--   This event can be helpful in case you want to monitor all changes in Windows Firewall settings that were done locally.
-
diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md
deleted file mode 100644
index e83a14e571..0000000000
--- a/windows/security/threat-protection/auditing/event-4951.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall. 
-description: Describes security event 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall.
-
-
-<img src="images/event-4951.png" alt="Event 4951 illustration" width="449" height="364" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions.
-
-If you create a firewall rule on a newer version of Windows that references firewall settings that aren't available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it can't process the rule.
-
-The only solution is to remove the incompatible rule, and then deploy a compatible rule.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4951</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-07T21:49:06.951537900Z" /> 
- <EventRecordID>1052309</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="524" ThreadID="556" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="Profile">All</Data> 
- <Data Name="RuleId">{08CBB349-D158-46BE-81E1-2ABC59BDD523}</Data> 
- <Data Name="RuleName">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Profile** \[Type = UnicodeString\]**:** the name of the profile of the ignored rule. Possible values are:
-
--   All
-
--   Domain, Public
-
--   Domain, Private
-
--   Private, Public
-
--   Public
-
--   Domain
-
--   Private
-
-**Ignored Rule:**
-
--   **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule.
-
-    To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters:
-
-<img src="images/registry-editor-firewallrules.png" alt="Registry Editor FirewallRules key illustration" width="1412" height="422" />
-
--   **Name** \[Type = UnicodeString\]: the name of the rule that was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
-
-<img src="images/windows-firewall-with-advanced-security.png" alt="Windows Firewall with Advanced Security illustration" width="1082" height="363" />
-
-## Security Monitoring Recommendations
-
-For 4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall.
-
--   This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
-
diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md
deleted file mode 100644
index d727a8f210..0000000000
--- a/windows/security/threat-protection/auditing/event-4952.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. 
-description: Security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
-
-
-When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions.
-
-If you create a firewall rule on a newer version of Windows that references firewall settings that are not available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it cannot process the rule.
-
-The only solution is to remove the incompatible rule, and then deploy a compatible rule.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Schema:***
-
-*Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.*
-
-*%t*
-
-*Profile:%t%1*
-
-*Partially Ignored Rule:*
-
-*%tID:%t%2*
-
-*%tName:%t%3*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
-
diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md
deleted file mode 100644
index a729e5af8e..0000000000
--- a/windows/security/threat-protection/auditing/event-4953.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: 4953(F) Windows Firewall ignored a rule because it couldn't be parsed. 
-description: Describes security event 4953(F) Windows Firewall ignored a rule because it couldn't be parsed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4953(F): Windows Firewall ignored a rule because it couldn't be parsed.
-
-
-<img src="images/event-4953.png" alt="Event 4953 illustration" width="449" height="375" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-This event generates if Windows Firewall wasn't able to parse Windows Firewall rule for some reason.
-
-It can happen if Windows Firewall rule registry entry was corrupted.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4953</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-07T22:03:40.261507200Z" /> 
- <EventRecordID>1052340</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="524" ThreadID="5088" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="Profile">All</Data> 
- <Data Name="ReasonForRejection">An error occurred.</Data> 
- <Data Name="RuleId">{08CBB349-D158-46BE-81E1-2ABC59BDD523}</Data> 
- <Data Name="RuleName">-</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Profile** \[Type = UnicodeString\]**:** the name of the profile of the ignored rule. Possible values are:
-
--   All
-
--   Domain, Public
-
--   Domain, Private
-
--   Private, Public
-
--   Public
-
--   Domain
-
--   Private
-
-**Reason for Rejection** \[Type = UnicodeString\]**:** the reason, why the rule was ignored.
-
-**Rule:**
-
--   **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule.
-
-    To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters:
-
-<img src="images/registry-editor-firewallrules.png" alt="Registry Editor FirewallRules key illustration" width="1412" height="422" />
-
--   **Name** \[Type = UnicodeString\]: the name of the rule that was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
-
-<img src="images/windows-firewall-with-advanced-security.png" alt="Windows Firewall with Advanced Security illustration" width="1082" height="363" />
-
-## Security Monitoring Recommendations
-
-For 4953(F): Windows Firewall ignored a rule because it couldn't be parsed.
-
--   This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
-
diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md
deleted file mode 100644
index cdb31c5fbb..0000000000
--- a/windows/security/threat-protection/auditing/event-4954.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. 
-description: Describes security event 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
-
-
-<img src="images/event-4954.png" alt="Event 4954 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-This event generates every time Windows Firewall group policy is changed, locally or from Active Directory Group Policy.
-
-This event generates every time local Group Policy is refreshed, even if no Windows Firewall settings were modified or presented.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4954</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-02T23:13:14.527924800Z" /> 
- <EventRecordID>1049893</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="2284" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
- <EventData /> 
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
-
--   Unfortunately this event generates every time local Group Policy is refreshed and does not indicate that settings really were modified. Typically this event can be ignored.
-
diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md
deleted file mode 100644
index 299e21d03c..0000000000
--- a/windows/security/threat-protection/auditing/event-4956.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: 4956(S) Windows Firewall has changed the active profile. 
-description: Describes security event 4956(S) Windows Firewall has changed the active profile.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4956(S): Windows Firewall has changed the active profile.
-
-
-<img src="images/event-4956.png" alt="Event 4956 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-This event generates when Windows Firewall has changed the active profile.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4956</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-03T00:14:56.676017600Z" /> 
- <EventRecordID>1050811</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="2216" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ActiveProfile">Domain</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**New Active Profile** \[Type = UnicodeString\]**:** the name of the new active profile. Possible values are:
-
--   Domain
-
--   Public
-
--   Private
-
-## Security Monitoring Recommendations
-
-For 4956(S): Windows Firewall has changed the active profile.
-
--   Typically this event has an informational purpose.
-
--   For domain joined machines you could monitor for all events where **New Active Profile** doesn’t equal **“Domain”**. This indicates that the computer was connected to another non-domain network.
-
diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md
deleted file mode 100644
index a2fd4fd1b8..0000000000
--- a/windows/security/threat-protection/auditing/event-4957.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: 4957(F) Windows Firewall did not apply the following rule. 
-description: Describes security event 4957(F) Windows Firewall didn't apply the following rule.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4957(F): Windows Firewall did not apply the following rule.
-
-
-<img src="images/event-4957.png" alt="Event 4957 illustration" width="449" height="365" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Description:***
-
-This event generates when Windows Firewall starts or apply new rule, and the rule can't be applied for some reason.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4957</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13571</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-02T23:13:14.496678500Z" /> 
- <EventRecordID>1049892</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="2284" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="RuleId">CoreNet-Teredo-In</Data> 
- <Data Name="RuleName">Core Networking - Teredo (UDP-In)</Data> 
- <Data Name="RuleAttr">Local Port</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Rule Information:**
-
--   **ID** \[Type = UnicodeString\]: the unique identifier for not applied firewall rule.
-
-    To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters:
-
-<img src="images/registry-editor-firewallrules.png" alt="Registry Editor FirewallRules key illustration" width="1412" height="422" />
-
--   **Name** \[Type = UnicodeString\]: the name of the rule that wasn't applied. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
-
-<img src="images/windows-firewall-with-advanced-security.png" alt="Windows Firewall with Advanced Security illustration" width="1082" height="363" />
-
-**Error Information:**
-
--   **Reason** \[Type = UnicodeString\]: the reason why the rule wasn't applied.
-
-## Security Monitoring Recommendations
-
-For 4957(F): Windows Firewall did not apply the following rule.
-
--   This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
-
diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md
deleted file mode 100644
index b46bed82ca..0000000000
--- a/windows/security/threat-protection/auditing/event-4958.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. 
-description: Describes security event 4958(F) Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
-
-
-Windows Firewall with Advanced Security processed a rule that contains parameters that can't be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This exclusion isn't necessarily an error. Examine the rule for applicability on the computers to which it was applied.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-
-***Event Schema:***
-
-*Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer:
-Rule Information:
-%tID:%t%1
-%tName:%t%2
-Error Information:
-%tError:%t%3
-%tReason:%t%4*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
-
diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md
deleted file mode 100644
index 12b5bf4a9b..0000000000
--- a/windows/security/threat-protection/auditing/event-4964.md
+++ /dev/null
@@ -1,160 +0,0 @@
----
-title: 4964(S) Special groups have been assigned to a new logon. 
-description: Describes security event 4964(S) Special groups have been assigned to a new logon.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4964(S): Special groups have been assigned to a new logon.
-
-
-<img src="images/event-4964.png" alt="Event 4964 illustration" width="448" height="419" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Special Logon](audit-special-logon.md)
-
-***Event Description:***
-
-This event occurs when an account that is a member of any defined [Special Group](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) logs in.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4964</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12548</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-11T02:25:16.236443300Z" /> 
- <EventRecordID>238923</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="504" ThreadID="5008" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0xd972e</Data> 
- <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> 
- <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data> 
- <Data Name="TargetUserName">ladmin</Data> 
- <Data Name="TargetDomainName">CONTOSO</Data> 
- <Data Name="TargetLogonId">0x139faf</Data> 
- <Data Name="TargetLogonGuid">{B03B6192-09AE-E77F-DD10-2DC430766040}</Data> 
- <Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-> **Note**&nbsp;&nbsp;Special Groups is a new feature in Windows Vista and in Windows Server 2008. The Special Groups feature lets the administrator find out when a member of a certain group logs on to the computer. The Special Groups feature lets an administrator set a list of group security identifiers (SIDs) in the registry.
-
-&gt; To add Special Groups perform the following actions:
-
-&gt; 1. Open Registry Editor.
-
-&gt; 2. Locate and then click the following registry subkey: HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\Audit
-
-&gt; 3. On the Edit menu, point to New, and then click String Value.
-
-&gt; 4. Type SpecialGroups, and then press ENTER.
-
-&gt; 5. Right-click SpecialGroups, and then click Modify.
-
-&gt; 6. In the Value date box, type the group SIDs, and then click OK.
-
-&gt; A semicolon character (;) can be used to delimit the SID list. For example, you can use the following string that contains a semicolon to delimit two SIDs:
-
-&gt; S-1-5-32-544;S-1-5-32-123-54-65
-
-&gt; For more information see: <https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx>
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested logon for **New Logon** account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested logon for **New Logon** account.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
--   **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller.
-
-    It also can be used for correlation between a 4964 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4624](event-4624.md)(S): An account was successfully logged on.”
-
-    This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
-**New Logon:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that performed the logon. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the logon.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
--   **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller.
-
-    It also can be used for correlation between a 4964 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4624](event-4624.md)(S): An account was successfully logged on.”
-
-    This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
-
--   **Special Groups Assigned** \[Type = UnicodeString\]: the list of special group SIDs, which **New Logon\\Security ID** is a member of.
-
-## Security Monitoring Recommendations
-
-For 4964(S): Special groups have been assigned to a new logon.
-
--   Generally speaking, every [4964](event-4964.md) event should be monitored, because the purpose of Special Groups is to define a list of critical or important groups (Domain Admins, Enterprise Admins, service account groups, and so on) and trigger an event every time a member of these groups logs on to a computer. For example, you can monitor for every Domain Administrators logon to a non-administrative workstation.
-
diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md
deleted file mode 100644
index 843551f1d1..0000000000
--- a/windows/security/threat-protection/auditing/event-4985.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-title: 4985(S) The state of a transaction has changed. 
-description: Describes security event 4985(S) The state of a transaction has changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4985(S): The state of a transaction has changed.
-
-
-<img src="images/event-4985.png" alt="Event 4985 illustration" width="468" height="473" hspace="10" align="left" />
-
-***Subcategories:***&nbsp;[Audit File System](audit-file-system.md), [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md), [Audit Other Privilege Use Events](audit-other-privilege-use-events.md), and [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
-
-***Event Description:***
-
-This is an informational event from file system [Transaction Manager](/windows/win32/ktm/transaction-managers).
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>4985</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12800</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-19T00:00:40.099093300Z" /> 
- <EventRecordID>274277</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="5048" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DC01$</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="TransactionId">{17EF5E21-5E2C-11E5-810F-00155D987005}</Data> 
- <Data Name="NewState">52</Data> 
- <Data Name="ResourceManager">{5F5ED427-FCCA-11E3-BD73-B54AB417B853}</Data> 
- <Data Name="ProcessId">0x370</Data> 
- <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account through which the state of the transaction was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the state of the transaction.
-
--   **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Transaction Information:**
-
--   **RM Transaction ID** \[Type = GUID\]: unique GUID of the [transaction](/windows/win32/ktm/what-is-a-transaction). This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.”
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **New State** \[Type = UInt32\]**:** identifier of the new state of the [transaction](/windows/win32/ktm/what-is-a-transaction).
-
--   **Resource Manager** \[Type = GUID\]**:** unique GUID-Identifier of the [Resource Manager](/windows/win32/ktm/resource-managers) which associated with this [transaction](/windows/win32/ktm/what-is-a-transaction).
-
-**Process Information:**
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the state of the transaction was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-## Security Monitoring Recommendations
-
-For 4985(S): The state of a transaction has changed.
-
--   This event typically has no security relevance and used for [Transaction Manager](/windows/win32/ktm/transaction-managers) troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md
deleted file mode 100644
index 00353b46f9..0000000000
--- a/windows/security/threat-protection/auditing/event-5024.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: 5024(S) The Windows Firewall Service has started successfully. 
-description: Describes security event 5024(S) The Windows Firewall Service has started successfully.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5024(S): The Windows Firewall Service has started successfully.
-
-
-<img src="images/event-5024.png" alt="Event 5024 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Description:***
-
-This event generates when Windows Firewall (MpsSvc) service has started successfully.
-
-This event is typically logged during operating system startup process.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5024</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12292</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-09T03:22:53.842816300Z" /> 
- <EventRecordID>1101613</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="528" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
- <EventData /> 
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 5024(S): The Windows Firewall Service has started successfully.
-
--   Typically this event has an informational purpose. It’s logged during operating system startup process.
-
--   You should not see this event after system startup, so we recommend that you monitor it when it occurs outside the system startup process.
-
diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md
deleted file mode 100644
index d13e773f3e..0000000000
--- a/windows/security/threat-protection/auditing/event-5025.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: 5025(S) The Windows Firewall Service has been stopped. 
-description: Describes security event 5025(S) The Windows Firewall Service has been stopped.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5025(S): The Windows Firewall Service has been stopped.
-
-
-<img src="images/event-5025.png" alt="Event 5025 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Description:***
-
-This event generates when Windows Firewall (MpsSvc) service has been stopped.
-
-This event is typically logged during operating system shutdown process.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5025</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12292</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-09T03:22:23.742965400Z" /> 
- <EventRecordID>1101606</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="508" ThreadID="3780" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
- <EventData /> 
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 5025(S): The Windows Firewall Service has been stopped.
-
--   Typically this event has an informational purpose. It’s logged during operating system shutdown process.
-
--   You should not see this event after system startup, so we recommend that you monitor it when it occurs outside the system startup process.
-
diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md
deleted file mode 100644
index f9bd6770a1..0000000000
--- a/windows/security/threat-protection/auditing/event-5027.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. 
-description: Details on security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
-
-
-<img src="images/event-5027.png" alt="Event 5027 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Description:***
-
-This error indicates one of two situations, low memory resources or Windows Firewall group policy registry corruption.
-
-Typically if this event occurs it indicates that Windows Firewall service was not able to start.
-
-It typically occurs with “[5028](event-5028.md)(S): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.”
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5027</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12292</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-13T23:10:05.318922900Z" /> 
- <EventRecordID>1101848</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="2000" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ErrorCode">2147942413</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Error Code** \[Type = UInt32\]**:** unique error code. For information about error codes meanings for this event use <https://technet.microsoft.com/> or other informational resources.
-
-## Security Monitoring Recommendations
-
-For 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
-
--   This event can be a sign of software or operating system issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
-
diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md
deleted file mode 100644
index 8c49e63b2b..0000000000
--- a/windows/security/threat-protection/auditing/event-5028.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. 
-description: Describes security event 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
-
-
-<img src="images/event-5028.png" alt="Event 5028 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Description:***
-
-This error indicates one of two situations, low memory resources or Windows Firewall group policy registry corruption.
-
-Typically if this event occurs it indicates that Windows Firewall service was not able to start.
-
-It typically occurs with “[5027](event-5027.md)(S): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.”
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5028</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12292</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-13T23:10:05.318922900Z" /> 
- <EventRecordID>1101849</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="2000" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ErrorCode">2147942413</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Error Code** \[Type = UInt32\]**:** unique error code. For information about error codes meanings for this event use <https://technet.microsoft.com/> or other informational resources.
-
-## Security Monitoring Recommendations
-
-For 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
-
--   This event can be a sign of software or operating system issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
-
diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md
deleted file mode 100644
index dfa020140d..0000000000
--- a/windows/security/threat-protection/auditing/event-5029.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. 
-description: Describes security event 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
-
-
-Windows logs an error if either the Windows Firewall service or its driver fails to start, or if they unexpectedly terminate. The error message indicates the cause of the service failure by including an error code in the text of the message.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy.*
-
-*Error Code:%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   This event can be a sign of software or operating system issues, or a sign of malicious activity that corrupted Windows Firewall Driver. We recommend monitoring this event and investigating the reason for the condition.
-
diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md
deleted file mode 100644
index 145336f252..0000000000
--- a/windows/security/threat-protection/auditing/event-5030.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: 5030(F) The Windows Firewall Service failed to start. 
-description: Describes security event 5030(F) The Windows Firewall Service failed to start.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5030(F): The Windows Firewall Service failed to start.
-
-
-Windows logs this event if the Windows Firewall service fails to start, or if it unexpectedly terminates. The error message indicates the cause of the service failure by including an error code in the text of the message.
-
-This event doesn't generate during Windows Firewall service failures if Windows Firewall policy is incorrect\\corrupted or one of the service dependencies wasn't started.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*The Windows Firewall service failed to start.*
-
-*Error Code:%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   This event can be a sign of software or operating system issues, or a sign of malicious activity that corrupted Windows Firewall Driver. We recommend monitoring this event and investigating the reason for the condition.
-
diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md
deleted file mode 100644
index c569dbc016..0000000000
--- a/windows/security/threat-protection/auditing/event-5031.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network. 
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-description: Describes security event 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.topic: reference
----
-
-# 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
-
-
-<img src="images/event-5031.png" alt="Event 5031 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-
-***Event Description:***
-
-This event generates when an application was blocked from accepting incoming connections on the network by [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page).
-
-If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you'll get this event from [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) layer, because by default this layer is denying any incoming connections.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5031</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12810</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-22T03:46:36.634473000Z" /> 
- <EventRecordID>304373</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="2976" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="Profiles">Domain</Data> 
- <Data Name="Application">C:\\documents\\listener.exe</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
--   **Profiles** \[Type = UnicodeString\]: network profile using which application was blocked. Possible values:
-
-    -   Domain
-
-    -   Public
-
-    -   Private
-
--   **Application** \[Type = UnicodeString\]: full path and file name of executable file for blocked application.
-
-## Security Monitoring Recommendations
-
-For 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
-
--   You can use this event to detect applications for which no Windows Firewall rules were created.
-
--   If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
-
--   You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md
deleted file mode 100644
index f982635697..0000000000
--- a/windows/security/threat-protection/auditing/event-5032.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. 
-description: Describes security event 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
-
-
-Windows Firewall with Advanced Security can be configured to notify the user when an application is blocked by the firewall, and ask if the application should continue to be blocked in the future.
-
-This event generates if Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.*
-
-*Error Code:%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
-
diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md
deleted file mode 100644
index 65e7a2f819..0000000000
--- a/windows/security/threat-protection/auditing/event-5033.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: 5033(S) The Windows Firewall Driver has started successfully. 
-description: Describes security event 5033(S) The Windows Firewall Driver has started successfully.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5033(S): The Windows Firewall Driver has started successfully.
-
-
-<img src="images/event-5033.png" alt="Event 5033 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Description:***
-
-This event generates when Windows Firewall driver (Windows Firewall Authorization Driver service) has started successfully.
-
-This event is typically logged during operating system startup process.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5033</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12292</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-09T03:22:53.526024800Z" /> 
- <EventRecordID>1101612</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="148" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
- <EventData /> 
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 5033(S): The Windows Firewall Driver has started successfully.
-
--   Typically this event has an informational purpose. It’s logged during operating system startup process.
-
--   You should not see this event after system startup, so we recommend that you monitor it when it occurs outside the system startup process.
-
diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md
deleted file mode 100644
index 604aaafc09..0000000000
--- a/windows/security/threat-protection/auditing/event-5034.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: 5034(S) The Windows Firewall Driver was stopped. 
-description: Describes security event 5034(S) The Windows Firewall Driver was stopped.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5034(S): The Windows Firewall Driver was stopped.
-
-
-<img src="images/event-5034.png" alt="Event 5034 illustration" width="449" height="317" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Description:***
-
-This event generates when Windows Firewall driver (Windows Firewall Authorization Driver service) was stopped.
-
-This event is NOT logged during the operating system shutdown process.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5034</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12292</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-13T23:40:55.482270000Z" /> 
- <EventRecordID>1101856</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="140" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
- <EventData /> 
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 5034(S): The Windows Firewall Driver was stopped.
-
--   This event is NOT logged during the operating system shutdown process.
-
--   You should not see this event during normal operating system operations, so we recommend that when it occurs, you investigate why the Windows Firewall driver was stopped.
-
diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md
deleted file mode 100644
index b0290be5fc..0000000000
--- a/windows/security/threat-protection/auditing/event-5035.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: 5035(F) The Windows Firewall Driver failed to start. 
-description: Describes security event 5035(F) The Windows Firewall Driver failed to start.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5035(F): The Windows Firewall Driver failed to start.
-
-
-Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*The Windows Firewall Driver failed to start.*
-
-*Error Code:%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   This event can be a sign of software or operating system issues, or a sign of malicious activity that corrupted Windows Firewall Driver. We recommend monitoring this event and investigating the reason for the condition.
-
diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md
deleted file mode 100644
index 8f22210755..0000000000
--- a/windows/security/threat-protection/auditing/event-5037.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. 
-description: Describes security event 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5037(F): The Windows Firewall Driver detected critical runtime error. Terminating.
-
-
-Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*The Windows Firewall Driver detected a critical runtime error, terminating.*
-
-*Error Code:%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   This event can be a sign of software or operating system issues, or a sign of malicious activity that corrupted Windows Firewall Driver. We recommend monitoring this event and investigating the reason for the condition.
-
diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md
deleted file mode 100644
index 84ad591d34..0000000000
--- a/windows/security/threat-protection/auditing/event-5038.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: 5038(F) Code integrity determined that the image hash of a file is not valid. 
-description: Describes security event 5038(F) Code integrity determined that the image hash of a file isn't valid.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
-
-
-The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
-
-This event generates by [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) feature, if signature of a file isn't valid.
-
-Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.*
-
-*File Name: %filepath\\filename%*
-
-## Security Monitoring Recommendations
-
--   We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
deleted file mode 100644
index a1b4dc60e2..0000000000
--- a/windows/security/threat-protection/auditing/event-5039.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: 5039(-) A registry key was virtualized. 
-description: Describes security event 5039(-) A registry key was virtualized. This event is generated when a registry key is virtualized using LUAFV.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5039(-): A registry key was virtualized.
-
-
-This event should be generated when registry key was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
-
-This event occurs rarely during standard LUAFV registry key virtualization.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Registry](audit-registry.md)
-
-***Event Schema:***
-
-*A registry key was virtualized.*
-
-*Subject:*
-
-> *Security ID:%1%*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Object:*
-
-> *Key Name:%5*
->
-> *Virtual Key Name:%6*
-
-*Process Information:*
-
-> *Process ID:%7*
->
-> *Process Name%8*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There's no recommendation for this event in this document.
-
-
-
diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md
deleted file mode 100644
index 6ced4325e8..0000000000
--- a/windows/security/threat-protection/auditing/event-5051.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: 5051(-) A file was virtualized. 
-description: Describes security event 5051(-) A file was virtualized. This event is generated when a file is virtualized using LUAFV.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5051(-): A file was virtualized.
-
-
-This event should be generated when file was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
-
-This event occurs rarely during standard LUAFV file virtualization.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit File System](audit-file-system.md)
-
-***Event Schema:***
-
-*A file was virtualized.*
-
-*Subject:*
-
-> *Security ID:%1%*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Object:*
-
-> *File Name:%5*
->
-> *Virtual File Name:%6*
-
-*Process Information:*
-
-> *Process ID:%7*
->
-> *Process Name%8*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There's no recommendation for this event in this document.
-
diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
deleted file mode 100644
index 5130521799..0000000000
--- a/windows/security/threat-protection/auditing/event-5056.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: 5056(S) A cryptographic self-test was performed. 
-description: Describes security event 5056(S) A cryptographic self-test was performed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5056(S): A cryptographic self-test was performed.
-
-
-This event generates in CNG Self-Test function. This function is a Cryptographic Next Generation (CNG) function.
-
-For more information about Cryptographic Next Generation (CNG) visit these pages:
-
--   <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
-
--   <https://msdn.microsoft.com/library/windows/desktop/bb204775(v=vs.85).aspx>
-
--   <https://www.microsoft.com/download/details.aspx?id=30688>
-
-This event is used for CNG troubleshooting.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*A cryptographic self-test was performed.*
-
-*Subject:*
-
-> *Security ID%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Module:%5*
-
-*Return Code:%6*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related actions with cryptographic keys. If you need to monitor or troubleshoot actions related to specific cryptographic keys and operations, review this event to see if it provides the information you need.
-
diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md
deleted file mode 100644
index b45863a7f8..0000000000
--- a/windows/security/threat-protection/auditing/event-5057.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: 5057(F) A cryptographic primitive operation failed. 
-description: Describes security event 5057(F) A cryptographic primitive operation failed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5057(F): A cryptographic primitive operation failed.
-
-
-This event generates if there's a CNG primitive operation failure.
-
-For more information about Cryptographic Next Generation (CNG) visit these pages:
-
--   <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
-
--   <https://msdn.microsoft.com/library/windows/desktop/bb204775(v=vs.85).aspx>
-
--   <https://www.microsoft.com/download/details.aspx?id=30688>
-
-This event is used for Cryptographic Next Generation (CNG) troubleshooting.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*A cryptographic primitive operation failed.*
-
-*Subject:*
-
-> *Security ID%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Cryptographic Parameters:*
-
-> *Provider Name:%5*
->
-> *Algorithm Name%6*
-
-*Failure Information:*
-
-> *Reason:%7*
->
-> *Return Code:%8*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related actions with cryptographic keys. If you need to monitor or troubleshoot actions related to specific cryptographic keys and operations, review this event to see if it provides the information you need.
-
diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md
deleted file mode 100644
index 52e292db53..0000000000
--- a/windows/security/threat-protection/auditing/event-5058.md
+++ /dev/null
@@ -1,161 +0,0 @@
----
-title: 5058(S, F) Key file operation. 
-description: Describes security event 5058(S, F) Key file operation. This event is generated when an operation is performed on a file that contains a KSP key.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5058(S, F): Key file operation.
-
-
-<img src="images/event-5058.png" alt="Event 5058 illustration" width="833" height="502" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Description:***
-
-This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs was used:
-
--   Microsoft Software Key Storage Provider
-
--   Microsoft Smart Card Key Storage Provider
-
-You can see these events, for example, during certificate renewal or export operations using KSP.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5058</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12292</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-14T19:32:07.888796600Z" /> 
- <EventRecordID>1048275</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="2312" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x38e2d</Data> 
- <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data> 
- <Data Name="AlgorithmName">ECDH\_P521</Data> 
- <Data Name="KeyName">le-SuperAdmin-5e350d8e-ae46-458c-bac0-d8f3279c944e</Data> 
- <Data Name="KeyType">%%2500</Data> 
- <Data Name="KeyFilePath">C:\\Users\\dadmin\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\c0a496c6786f0d25e8624fee96e4e580\_7a1bf91d-ebdd-449c-825d-c97f2f47cd01</Data> 
- <Data Name="Operation">%%2459</Data> 
- <Data Name="ReturnCode">0x0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested key file operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested key file operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Cryptographic Parameters:**
-
--   **Provider Name** \[Type = UnicodeString\]**:** the name of KSP through which the operation was performed. Can have one of the following values:
-
-    -   Microsoft Software Key Storage Provider
-
-    -   Microsoft Smart Card Key Storage Provider
-
--   **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this algorithm has “**UNKNOWN**” value. Can also have one of the following values:
-
-    -   RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman.
-
-    -   DSA – Digital Signature Algorithm.
-
-    -   DH – Diffie-Hellman.
-
-    -   ECDH\_P521 – Elliptic Curve Diffie-Hellman algorithm with 512-bit key length.
-
-    -   ECDH\_P384 – Elliptic Curve Diffie-Hellman algorithm with 384-bit key length.
-
-    -   ECDH\_P256 – Elliptic Curve Diffie-Hellman algorithm with 256-bit key length.
-
-    -   ECDSA\_P256 – Elliptic Curve Digital Signature Algorithm with 256-bit key length.
-
-    -   ECDSA\_P384 – Elliptic Curve Digital Signature Algorithm with 384-bit key length.
-
-    -   ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length.
-
--   **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here's an output example:
-
-<img src="images/certutil-command.png" alt="Certutil command illustration" width="588" height="665" />
-
--   **Key Type** \[Type = UnicodeString\]: can have one of the following values:
-
-    -   “User key.” – user’s cryptographic key.
-
-    -   “Machine key.” – machine’s cryptographic key.
-
-**Key File Operation Information:**
-
--   **File Path** \[Type = UnicodeString\]: full path and filename of the key file on which the operation was performed.
-
--   **Operation** \[Type = UnicodeString\]: performed operation. Examples:
-
-    -   Write persisted key to file.
-
-    -   Read persisted key from file.
-
-    -   Delete key file.
-
--   **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number.
-
-## Security Monitoring Recommendations
-
-For 5058(S, F): Key file operation.
-
--   Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”**) or a specific **“Operation”**, such as **“Delete key file”**, create monitoring rules and use this event as an information source.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
deleted file mode 100644
index 0631adf2e0..0000000000
--- a/windows/security/threat-protection/auditing/event-5059.md
+++ /dev/null
@@ -1,156 +0,0 @@
----
-title: 5059(S, F) Key migration operation. 
-description: Describes security event 5059(S, F) Key migration operation. This event is generated when a cryptographic key is exported/imported using a Key Storage Provider.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5059(S, F): Key migration operation.
-
-
-<img src="images/event-5059.png" alt="Event 5059 illustration" width="491" height="489" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Description:***
-
-This event generates when a cryptographic key is exported or imported using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs were used:
-
--   Microsoft Software Key Storage Provider
-
--   Microsoft Smart Card Key Storage Provider
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5059</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12292</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-14T19:42:08.135265600Z" /> 
- <EventRecordID>1048447</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="3496" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x38e2d</Data> 
- <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data> 
- <Data Name="AlgorithmName">ECDH\_P521</Data> 
- <Data Name="KeyName">le-SuperAdmin-795fd6c1-2fae-4bef-a6bc-4f4d464bc083</Data> 
- <Data Name="KeyType">%%2500</Data> 
- <Data Name="Operation">%%2464</Data> 
- <Data Name="ReturnCode">0x0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested key migration operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested key migration operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Cryptographic Parameters:**
-
--   **Provider Name** \[Type = UnicodeString\]**:** the name of KSP through which the operation was performed. Can have one of the following values:
-
-    -   Microsoft Software Key Storage Provider
-
-    -   Microsoft Smart Card Key Storage Provider
-
--   **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this typically has “**UNKNOWN**” value. Can also have one of the following values:
-
-    -   RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman.
-
-    -   DSA – Digital Signature Algorithm.
-
-    -   DH – Diffie-Hellman.
-
-    -   ECDH\_P521 – Elliptic Curve Diffie-Hellman algorithm with 512-bit key length.
-
-    -   ECDH\_P384 – Elliptic Curve Diffie-Hellman algorithm with 384-bit key length.
-
-    -   ECDH\_P256 – Elliptic Curve Diffie-Hellman algorithm with 256-bit key length.
-
-    -   ECDSA\_P256 – Elliptic Curve Digital Signature Algorithm with 256-bit key length.
-
-    -   ECDSA\_P384 – Elliptic Curve Digital Signature Algorithm with 384-bit key length.
-
-    -   ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length.
-
--   **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here is an output example:
-
-<img src="images/certutil-command.png" alt="Certutil command illustration" width="588" height="665" />
-
--   **Key Type** \[Type = UnicodeString\]: can have one of the following values:
-
-    -   “User key.” – user’s cryptographic key.
-
-    -   “Machine key.” – machine’s cryptographic key.
-
-**Additional Information:**
-
--   **Operation** \[Type = UnicodeString\]: performed operation. Examples:
-
-    -   “**Export of persistent cryptographic key.**” – typically generates during key read operations, which means that the key was taken for read purposes. But it also generates during real key export operations (export certificate with private key, for example).
-
-    -   “**Import of persistent cryptographic key.**” – key import operation was performed (import certificate with private key, for example).
-
--   **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number.
-
-## Security Monitoring Recommendations
-
-For 5059(S, F): Key migration operation.
-
--   Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”)** or a specific **“Operation”**, such as **“Export of persistent cryptographic key”**, create monitoring rules and use this event as an information source.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
deleted file mode 100644
index fda2a9d82d..0000000000
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: 5060(F) Verification operation failed. 
-description: Describes security event 5060(F) Verification operation failed. This event is generated when the CNG verification operation fails.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5060(F): Verification operation failed.
-
-
-This event generates when the Cryptographic Next Generation (CNG) verification operation fails.
-
-For more information about CNG, visit these pages:
-
--   <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
-
--   <https://msdn.microsoft.com/library/windows/desktop/bb204775(v=vs.85).aspx>
-
--   <https://www.microsoft.com/download/details.aspx?id=30688>
-
-This event is used for CNG troubleshooting.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*Verification operation failed.*
-
-*Subject:*
-
-> *Security ID%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Cryptographic Parameters:*
-
-> *Provider Name:%5*
->
-> *Algorithm Name%6*
->
-> *Key Name:%7*
->
-> *Key Type:%8*
-
-*Failure Information:*
-
-> *Reason:%7*
->
-> *Return Code:%8*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related actions with cryptographic keys. If you need to monitor or troubleshoot actions related to specific cryptographic keys and operations, review this event to see if it provides the information you need.
-
diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
deleted file mode 100644
index 7d05fab9d4..0000000000
--- a/windows/security/threat-protection/auditing/event-5061.md
+++ /dev/null
@@ -1,166 +0,0 @@
----
-title: 5061(S, F) Cryptographic operation. 
-description: Describes security event 5061(S, F) Cryptographic operation. This event is generated when a cryptographic operation is performed using a Key Storage Provider.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5061(S, F): Cryptographic operation.
-
-
-<img src="images/event-5061.png" alt="Event 5061 illustration" width="486" height="489" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-***Event Description:***
-
-This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs was used:
-
--   Microsoft Software Key Storage Provider
-
--   Microsoft Smart Card Key Storage Provider
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5061</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12290</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-14T19:42:08.104008000Z" /> 
- <EventRecordID>1048444</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="3496" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x38e2d</Data> 
- <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data> 
- <Data Name="AlgorithmName">ECDH\_P521</Data> 
- <Data Name="KeyName">le-SuperAdmin-795fd6c1-2fae-4bef-a6bc-4f4d464bc083</Data> 
- <Data Name="KeyType">%%2500</Data> 
- <Data Name="Operation">%%2480</Data> 
- <Data Name="ReturnCode">0x0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested specific cryptographic operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested specific cryptographic operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Cryptographic Parameters:**
-
--   **Provider Name** \[Type = UnicodeString\]**:** the name of KSP through which the operation was performed. Can have one of the following values:
-
-    -   Microsoft Software Key Storage Provider
-
-    -   Microsoft Smart Card Key Storage Provider
-
--   **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this algorithm has “**UNKNOWN**” value. Can also have one of the following values:
-
-    -   RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman.
-
-    -   DSA – Digital Signature Algorithm.
-
-    -   DH – Diffie-Hellman.
-
-    -   ECDH\_P521 – Elliptic Curve Diffie-Hellman algorithm with 512-bit key length.
-
-    -   ECDH\_P384 – Elliptic Curve Diffie-Hellman algorithm with 384-bit key length.
-
-    -   ECDH\_P256 – Elliptic Curve Diffie-Hellman algorithm with 256-bit key length.
-
-    -   ECDSA\_P256 – Elliptic Curve Digital Signature Algorithm with 256-bit key length.
-
-    -   ECDSA\_P384 – Elliptic Curve Digital Signature Algorithm with 384-bit key length.
-
-    -   ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length.
-
--   **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here's an output example:
-
-<img src="images/certutil-command.png" alt="Certutil command illustration" width="588" height="665" />
-
--   **Key Type** \[Type = UnicodeString\]: can have one of the following values:
-
-    -   “User key.” – user’s cryptographic key.
-
-    -   “Machine key.” – machine’s cryptographic key.
-
-**Cryptographic Operation:**
-
--   **Operation** \[Type = UnicodeString\]: performed operation. Possible values:
-
-    -   Open Key. – open existing cryptographic key.
-
-    -   Create Key. – create new cryptographic key.
-
-    -   Delete Key. – delete existing cryptographic key.
-
-    -   Sign hash. – cryptographic signing operation.
-
-    -   Secret agreement.
-
-    -   Key Derivation. – key derivation operation.
-
-    -   Encrypt. – encryption operation.
-
-    -   Decrypt. – decryption operation.
-
--   **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number.
-
-## Security Monitoring Recommendations
-
-For 5061(S, F): Cryptographic operation.
-
--   Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”)** or a specific **“Operation”**, such as **“Delete Key”**, create monitoring rules and use this event as an information source.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md
deleted file mode 100644
index 50bb1114e2..0000000000
--- a/windows/security/threat-protection/auditing/event-5062.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: 5062(S) A kernel-mode cryptographic self-test was performed. 
-description: Describes security event 5062(S) A kernel-mode cryptographic self-test was performed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5062(S): A kernel-mode cryptographic self-test was performed.
-
-
-This event occurs rarely, and in some situations may be difficult to reproduce.
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*A kernel-mode cryptographic self test was performed.*
-
-*Module:%1*
-
-*Return Code:%2*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related actions with cryptographic keys. If you need to monitor or troubleshoot actions related to specific cryptographic keys and operations, review this event to see if it provides the information you need.
-
diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md
deleted file mode 100644
index 1d05f6f799..0000000000
--- a/windows/security/threat-protection/auditing/event-5063.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: 5063(S, F) A cryptographic provider operation was attempted. 
-description: Describes security event 5063(S, F) A cryptographic provider operation was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5063(S, F): A cryptographic provider operation was attempted.
-
-
-This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These functions are Cryptographic Next Generation (CNG) functions.
-
-This event generates when cryptographic provider was registered or unregistered.
-
-For more information about Cryptographic Next Generation (CNG) visit these pages:
-
--   <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
-
--   <https://www.microsoft.com/download/details.aspx?id=30688>
-
-This event is used for Cryptographic Next Generation (CNG) troubleshooting.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Schema:***
-
-*A cryptographic provider operation was attempted.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Cryptographic Provider:*
-
-> *Name:%5*
->
-> *Module:%6*
->
-> *Operation:%7*
-
-*Return Code:%8*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
-
diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md
deleted file mode 100644
index f727a5f6af..0000000000
--- a/windows/security/threat-protection/auditing/event-5064.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-title: 5064(S, F) A cryptographic context operation was attempted. 
-description: Describes security event 5064(S, F) A cryptographic context operation was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5064(S, F): A cryptographic context operation was attempted.
-
-
-This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These functions are Cryptographic Next Generation (CNG) functions.
-
-This event generates when cryptographic context was created or deleted.
-
-For more information about Cryptographic Next Generation (CNG) visit these pages:
-
--   <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
-
--   <https://www.microsoft.com/download/details.aspx?id=30688>
-
-This event is used for Cryptographic Next Generation (CNG) troubleshooting.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Schema:***
-
-*A cryptographic context operation was attempted.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Configuration Parameters:*
-
-> *Scope:%5*
->
-> *Context:%6*
-
-*Operation:%7*
-
-*Return Code:%8*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
deleted file mode 100644
index e94042c052..0000000000
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: 5065(S, F) A cryptographic context modification was attempted. 
-description: Describes security event 5065(S, F) A cryptographic context modification was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5065(S, F): A cryptographic context modification was attempted.
-
-This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This function is a Cryptographic Next Generation (CNG) function.
-
-This event generates when configuration information was changed for existing CNG context.
-
-For more information about Cryptographic Next Generation (CNG) visit these pages:
-
--   <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
-
--   <https://www.microsoft.com/download/details.aspx?id=30688>
-
-This event is used for Cryptographic Next Generation (CNG) troubleshooting.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Schema:***
-
-*A cryptographic context modification was attempted.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Configuration Parameters:*
-
-> *Scope:%5*
->
-> *Context:%6*
-
-*Change Information:*
-
-> *Old Value:%7*
->
-> *New Value:%8*
-
-*Return Code:%9*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md
deleted file mode 100644
index 4aabb3e542..0000000000
--- a/windows/security/threat-protection/auditing/event-5066.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: 5066(S, F) A cryptographic function operation was attempted. 
-description: Describes security event 5066(S, F) A cryptographic function operation was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5066(S, F): A cryptographic function operation was attempted.
-
-
-This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These functions are Cryptographic Next Generation (CNG) functions.
-
-This event generates when cryptographic function was added or removed from the list of functions that are supported by an existing CNG context.
-
-For more information about Cryptographic Next Generation (CNG) visit these pages:
-
--   <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
-
--   <https://www.microsoft.com/download/details.aspx?id=30688>
-
-This event is used for Cryptographic Next Generation (CNG) troubleshooting.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Schema:***
-
-*A cryptographic function operation was attempted.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Configuration Parameters:*
-
-> *Scope:%5*
->
-> *Context:%6*
->
-> *Interface:%7*
->
-> *Function:%8*
->
-> *Position:%9*
-
-*Operation:%10*
-
-*Return Code:%11*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md
deleted file mode 100644
index d7a4d6a6b2..0000000000
--- a/windows/security/threat-protection/auditing/event-5067.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: 5067(S, F) A cryptographic function modification was attempted. 
-description: Describes security event 5067(S, F) A cryptographic function modification was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5067(S, F): A cryptographic function modification was attempted.
-
-
-This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This function is a Cryptographic Next Generation (CNG) function.
-
-This event generates when configuration information for the cryptographic function of an existing CNG context was changed.
-
-For more information about Cryptographic Next Generation (CNG), visit these pages:
-
--   <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
-
--   <https://www.microsoft.com/download/details.aspx?id=30688>
-
-This event is used for Cryptographic Next Generation (CNG) troubleshooting.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Schema:***
-
-*A cryptographic function modification was attempted.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Configuration Parameters:*
-
-> *Scope:%5*
->
-> *Context:%6*
->
-> *Interface:%7*
->
-> *Function:%8*
-
-*Change Information:*
-
-> *Old Value:%9*
->
-> *New Value:%10*
-
-*Return Code:%11*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md
deleted file mode 100644
index a86f4345b5..0000000000
--- a/windows/security/threat-protection/auditing/event-5068.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: 5068(S, F) A cryptographic function provider operation was attempted. 
-description: Describes security event 5068(S, F) A cryptographic function provider operation was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5068(S, F): A cryptographic function provider operation was attempted.
-
-
-This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These functions are Cryptographic Next Generation (CNG) functions.
-
-For more information about Cryptographic Next Generation (CNG), visit these pages:
-
--   <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
-
--   <https://www.microsoft.com/download/details.aspx?id=30688>
-
-This event is used for Cryptographic Next Generation (CNG) troubleshooting.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Schema:***
-
-*A cryptographic function provider operation was attempted.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Configuration Parameters:*
-
-> *Scope:%5*
->
-> *Context:%6*
->
-> *Interface:%7*
->
-> *Function:%8*
->
-> *Provider:%9*
->
-> *Position:%10*
-
-*Operation:%11*
-
-*Return Code:%12*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
-
diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md
deleted file mode 100644
index 15b6f1bbe3..0000000000
--- a/windows/security/threat-protection/auditing/event-5069.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: 5069(S, F) A cryptographic function property operation was attempted. 
-description: Describes security event 5069(S, F) A cryptographic function property operation was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5069(S, F): A cryptographic function property operation was attempted.
-
-
-This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This function is a Cryptographic Next Generation (CNG) function.
-
-This event generates when named property for a cryptographic function in an existing CNG context was added or removed.
-
-For more information about Cryptographic Next Generation (CNG), visit these pages:
-
--   <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
-
--   <https://www.microsoft.com/download/details.aspx?id=30688>
-
-This event is used for Cryptographic Next Generation (CNG) troubleshooting.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Schema:***
-
-*A cryptographic function property operation was attempted.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Configuration Parameters:*
-
-> *Scope:%5*
->
-> *Context:%6*
->
-> *Interface:%7*
->
-> *Function:%8*
->
-> Property:%9
-
-Operation:%10
-
-Value:%11
-
-Return Code:%12
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md
deleted file mode 100644
index afdb292917..0000000000
--- a/windows/security/threat-protection/auditing/event-5070.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: 5070(S, F) A cryptographic function property modification was attempted. 
-description: Describes security event 5070(S, F) A cryptographic function property modification was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5070(S, F): A cryptographic function property modification was attempted.
-
-
-This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This function is a Cryptographic Next Generation (CNG) function.
-
-This event generates when named property for a cryptographic function in an existing CNG context was updated.
-
-For more information about Cryptographic Next Generation (CNG) visit these pages:
-
--   <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
-
--   <https://www.microsoft.com/download/details.aspx?id=30688>
-
-This event is used for Cryptographic Next Generation (CNG) troubleshooting.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Schema:***
-
-*A cryptographic function property modification was attempted.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Configuration Parameters:*
-
-> *Scope:%5*
->
-> *Context:%6*
->
-> *Interface:%7*
->
-> *Function:%8*
->
-> Property:%9
-
-Change Information:
-
-> Old Value:%10
->
-> New Value:%11
-
-Return Code:%12
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
deleted file mode 100644
index c4d5e84029..0000000000
--- a/windows/security/threat-protection/auditing/event-5136.md
+++ /dev/null
@@ -1,238 +0,0 @@
----
-title: 5136(S) A directory service object was modified. 
-description: Describes security event 5136(S) A directory service object was modified.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5136(S): A directory service object was modified.
-
-
-<img src="images/event-5136.png" alt="Event 5136 illustration" width="449" height="611" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Directory Service Changes](audit-directory-service-changes.md)
-
-***Event Description:***
-
-This event generates every time an Active Directory object is modified.
-
-To generate this event, the modified object must have an appropriate entry in [SACL](/windows/win32/secauthz/access-control-lists): the “**Write”** action auditing for specific attributes.
-
-For a change operation, you'll typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5136</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14081</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" /> 
- <EventRecordID>410204</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="4020" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data> 
- <Data Name="AppCorrelationID">-</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x32004</Data> 
- <Data Name="DSName">contoso.local</Data> 
- <Data Name="DSType">%%14676</Data> 
- <Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data> 
- <Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data> 
- <Data Name="ObjectClass">user</Data> 
- <Data Name="AttributeLDAPDisplayName">userAccountControl</Data> 
- <Data Name="AttributeSyntaxOID">2.5.5.9</Data> 
- <Data Name="AttributeValue">512</Data> 
- <Data Name="OperationType">%%14675</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “modify object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Directory Service:**
-
--   **Name** \[Type = UnicodeString\]: the name of the Active Directory domain where the modified object is located.
-
--   **Type** \[Type = UnicodeString\]**:** has “**Active Directory Domain Services**” value for this event.
-
-**Object:**
-
--   **DN** \[Type = UnicodeString\]: distinguished name of the object that was modified.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property.
-
-    Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object's GUID will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life.
-
-    Event Viewer automatically resolves **GUID** field to real object.
-
-    To translate this GUID, use the following procedure:
-
-    -   Perform the following LDAP search using LDP.exe tool:
-
-        -   Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
-
-        -   Filter: (&(objectClass=\*)(objectGUID=GUID))
-
-            -   Perform the following operations with the GUID before using it in a search request:
-
-                -   We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
-
-                -   Take first three sections a6b34ab5-551b-4626.
-
-                -   For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
-
-                -   Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
-
-                -   Delete: b54ab3a61b552646b8ee2b36b3ee6672
-
-                -   Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
-
-            -   Filter example: (&(objectClass=\*)(objectGUID = \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72))
-
-        -   Scope: Subtree
-
-        -   Attributes: objectGUID
-
-<!-- -->
-
--   **Class** \[Type = UnicodeString\]: class of the object that was modified. Some of the common Active Directory object classes:
-
-    -   container – for containers.
-
-    -   user – for users.
-
-    -   group – for groups.
-
-    -   domainDNS – for domain object.
-
-    -   groupPolicyContainer – for group policy objects.
-
-        For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: <https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx>) and navigate to **Active Directory Schema\\Classes**. Or use this document: <https://msdn.microsoft.com/library/cc221630.aspx>
-
-**Attribute:**
-
--   **LDAP Display Name** \[Type = UnicodeString\]**:** the object attribute that was modified.
-
-> **Note**&nbsp;&nbsp;[LDAP Display Name](/windows/win32/adschema/a-ldapdisplayname) is the name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute by using the LDAP protocol.
-
--   **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes aren't represented as objects in the schema, but they're programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined.
-
-| OID      | Syntax Name                                | Description                                              |
-|----------|--------------------------------------------|----------------------------------------------------------|
-| 2.5.5.0  | Undefined                                  | Not a legal syntax.                                      |
-| 2.5.5.1  | Object(DN-DN)                              | The fully qualified name of an object in the directory.  |
-| 2.5.5.2  | String(Object-Identifier)                  | The object identifier.                                   |
-| 2.5.5.3  | Case-Sensitive String                      | General String.                                          |
-| 2.5.5.4  | CaseIgnoreString(Teletex)                  | Differentiates uppercase and lowercase.                  |
-| 2.5.5.5  | String(Printable), String(IA5)             | Teletex. Doesn't differentiate uppercase and lowercase. |
-| 2.5.5.6  | String(Numeric)                            | Printable string or IA5-String.                          |
-| 2.5.5.7  | Object(DN-Binary)                          | Both character sets are case-sensitive.                  |
-| 2.5.5.8  | Boolean                                    | A sequence of digits.                                    |
-| 2.5.5.9  | Integer, Enumeration                       | A distinguished name plus a binary large object.         |
-| 2.5.5.10 | String(Octet)                              | TRUE or FALSE values.                                    |
-| 2.5.5.11 | String(UTC-Time), String(Generalized-Time) | A 32-bit number or enumeration.                          |
-| 2.5.5.12 | String(Unicode)                            | A string of bytes.                                       |
-| 2.5.5.13 | Object(Presentation-Address)               | UTC Time or Generalized-Time.                            |
-| 2.5.5.14 | Object(DN-String)                          | Unicode string.                                          |
-| 2.5.5.15 | String(NT-Sec-Desc)                        | Presentation address.                                    |
-| 2.5.5.16 | LargeInteger                               | A DN-String plus a Unicode string.                       |
-| 2.5.5.17 | String(Sid)                                | A Microsoft® Windows NT® Security descriptor.            |
-
-> Table 10. LDAP Attribute Syntax OIDs.
-
--   **Value** \[Type = UnicodeString\]: the value that was added or deleted, depending on the **Operation\\Type** field.
-
-**Operation:**
-
--   **Type** \[Type = UnicodeString\]**:** type of performed operation.
-
-    -   **Value Added** – new value added ('%%14674')
-
-    -   **Value Deleted** – value deleted ('%%14675', typically “Value Deleted” is a part of change operation).
-
-<!-- -->
-
--   **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5137](event-5137.md): A directory service object was created.” and “[5139](event-5139.md): A directory service object was moved.”
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use.
-
-## Security Monitoring Recommendations
-
-For 5136(S): A directory service object was modified.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor modifications to specific Active Directory objects, monitor for **DN** field with specific object name. For example, we recommend that you monitor all modifications to “**CN=AdminSDHolder,CN=System,DC=domain,DC=com”** object.
-
--   If you need to monitor modifications to specific Active Directory classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor all modifications to **domainDNS** class.
-
--   If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name.
-
--   It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value.
-   
diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md
deleted file mode 100644
index 49ade1e081..0000000000
--- a/windows/security/threat-protection/auditing/event-5137.md
+++ /dev/null
@@ -1,184 +0,0 @@
----
-title: 5137(S) A directory service object was created. 
-description: Describes security event 5137(S) A directory service object was created.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5137(S): A directory service object was created.
-
-
-<img src="images/event-5137.png" alt="Event 5137 illustration" width="449" height="532" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Directory Service Changes](audit-directory-service-changes.md)
-
-***Event Description:***
-
-This event generates every time an Active Directory object is created.
-
-This event only generates if the parent object has a particular entry in its [SACL](/windows/win32/secauthz/access-control-lists): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action auditing for the organizational unit.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5137</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14081</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-28T18:36:26.048167500Z" /> 
- <EventRecordID>410737</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="3156" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="OpCorrelationID">{4EAD68FF-7229-42A4-8C73-AAB57169858B}</Data> 
- <Data Name="AppCorrelationID">-</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x32004</Data> 
- <Data Name="DSName">contoso.local</Data> 
- <Data Name="DSType">%%14676</Data> 
- <Data Name="ObjectDN">cn=Win2000,CN=Users,DC=contoso,DC=local</Data> 
- <Data Name="ObjectGUID">{41D5F7AF-64A2-4985-9A4B-70DAAFC7CCE6}</Data> 
- <Data Name="ObjectClass">computer</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “create object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Directory Service:**
-
--   **Name** \[Type = UnicodeString\]: the name of an Active Directory domain, where new object is created.
-
--   **Type** \[Type = UnicodeString\]**:** has “**Active Directory Domain Services**” value for this event.
-
-**Object:**
-
--   **DN** \[Type = UnicodeString\]: distinguished name of the object that was created.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property.
-
-    Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object's GUID will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life.
-
-    Event Viewer automatically resolves **GUID** field to real object.
-
-    To translate this GUID, use the following procedure:
-
-    -   Perform the following LDAP search using LDP.exe tool:
-
-        -   Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
-
-        -   Filter: (&(objectClass=\*)(objectGUID=GUID))
-
-            -   Perform the following operations with the GUID before using it in a search request:
-
-                -   We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
-
-                -   Take first three sections a6b34ab5-551b-4626.
-
-                -   For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
-
-                -   Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
-
-                -   Delete: b54ab3a61b552646b8ee2b36b3ee6672
-
-                -   Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
-
-            -   Filter example: (&(objectClass=\*)(objectGUID = \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72))
-
-        -   Scope: Subtree
-
-        -   Attributes: objectGUID
-
--   **Class** \[Type = UnicodeString\]: class of the object that was created. Some of the common Active Directory object classes:
-
-    -   container – for containers.
-
-    -   user – for users.
-
-    -   group – for groups.
-
-    -   domainDNS – for domain object.
-
-    -   groupPolicyContainer – for group policy objects.
-
-        For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: <https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx)> and navigate to **Active Directory Schema\\Classes**. Or use this document: <https://msdn.microsoft.com/library/cc221630.aspx>
-
-**Operation:**
-
--   **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5136](event-5136.md): A directory service object was modified.” and “[5139](event-5139.md): A directory service object was moved.”
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use.
-
-## Security Monitoring Recommendations
-
-For 5137(S): A directory service object was created.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor creation of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor all new group policy objects creations: **groupPolicyContainer** class.
-
--   You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There's no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.).
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md
deleted file mode 100644
index 7dac9ef63f..0000000000
--- a/windows/security/threat-protection/auditing/event-5138.md
+++ /dev/null
@@ -1,187 +0,0 @@
----
-title: 5138(S) A directory service object was undeleted. 
-description: Describes security event 5138(S) A directory service object was undeleted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5138(S): A directory service object was undeleted.
-
-
-<img src="images/event-5138.png" alt="Event 5138 illustration" width="671" height="573" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Directory Service Changes](audit-directory-service-changes.md)
-
-***Event Description:***
-
-This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active Directory object was restored from the [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)).
-
-This event only generates if the container to which the Active Directory object was restored has a particular entry in its [SACL](/windows/win32/secauthz/access-control-lists): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create User objects**” action.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5138</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14081</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-02T04:34:20.611082300Z" /> 
- <EventRecordID>229336</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="544" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="OpCorrelationID">{3E2B5ECF-4C35-4C3F-8D82-B8D6F477D846}</Data> 
- <Data Name="AppCorrelationID">-</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x3be49</Data> 
- <Data Name="DSName">contoso.local</Data> 
- <Data Name="DSType">%%14676</Data> 
- <Data Name="OldObjectDN">CN=Andrei\\0ADEL:53511188-bc98-4995-9d78-2d40143c9711,CN=Deleted Objects,DC=contoso,DC=local</Data> 
- <Data Name="NewObjectDN">CN=Andrei,CN=Users,DC=contoso,DC=local</Data> 
- <Data Name="ObjectGUID">{53511188-BC98-4995-9D78-2D40143C9711}</Data> 
- <Data Name="ObjectClass">user</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested that the object be undeleted or restored. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** name of account that requested that the object be undeleted or restored.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Directory Service:**
-
--   **Name** \[Type = UnicodeString\]: the name of an Active Directory domain, where the object was undeleted.
-
--   **Type** \[Type = UnicodeString\]**:** has “**Active Directory Domain Services**” value for this event.
-
-**Object:**
-
--   **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will point to [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)) folder, in case if it was restored from it.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **New DN** \[Type = UnicodeString\]: New distinguished name of undeleted object. The Active Directory container to which the object was restored.
-
--   **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property.
-
-    Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object's GUID will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life.
-
-    Event Viewer automatically resolves **GUID** field to real object.
-
-    To translate this GUID, use the following procedure:
-
-    -   Perform the following LDAP search using LDP.exe tool:
-
-        -   Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
-
-        -   Filter: (&(objectClass=\*)(objectGUID=GUID))
-
-            -   Perform the following operations with the GUID before using it in a search request:
-
-                -   We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
-
-                -   Take first three sections a6b34ab5-551b-4626.
-
-                -   For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
-
-                -   Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
-
-                -   Delete: b54ab3a61b552646b8ee2b36b3ee6672
-
-                -   Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
-
-            -   Filter example: (&(objectClass=\*)(objectGUID = \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72))
-
-        -   Scope: Subtree
-
-        -   Attributes: objectGUID
-
--   **Class** \[Type = UnicodeString\]: class of the object that was undeleted. Some of the common Active Directory object classes:
-
-    -   container – for containers.
-
-    -   user – for users.
-
-    -   group – for groups.
-
-    -   domainDNS – for domain object.
-
-    -   groupPolicyContainer – for group policy objects.
-
-        For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: <https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx)> and navigate to **Active Directory Schema\\Classes**. Or use this document: <https://msdn.microsoft.com/library/cc221630.aspx>
-
-**Operation:**
-
--   **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5137](event-5137.md): A directory service object was created.” and “[5139](event-5139.md): A directory service object was moved.”
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use.
-
-## Security Monitoring Recommendations
-
-For 5138(S): A directory service object was undeleted.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes, monitor for **Class** field with specific class name.
-
--   It may be a good idea to monitor all undelete events, because the operation isn't performed often. Confirm that there's a reason for the object to be undeleted.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md
deleted file mode 100644
index 2b06e5309c..0000000000
--- a/windows/security/threat-protection/auditing/event-5139.md
+++ /dev/null
@@ -1,187 +0,0 @@
----
-title: 5139(S) A directory service object was moved. 
-description: Describes security event 5139(S) A directory service object was moved.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5139(S): A directory service object was moved.
-
-
-<img src="images/event-5139.png" alt="Event 5139 illustration" width="505" height="547" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Directory Service Changes](audit-directory-service-changes.md)
-
-***Event Description:***
-
-This event generates every time an Active Directory object is moved.
-
-This event only generates if the destination object has a particular entry in its [SACL](/windows/win32/secauthz/access-control-lists): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action, auditing for the organizational unit.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5139</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14081</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-28T06:26:07.019116600Z" /> 
- <EventRecordID>409532</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="600" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="OpCorrelationID">{67A42C05-A70D-4348-AF19-E883CB1FCA9C}</Data> 
- <Data Name="AppCorrelationID">-</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x35867</Data> 
- <Data Name="DSName">contoso.local</Data> 
- <Data Name="DSType">%%14676</Data> 
- <Data Name="OldObjectDN">CN=NewUser,CN=Builtin,DC=contoso,DC=local</Data> 
- <Data Name="NewObjectDN">CN=NewUser,CN=Users,DC=contoso,DC=local</Data> 
- <Data Name="ObjectGUID">{06713960-9CC3-4B5D-A594-35883A04F934}</Data> 
- <Data Name="ObjectClass">user</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “move object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “move object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Directory Service:**
-
--   **Name** \[Type = UnicodeString\]: the name of an Active Directory domain, where the object was moved.
-
--   **Type** \[Type = UnicodeString\]**:** has “**Active Directory Domain Services**” value for this event.
-
-**Object:**
-
--   **Old DN** \[Type = UnicodeString\]: Old distinguished name of moved object.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **New DN** \[Type = UnicodeString\]: New distinguished name of moved object. The Active Directory container to which the object was moved.
-
--   **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property.
-
-    Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object's GUID will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life.
-
-    Event Viewer automatically resolves **GUID** field to real object.
-
-    To translate this GUID, use the following procedure:
-
-    -   Perform the following LDAP search using LDP.exe tool:
-
-        -   Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
-
-        -   Filter: (&(objectClass=\*)(objectGUID=GUID))
-
-            -   Perform the following operations with the GUID before using it in a search request:
-
-                -   We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
-
-                -   Take first three sections a6b34ab5-551b-4626.
-
-                -   For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
-
-                -   Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
-
-                -   Delete: b54ab3a61b552646b8ee2b36b3ee6672
-
-                -   Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
-
-            -   Filter example: (&(objectClass=\*)(objectGUID = \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72))
-
-        -   Scope: Subtree
-
-        -   Attributes: objectGUID
-
--   **Class** \[Type = UnicodeString\]: class of the object that was moved. Some of the common Active Directory object classes:
-
-    -   container – for containers.
-
-    -   user – for users.
-
-    -   group – for groups.
-
-    -   domainDNS – for domain object.
-
-    -   groupPolicyContainer – for group policy objects.
-
-        For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: <https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx)> and navigate to **Active Directory Schema\\Classes**. Or use this document: <https://msdn.microsoft.com/library/cc221630.aspx>
-
-**Operation:**
-
--   **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5137](event-5137.md): A directory service object was created.” and “[5141](event-5141.md): A directory service object was deleted.”
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use.
-
-## Security Monitoring Recommendations
-
-For 5139(S): A directory service object was moved.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor movement of Active Directory objects with specific classes, monitor for **Class** field with specific class name.
-
--   You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There's no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.).
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
deleted file mode 100644
index e0afa21cd5..0000000000
--- a/windows/security/threat-protection/auditing/event-5140.md
+++ /dev/null
@@ -1,153 +0,0 @@
----
-title: 5140(S, F) A network share object was accessed. 
-description: Describes security event 5140(S, F) A network share object was accessed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5140(S, F): A network share object was accessed.
-
-
-<img src="images/event-5140.png" alt="Event 5140 illustration" width="449" height="557" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit File Share](audit-file-share.md)
-
-***Event Description:***
-
-This event generates every time network share object was accessed.
-
-This event generates once per session, when first access attempt was made.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5140</EventID> 
- <Version>1</Version> 
- <Level>0</Level> 
- <Task>12808</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" /> 
- <EventRecordID>268495</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="772" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x541f35</Data> 
- <Data Name="ObjectType">File</Data> 
- <Data Name="IpAddress">10.0.0.100</Data> 
- <Data Name="IpPort">49212</Data> 
- <Data Name="ShareName">\\\\\*\\Documents</Data> 
- <Data Name="ShareLocalPath">\\??\\C:\\Documents</Data> 
- <Data Name="AccessMask">0x1</Data> 
- <Data Name="AccessList">%%4416</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:***
-
--   0 - Windows Server 2008, Windows Vista.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Network Information:**
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always “**File**” for this event.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device       |
-|-------------------------|--------------|----------------------|--------------|
-| Mutant                  | Type         | File                 | Token        |
-| Thread                  | Section      | WindowStation        | DebugObject  |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion |
-| Controller              | SymbolicLink | WmiGuid              | Process      |
-| Profile                 | Desktop      | KeyedEvent           | Adapter      |
-| Key                     | WaitablePort | Callback             | Semaphore    |
-| Job                     | Port         | FilterConnectionPort | ALPC Port    |
-
--   **Source Address** \[Type = UnicodeString\]**:** source IP address from which access was performed.
-
-    -   IPv6 address or ::ffff:IPv4 address of a client.
-
-    -   ::1 or 127.0.0.1 means localhost.
-
--   **Source Port** \[Type = UnicodeString\]: source TCP or UDP port that was used from remote or local machine to request the access.
-
-    -   0 for local access attempts.
-
-**Share Information:**
-
--   **Share Name** \[Type = UnicodeString\]**:** the name of accessed network share. The format is: \\\\\*\\SHARE\_NAME.
-
--   **Share Path** \[Type = UnicodeString\]**:** the full system (NTFS) path for accessed share. The format is: \\\\??\\PATH. Can be empty, for example for **Share Name**: \\\\\*\\IPC$.
-
-**Access Request Information:**
-
--   **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights. It always has “**0x1**” value for this event.
-
--   **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event.
-
-## Security Monitoring Recommendations
-
-For 5140(S, F): A network share object was accessed.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
-- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event<b>.</b> For example, you could monitor share **C$** on domain controllers.
-
-- Monitor this event if the **Network Information\\Source Address** isn't from your internal IP range.
-
-- Monitor this event if the **Network Information\\Source Address** shouldn't be able to connect with the specific computer (**Computer:**).
-
-- If you need to monitor access attempts to local shares from a specific IP address (“**Network Information\\Source Address”)**, use this event.
-
-- If you need to monitor for specific Access Types (for example, ReadData or WriteData), for all or specific shares (“**Share Name**”), monitor this event for the “**Access Type**.”
-
diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md
deleted file mode 100644
index dfdea7ca5f..0000000000
--- a/windows/security/threat-protection/auditing/event-5141.md
+++ /dev/null
@@ -1,195 +0,0 @@
----
-title: 5141(S) A directory service object was deleted. 
-description: Describes security event 5141(S) A directory service object was deleted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5141(S): A directory service object was deleted.
-
-
-<img src="images/event-5141.png" alt="Event 5141 illustration" width="449" height="549" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Directory Service Changes](audit-directory-service-changes.md)
-
-***Event Description:***
-
-This event generates every time an Active Directory object is deleted.
-
-This event only generates if the deleted object has a particular entry in its [SACL](/windows/win32/secauthz/access-control-lists): the “**Delete”** action, auditing for specific objects.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5141</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>14081</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-28T18:48:06.792762900Z" /> 
- <EventRecordID>411118</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="4092" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="OpCorrelationID">{C8A9000C-C618-4EE9-87FF-F852C0564F18}</Data> 
- <Data Name="AppCorrelationID">-</Data> 
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x32004</Data> 
- <Data Name="DSName">contoso.local</Data> 
- <Data Name="DSType">%%14676</Data> 
- <Data Name="ObjectDN">CN=WIN2003,CN=Users,DC=contoso,DC=local</Data> 
- <Data Name="ObjectGUID">{CA15B875-AFB1-4E5A-86B2-96E61DE09110}</Data> 
- <Data Name="ObjectClass">computer</Data> 
- <Data Name="TreeDelete">%%14679</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Directory Service:**
-
--   **Name** \[Type = UnicodeString\]: the name of an Active Directory domain, where the object was deleted.
-
--   **Type** \[Type = UnicodeString\]**:** has “**Active Directory Domain Services**” value for this event.
-
-**Object:**
-
--   **DN** \[Type = UnicodeString\]: distinguished name of the object that was deleted.
-
-> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
-> 
-> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
-> 
-> • DC - domainComponent
-> 
-> • CN - commonName
-> 
-> • OU - organizationalUnitName
-> 
-> • O - organizationName
-
--   **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property.
-
-    Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object's GUID will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life.
-
-    Event Viewer automatically resolves **GUID** field to real object. For deleted objects **GUID** will be resolved to new destination of object, for example: OU=My\\0ADEL:cc94c0d7-dd53-4061-9791-e53478dbbc3b,CN=Deleted Objects,DC=contoso,DC=local.
-
-    To translate this GUID, use the following procedure:
-
-    -   Perform the following LDAP search using LDP.exe tool:
-
-        -   Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
-
-        -   Filter: (&(objectClass=\*)(objectGUID=GUID))
-
-            -   Perform the following operations with the GUID before using it in a search request:
-
-                -   We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
-
-                -   Take first three sections a6b34ab5-551b-4626.
-
-                -   For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
-
-                -   Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
-
-                -   Delete: b54ab3a61b552646b8ee2b36b3ee6672
-
-                -   Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
-
-            -   Filter example: (&(objectClass=\*)(objectGUID = \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72))
-
-        -   Scope: Subtree
-
-        -   Attributes: objectGUID
-
-<!-- -->
-
--   **Class** \[Type = UnicodeString\]: class of the object that was deleted. Some of the common Active Directory object classes:
-
-    -   container – for containers.
-
-    -   user – for users.
-
-    -   group – for groups.
-
-    -   domainDNS – for domain object.
-
-    -   groupPolicyContainer – for group policy objects.
-
-        For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: <https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx)> and navigate to **Active Directory Schema\\Classes**. Or use this document: <https://msdn.microsoft.com/library/cc221630.aspx>
-
-**Operation:**
-
--   **Tree Delete** \[Type = UnicodeString\]**:**
-
-    -   **Yes** – “Delete Subtree” operation was performed. It happens, for example, if “Use Delete Subtree server control” check box was checked during delete operation using Active Directory Users and Computers management console.
-
-    -   **No** – delete operation was performed without “Delete Subtree” server control.
-
-<img src="images/subtree-deletion.png" alt="Subtree Deletion illustration" width="337" height="271" />
-
--   **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5137](event-5137.md): A directory service object was created.” and “[5139](event-5139.md): A directory service object was moved.”
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use.
-
-## Security Monitoring Recommendations
-
-For 5141(S): A directory service object was deleted.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor deletion of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor for group policy objects deletions: **groupPolicyContainer** class.
-
--   If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects that shouldn't be deleted, monitor for their deletion.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md
deleted file mode 100644
index 4620f55d07..0000000000
--- a/windows/security/threat-protection/auditing/event-5142.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: 5142(S) A network share object was added. 
-description: Describes security event 5142(S) A network share object was added. This event is generated when a network share object is added.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5142(S): A network share object was added.
-
-
-<img src="images/event-5142.png" alt="Event 5142 illustration" width="449" height="406" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit File Share](audit-file-share.md)
-
-***Event Description:***
-
-This event generates every time network share object was added.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5142</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12808</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-18T02:27:01.206646900Z" /> 
- <EventRecordID>268462</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="4304" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x38d12</Data> 
- <Data Name="ShareName">\\\\\*\\Documents</Data> 
- <Data Name="ShareLocalPath">C:\\Documents</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “add network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add network share object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Share Information:**
-
--   **Share Name** \[Type = UnicodeString\]**:** the name of the added share object. The format is: \\\\\*\\SHARE\_NAME.
-
--   **Share Path** \[Type = UnicodeString\]**:** the full system (NTFS) path for the added share object. The format is: \\\\??\\PATH.
-
-## Security Monitoring Recommendations
-
-For 5142(S): A network share object was added.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
-- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event<b>.</b> For example, you could monitor domain controllers.
-
-- We recommend checking “**Share Path**”, because it should not point to system directories, such as **C:\\Windows** or **C:\\**, or to critical local folders which contain private or high value information.
-
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
deleted file mode 100644
index f7f04d6cf0..0000000000
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ /dev/null
@@ -1,259 +0,0 @@
----
-title: 5143(S) A network share object was modified. 
-description: Describes security event 5143(S) A network share object was modified. This event is generated when a network share object is modified.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5143(S): A network share object was modified.
-
-
-<img src="images/event-5143.png" alt="Event 5143 illustration" width="740" height="547" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit File Share](audit-file-share.md)
-
-***Event Description:***
-
-This event generates every time network share object was modified.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5143</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12808</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-18T02:42:56.743298600Z" /> 
- <EventRecordID>268483</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x38d12</Data> 
- <Data Name="ObjectType">Directory</Data> 
- <Data Name="ShareName">\\\\\*\\Documents</Data> 
- <Data Name="ShareLocalPath">C:\\Documents</Data> 
- <Data Name="OldRemark">N/A</Data> 
- <Data Name="NewRemark">N/A</Data> 
- <Data Name="OldMaxUsers">0xffffffff</Data> 
- <Data Name="NewMaxUsers">0xffffffff</Data> 
- <Data Name="OldShareFlags">0x800</Data> 
- <Data Name="NewShareFlags">0x800</Data> 
- <Data Name="OldSD">O:S-1-5-21-3457937927-2839227994-823803824-1104G:DAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)</Data> 
- <Data Name="NewSD">O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify network share object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Share Information:**
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object that was modified. Always “**Directory**” for this event.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device       |
-|-------------------------|--------------|----------------------|--------------|
-| Mutant                  | Type         | File                 | Token        |
-| Thread                  | Section      | WindowStation        | DebugObject  |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion |
-| Controller              | SymbolicLink | WmiGuid              | Process      |
-| Profile                 | Desktop      | KeyedEvent           | Adapter      |
-| Key                     | WaitablePort | Callback             | Semaphore    |
-| Job                     | Port         | FilterConnectionPort | ALPC Port    |
-
--   **Share Name** \[Type = UnicodeString\]**:** the name of the modified share object. The format is: \\\\\*\\SHARE\_NAME
-
--   **Share Path** \[Type = UnicodeString\]**:** the full system (NTFS) path for the added share object. The format is: \\\\??\\PATH. Can be empty, for example for **Share Name**: \\\\\*\\IPC$.
-
-<img src="images/advanced-sharing.png" alt="Advanced Sharing illustration" width="300" height="319" />
-
--   **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set.
-
--   **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set.
-
--   **Old MaxUsers** \[Type = HexInt32\]: old hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited.
-
--   **New Maxusers** \[Type = HexInt32\]**:** new hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited.
-
--   **Old ShareFlags** \[Type = HexInt32\]: old hexadecimal value of “**Offline Settings**” caching settings window flags.
-
-<img src="images/offline-settings.png" alt="Offline Settings illustration" width="395" height="354" />
-
--   **New ShareFlags** \[Type = HexInt32\]: new hexadecimal value of “**Offline Settings**” caching settings window flags.
-
--   **Old SD** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for network share security descriptor.
-
--   **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor.
-
-> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
-> 
-> Example:
-> 
-> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
-> 
-> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
-> See the list of possible values in the table below:
-
-| Value | Description                          | Value | Description                     |
-|-------|--------------------------------------|-------|---------------------------------|
-| "AO"  | Account operators                    | "PA"  | Group Policy administrators     |
-| "RU"  | Alias to allow previous Windows 2000 | "IU"  | Interactively logged-on user    |
-| "AN"  | Anonymous logon                      | "LA"  | Local administrator             |
-| "AU"  | Authenticated users                  | "LG"  | Local guest                     |
-| "BA"  | Built-in administrators              | "LS"  | Local service account           |
-| "BG"  | Built-in guests                      | "SY"  | Local system                    |
-| "BO"  | Backup operators                     | "NU"  | Network sign-in user              |
-| "BU"  | Built-in users                       | "NO"  | Network configuration operators |
-| "CA"  | Certificate server administrators    | "NS"  | Network service account         |
-| "CG"  | Creator group                        | "PO"  | Printer operators               |
-| "CO"  | Creator owner                        | "PS"  | Personal self                   |
-| "DA"  | Domain administrators                | "PU"  | Power users                     |
-| "DC"  | Domain computers                     | "RS"  | RAS servers group               |
-| "DD"  | Domain controllers                   | "RD"  | Terminal server users           |
-| "DG"  | Domain guests                        | "RE"  | Replicator                      |
-| "DU"  | Domain users                         | "RC"  | Restricted code                 |
-| "EA"  | Enterprise administrators            | "SA"  | Schema administrators           |
-| "ED"  | Enterprise domain controllers        | "SO"  | Server operators                |
-| "WD"  | Everyone                             | "SU"  | Service sign-in user              |
-
-- *G*: = Primary Group.
-- *D*: = DACL Entries.
-- *S*: = SACL Entries.
-
-*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
-
-Example: D:(A;;FA;;;WD)
-
-- entry\_type:
-
-“D” - DACL
-
-“S” - SACL
-
-- inheritance\_flags:
-
-"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
-
-"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set.
-
-"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
-
-- ace\_type:
-
-"A" - ACCESS ALLOWED
-
-"D" - ACCESS DENIED
-
-"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
-
-"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
-
-"AU" - SYSTEM AUDIT
-
-"A" - SYSTEM ALARM
-
-"OU" - OBJECT SYSTEM AUDIT
-
-"OL" - OBJECT SYSTEM ALARM
-
-- ace\_flags:
-
-"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
-
-"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE.
-
-"NP" - NO PROPAGATE: only immediate children inherit this ace.
-
-"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
-
-"ID" - ACE IS INHERITED
-
-"SA" - SUCCESSFUL ACCESS AUDIT
-
-"FA" - FAILED ACCESS AUDIT
-- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
-
-| Value                      | Description                     | Value                | Description              |
-|----------------------------|---------------------------------|----------------------|--------------------------|
-| Generic access rights      | Directory service access rights |
-| "GA"                       | GENERIC ALL                     | "RC"                 | Read Permissions         |
-| "GR"                       | GENERIC READ                    | "SD"                 | Delete                   |
-| "GW"                       | GENERIC WRITE                   | "WD"                 | Modify Permissions       |
-| "GX"                       | GENERIC EXECUTE                 | "WO"                 | Modify Owner             |
-| File access rights         | "RP"                            | Read All Properties  |
-| "FA"                       | FILE ALL ACCESS                 | "WP"                 | Write All Properties     |
-| "FR"                       | FILE GENERIC READ               | "CC"                 | Create All Child Objects |
-| "FW"                       | FILE GENERIC WRITE              | "DC"                 | Delete All Child Objects |
-| "FX"                       | FILE GENERIC EXECUTE            | "LC"                 | List Contents            |
-| Registry key access rights | "SW"                            | All Validated Writes |
-| "KA"                       | "LO"                            | "LO"                 | List Object              |
-| "K"                        | KEY READ                        | "DT"                 | Delete Subtree           |
-| "KW"                       | KEY WRITE                       | "CR"                 | All Extended Rights      |
-| "KX"                       | KEY EXECUTE                     |                      |                          |
-
-- object\_guid: N/A
-- inherit\_object\_guid: N/A
-- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.
-
-For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
-
-## Security Monitoring Recommendations
-
-For 5143(S): A network share object was modified.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
-- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event<b>.</b> For example, you could monitor all changes to the SYSVOL share on domain controllers.
-
diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md
deleted file mode 100644
index df41963e27..0000000000
--- a/windows/security/threat-protection/auditing/event-5144.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: 5144(S) A network share object was deleted. 
-description: Describes security event 5144(S) A network share object was deleted. This event is generated when a network share object is deleted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5144(S): A network share object was deleted.
-
-
-<img src="images/event-5144.png" alt="Event 5144 illustration" width="449" height="412" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit File Share](audit-file-share.md)
-
-***Event Description:***
-
-This event generates every time a network share object is deleted.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5144</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12808</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-18T02:17:14.820551800Z" /> 
- <EventRecordID>268368</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="4656" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x38d12</Data> 
- <Data Name="ShareName">\\\\\*\\Documents</Data> 
- <Data Name="ShareLocalPath">C:\\Documents</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “delete network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete network share object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Share Information:**
-
--   **Share Name** \[Type = UnicodeString\]**:** the name of the deleted share object. The format is: \\\\\*\\SHARE\_NAME
-
--   **Share Path** \[Type = UnicodeString\]**:** the full system (NTFS) path for the deleted share object. The format is: \\\\??\\PATH.
-
-## Security Monitoring Recommendations
-
-For 5144(S): A network share object was deleted.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
-- If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.**
-
-- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers<b>.</b> For example, you could monitor file shares on domain controllers.
-
diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
deleted file mode 100644
index 783c17d59f..0000000000
--- a/windows/security/threat-protection/auditing/event-5145.md
+++ /dev/null
@@ -1,320 +0,0 @@
----
-title: 5145(S, F) A network share object was checked to see whether client can be granted desired access. 
-description: Describes security event 5145(S, F) A network share object was checked to see whether client can be granted desired access.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5145(S, F): A network share object was checked to see whether client can be granted desired access.
-
-
-<img src="images/event-5145.png" alt="Event 5145 illustration" width="591" height="671" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Detailed File Share](audit-detailed-file-share.md)
-
-***Event Description:***
-
-This event generates every time network share object (file or folder) was accessed.
-
-*Important*: Failure events are generated only when access is denied at the file share level. No events are generated if access was denied on the file system (NTFS) level.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5145</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12811</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" /> 
- <EventRecordID>267092</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="524" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x38d34</Data> 
- <Data Name="ObjectType">File</Data> 
- <Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data> 
- <Data Name="IpPort">56926</Data> 
- <Data Name="ShareName">\\\\\*\\Documents</Data> 
- <Data Name="ShareLocalPath">\\??\\C:\\Documents</Data> 
- <Data Name="RelativeTargetName">Bginfo.exe</Data> 
- <Data Name="AccessMask">0x100081</Data> 
- <Data Name="AccessList">%%1541 %%4416 %%4423</Data> 
- <Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data> 
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Network Information:**
-
--   **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always “**File**” for this event.
-
-    The following table contains the list of the most common **Object Types**:
-
-| Directory               | Event        | Timer                | Device       |
-|-------------------------|--------------|----------------------|--------------|
-| Mutant                  | Type         | File                 | Token        |
-| Thread                  | Section      | WindowStation        | DebugObject  |
-| FilterCommunicationPort | EventPair    | Driver               | IoCompletion |
-| Controller              | SymbolicLink | WmiGuid              | Process      |
-| Profile                 | Desktop      | KeyedEvent           | Adapter      |
-| Key                     | WaitablePort | Callback             | Semaphore    |
-| Job                     | Port         | FilterConnectionPort | ALPC Port    |
-
--   **Source Address** \[Type = UnicodeString\]**:** source IP address from which access was performed.
-
-    -   IPv6 address or ::ffff:IPv4 address of a client.
-
-    -   ::1 or 127.0.0.1 means localhost.
-
--   **Source Port** \[Type = UnicodeString\]: source TCP or UDP port that was used from remote or local machine to request the access.
-
-    -   0 for local access attempts.
-
-**Share Information:**
-
--   **Share Name** \[Type = UnicodeString\]**:** the name of accessed network share. The format is: \\\\\*\\SHARE\_NAME.
-
--   **Share Path** \[Type = UnicodeString\]**:** the full system (NTFS) path for accessed share. The format is: \\\\??\\PATH. Can be empty, for example for **Share Name**: \\\\\*\\IPC$.
-
--   **Relative Target Name** \[Type = UnicodeString\]**:** relative name of the accessed target file or folder. This file-path is relative to the network share. If access was requested for the share itself, then this field appears as “**\\**”.
-
-**Access Request Information:**
-
--   **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights.
-
--   **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**.
-
-## Table of file access codes
-
-| <span id="File_access_codes" class="anchor"></span>Access | Hex Value,<br>Schema Value | Description   |
-|-----------------------------------------------------------|----------------------------|---------------|
-| ReadData (or ListDirectory)                               | 0x1,<br>%%4416             | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.<br>**ListDirectory -** For a directory, the right to list the contents of the directory.                                                                                                                                                                                           |
-| WriteData (or AddFile)                                    | 0x2,<br>%%4417             | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).<br>**AddFile -** For a directory, the right to create a file in the directory.                                                                                                                                                                                               |
-| AppendData (or AddSubdirectory or CreatePipeInstance)     | 0x4,<br>%%4418             | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations won't overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**). <br>**AddSubdirectory -** For a directory, the right to create a subdirectory.<br>**CreatePipeInstance -** For a named pipe, the right to create a pipe.                                                                                                                       |
-| ReadEA                                                    | 0x8,<br>%%4419             | The right to read extended file attributes.                                                                                                                             |
-| WriteEA                                                   | 0x10,<br>%%4420            | The right to write extended file attributes.                                                                                                                            |
-| Execute/Traverse                                          | 0x20,<br>%%4421            | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.<br>**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**&thinsp; [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**&thinsp; [access right](/windows/win32/secauthz/access-rights-and-access-masks). For more information, see the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights).                                            |
-| DeleteChild                                               | 0x40,<br>%%4422            | For a directory, the right to delete a directory and all the files it contains, including read-only files.                                                                                                                                                                                                     |
-| ReadAttributes                                            | 0x80,<br>%%4423            | The right to read file attributes.                                                                                                                                                                                                                                                                             |
-| WriteAttributes                                           | 0x100,<br>%%4424           | The right to write file attributes.                                                                                                                                     |
-| DELETE                                                    | 0x10000,<br>%%1537         | The right to delete the object.                                                                                                                                         |
-| READ\_CONTROL                                             | 0x20000,<br>%%1538         | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).                                                                                                                                                                 |
-| WRITE\_DAC                                                | 0x40000,<br>%%1539         | The right to modify the discretionary access control list (DACL) in the object's security descriptor.                                                                                                                                              |
-| WRITE\_OWNER                                              | 0x80000,<br>%%1540         | The right to change the owner in the object's security descriptor                                                                                                                                                                                                                                         |
-| SYNCHRONIZE                                               | 0x100000,<br>%%1541        | The right to use the object for synchronization. This right enables a thread to wait until the object is in the signaled state. Some object types don't support this access right.                                                                                                                                  |
-| ACCESS\_SYS\_SEC                                          | 0x1000000,<br>%%1542       | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor.                                                                                                                                                                               |
-
-> <span id="_Ref433878809" class="anchor"></span>Table 13. File access codes.
-
-**Access Check Results** \[Type = UnicodeString\]: the list of access check results. The format of the result is:<br><br>
-
-REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.
-
--   REQUESTED\_ACCESS – the name of requested access. See [Table of file access codes](#table-of-file-access-codes), earlier in this topic.
-
--   RESULT:
-
-    -   Granted by – if access was granted.
-
-    -   Denied by – if access was denied.
-
--   ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access.
-
-> **Note**&nbsp;&nbsp;The **<a id="SDDL" class="anchor"></a>Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
-> 
-> Example:
-> 
-> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
-> 
-> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
-> See the list of possible values in the table below.
-
-## SDDL values for Access Control Entry
-
-| Value | Description                          | Value | Description                     |
-|-------|--------------------------------------|-------|---------------------------------|
-| "AO"  | Account operators                    | "PA"  | Group Policy administrators     |
-| "RU"  | Alias to allow previous Windows 2000 | "IU"  | Interactively logged-on user    |
-| "AN"  | Anonymous logon                      | "LA"  | Local administrator             |
-| "AU"  | Authenticated users                  | "LG"  | Local guest                     |
-| "BA"  | Built-in administrators              | "LS"  | Local service account           |
-| "BG"  | Built-in guests                      | "SY"  | Local system                    |
-| "BO"  | Backup operators                     | "NU"  | Network sign-in user              |
-| "BU"  | Built-in users                       | "NO"  | Network configuration operators |
-| "CA"  | Certificate server administrators    | "NS"  | Network service account         |
-| "CG"  | Creator group                        | "PO"  | Printer operators               |
-| "CO"  | Creator owner                        | "PS"  | Personal self                   |
-| "DA"  | Domain administrators                | "PU"  | Power users                     |
-| "DC"  | Domain computers                     | "RS"  | RAS servers group               |
-| "DD"  | Domain controllers                   | "RD"  | Terminal server users           |
-| "DG"  | Domain guests                        | "RE"  | Replicator                      |
-| "DU"  | Domain users                         | "RC"  | Restricted code                 |
-| "EA"  | Enterprise administrators            | "SA"  | Schema administrators           |
-| "ED"  | Enterprise domain controllers        | "SO"  | Server operators                |
-| "WD"  | Everyone                             | "SU"  | Service sign-in user              |
-
-- *G*: = Primary Group.
-- *D*: = DACL Entries.
-- *S*: = SACL Entries.
-
-*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
-
-Example: D:(A;;FA;;;WD)
-
-- entry\_type:
-
-“D” - DACL
-
-“S” - SACL
-
-- inheritance\_flags:
-
-"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
-
-"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set.
-
-"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
-
-- ace\_type:
-
-"A" - ACCESS ALLOWED
-
-"D" - ACCESS DENIED
-
-"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
-
-"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
-
-"AU" - SYSTEM AUDIT
-
-"A" - SYSTEM ALARM
-
-"OU" - OBJECT SYSTEM AUDIT
-
-"OL" - OBJECT SYSTEM ALARM
-
-- ace\_flags:
-
-"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
-
-"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE.
-
-"NP" - NO PROPAGATE: only immediate children inherit this ace.
-
-"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
-
-"ID" - ACE IS INHERITED
-
-"SA" - SUCCESSFUL ACCESS AUDIT
-
-"FA" - FAILED ACCESS AUDIT
-- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
-
-| Value                      | Description                     | Value                | Description              |
-|----------------------------|---------------------------------|----------------------|--------------------------|
-| Generic access rights      | Directory service access rights |
-| "GA"                       | GENERIC ALL                     | "RC"                 | Read Permissions         |
-| "GR"                       | GENERIC READ                    | "SD"                 | Delete                   |
-| "GW"                       | GENERIC WRITE                   | "WD"                 | Modify Permissions       |
-| "GX"                       | GENERIC EXECUTE                 | "WO"                 | Modify Owner             |
-| File access rights         | "RP"                            | Read All Properties  |
-| "FA"                       | FILE ALL ACCESS                 | "WP"                 | Write All Properties     |
-| "FR"                       | FILE GENERIC READ               | "CC"                 | Create All Child Objects |
-| "FW"                       | FILE GENERIC WRITE              | "DC"                 | Delete All Child Objects |
-| "FX"                       | FILE GENERIC EXECUTE            | "LC"                 | List Contents            |
-| Registry key access rights | "SW"                            | All Validated Writes |
-| "KA"                       | "LO"                            | "LO"                 | List Object              |
-| "K"                        | KEY READ                        | "DT"                 | Delete Subtree           |
-| "KW"                       | KEY WRITE                       | "CR"                 | All Extended Rights      |
-| "KX"                       | KEY EXECUTE                     |                      |                          |
-
-- object\_guid: N/A
-- inherit\_object\_guid: N/A
-- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.
-
-For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
-
-## Security Monitoring Recommendations
-
-For 5145(S, F): A network share object was checked to see whether client can be granted desired access.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Monitor this event if the **Network Information\\Source Address** isn't from your internal IP range.
-
--   Monitor this event if the **Network Information\\Source Address** shouldn't be able to connect with the specific computer (**Computer:**).
-
--   If you have critical files or folders on specific network shares, for which you need to monitor access attempts (Success and Failure), monitor for specific **Share Information\\Share Name** and **Share Information\\Relative Target Name**.
-
--   If you have domain or local accounts that should only be able to access a specific list of shared files or folders, you can monitor for access attempts outside the allowed list.
-
--   We recommend that you monitor for these **Access Request Information\\Accesses** rights (especially for Failure):
-
-    -   WriteData (or AddFile)
-
-    -   AppendData (or AddSubdirectory or CreatePipeInstance)
-
-    -   WriteEA
-
-    -   DeleteChild
-
-    -   WriteAttributes
-
-    -   DELETE
-
-    -   WRITE\_DAC
-
-    -   WRITE\_OWNER
diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md
deleted file mode 100644
index 9eb90940af..0000000000
--- a/windows/security/threat-protection/auditing/event-5148.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. 
-description: Details on Security event 5148(F), The Windows Filtering Platform has detected a DoS attack and entered a defensive mode.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
-
-
-In most circumstances, this event occurs rarely. It's designed to be generated when an ICMP DoS attack starts or was detected.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
-***Event Schema:***
-
-*The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.*
-
-*Network Information:*
-
-> *Type:%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   This event can be a sign of ICMP DoS attack or, among other things, hardware or network device related problems. In both cases, we recommend triggering an alert and investigating the reason the event was generated.
-
diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md
deleted file mode 100644
index f1c753d3a9..0000000000
--- a/windows/security/threat-protection/auditing/event-5149.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: 5149(F) The DoS attack has subsided and normal processing is being resumed. 
-description: Describes security event 5149(F) The DoS attack has subsided and normal processing is being resumed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5149(F): The DoS attack has subsided and normal processing is being resumed.
-
-
-In most circumstances, this event occurs rarely. It's designed to be generated when an ICMP DoS attack ends.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
-***Event Schema:***
-
-*The DoS attack has subsided and normal processing is being resumed.*
-
-*Network Information:*
-
-> *Type:%1*
->
-> *Packets Discarded:%2*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   This event can be a sign of ICMP DoS attack or, among other things, hardware or network device related problems. In both cases, we recommend triggering an alert and investigating the reason the event was generated.
-
diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
deleted file mode 100644
index a5f3e3b184..0000000000
--- a/windows/security/threat-protection/auditing/event-5150.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: 5150(-) The Windows Filtering Platform blocked a packet. 
-description: Describes security event 5150(-) The Windows Filtering Platform blocked a packet.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5150(-): The Windows Filtering Platform blocked a packet.
-
-
-This event is logged if the Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) blocked a packet.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-
-***Event Schema:***
-
-*The Windows Filtering Platform has blocked a packet.*
-
-*Network Information:*
-
-> *Direction:%1*
->
-> *Source Address:%2*
->
-> *Destination Address:%3*
->
-> *EtherType:%4*
->
-> *MediaType:%5*
->
-> *InterfaceType:%6*
->
-> *VlanTag:%7*
-
-*Filter Information:*
-
-> *Filter Run-Time ID:%8*
->
-> *Layer Name:%9*
->
-> *Layer Run-Time ID:%10*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2012, Windows 8.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
deleted file mode 100644
index 92c88cdf47..0000000000
--- a/windows/security/threat-protection/auditing/event-5151.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. 
-description: Describes security event 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
-
-
-This event is logged if a more restrictive Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) has blocked a packet.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-
-***Event Schema:***
-
-*A more restrictive Windows Filtering Platform filter has blocked a packet.*
-
-*Network Information:*
-
-> *Direction:%1*
->
-> *Source Address:%2*
->
-> *Destination Address:%3*
->
-> *EtherType:%4*
->
-> *MediaType:%5*
->
-> *InterfaceType:%6*
->
-> *VlanTag:%7*
-
-*Filter Information:*
-
-> *Filter Run-Time ID:%8*
->
-> *Layer Name:%9*
->
-> *Layer Run-Time ID:%10*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2012, Windows 8.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
deleted file mode 100644
index 0c38edef1f..0000000000
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ /dev/null
@@ -1,185 +0,0 @@
----
-title: 5152(F) The Windows Filtering Platform blocked a packet. 
-description: Describes security event 5152(F) The Windows Filtering Platform blocked a packet.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5152(F): The Windows Filtering Platform blocked a packet.
-
-
-<img src="images/event-5152.png" alt="Event 5152 illustration" width="497" height="499" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
-
-***Event Description:***
-
-This event generates when [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) has blocked a network packet.
-
-This event is generated for every received network packet.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5152</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12809</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-22T16:52:37.274367300Z" /> 
- <EventRecordID>321323</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="4456" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ProcessId">4556</Data> 
- <Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data> 
- <Data Name="Direction">%%14592</Data> 
- <Data Name="SourceAddress">10.0.0.100</Data> 
- <Data Name="SourcePort">49278</Data> 
- <Data Name="DestAddress">10.0.0.10</Data> 
- <Data Name="DestPort">3333</Data> 
- <Data Name="Protocol">6</Data> 
- <Data Name="FilterRTID">0</Data> 
- <Data Name="LayerName">%%14610</Data> 
- <Data Name="LayerRTID">44</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Application Information**:
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process to which blocked network packet was sent. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-    Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
-
-<img src="images/diskpart.png" alt="DiskPart illustration" width="786" height="246" />
-
-**Network Information:**
-
--   **Direction** \[Type = UnicodeString\]: direction of blocked connection.
-
-    -   Inbound – for inbound connections.
-
-    -   Outbound – for unbound connections.
-
--   **Source Address** \[Type = UnicodeString\]**:** local IP address on which application received the packet.
-
-    -   IPv4 Address
-
-    -   IPv6 Address
-
-    -   :: - all IP addresses in IPv6 format
-
-    -   0.0.0.0 - all IP addresses in IPv4 format
-
-    -   127.0.0.1, ::1 - localhost
-
--   **Source Port** \[Type = UnicodeString\]**:** port number on which application received the packet.
-
--   **Destination Address** \[Type = UnicodeString\]**:** IP address ***from*** which packet was received or initiated.
-
-    -   IPv4 Address
-
-    -   IPv6 Address
-
-    -   :: - all IP addresses in IPv6 format
-
-    -   0.0.0.0 - all IP addresses in IPv4 format
-
-    -   127.0.0.1, ::1 - localhost
-
--   **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to send the packet.
-
--   **Protocol** \[Type = UInt32\]**:** number of the protocol that was used.
-
-| Service                                            | Protocol Number |
-|----------------------------------------------------|-----------------|
-| Internet Control Message Protocol (ICMP)           | 1               |
-| Transmission Control Protocol (TCP)                | 6               |
-| User Datagram Protocol (UDP)                       | 17              |
-| General Routing Encapsulation (PPTP data over GRE) | 47              |
-| Authentication Header (AH) IPSec                   | 51              |
-| Encapsulation Security Payload (ESP) IPSec         | 50              |
-| Exterior Gateway Protocol (EGP)                    | 8               |
-| Gateway-Gateway Protocol (GGP)                     | 3               |
-| Host Monitoring Protocol (HMP)                     | 20              |
-| Internet Group Management Protocol (IGMP)          | 88              |
-| MIT Remote Virtual Disk (RVD)                      | 66              |
-| OSPF Open Shortest Path First                      | 89              |
-| PARC Universal Packet Protocol (PUP)               | 12              |
-| Reliable Datagram Protocol (RDP)                   | 27              |
-| Reservation Protocol (RSVP) QoS                    | 46              |
-
-**Filter Information:**
-
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocked the packet.
-
-    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example:
-
-    <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
-
--   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
-
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
-
-<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
-
-## Security Monitoring Recommendations
-
-For 5152(F): The Windows Filtering Platform blocked a packet.
-
--   If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
-
--   You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
-
--   Check that **Source Address** is one of the addresses assigned to the computer.
-
--   If the computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
-
--   If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in **Destination Address**.
-
--   If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that aren't in the allowlist.
-
--   If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”**
-
--   Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17.
-
--   If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md
deleted file mode 100644
index 0fe85f8e85..0000000000
--- a/windows/security/threat-protection/auditing/event-5153.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. 
-description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
-
-
-This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
-
-***Event Schema:***
-
-*A more restrictive Windows Filtering Platform filter has blocked a packet.*
-
-*Application Information:*
-
-> *Process ID:%1*
->
-> *Application Name:%2*
-
-*Network Information:*
-
-> *Source Address:%3*
->
-> *Source Port:%4*
->
-> *Protocol:%5*
-
-*Filter Information:*
-
-> *Filter Run-Time ID:%6*
->
-> *Layer Name:%7*
->
-> *Layer Run-Time ID:%8*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
-
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
deleted file mode 100644
index d99a804e12..0000000000
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ /dev/null
@@ -1,144 +0,0 @@
----
-title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
-description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
-
-
-<img src="images/event-5154.png" alt="Event 5154 illustration" width="490" height="474" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-
-***Event Description:***
-
-This event generates every time [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) permits an application or service to listen on a port.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5154</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12810</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-22T02:04:25.757462900Z" /> 
- <EventRecordID>287929</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="3968" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ProcessId">4152</Data> 
- <Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data> 
- <Data Name="SourceAddress">0.0.0.0</Data> 
- <Data Name="SourcePort">4444</Data> 
- <Data Name="Protocol">6</Data> 
- <Data Name="FilterRTID">0</Data> 
- <Data Name="LayerName">%%14609</Data> 
- <Data Name="LayerRTID">40</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Application Information**:
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-    Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
-
-<img src="images/diskpart.png" alt="DiskPart illustration" width="786" height="246" />
-
-**Network Information:**
-
--   **Source Address** \[Type = UnicodeString\]**:** local IP address on which application requested to listen on the port.
-
-    -   IPv4 Address
-
-    -   IPv6 Address
-
-    -   :: - all IP addresses in IPv6 format
-s
-    -   0.0.0.0 - all IP addresses in IPv4 format
-
-    -   127.0.0.1, ::1 - localhost
-
--   **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number that was requested for listening by application.
-
--   **Protocol** \[Type = UInt32\]: protocol number. For example:
-
-    -   6 – TCP.
-
-    -   17 – UDP.
-
-        More information about possible values for this field: <https://technet.microsoft.com/library/cc959827.aspx>.
-
-**Filter Information:**
-
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you'll get value **0** in this field.
-
-    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example:
-
-<img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
-
--   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
-
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
-
-<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
-
-## Security Monitoring Recommendations
-
-For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
-
--   If you've an “allowlist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
-
--   If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”**
-
--   If a certain application is allowed to listen only on a specific IP address, monitor this event for **“Application Name”** and **“Network Information\\Source Address**.**”**
-
--   If a certain application is allowed to use only TCP or UDP protocols, monitor this event for **“Application Name”** and the protocol number in **“Network Information\\Protocol**.**”**
-
--   If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
-
--   You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
-
--   Typically this event has an informational purpose.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
deleted file mode 100644
index 883e22bd27..0000000000
--- a/windows/security/threat-protection/auditing/event-5155.md
+++ /dev/null
@@ -1,142 +0,0 @@
----
-title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
-description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
-
-
-By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system won't generate Event 5155 by itself.
-
-You can add your own filters using the WFP APIs to block listen to reproduce this event: <https://msdn.microsoft.com/library/aa364046(v=vs.85).aspx>.
-
-***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-
-***Event Description:***
-
-This event generates every time the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) blocks an application or service from listening on a port for incoming connections.
-
-<br clear="all">
-
-***Event XML:***
-```xml
-<Event
-    xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-    <System>
-        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
-        <EventID>5155</EventID>
-        <Version>0</Version>
-        <Level>0</Level>
-        <Task>12810</Task>
-        <Opcode>0</Opcode>
-        <Keywords>0x8010000000000000</Keywords>
-        <TimeCreated SystemTime="2019-04-18T03:49:08.507780900Z" />
-        <EventRecordID>42196</EventRecordID>
-        <Correlation />
-        <Execution ProcessID="4" ThreadID="2788" />
-        <Channel>Security</Channel>
-        <Computer>NATHAN-AGENT2</Computer>
-        <Security />
-    </System>
-    <EventData>
-        <Data Name="ProcessId">2628</Data>
-        <Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
-        <Data Name="SourceAddress">0.0.0.0</Data>
-        <Data Name="SourcePort">5555</Data>
-        <Data Name="Protocol">6</Data>
-        <Data Name="FilterRTID">84576</Data>
-        <Data Name="LayerName">%%14609</Data>
-        <Data Name="LayerRTID">40</Data>
-    </EventData>
-</Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Application Information**:
-
--   **Process ID** \[Type = Pointer\]: Hexadecimal Process ID (PID) of the process that was permitted to bind to the local port. The PID is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
-<!-- -->
-
--   **Application Name** \[Type = UnicodeString\]**:** Full path and the name of the executable for the process.
-
-    Logical disk is displayed in the format \\device\\harddiskvolume\#. You can get all local volume numbers by using the **diskpart** utility. The command to get volume numbers using diskpart is “**list volume**”:
-
-<img src="images/diskpart.png" alt="DiskPart illustration" width="786" height="246" />
-
-**Network Information:**
-
--   **Source Address** \[Type = UnicodeString\]**:** The local IP address of the computer running the application.
-
-    -   IPv4 Address
-
-    -   IPv6 Address
-
-    -   :: - all IP addresses in IPv6 format
-
-    -   0.0.0.0 - all IP addresses in IPv4 format
-
-    -   127.0.0.1, ::1 - localhost
-
--   **Source Port** \[Type = UnicodeString\]**:** The port number used by the application.
-
--   **Protocol** \[Type = UInt32\]: the protocol number being used.
-
-| Service                                            | Protocol Number |
-|----------------------------------------------------|-----------------|
-| Internet Control Message Protocol (ICMP)           | 1               |
-| Transmission Control Protocol (TCP)                | 6               |
-| User Datagram Protocol (UDP)                       | 17              |
-| General Routing Encapsulation (PPTP data over GRE) | 47              |
-| Authentication Header (AH) IPSec                   | 51              |
-| Encapsulation Security Payload (ESP) IPSec         | 50              |
-| Exterior Gateway Protocol (EGP)                    | 8               |
-| Gateway-Gateway Protocol (GGP)                     | 3               |
-| Host Monitoring Protocol (HMP)                     | 20              |
-| Internet Group Management Protocol (IGMP)          | 88              |
-| MIT Remote Virtual Disk (RVD)                      | 66              |
-| OSPF Open Shortest Path First                      | 89              |
-| PARC Universal Packet Protocol (PUP)               | 12              |
-| Reliable Datagram Protocol (RDP)                   | 27              |
-| Reservation Protocol (RSVP) QoS                    | 46              |
-
-**Filter Information:**
-
--   **Filter Run-Time ID** \[Type = UInt64\]: A unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding to an application, and if this application doesn’t match any filters, you'll get a 0 value in this field.
-
-    To find a specific Windows Filtering Platform filter by ID, you need to execute the following command: **netsh wfp show filters**. As a result of this command, a **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**&lt;filterId&gt;**), for example:
-
-    <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
-
--   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
-
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As a result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**&lt;layerId&gt;**), for example:
-
-<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
-
-## Security Monitoring Recommendations
-
--   If you use Windows Filtering Platform APIs to block application or services from listening on a port, then you can use this event for troubleshooting and monitoring.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
deleted file mode 100644
index 5c4dd19d0c..0000000000
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ /dev/null
@@ -1,185 +0,0 @@
----
-title: 5156(S) The Windows Filtering Platform has permitted a connection. 
-description: Describes security event 5156(S) The Windows Filtering Platform has permitted a connection.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5156(S): The Windows Filtering Platform has permitted a connection.
-
-
-<img src="images/event-5156.png" alt="Event 5156 illustration" width="491" height="506" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-
-***Event Description:***
-
-This event generates when [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) has allowed a connection.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5156</EventID> 
- <Version>1</Version> 
- <Level>0</Level> 
- <Task>12810</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-22T05:24:22.622090200Z" /> 
- <EventRecordID>308129</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="3712" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ProcessID">4556</Data> 
- <Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data> 
- <Data Name="Direction">%%14592</Data> 
- <Data Name="SourceAddress">10.0.0.10</Data> 
- <Data Name="SourcePort">3333</Data> 
- <Data Name="DestAddress">10.0.0.100</Data> 
- <Data Name="DestPort">49278</Data> 
- <Data Name="Protocol">6</Data> 
- <Data Name="FilterRTID">70201</Data> 
- <Data Name="LayerName">%%14610</Data> 
- <Data Name="LayerRTID">44</Data> 
- <Data Name="RemoteUserID">S-1-0-0</Data> 
- <Data Name="RemoteMachineID">S-1-0-0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Application Information**:
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-    Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
-
-<img src="images/diskpart.png" alt="DiskPart illustration" width="786" height="246" />
-
-**Network Information:**
-
--   **Direction** \[Type = UnicodeString\]: direction of allowed connection.
-
-    -   Inbound – for inbound connections.
-
-    -   Outbound – for unbound connections.
-
--   **Source Address** \[Type = UnicodeString\]**:**  IP address from which the connection was initiated.
-
-    -   IPv4 Address
-
-    -   IPv6 Address
-
-    -   :: - all IP addresses in IPv6 format
-
-    -   0.0.0.0 - all IP addresses in IPv4 format
-
-    -   127.0.0.1, ::1 - localhost
-
--   **Source Port** \[Type = UnicodeString\]**:** port number from which the connection was initiated.
-
--   **Destination Address** \[Type = UnicodeString\]**:** IP address where the connection was received.
-
-    -   IPv4 Address
-
-    -   IPv6 Address
-
-    -   :: - all IP addresses in IPv6 format
-
-    -   0.0.0.0 - all IP addresses in IPv4 format
-
-    -   127.0.0.1, ::1 - localhost
-
--   **Destination Port** \[Type = UnicodeString\]**:** port number where the connection was received.
-
--   **Protocol** \[Type = UInt32\]: number of the protocol that was used.
-
-| Service                                            | Protocol Number |
-|----------------------------------------------------|-----------------|
-| Internet Control Message Protocol (ICMP)           | 1               |
-| Transmission Control Protocol (TCP)                | 6               |
-| User Datagram Protocol (UDP)                       | 17              |
-| General Routing Encapsulation (PPTP data over GRE) | 47              |
-| Authentication Header (AH) IPSec                   | 51              |
-| Encapsulation Security Payload (ESP) IPSec         | 50              |
-| Exterior Gateway Protocol (EGP)                    | 8               |
-| Gateway-Gateway Protocol (GGP)                     | 3               |
-| Host Monitoring Protocol (HMP)                     | 20              |
-| Internet Group Management Protocol (IGMP)          | 88              |
-| MIT Remote Virtual Disk (RVD)                      | 66              |
-| OSPF Open Shortest Path First                      | 89              |
-| PARC Universal Packet Protocol (PUP)               | 12              |
-| Reliable Datagram Protocol (RDP)                   | 27              |
-| Reservation Protocol (RSVP) QoS                    | 46              |
-
-**Filter Information:**
-
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allowed the connection.
-
-    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example:
-
-<img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
-
--   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
-
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
-
-<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
-
-## Security Monitoring Recommendations
-
-For 5156(S): The Windows Filtering Platform has permitted a connection.
-
--   If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
-
--   You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
-
--   Check that “**Source Address”** is one of the addresses assigned to the computer.
-
--   If the computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
-
--   If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-
--   If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that aren't in the allowlist.
-
--   If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
-
--   Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17.
-
--   If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
deleted file mode 100644
index 2042aa3cb3..0000000000
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ /dev/null
@@ -1,185 +0,0 @@
----
-title: 5157(F) The Windows Filtering Platform has blocked a connection. 
-description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5157(F): The Windows Filtering Platform has blocked a connection.
-
-
-<img src="images/event-5157.png" alt="Event 5157 illustration" width="491" height="503" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-
-***Event Description:***
-
-This event generates when [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) has blocked a connection.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5157</EventID> 
- <Version>1</Version> 
- <Level>0</Level> 
- <Task>12810</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-22T03:46:51.662750400Z" /> 
- <EventRecordID>304390</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="4520" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ProcessID">4556</Data> 
- <Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data> 
- <Data Name="Direction">%%14592</Data> 
- <Data Name="SourceAddress">10.0.0.10</Data> 
- <Data Name="SourcePort">3333</Data> 
- <Data Name="DestAddress">10.0.0.100</Data> 
- <Data Name="DestPort">49218</Data> 
- <Data Name="Protocol">6</Data> 
- <Data Name="FilterRTID">110398</Data> 
- <Data Name="LayerName">%%14610</Data> 
- <Data Name="LayerRTID">44</Data> 
- <Data Name="RemoteUserID">S-1-0-0</Data> 
- <Data Name="RemoteMachineID">S-1-0-0</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Application Information**:
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted to create the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
--   **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-    Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
-
-<img src="images/diskpart.png" alt="DiskPart illustration" width="786" height="246" />
-
-**Network Information:**
-
--   **Direction** \[Type = UnicodeString\]: direction of blocked connection.
-
-    -   Inbound – for inbound connections.
-
-    -   Outbound – for unbound connections.
-
--   **Source Address** \[Type = UnicodeString\]**:** local IP address on which application received the connection.
-
-    -   IPv4 Address
-
-    -   IPv6 Address
-
-    -   :: - all IP addresses in IPv6 format
-
-    -   0.0.0.0 - all IP addresses in IPv4 format
-
-    -   127.0.0.1, ::1 - localhost
-
--   **Source Port** \[Type = UnicodeString\]**:** port number on which application received the connection.
-
--   **Destination Address** \[Type = UnicodeString\]**:** IP address ***from*** which connection was received or initiated.
-
-    -   IPv4 Address
-
-    -   IPv6 Address
-
-    -   :: - all IP addresses in IPv6 format
-
-    -   0.0.0.0 - all IP addresses in IPv4 format
-
-    -   127.0.0.1, ::1 - localhost
-
--   **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to initiate connection.
-
--   **Protocol** \[Type = UInt32\]: number of the protocol that was used.
-
-| Service                                            | Protocol Number |
-|----------------------------------------------------|-----------------|
-| Internet Control Message Protocol (ICMP)           | 1               |
-| Transmission Control Protocol (TCP)                | 6               |
-| User Datagram Protocol (UDP)                       | 17              |
-| General Routing Encapsulation (PPTP data over GRE) | 47              |
-| Authentication Header (AH) IPSec                   | 51              |
-| Encapsulation Security Payload (ESP) IPSec         | 50              |
-| Exterior Gateway Protocol (EGP)                    | 8               |
-| Gateway-Gateway Protocol (GGP)                     | 3               |
-| Host Monitoring Protocol (HMP)                     | 20              |
-| Internet Group Management Protocol (IGMP)          | 88              |
-| MIT Remote Virtual Disk (RVD)                      | 66              |
-| OSPF Open Shortest Path First                      | 89              |
-| PARC Universal Packet Protocol (PUP)               | 12              |
-| Reliable Datagram Protocol (RDP)                   | 27              |
-| Reservation Protocol (RSVP) QoS                    | 46              |
-
-**Filter Information:**
-
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocked the connection.
-
-    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example:
-
-    <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
-
--   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
-
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
-
-<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
-
-## Security Monitoring Recommendations
-
-For 5157(F): The Windows Filtering Platform has blocked a connection.
-
--   If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
-
--   You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
-
--   Check that “**Source Address”** is one of the addresses assigned to the computer.
-
--   If the\` computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
-
--   If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-
--   If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that aren't in the allowlist.
-
--   If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
-
--   Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17.
-
--   If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
deleted file mode 100644
index 42d2e97dd8..0000000000
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ /dev/null
@@ -1,156 +0,0 @@
----
-title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. 
-description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
-
-
-<img src="images/event-5158.png" alt="Event 5158 illustration" width="491" height="466" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-
-***Event Description:***
-
-This event generates every time [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) permits an application or service to bind to a local port.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5158</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12810</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-22T05:24:03.376171200Z" /> 
- <EventRecordID>308122</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="3712" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ProcessId">4556</Data> 
- <Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data> 
- <Data Name="SourceAddress">0.0.0.0</Data> 
- <Data Name="SourcePort">3333</Data> 
- <Data Name="Protocol">6</Data> 
- <Data Name="FilterRTID">0</Data> 
- <Data Name="LayerName">%%14608</Data> 
- <Data Name="LayerRTID">36</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Application Information**:
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
-<!-- -->
-
--   **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-    Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
-
-<img src="images/diskpart.png" alt="DiskPart illustration" width="786" height="246" />
-
-**Network Information:**
-
--   **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bound the port.
-
-    -   IPv4 Address
-
-    -   IPv6 Address
-
-    -   :: - all IP addresses in IPv6 format
-
-    -   0.0.0.0 - all IP addresses in IPv4 format
-
-    -   127.0.0.1, ::1 - localhost
-
--   **Source Port** \[Type = UnicodeString\]**:** port number which application was bind.
-
--   **Protocol** \[Type = UInt32\]: number of the protocol that was used.
-
-| Service                                            | Protocol Number |
-|----------------------------------------------------|-----------------|
-| Internet Control Message Protocol (ICMP)           | 1               |
-| Transmission Control Protocol (TCP)                | 6               |
-| User Datagram Protocol (UDP)                       | 17              |
-| General Routing Encapsulation (PPTP data over GRE) | 47              |
-| Authentication Header (AH) IPSec                   | 51              |
-| Encapsulation Security Payload (ESP) IPSec         | 50              |
-| Exterior Gateway Protocol (EGP)                    | 8               |
-| Gateway-Gateway Protocol (GGP)                     | 3               |
-| Host Monitoring Protocol (HMP)                     | 20              |
-| Internet Group Management Protocol (IGMP)          | 88              |
-| MIT Remote Virtual Disk (RVD)                      | 66              |
-| OSPF Open Shortest Path First                      | 89              |
-| PARC Universal Packet Protocol (PUP)               | 12              |
-| Reliable Datagram Protocol (RDP)                   | 27              |
-| Reservation Protocol (RSVP) QoS                    | 46              |
-
-**Filter Information:**
-
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you'll get value 0 in this field.
-
-    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example:
-
-    <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
-
--   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
-
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
-
-<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
-
-## Security Monitoring Recommendations
-
-For 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
-
--   If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
-
--   You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
--   If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
-
--   Check that “**Source Address”** is one of the addresses assigned to the computer.
-
--   If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”**
-
--   Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 6 or 17.
-
--   If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
deleted file mode 100644
index e73c67f9da..0000000000
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. 
-description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5159(F): The Windows Filtering Platform has blocked a bind to a local port.
-
-
-<img src="images/event-5159.png" alt="Event 5159 illustration" width="491" height="466" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-
-***Event Description:***
-
-This event is logged if the Windows Filtering Platform has blocked a bind to a local port.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
- <EventID>5159</EventID>
- <Version>0</Version>
- <Level>0</Level>
- <Task>12810</Task>
- <Opcode>0</Opcode>
- <Keywords>0x8010000000000000</Keywords>
- <TimeCreated SystemTime="2019-04-19T07:36:55.955388300Z" />
- <EventRecordID>44097</EventRecordID>
- <Correlation />
- <Execution ProcessID="4" ThreadID="6480" />
- <Channel>Security</Channel>
- <Computer>DC01.contoso.local</Computer>
- <Security />
- </System>
-- <EventData>
- <Data Name="ProcessId">7924</Data>
- <Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
- <Data Name="SourceAddress">0.0.0.0</Data>
- <Data Name="SourcePort">5555</Data>
- <Data Name="Protocol">6</Data>
- <Data Name="FilterRTID">84614</Data>
- <Data Name="LayerName">%%14608</Data>
- <Data Name="LayerRTID">36</Data>
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Application Information**:
-
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
-
-    <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
-
-    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
-
-<!-- -->
-
--   **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
-
-    Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
-
-<img src="images/diskpart.png" alt="DiskPart illustration" width="786" height="246" />
-
-**Network Information:**
-
--   **Source Address** \[Type = UnicodeString\]**:** the local IP address of the computer running the application.
-
-    -   IPv4 Address
-
-    -   IPv6 Address
-
-    -   :: - all IP addresses in IPv6 format
-
-    -   0.0.0.0 - all IP addresses in IPv4 format
-
-    -   127.0.0.1, ::1 - localhost
-
--   **Source Port** \[Type = UnicodeString\]**:** the port number used by the application.
-
--   **Protocol** \[Type = UInt32\]: the protocol number being used.
-
-| Service                                            | Protocol Number |
-|----------------------------------------------------|-----------------|
-| Internet Control Message Protocol (ICMP)           | 1               |
-| Transmission Control Protocol (TCP)                | 6               |
-| User Datagram Protocol (UDP)                       | 17              |
-| General Routing Encapsulation (PPTP data over GRE) | 47              |
-| Authentication Header (AH) IPSec                   | 51              |
-| Encapsulation Security Payload (ESP) IPSec         | 50              |
-| Exterior Gateway Protocol (EGP)                    | 8               |
-| Gateway-Gateway Protocol (GGP)                     | 3               |
-| Host Monitoring Protocol (HMP)                     | 20              |
-| Internet Group Management Protocol (IGMP)          | 88              |
-| MIT Remote Virtual Disk (RVD)                      | 66              |
-| OSPF Open Shortest Path First                      | 89              |
-| PARC Universal Packet Protocol (PUP)               | 12              |
-| Reliable Datagram Protocol (RDP)                   | 27              |
-| Reservation Protocol (RSVP) QoS                    | 46              |
-
-**Filter Information:**
-
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you'll get value 0 in this field.
-
-    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find the specific substring with the required filter ID (**&lt;filterId&gt;**)**,** for example:
-
-    <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
-
--   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
-
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find the specific substring with the required layer ID (**&lt;layerId&gt;**)**,** for example:
-
-<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
-
-## Security Monitoring Recommendations
-
--   There's no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
deleted file mode 100644
index f29c101e31..0000000000
--- a/windows/security/threat-protection/auditing/event-5168.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-title: 5168(F) SPN check for SMB/SMB2 failed. 
-description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. This event is generated when an SMB SPN check fails.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5168(F): SPN check for SMB/SMB2 failed.
-
-
-<img src="images/event-5168.png" alt="Event 5168 illustration" width="575" height="474" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit File Share](audit-file-share.md)
-
-***Event Description:***
-
-This event generates when SMB SPN check fails.
-
-It often happens because of NTLMv1 or LM protocols usage from client side when “[Microsoft Network Server: Server SPN target name validation level](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852272(v=ws.11))” group policy set to “Require from client” on server side. SPN only sent to server when NTLMv2 or Kerberos protocols are used, and after that SPN can be validated.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5168</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12808</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-18T17:53:40.294859800Z" /> 
- <EventRecordID>268946</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="80" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0xd0cd4</Data> 
- <Data Name="SpnName">N/A</Data> 
- <Data Name="ErrorCode">0xc0000022</Data> 
- <Data Name="ServerNames">CONTOSO;contoso.local;DC01.contoso.local;DC01;LocalHost;</Data> 
- <Data Name="ConfiguredNames">N/A</Data> 
- <Data Name="IpAddresses">127.0.0.1;::1;10.0.0.10;;fe80::31ea:6c3c:f40d:1973;;fe80::5efe:10.0.0.10;</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account for which SPN check operation was failed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which SPN check operation was failed.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**SPN**:
-
--   **SPN Name** \[Type = UnicodeString\]: SPN which was used to access the server. If SPN was not provided, then the value will be “N/A”.
-
-> **Note**&nbsp;&nbsp;**Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-
--   **Error Code** \[Type = HexInt32\]: hexadecimal error code, for example “0xC0000022” = STATUS\_ACCESS\_DENIED. You can find description for all SMB error codes here: <https://msdn.microsoft.com/library/ee441884.aspx>.
-
-**Server Information**:
-
--   **Server Names** \[Type = UnicodeString\]: information about possible server names to use to access the target server (NETBIOS, DNS, localhost, etc.).
-
--   **Configured Names** \[Type = UnicodeString\]: information about the names which were provided for validation. If no information was provided the value will be “**N/A**”.
-
--   **IP Addresses** \[Type = UnicodeString\]: information about possible IP addresses to use to access the target server (IPv4, IPv6).
-
-## Security Monitoring Recommendations
-
-For 5168(F): SPN check for SMB/SMB2 failed.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   We recommend monitoring for any [5168](event-5168.md) event, because it can be a sign of a configuration issue or a malicious authentication attempt.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md
deleted file mode 100644
index ea9979f965..0000000000
--- a/windows/security/threat-protection/auditing/event-5376.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-title: 5376(S) Credential Manager credentials were backed up. 
-description: Describes security event 5376(S) Credential Manager credentials were backed up.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5376(S): Credential Manager credentials were backed up.
-
-
-<img src="images/event-5376.png" alt="Event 5376 illustration" width="449" height="404" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time the user (**Subject**) successfully backs up the [credential manager](/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)) database.
-
-Typically this can be done by clicking “Back up Credentials” in Credential Manager in the Control Panel.
-
-This event generates on domain controllers, member servers, and workstations.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5376</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-22T03:28:02.200404700Z" /> 
- <EventRecordID>175779</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="548" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30d7c</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that performed the backup operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the backup operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-## Security Monitoring Recommendations
-
-For 5376(S): Credential Manager credentials were backed up.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Every [5376](event-5376.md) event should be recorded for all local and domain accounts, because this action (back up Credential Manager) is very rarely used by users and can indicate a virus, or other harmful or malicious activity.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md
deleted file mode 100644
index e5a9be7063..0000000000
--- a/windows/security/threat-protection/auditing/event-5377.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-title: 5377(S) Credential Manager credentials were restored from a backup. 
-description: Describes security event 5377(S) Credential Manager credentials were restored from a backup.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5377(S): Credential Manager credentials were restored from a backup.
-
-
-<img src="images/event-5377.png" alt="Event 5377 illustration" width="449" height="404" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
-
-***Event Description:***
-
-This event generates every time the user (**Subject**) successfully restores the [credential manager](/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)) database.
-
-Typically this can be done by clicking “Restore Credentials” in Credential Manager in the Control Panel.
-
-This event generates on domain controllers, member servers, and workstations.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5377</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13824</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-08-22T03:35:47.523266300Z" /> 
- <EventRecordID>175780</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="520" ThreadID="1236" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x30d7c</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that performed the restore operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the restore operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-## Security Monitoring Recommendations
-
-For 5377(S): Credential Manager credentials were restored from a backup.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Every [5377](event-5377.md) event should be recorded for all local and domain accounts, because this action (restore Credential Manager credentials from a backup) is very rarely used by users, and can indicate a virus, or other harmful or malicious activity.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md
deleted file mode 100644
index 6d1ac9a70f..0000000000
--- a/windows/security/threat-protection/auditing/event-5378.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: 5378(F) The requested credentials delegation was disallowed by policy. 
-description: Describes security event 5378(F) The requested credentials delegation was disallowed by policy.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5378(F): The requested credentials delegation was disallowed by policy.
-
-
-<img src="images/event-5378.png" alt="Event 5378 illustration" width="449" height="438" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-
-***Event Description:***
-
-This event generates requested [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) credentials delegation was disallowed by [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation policy.
-
-It typically occurs when [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation for [WinRM](/windows/win32/winrm/portal) [double-hop](/windows/win32/winrm/multi-hop-support) session was not set properly.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5378</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12551</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-11T03:23:48.502346900Z" /> 
- <EventRecordID>1198733</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="4308" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">0x2b1e04</Data> 
- <Data Name="Package">CREDSSP</Data> 
- <Data Name="UserUPN">dadmin@contoso</Data> 
- <Data Name="TargetServer">WSMAN/dc01.contoso.local</Data> 
- <Data Name="CredType">%%8098</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested credentials delegation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested credentials delegation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Credential Delegation Information:**
-
--   **Security Package** \[Type = UnicodeString\]: the name of [Security Package](/windows/win32/secauthn/ssp-aps-versus-ssps) which was used. Always **CREDSSP** for this event.
-
--   **User's UPN** \[Type = UnicodeString\]: [UPN](/windows/win32/secauthn/user-name-formats) of the account for which delegation was requested.
-
--   **Target Server** \[Type = UnicodeString\]: SPN of the target service for which delegation was requested.
-
-> **Note**&nbsp;&nbsp;**Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-
--   **Credential Type** \[Type = UnicodeString\]: types of credentials which were presented for delegation:
-
-| Credentials Type    | Description                                                                                                                                 |
-|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
-| Default credentials | The credentials obtained when the user first logs on to Windows.                                                                            |
-| Fresh credentials   | The credentials that the user is prompted for when executing an application.                                                                |
-| Saved credentials   | The credentials that are saved using [Credential Manager](/windows/win32/secauthn/credential-manager). |
-
-## Security Monitoring Recommendations
-
-For 5378(F): The requested credentials delegation was disallowed by policy.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have defined CredSSP delegation policy, then this event will show you policy violations. We recommend collecting these events and investigating every policy violation.
-
--   This event also can be used for CredSSP delegation troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md
deleted file mode 100644
index a3065a4f0a..0000000000
--- a/windows/security/threat-protection/auditing/event-5447.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: 5447(S) A Windows Filtering Platform filter has been changed. 
-description: Describes security event 5447(S) A Windows Filtering Platform filter has been changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5447(S): A Windows Filtering Platform filter has been changed.
-
-
-<img src="images/event-5447.png" alt="Event 5447 illustration" width="493" height="793" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Description:***
-
-This event generates every time a [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) filter has been changed.
-
-It typically generates during Group Policy update procedures.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5447</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13573</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-07T23:51:12.191198900Z" /> 
- <EventRecordID>1060216</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="524" ThreadID="3784" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ProcessId">284</Data> 
- <Data Name="UserSid">S-1-5-19</Data> 
- <Data Name="UserName">NT AUTHORITY\\LOCAL SERVICE</Data> 
- <Data Name="ProviderKey">{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}</Data> 
- <Data Name="ProviderName">Microsoft Corporation</Data> 
- <Data Name="ChangeType">%%16385</Data> 
- <Data Name="FilterKey">{91334E6D-FFAB-40F1-8C43-5554965C228D}</Data> 
- <Data Name="FilterName">Port Scanning Prevention Filter</Data> 
- <Data Name="FilterType">%%16388</Data> 
- <Data Name="FilterId">100100</Data> 
- <Data Name="LayerKey">{AC4A9833-F69D-4648-B261-6DC84835EF39}</Data> 
- <Data Name="LayerName">Inbound Transport v4 Discard Layer</Data> 
- <Data Name="LayerId">13</Data> 
- <Data Name="Weight">13835058055315718144</Data> 
- <Data Name="Conditions">Condition ID: {632ce23b-5167-435c-86d7-e903684aa80c} Match value: No flags set Condition value: 0x00000003</Data> 
- <Data Name="Action">%%16391</Data> 
- <Data Name="CalloutKey">{EDA08606-2494-4D78-89BC-67837C03B969}</Data> 
- <Data Name="CalloutName">WFP Built-in Silent Drop Transport v4 Discard Layer Callout</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 5447(S): A Windows Filtering Platform filter has been changed.
-
--   This event mainly used for Windows Filtering Platform troubleshooting and typically has little to no security relevance.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
deleted file mode 100644
index 8b751f272e..0000000000
--- a/windows/security/threat-protection/auditing/event-5632.md
+++ /dev/null
@@ -1,139 +0,0 @@
----
-title: 5632(S, F) A request was made to authenticate to a wireless network. 
-description: Describes security event 5632(S, F) A request was made to authenticate to a wireless network.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5632(S, F): A request was made to authenticate to a wireless network.
-
-
-<img src="images/event-5632.png" alt="Event 5632 illustration" width="419" height="417" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-
-***Event Description:***
-
-This event generates when [802.1x](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11)) authentication attempt was made for wireless network.
-
-It typically generates when network adapter connects to new wireless network.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
- <EventID>5632</EventID>
- <Version>1</Version>
- <Level>0</Level>
- <Task>12551</Task>
- <Opcode>0</Opcode>
- <Keywords>0x8020000000000000</Keywords>
- <TimeCreated SystemTime="2015-11-10T23:10:34.052054800Z" />
- <EventRecordID>44113845</EventRecordID>
- <Correlation />
- <Execution ProcessID="712" ThreadID="4176" />
- <Channel>Security</Channel>
- <Computer>XXXXXXX.redmond.corp.microsoft.com</Computer>
- <Security />
- </System>
-- <EventData>
- <Data Name="SSID">Nokia</Data>
- <Data Name="Identity">host/XXXXXXXX.redmond.corp.microsoft.com</Data>
- <Data Name="SubjectUserName">-</Data>
- <Data Name="SubjectDomainName">-</Data>
- <Data Name="SubjectLogonId">0x0</Data>
- <Data Name="PeerMac">18:64:72:F3:33:91</Data>
- <Data Name="LocalMac">02:1A:C5:14:59:C9</Data>
- <Data Name="IntfGuid">{2BB33827-6BB6-48DB-8DE6-DB9E0B9F9C9B}</Data>
- <Data Name="ReasonCode">0x0</Data>
- <Data Name="ReasonText">The operation was successful.</Data>
- <Data Name="ErrorCode">0x0</Data>
- <Data Name="EAPReasonCode">0x0</Data>
- <Data Name="EapRootCauseString" />
- <Data Name="EAPErrorCode">0x0</Data>
- </EventData>
- </Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = UnicodeString\]**:** User Principal Name (UPN) or another type of account identifier for which 802.1x authentication request was made.
-
-> **Note**&nbsp;&nbsp;[User principal name](/windows/win32/secauthn/user-name-formats) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Network Information:**
-
--   **Name (SSID)** \[Type = UnicodeString\]**:** SSID of the wireless network to which authentication request was sent.
-
-> **Note**&nbsp;&nbsp;A **service set identifier (SSID)** is a sequence of characters that uniquely names a wireless local area network (WLAN). An SSID is sometimes referred to as a "network name." This name allows stations to connect to the desired network when multiple independent networks operate in the same physical area.
-
--   **Interface GUID** \[Type = GUID\]**:** GUID of the network interface which was used for authentication request.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
-You can see interface’s GUID using the following commands:
-
--   “netsh lan show interfaces” – for wired interfaces.
-
--   “netsh wlan show interfaces” – for wireless interfaces.
-
-<img src="images/netsh-lan-command.png" alt="Netsh LAN command illustration" width="834" height="286" />
-
--   **Local MAC Address** \[Type = UnicodeString\]**:** local interface’s MAC-address.
-
--   **Peer MAC Address** \[Type = UnicodeString\]**:** peer’s (typically – access point) MAC-address.
-
-**Additional Information:**
-
--   **Reason Code** \[Type = UnicodeString\]**:** contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results. See more information about reason codes for wireless authentication here: <https://msdn.microsoft.com/library/windows/desktop/dd877212(v=vs.85).aspx>, <https://technet.microsoft.com/library/cc727747(v=ws.10).aspx>.
-
--   **Error Code** \[Type = HexInt32\]**:** there's no information about this field in this document.
-
--   **EAP Reason Code** \[Type = HexInt32\]**:** there's no information about this field in this document. See [EAP Related Error and Information Constants](/windows/win32/eaphost/eap-related-error-and-information-constants) for additional information.
-
--   **EAP Root Cause String** \[Type = UnicodeString\]**:** there's no information about this field in this document.
-
--   **EAP Error Code** \[Type = HexInt32\]**:** there's no information about this field in this document.
-
-## Security Monitoring Recommendations
-
-For 5632(S, F): A request was made to authenticate to a wireless network.
-
--   There's no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md
deleted file mode 100644
index 5c2c68695a..0000000000
--- a/windows/security/threat-protection/auditing/event-5633.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: 5633(S, F) A request was made to authenticate to a wired network. 
-description: Describes security event 5633(S, F) A request was made to authenticate to a wired network.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5633(S, F): A request was made to authenticate to a wired network.
-
-
-<img src="images/event-5633.png" alt="Event 5633 illustration" width="528" height="449" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-
-***Event Description:***
-
-This event generates when [802.1x](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11)) authentication attempt was made for wired network.
-
-It typically generates when network adapter connects to new wired network.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5633</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12551</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-11T01:26:59.679232500Z" /> 
- <EventRecordID>1198715</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="500" ThreadID="2920" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="InterfaceName">Microsoft Hyper-V Network Adapter</Data> 
- <Data Name="Identity">-</Data> 
- <Data Name="SubjectUserName">-</Data> 
- <Data Name="SubjectDomainName">-</Data> 
- <Data Name="SubjectLogonId">0x0</Data> 
- <Data Name="ReasonCode">0x70003</Data> 
- <Data Name="ReasonText">The network does not support authentication</Data> 
- <Data Name="ErrorCode">0x0</Data> 
- </EventData>
-</Event>
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = UnicodeString\]**:** User Principal Name (UPN) of account for which 802.1x authentication request was made.
-
-> **Note**&nbsp;&nbsp;[User principal name](/windows/win32/secauthn/user-name-formats) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com.
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Interface:**
-
--   **Name** \[Type = UnicodeString\]: the name (description) of network interface which was used for authentication request. You can get the list of all available network adapters using “**ipconfig /all**” command. See “Description” row for every network adapter:
-
-<img src="images/ipconfig-command.png" alt="Ipconfig command illustration" width="951" height="506" />
-
-**Additional Information:**
-
--   **Reason Code** \[Type = UnicodeString\]: contains Reason Text (explanation of Reason Code) and Reason Code for wired authentication results. See more information about reason codes for wired authentication here: <https://msdn.microsoft.com/library/windows/desktop/dd877212(v=vs.85).aspx>, <https://technet.microsoft.com/library/cc727747(v=ws.10).aspx>.
-
--   **Error Code** \[Type = HexInt32\]: unique [EAP error code](/windows/win32/eaphost/eap-related-error-and-information-constants).
-
-## Security Monitoring Recommendations
-
-For 5633(S, F): A request was made to authenticate to a wired network.
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md
deleted file mode 100644
index 8fe2ad8714..0000000000
--- a/windows/security/threat-protection/auditing/event-5712.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-title: 5712(S) A Remote Procedure Call (RPC) was attempted. 
-description: Describes security event 5712(S) A Remote Procedure Call (RPC) was attempted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5712(S): A Remote Procedure Call (RPC) was attempted.
-
-
-It appears that this event never occurs.
-
-***Subcategory:***&nbsp;[Audit RPC Events](audit-rpc-events.md)
-
-***Event Schema:***
-
-*A Remote Procedure Call (RPC) was attempted.*
-
-*Subject:*
-
-> *SID:%1*
->
-> *Name:%2*
->
-> *Account Domain:%3*
->
-> *LogonId:%4*
-
-*Process Information:*
-
-> *PID:%5
-> Name:%6*
-
-*Network Information:*
-
-> *Remote IP Address:%7*
->
-> *Remote Port:%8*
-
-*RPC Attributes:*
-
-> *Interface UUID:%9*
->
-> *Protocol Sequence:%10*
->
-> *Authentication Service:%11*
->
-> *Authentication Level:%12*
-
-***Required Server Roles:*** no information.
-
-***Minimum OS Version:*** no information.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
-
diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md
deleted file mode 100644
index 7f06d1e907..0000000000
--- a/windows/security/threat-protection/auditing/event-5888.md
+++ /dev/null
@@ -1,157 +0,0 @@
----
-title: 5888(S) An object in the COM+ Catalog was modified. 
-description: Describes security event 5888(S) An object in the COM+ Catalog was modified.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5888(S): An object in the COM+ Catalog was modified.
-
-
-<img src="images/event-5888.png" alt="Event 5888 illustration" width="457" height="489" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
-***Event Description:***
-
-This event generates when the object in [COM+ Catalog](/windows/win32/cossdk/the-com--catalog) was modified.
-
-For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5888</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12290</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-23T20:37:22.400120200Z" /> 
- <EventRecordID>344994</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="1352" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectUserDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">222443</Data> 
- <Data Name="ObjectCollectionName">Applications</Data> 
- <Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data> 
- <Data Name="ModifiedObjectProperties">Name = 'COMApp' -> 'COMApp-New' cCOL\_SecurityDescriptor = '<Opaque>' -> '<Opaque>'</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “modify/change object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify/change object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **COM+ Catalog Collection** \[Type = UnicodeString\]: the name of COM+ collection in which the object was modified. Here is the list of possible collection values with descriptions:
-
-| Collection                                                                                                       | Description                                                                                                                                                                                                     |
-|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [ApplicationCluster](/windows/win32/cossdk/applicationcluster)            | Contains a list of the servers in the application cluster.                                                                                                                                                      |
-| [ApplicationInstances](/windows/win32/cossdk/applicationinstances)          | Contains an object for each instance of a running COM+ application.                                                                                                                                             |
-| [Applications](/windows/win32/cossdk/applications)                  | Contains an object for each COM+ application installed on the local computer.                                                                                                                                   |
-| [Components](/windows/win32/cossdk/components)                    | Contains an object for each component in the application to which it is related.                                                                                                                                |
-| [ComputerList](/windows/win32/cossdk/computerlist)                  | Contains a list of the computers found in the Computers folder of the Component Services administration tool.                                                                                                   |
-| [DCOMProtocols](/windows/win32/cossdk/dcomprotocols)                 | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol.                                                                                                                   |
-| [ErrorInfo](/windows/win32/cossdk/errorinfo)                     | Retrieves extended error information regarding methods that deal with multiple objects.                                                                                                                         |
-| [EventClassesForIID](/windows/win32/cossdk/eventclassesforiid)            | Retrieves information regarding event classes.                                                                                                                                                                  |
-| [FilesForImport](/windows/win32/cossdk/filesforimport)                | Retrieves information from its MSI file about an application that can be imported.                                                                                                                              |
-| [InprocServers](/windows/win32/cossdk/inprocservers)                 | Contains a list of the in-process servers registered with the system. It contains an object for each component.                                                                                                 |
-| [InterfacesForComponent](/windows/win32/cossdk/interfacesforcomponent)        | Contains an object for each interface exposed by the component to which the collection is related.                                                                                                              |
-| [LegacyComponents](/windows/win32/cossdk/legacycomponents)              | Contains an object for each unconfigured component in the application to which it is related.                                                                                                                   |
-| [LegacyServers](/windows/win32/cossdk/legacyservers)                 | Identical to the [InprocServers](/windows/win32/cossdk/inprocservers) collection except that this collection also includes local servers.                           |
-| [LocalComputer](/windows/win32/cossdk/localcomputer)                 | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing.                                                                                       |
-| [MethodsForInterface](/windows/win32/cossdk/methodsforinterface)           | Contains an object for each method on the interface to which the collection is related.                                                                                                                         |
-| [Partitions](/windows/win32/cossdk/partitions)                    | Used to specify the applications contained in each partition.                                                                                                                                                   |
-| [PartitionUsers](/windows/win32/cossdk/partitionusers)                | Used to specify the users contained in each partition.                                                                                                                                                          |
-| [PropertyInfo](/windows/win32/cossdk/propertyinfo)                  | Retrieves information about the properties that a specified collection supports.                                                                                                                                |
-| [PublisherProperties](/windows/win32/cossdk/publisherproperties)           | Contains an object for each publisher property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection.                          |
-| [RelatedCollectionInfo](/windows/win32/cossdk/relatedcollectioninfo)         | Retrieves information about other collections related to the collection from which it is called.                                                                                                                |
-| [Roles](/windows/win32/cossdk/roles)                         | Contains an object for each role assigned to the application to which it is related.                                                                                                                            |
-| [RolesForComponent](/windows/win32/cossdk/rolesforcomponent)             | Contains an object for each role assigned to the component to which the collection is related.                                                                                                                  |
-| [RolesForInterface](/windows/win32/cossdk/rolesforinterface)             | Contains an object for each role assigned to the interface to which the collection is related.                                                                                                                  |
-| [RolesForMethod](/windows/win32/cossdk/rolesformethod)                | Contains an object for each role assigned to the method to which the collection is related.                                                                                                                     |
-| [RolesForPartition](/windows/win32/cossdk/rolesforpartition)             | Contains an object for each role assigned to the partition to which the collection is related.                                                                                                                  |
-| [Root](/windows/win32/cossdk/root)                          | Contains the top-level collections on the catalog.                                                                                                                                                              |
-| [SubscriberProperties](/windows/win32/cossdk/subscriberproperties)          | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection.                         |
-| [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent)     | Contains an object for each subscription for the parent [Components](/windows/win32/cossdk/components) collection.                                               |
-| [TransientPublisherProperties](/windows/win32/cossdk/transientpublisherproperties)  | Contains an object for each publisher property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection.                             |
-| [TransientSubscriberProperties](/windows/win32/cossdk/transientsubscriberproperties) | Contains an object for each subscriber property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection.                            |
-| [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions)        | Contains an object for each transient subscription.                                                                                                                                                             |
-| [UsersInPartitionRole](/windows/win32/cossdk/usersinpartitionrole)          | Contains an object for each user in the partition role to which the collection is related.                                                                                                                      |
-| [UsersInRole](/windows/win32/cossdk/usersinrole)                   | Contains an object for each user in the role to which the collection is related.                                                                                                                                |
-| [WOWInprocServers](/windows/win32/cossdk/wowinprocservers)              | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers.                                                                                                 |
-| [WOWLegacyServers](/windows/win32/cossdk/wowlegacyservers)              | Identical to the [LegacyServers](/windows/win32/cossdk/legacyservers) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. |
-
--   **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the modified object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](/windows/win32/cossdk/applications), then you can find that:
-
-    -   **ID** - A GUID representing the application. This property is returned when the [Key](/windows/win32/api/comadmin/nf-comadmin-icatalogobject-get_key) property method is called on an object of this collection.
-
-    -   **AppPartitionID** - A GUID representing the application partition ID.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **Object Properties Modified** \[Type = UnicodeString\]: the list of object’s (**Object Name**) properties which were modified.
-
-    The items have the following format: Property\_Name = ‘OLD\_VALUE’ -&gt; ‘NEW\_VALUE’
-
-    Check description for specific **COM+ Catalog Collection** to see the list of object’s properties and descriptions.
-
-## Security Monitoring Recommendations
-
-For 5888(S): An object in the COM+ Catalog was modified.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a specific COM+ object for which you need to monitor all modifications, monitor all [5888](event-5888.md) events with the corresponding **Object Name**.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md
deleted file mode 100644
index 32bd5bffd8..0000000000
--- a/windows/security/threat-protection/auditing/event-5889.md
+++ /dev/null
@@ -1,157 +0,0 @@
----
-title: 5889(S) An object was deleted from the COM+ Catalog. 
-description: Describes security event 5889(S) An object was deleted from the COM+ Catalog.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5889(S): An object was deleted from the COM+ Catalog.
-
-
-<img src="images/event-5889.png" alt="Event 5889 illustration" width="472" height="653" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
-***Event Description:***
-
-This event generates when the object in the [COM+ Catalog](/windows/win32/cossdk/the-com--catalog) was deleted.
-
-For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5889</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12290</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-23T20:44:42.948569400Z" /> 
- <EventRecordID>344998</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="4756" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectUserDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">222443</Data> 
- <Data Name="ObjectCollectionName">Applications</Data> 
- <Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data> 
- <Data Name="ObjectProperties">Name = COMApp-New ApplicationProxyServerName = ProcessType = 2 CommandLine = ServiceName = <null> RunAsUserType = 1 Identity = Interactive User Description = IsSystem = N Authentication = 4 ShutdownAfter = 3 RunForever = N Password = \*\*\*\*\*\*\*\* Activation = Local Changeable = Y Deleteable = Y CreatedBy = AccessChecksLevel = 1 ApplicationAccessChecksEnabled = 1 cCOL\_SecurityDescriptor = <Opaque> ImpersonationLevel = 3 AuthenticationCapability = 64 CRMEnabled = 0 3GigSupportEnabled = 0 QueuingEnabled = 0 QueueListenerEnabled = N EventsEnabled = 1 ProcessFlags = 0 ThreadMax = 0 ApplicationProxy = 0 CRMLogFile = DumpEnabled = 0 DumpOnException = 0 DumpOnFailfast = 0 MaxDumpCount = 5 DumpPath = %systemroot%\\system32\\com\\dmp IsEnabled = 1 AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70} ConcurrentApps = 1 RecycleLifetimeLimit = 0 RecycleCallLimit = 0 RecycleActivationLimit = 0 RecycleMemoryLimit = 0 RecycleExpirationTimeout = 15 QCListenerMaxThreads = 0 QCAuthenticateMsgs = 0 ApplicationDirectory = SRPTrustLevel = 262144 SRPEnabled = 0 SoapActivated = 0 SoapVRoot = SoapMailTo = SoapBaseUrl = Replicable = 1</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **COM+ Catalog Collection** \[Type = UnicodeString\]: the name of COM+ collection in which COM+ object was deleted. Here is the list of possible collection values with descriptions:
-
-| Collection                                                                                                       | Description                                                                                                                                                                                                     |
-|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [ApplicationCluster](/windows/win32/cossdk/applicationcluster)            | Contains a list of the servers in the application cluster.                                                                                                                                                      |
-| [ApplicationInstances](/windows/win32/cossdk/applicationinstances)          | Contains an object for each instance of a running COM+ application.                                                                                                                                             |
-| [Applications](/windows/win32/cossdk/applications)                  | Contains an object for each COM+ application installed on the local computer.                                                                                                                                   |
-| [Components](/windows/win32/cossdk/components)                    | Contains an object for each component in the application to which it is related.                                                                                                                                |
-| [ComputerList](/windows/win32/cossdk/computerlist)                  | Contains a list of the computers found in the Computers folder of the Component Services administration tool.                                                                                                   |
-| [DCOMProtocols](/windows/win32/cossdk/dcomprotocols)                 | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol.                                                                                                                   |
-| [ErrorInfo](/windows/win32/cossdk/errorinfo)                     | Retrieves extended error information regarding methods that deal with multiple objects.                                                                                                                         |
-| [EventClassesForIID](/windows/win32/cossdk/eventclassesforiid)            | Retrieves information regarding event classes.                                                                                                                                                                  |
-| [FilesForImport](/windows/win32/cossdk/filesforimport)                | Retrieves information from its MSI file about an application that can be imported.                                                                                                                              |
-| [InprocServers](/windows/win32/cossdk/inprocservers)                 | Contains a list of the in-process servers registered with the system. It contains an object for each component.                                                                                                 |
-| [InterfacesForComponent](/windows/win32/cossdk/interfacesforcomponent)        | Contains an object for each interface exposed by the component to which the collection is related.                                                                                                              |
-| [LegacyComponents](/windows/win32/cossdk/legacycomponents)              | Contains an object for each unconfigured component in the application to which it is related.                                                                                                                   |
-| [LegacyServers](/windows/win32/cossdk/legacyservers)                 | Identical to the [InprocServers](/windows/win32/cossdk/inprocservers) collection except that this collection also includes local servers.                           |
-| [LocalComputer](/windows/win32/cossdk/localcomputer)                 | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing.                                                                                       |
-| [MethodsForInterface](/windows/win32/cossdk/methodsforinterface)           | Contains an object for each method on the interface to which the collection is related.                                                                                                                         |
-| [Partitions](/windows/win32/cossdk/partitions)                    | Used to specify the applications contained in each partition.                                                                                                                                                   |
-| [PartitionUsers](/windows/win32/cossdk/partitionusers)                | Used to specify the users contained in each partition.                                                                                                                                                          |
-| [PropertyInfo](/windows/win32/cossdk/propertyinfo)                  | Retrieves information about the properties that a specified collection supports.                                                                                                                                |
-| [PublisherProperties](/windows/win32/cossdk/publisherproperties)           | Contains an object for each publisher property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection.                          |
-| [RelatedCollectionInfo](/windows/win32/cossdk/relatedcollectioninfo)         | Retrieves information about other collections related to the collection from which it is called.                                                                                                                |
-| [Roles](/windows/win32/cossdk/roles)                         | Contains an object for each role assigned to the application to which it is related.                                                                                                                            |
-| [RolesForComponent](/windows/win32/cossdk/rolesforcomponent)             | Contains an object for each role assigned to the component to which the collection is related.                                                                                                                  |
-| [RolesForInterface](/windows/win32/cossdk/rolesforinterface)             | Contains an object for each role assigned to the interface to which the collection is related.                                                                                                                  |
-| [RolesForMethod](/windows/win32/cossdk/rolesformethod)                | Contains an object for each role assigned to the method to which the collection is related.                                                                                                                     |
-| [RolesForPartition](/windows/win32/cossdk/rolesforpartition)             | Contains an object for each role assigned to the partition to which the collection is related.                                                                                                                  |
-| [Root](/windows/win32/cossdk/root)                          | Contains the top-level collections on the catalog.                                                                                                                                                              |
-| [SubscriberProperties](/windows/win32/cossdk/subscriberproperties)          | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection.                         |
-| [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent)     | Contains an object for each subscription for the parent [Components](/windows/win32/cossdk/components) collection.                                               |
-| [TransientPublisherProperties](/windows/win32/cossdk/transientpublisherproperties)  | Contains an object for each publisher property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection.                             |
-| [TransientSubscriberProperties](/windows/win32/cossdk/transientsubscriberproperties) | Contains an object for each subscriber property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection.                            |
-| [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions)        | Contains an object for each transient subscription.                                                                                                                                                             |
-| [UsersInPartitionRole](/windows/win32/cossdk/usersinpartitionrole)          | Contains an object for each user in the partition role to which the collection is related.                                                                                                                      |
-| [UsersInRole](/windows/win32/cossdk/usersinrole)                   | Contains an object for each user in the role to which the collection is related.                                                                                                                                |
-| [WOWInprocServers](/windows/win32/cossdk/wowinprocservers)              | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers.                                                                                                 |
-| [WOWLegacyServers](/windows/win32/cossdk/wowlegacyservers)              | Identical to the [LegacyServers](/windows/win32/cossdk/legacyservers) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. |
-
--   **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the deleted object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](/windows/win32/cossdk/applications), then you can find that:
-
-    -   **ID** - A GUID representing the application. This property is returned when the [Key](/windows/win32/api/comadmin/nf-comadmin-icatalogobject-get_key) property method is called on an object of this collection.
-
-    -   **AppPartitionID** - A GUID representing the application partition ID.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **Object Details** \[Type = UnicodeString\]: the list of deleted object’s (**Object Name**) properties.
-
-    The items have the following format: Property\_Name = VALUE
-
-    Check description for specific **COM+ Catalog Collection** to see the list of object’s properties and descriptions.
-
-## Security Monitoring Recommendations
-
-For 5889(S): An object was deleted from the COM+ Catalog.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you have a specific COM+ object for which you need to monitor all modifications (especially delete operations), monitor all [5889](event-5889.md) events with the corresponding **Object Name**.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md
deleted file mode 100644
index 959e6fd3e4..0000000000
--- a/windows/security/threat-protection/auditing/event-5890.md
+++ /dev/null
@@ -1,157 +0,0 @@
----
-title: 5890(S) An object was added to the COM+ Catalog. 
-description: Describes security event 5890(S) An object was added to the COM+ Catalog.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 5890(S): An object was added to the COM+ Catalog.
-
-
-<img src="images/event-5890.png" alt="Event 5890 illustration" width="449" height="462" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)
-
-***Event Description:***
-
-This event generates when new object was added to the [COM+ Catalog](/windows/win32/cossdk/the-com--catalog).
-
-For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>5890</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>12290</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-09-23T19:45:04.239886800Z" /> 
- <EventRecordID>344980</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="516" ThreadID="2856" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
- <Data Name="SubjectUserName">dadmin</Data> 
- <Data Name="SubjectUserDomainName">CONTOSO</Data> 
- <Data Name="SubjectLogonId">222443</Data> 
- <Data Name="ObjectCollectionName">Roles</Data> 
- <Data Name="ObjectIdentifyingProperties">ApplId = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} Name = CreatorOwner</Data> 
- <Data Name="ObjectProperties">Description =</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that requested the “add object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add object” operation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Object**:
-
--   **COM+ Catalog Collection** \[Type = UnicodeString\]: the name of COM+ collection to which the new object was added. Here is the list of possible collection values with descriptions:
-
-| Collection                                                                                                       | Description                                                                                                                                                                                                     |
-|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [ApplicationCluster](/windows/win32/cossdk/applicationcluster)            | Contains a list of the servers in the application cluster.                                                                                                                                                      |
-| [ApplicationInstances](/windows/win32/cossdk/applicationinstances)          | Contains an object for each instance of a running COM+ application.                                                                                                                                             |
-| [Applications](/windows/win32/cossdk/applications)                  | Contains an object for each COM+ application installed on the local computer.                                                                                                                                   |
-| [Components](/windows/win32/cossdk/components)                    | Contains an object for each component in the application to which it is related.                                                                                                                                |
-| [ComputerList](/windows/win32/cossdk/computerlist)                  | Contains a list of the computers found in the Computers folder of the Component Services administration tool.                                                                                                   |
-| [DCOMProtocols](/windows/win32/cossdk/dcomprotocols)                 | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol.                                                                                                                   |
-| [ErrorInfo](/windows/win32/cossdk/errorinfo)                     | Retrieves extended error information regarding methods that deal with multiple objects.                                                                                                                         |
-| [EventClassesForIID](/windows/win32/cossdk/eventclassesforiid)            | Retrieves information regarding event classes.                                                                                                                                                                  |
-| [FilesForImport](/windows/win32/cossdk/filesforimport)                | Retrieves information from its MSI file about an application that can be imported.                                                                                                                              |
-| [InprocServers](/windows/win32/cossdk/inprocservers)                 | Contains a list of the in-process servers registered with the system. It contains an object for each component.                                                                                                 |
-| [InterfacesForComponent](/windows/win32/cossdk/interfacesforcomponent)        | Contains an object for each interface exposed by the component to which the collection is related.                                                                                                              |
-| [LegacyComponents](/windows/win32/cossdk/legacycomponents)              | Contains an object for each unconfigured component in the application to which it is related.                                                                                                                   |
-| [LegacyServers](/windows/win32/cossdk/legacyservers)                 | Identical to the [InprocServers](/windows/win32/cossdk/inprocservers) collection except that this collection also includes local servers.                           |
-| [LocalComputer](/windows/win32/cossdk/localcomputer)                 | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing.                                                                                       |
-| [MethodsForInterface](/windows/win32/cossdk/methodsforinterface)           | Contains an object for each method on the interface to which the collection is related.                                                                                                                         |
-| [Partitions](/windows/win32/cossdk/partitions)                    | Used to specify the applications contained in each partition.                                                                                                                                                   |
-| [PartitionUsers](/windows/win32/cossdk/partitionusers)                | Used to specify the users contained in each partition.                                                                                                                                                          |
-| [PropertyInfo](/windows/win32/cossdk/propertyinfo)                  | Retrieves information about the properties that a specified collection supports.                                                                                                                                |
-| [PublisherProperties](/windows/win32/cossdk/publisherproperties)           | Contains an object for each publisher property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection.                          |
-| [RelatedCollectionInfo](/windows/win32/cossdk/relatedcollectioninfo)         | Retrieves information about other collections related to the collection from which it is called.                                                                                                                |
-| [Roles](/windows/win32/cossdk/roles)                         | Contains an object for each role assigned to the application to which it is related.                                                                                                                            |
-| [RolesForComponent](/windows/win32/cossdk/rolesforcomponent)             | Contains an object for each role assigned to the component to which the collection is related.                                                                                                                  |
-| [RolesForInterface](/windows/win32/cossdk/rolesforinterface)             | Contains an object for each role assigned to the interface to which the collection is related.                                                                                                                  |
-| [RolesForMethod](/windows/win32/cossdk/rolesformethod)                | Contains an object for each role assigned to the method to which the collection is related.                                                                                                                     |
-| [RolesForPartition](/windows/win32/cossdk/rolesforpartition)             | Contains an object for each role assigned to the partition to which the collection is related.                                                                                                                  |
-| [Root](/windows/win32/cossdk/root)                          | Contains the top-level collections on the catalog.                                                                                                                                                              |
-| [SubscriberProperties](/windows/win32/cossdk/subscriberproperties)          | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection.                         |
-| [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent)     | Contains an object for each subscription for the parent [Components](/windows/win32/cossdk/components) collection.                                               |
-| [TransientPublisherProperties](/windows/win32/cossdk/transientpublisherproperties)  | Contains an object for each publisher property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection.                             |
-| [TransientSubscriberProperties](/windows/win32/cossdk/transientsubscriberproperties) | Contains an object for each subscriber property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection.                            |
-| [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions)        | Contains an object for each transient subscription.                                                                                                                                                             |
-| [UsersInPartitionRole](/windows/win32/cossdk/usersinpartitionrole)          | Contains an object for each user in the partition role to which the collection is related.                                                                                                                      |
-| [UsersInRole](/windows/win32/cossdk/usersinrole)                   | Contains an object for each user in the role to which the collection is related.                                                                                                                                |
-| [WOWInprocServers](/windows/win32/cossdk/wowinprocservers)              | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers.                                                                                                 |
-| [WOWLegacyServers](/windows/win32/cossdk/wowlegacyservers)              | Identical to the [LegacyServers](/windows/win32/cossdk/legacyservers) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. |
-
--   **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the new object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](/windows/win32/cossdk/applications), then you can find that:
-
-    -   **ID** - A GUID representing the application. This property is returned when the [Key](/windows/win32/api/comadmin/nf-comadmin-icatalogobject-get_key) property method is called on an object of this collection.
-
-    -   **AppPartitionID** - A GUID representing the application partition ID.
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
--   **Object Details** \[Type = UnicodeString\]: the list of new object’s (**Object Name**) properties.
-
-    The items have the following format: Property\_Name = VALUE
-
-    Check description for specific **COM+ Catalog Collection** to see the list of object’s properties and descriptions.
-
-## Security Monitoring Recommendations
-
-For 5890(S): An object was added to the COM+ Catalog.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you need to monitor for creation of new COM+ objects within specific COM+ collection, monitor all [5890](event-5890.md) events with the corresponding **COM+ Catalog Collection** field value.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md
deleted file mode 100644
index 826d274d51..0000000000
--- a/windows/security/threat-protection/auditing/event-6144.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: 6144(S) Security policy in the group policy objects has been applied successfully. 
-description: Describes security event 6144(S) Security policy in the group policy objects has been applied successfully.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6144(S): Security policy in the group policy objects has been applied successfully.
-
-
-<img src="images/event-6144.png" alt="Event 6144 illustration" width="449" height="347" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Description:***
-
-This event generates every time settings from the “Security Settings” section in the group policy object are applied successfully to a computer, without any errors. This event generates on the target computer itself.
-
-It's a routine event that shows you the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer.
-
-This event generates every time Group Policy is applied to the computer.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>6144</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13573</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-07T22:59:32.280498500Z" /> 
- <EventRecordID>1055041</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="524" ThreadID="712" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ErrorCode">0</Data> 
- <Data Name="GPOList">{8AB9311A-E5FB-4A5A-8FB7-027D1B877D6D} DC Main Policy</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Return Code** \[Type = UInt32\]: always has “**0**” value for this event.
-
-**GPO List** \[Type = UnicodeString\]: the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer. The format of the list item is: “GROUP\_POLICY\_GUID GROUP\_POLICY\_NAME”.
-
-You can find specific GROUP\_POLICY\_GUID using **Get-GPO** PowerShell cmdlet with “**–Name** GROUP\_POLICY\_NAME” parameter. Row “Id” is the GUID of the Group Policy:
-
-<img src="images/windows-powershell-get-gpo.png" alt="Windows PowerShell Get-GPO illustration" width="685" height="302" />
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
-## Security Monitoring Recommendations
-
-For 6144(S): Security policy in the group policy objects has been applied successfully.
-
--   If you have a pre-defined list of Group Policy Objects that contain Security Settings and must be applied to specific computers, then you can compare the list from this event with your list and if there's any difference, you must trigger an alert.
-
--   This event is mostly an informational event.
-
diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md
deleted file mode 100644
index a5e630ff72..0000000000
--- a/windows/security/threat-protection/auditing/event-6145.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. 
-description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/08/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6145(F): One or more errors occurred while processing security policy in the group policy objects.
-
-
-<img src="images/event-6145.png" alt="Event 6145 illustration" width="464" height="361" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-***Event Description:***
-
-This event generates every time settings from the “Security Settings” section in the group policy object are applied to a computer with one or more errors. This event generates on the target computer itself.
-
-This event generates, for example, if the [SID](/windows/win32/secauthz/security-identifiers) of a security principal which was included in one of the Group Policy settings can't be resolved or translated to the real account name.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>6145</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13573</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8010000000000000</Keywords> 
- <TimeCreated SystemTime="2015-10-07T22:43:54.183603800Z" /> 
- <EventRecordID>1052680</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="524" ThreadID="3476" /> 
- <Channel>Security</Channel> 
- <Computer>DC01.contoso.local</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="ErrorCode">1332</Data> 
- <Data Name="GPOList">{6AC1786C-016F-11D2-945F-00C04fB984F9} Default Domain Controllers Policy {31B2F340-016D-11D2-945F-00C04FB984F9} Default Domain Policy</Data> 
- </EventData>
- </Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Error Code** \[Type = UInt32\]: specific error code that shows the error that happened during Group Policy processing. You can find the meaning of specific error code here: <https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx>. For example, error code 1332 means that “no mapping between account names and security IDs was done”.
-
-**GPO List** \[Type = UnicodeString\]: the list of Group Policy Objects that include “Security Settings” policies, and that were applied with errors to the computer. The format of the list item is: “GROUP\_POLICY\_GUID GROUP\_POLICY\_NAME”.
-
-You can find specific GROUP\_POLICY\_GUID using **Get-GPO** PowerShell cmdlet with “**–Name** GROUP\_POLICY\_NAME” parameter. Row “Id” is the GUID of the Group Policy:
-
-<img src="images/windows-powershell-get-gpo.png" alt="Windows PowerShell Get-GPO illustration" width="685" height="302" />
-
-> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-
-## Security Monitoring Recommendations
-
-For 6145(F): One or more errors occurred while processing security policy in the group policy objects.
-
--   This event indicates that Group Policy Objects that were applied to the computer or device had some errors during processing. If you see this event, we recommend checking settings in the GPOs from **GPO List** and resolving the cause of the errors.
-
--   If you have a pre-defined list of Group Policy Objects that contain Security Settings and that must be applied to specific computers, check this event to see if errors occurred when the Security Settings were applied. If so, you can review the error codes and investigate the cause of the failure.
-
--   Typically this event has an informational purpose and the reason is configuration errors in Group Policy’s security settings.
-
--   This event might be used for Group Policy troubleshooting purposes.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md
deleted file mode 100644
index 307122724f..0000000000
--- a/windows/security/threat-protection/auditing/event-6281.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: 6281(F) Code Integrity determined that the page hashes of an image file aren't valid. 
-description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file aren't valid.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6281(F): Code Integrity determined that the page hashes of an image file aren't valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
-
-
-The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
-
-[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
-
-This event generates when [code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) determined that the page hashes of an image file aren't valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.*
-
-*File Name:%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
deleted file mode 100644
index 0f1bdbe078..0000000000
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. 
-description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
-
-
-[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*BranchCache: Received an incorrectly formatted response while discovering availability of content.*
-
-*IP address of the client that sent this response:%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
deleted file mode 100644
index 56a4cdce4c..0000000000
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. 
-description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6401(-): BranchCache: Received invalid data from a peer. Data discarded.
-
-
-[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*BranchCache: Received invalid data from a peer. Data discarded.*
-
-*IP address of the client that sent this data:%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
deleted file mode 100644
index 5e47ee6c4d..0000000000
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. 
-description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
-
-
-[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*BranchCache: The message to the hosted cache offering it data is incorrectly formatted.*
-
-*IP address of the client that sent this message: %1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
deleted file mode 100644
index f442562eb5..0000000000
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. 
-description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
-
-
-[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data.*
-
-*Domain name of the hosted cache is:%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
deleted file mode 100644
index 387de30aa7..0000000000
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. 
-description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
-
-
-[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.*
-
-*Domain name of the hosted cache:%1*
-
-*Error Code:%2*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md
deleted file mode 100644
index 50bb5a679b..0000000000
--- a/windows/security/threat-protection/auditing/event-6405.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. 
-description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6405(-): BranchCache: %2 instance(s) of event id %1 occurred.
-
-
-[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*BranchCache: %2 instance(s) of event id %1 occurred.*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There's no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md
deleted file mode 100644
index 758b702bb1..0000000000
--- a/windows/security/threat-protection/auditing/event-6406.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. 
-description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2.
-
-
-[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*%1 registered to Windows Firewall to control filtering for the following:*
-
-*%2.*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There's no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md
deleted file mode 100644
index 7c1f4a4e30..0000000000
--- a/windows/security/threat-protection/auditing/event-6407.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: 6407(-) 1%. 
-description: Describes security event 6407(-) 1%. This event is a BranchCache event, which is outside the scope of this document.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6407(-): 1%.
-
-
-[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There's no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md
deleted file mode 100644
index ccdc08387f..0000000000
--- a/windows/security/threat-protection/auditing/event-6408.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. 
-description: Describes security event 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
-
-
-[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
deleted file mode 100644
index 8ad3091f3a..0000000000
--- a/windows/security/threat-protection/auditing/event-6409.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: 6409(-) BranchCache A service connection point object could not be parsed. 
-description: Describes security event 6409(-) BranchCache A service connection point object could not be parsed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6409(-): BranchCache: A service connection point object could not be parsed.
-
-
-[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
-
-There is no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit Other System Events](audit-other-system-events.md)
-
-***Event Schema:***
-
-*BranchCache: A service connection point object could not be parsed.*
-
-*SCP object GUID: %1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md
deleted file mode 100644
index c9dc6f669c..0000000000
--- a/windows/security/threat-protection/auditing/event-6410.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process. 
-description: Describes security event 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.
-
-
-[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
-
-This event generates due to writable [shared sections](/previous-versions/windows/desktop/cc307397(v=msdn.10)) being present in a file image.
-
-There's no example of this event in this document.
-
-***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues.*
-
-*File Name:%1*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2012 R2, Windows 8.1.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md
deleted file mode 100644
index 8629acdd90..0000000000
--- a/windows/security/threat-protection/auditing/event-6416.md
+++ /dev/null
@@ -1,155 +0,0 @@
----
-title: 6416(S) A new external device was recognized by the System. 
-description: Describes security event 6416(S) A new external device was recognized by the System.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6416(S): A new external device was recognized by the System.
-
-
-<img src="images/event-6416.png" alt="Event 6416 illustration" width="438" height="598" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit PNP Activity](audit-pnp-activity.md)
-
-***Event Description:***
-
-This event generates every time a new external device is recognized by a system.
-
-This event generates, for example, when a new external device is connected or enabled.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>6416</EventID> 
- <Version>1</Version> 
- <Level>0</Level> 
- <Task>13316</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-13T18:20:16.818569900Z" /> 
- <EventRecordID>436</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="308" /> 
- <Channel>Security</Channel> 
- <Computer>DESKTOP-NFC0HVN</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data> 
- <Data Name="SubjectDomainName">WORKGROUP</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="DeviceId">SCSI\\Disk&Ven\_Seagate&Prod\_Expansion\\000000</Data> 
- <Data Name="DeviceDescription">Seagate Expansion SCSI Disk Device</Data> 
- <Data Name="ClassId">{4D36E967-E325-11CE-BFC1-08002BE10318}</Data> 
- <Data Name="ClassName">DiskDrive</Data> 
- <Data Name="VendorIds">SCSI\\DiskSeagate\_Expansion\_\_\_\_\_\_\_0636 SCSI\\DiskSeagate\_Expansion\_\_\_\_\_\_\_ SCSI\\DiskSeagate\_ SCSI\\Seagate\_Expansion\_\_\_\_\_\_\_0 Seagate\_Expansion\_\_\_\_\_\_\_0 GenDisk</Data> 
- <Data Name="CompatibleIds">SCSI\\Disk SCSI\\RAW</Data> 
- <Data Name="LocationInformation">Bus Number 0, Target Id 0, LUN 0</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2016, Windows 10.
-
-***Event Versions:***
-
--   0 - Windows 10.
-
--   1 - Windows 10 \[Version 1511\].
-
-    -   Added “Device ID” field.
-
-    -   Added “Device Name” field.
-
-    -   Added “Class Name” field.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that registered the new device. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that registered the new device.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Device ID** \[Type = UnicodeString\] \[Version 1\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics1.png" alt="Device Properties device instance path illustration" width="557" height="316" />
-
-**Device Name** \[Type = UnicodeString\] \[Version 1\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics2.png" alt="Device Properties device description illustration" width="557" height="305" />
-
-**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics3.png" alt="Device Properties class GUID illustration" width="557" height="300" />
-
-**Class Name** \[Type = UnicodeString\] \[Version 1\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics4.png" alt="Device Properties class illustration" width="557" height="298" />
-
-**Vendor IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics5.png" alt="Device Properties hardware IDs illustration" width="557" height="313" />
-
-**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics6.png" alt="Device Properties compatible IDs illustration" width="557" height="337" />
-
-**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics7.png" alt="Device Properties location illustration" width="557" height="298" />
-
-## Security Monitoring Recommendations
-
-For 6416(S): A new external device was recognized by the System.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
-
--   You can use this event to track the events and event information shown in the following table by using the listed fields:
-
-| Event and event information to monitor              | Field to use               |
-|-----------------------------------------------------|----------------------------|
-| Device recognition events, **Device Instance Path** | “**Device ID**”            |
-| Device recognition events, **Device Description**   | “**Device Name**”          |
-| Device recognition events, **Class GUID**           | “**Class ID**”             |
-| Device recognition events, **Hardware IDs**         | “**Vendor IDs**”           |
-| Device recognition events, **Compatible IDs**       | “**Compatible IDs**”       |
-| Device recognition events, **Location information** | “**Location Information**” |
-
diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md
deleted file mode 100644
index e5dfac4ae6..0000000000
--- a/windows/security/threat-protection/auditing/event-6419.md
+++ /dev/null
@@ -1,143 +0,0 @@
----
-title: 6419(S) A request was made to disable a device. 
-description: Describes security event 6419(S) A request was made to disable a device.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6419(S): A request was made to disable a device.
-
-
-<img src="images/event-6419.png" alt="Event 6419 illustration" width="526" height="682" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit PNP Activity](audit-pnp-activity.md)
-
-***Event Description:***
-
-This event generates every time when someone made a request to disable a device.
-
-This event doesn’t mean that device was disabled.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>6419</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13316</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-14T22:23:26.789591400Z" /> 
- <EventRecordID>483</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="2192" ThreadID="1392" /> 
- <Channel>Security</Channel> 
- <Computer>DESKTOP-NFC0HVN</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-2695983153-1310895815-1903476278-1001</Data> 
- <Data Name="SubjectUserName">ladmin</Data> 
- <Data Name="SubjectDomainName">DESKTOP-NFC0HVN</Data> 
- <Data Name="SubjectLogonId">0x3fcc7</Data> 
- <Data Name="DeviceId">USB\\VID\_138A&PID\_0017\\FFBC12C950A0</Data> 
- <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data> 
- <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data> 
- <Data Name="ClassName">Biometric</Data> 
- <Data Name="HardwareIds">USB\\VID\_138A&PID\_0017&REV\_0078 USB\\VID\_138A&PID\_0017</Data> 
- <Data Name="CompatibleIds">USB\\Class\_FF&SubClass\_00&Prot\_00 USB\\Class\_FF&SubClass\_00 USB\\Class\_FF</Data> 
- <Data Name="LocationInformation">Port\_\#0002.Hub\_\#0004</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows 10 \[Version 1511\].
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made the request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made the request.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Device ID** \[Type = UnicodeString\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics1.png" alt="Device Properties device instance path illustration" width="557" height="316" />
-
-**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics2.png" alt="Device Properties device description illustration" width="557" height="305" />
-
-**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics3.png" alt="Device Properties class GUID illustration" width="557" height="300" />
-
-**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics4.png" alt="Device Properties class illustration" width="557" height="298" />
-
-**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics5.png" alt="Device Properties hardware IDs illustration" width="557" height="313" />
-
-**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics6.png" alt="Device Properties compatible IDs illustration" width="557" height="337" />
-
-**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics7.png" alt="Device Properties location illustration" width="557" height="298" />
-
-## Security Monitoring Recommendations
-
-For 6419(S): A request was made to disable a device.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   You can use this event to track the events and event information shown in the following table by using the listed fields:
-
-| Event and event information to monitor            | Field to use               |
-|---------------------------------------------------|----------------------------|
-| Device disable requests, **Device Instance Path** | “**Device ID**”            |
-| Device disable requests, **Device Description**   | “**Device Name**”          |
-| Device disable requests, **Class GUID**           | “**Class ID**”             |
-| Device disable requests, **Hardware IDs**         | “**Hardware IDs**”         |
-| Device disable requests, **Compatible IDs**       | “**Compatible IDs**”       |
-| Device disable requests, **Location information** | “**Location Information**” |
-
diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md
deleted file mode 100644
index 068cc2db0e..0000000000
--- a/windows/security/threat-protection/auditing/event-6420.md
+++ /dev/null
@@ -1,141 +0,0 @@
----
-title: 6420(S) A device was disabled. 
-description: Describes security event 6420(S) A device was disabled. This event is generated when a specific device is disabled.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6420(S): A device was disabled.
-
-
-<img src="images/event-6420.png" alt="Event 6420 illustration" width="526" height="682" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit PNP Activity](audit-pnp-activity.md)
-
-***Event Description:***
-
-This event generates every time specific device was disabled.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>6420</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13316</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-14T22:23:29.137398300Z" /> 
- <EventRecordID>484</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="88" /> 
- <Channel>Security</Channel> 
- <Computer>DESKTOP-NFC0HVN</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data> 
- <Data Name="SubjectDomainName">WORKGROUP</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="DeviceId">USB\\VID\_138A&PID\_0017\\ffbc12c950a0</Data> 
- <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data> 
- <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data> 
- <Data Name="ClassName">Biometric</Data> 
- <Data Name="HardwareIds">USB\\VID\_138A&PID\_0017&REV\_0078 USB\\VID\_138A&PID\_0017</Data> 
- <Data Name="CompatibleIds">USB\\Class\_FF&SubClass\_00&Prot\_00 USB\\Class\_FF&SubClass\_00 USB\\Class\_FF</Data> 
- <Data Name="LocationInformation">Port\_\#0002.Hub\_\#0004</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows 10 \[Version 1511\].
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that disabled the device. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that disabled the device.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Device ID** \[Type = UnicodeString\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics1.png" alt="Device Properties device instance path illustration" width="557" height="316" />
-
-**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics2.png" alt="Device Properties device description illustration" width="557" height="305" />
-
-**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics3.png" alt="Device Properties class GUID illustration" width="557" height="300" />
-
-**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics4.png" alt="Device Properties class illustration" width="557" height="298" />
-
-**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics5.png" alt="Device Properties hardware IDs illustration" width="557" height="313" />
-
-**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics6.png" alt="Device Properties compatible IDs illustration" width="557" height="337" />
-
-**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics7.png" alt="Device Properties location illustration" width="557" height="298" />
-
-## Security Monitoring Recommendations
-
-For 6420(S): A device was disabled.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   You can use this event to track the events and event information shown in the following table by using the listed fields:
-
-| Event and event information to monitor          | Field to use               |
-|-------------------------------------------------|----------------------------|
-| Device disable events, **Device Instance Path** | “**Device ID**”            |
-| Device disable events, **Device Description**   | “**Device Name**”          |
-| Device disable events, **Class GUID**           | “**Class ID**”             |
-| Device disable events, **Hardware IDs**         | “**Hardware IDs**”         |
-| Device disable events, **Compatible IDs**       | “**Compatible IDs**”       |
-| Device disable events, **Location information** | “**Location Information**” |
-
diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md
deleted file mode 100644
index 778380652b..0000000000
--- a/windows/security/threat-protection/auditing/event-6421.md
+++ /dev/null
@@ -1,143 +0,0 @@
----
-title: 6421(S) A request was made to enable a device. 
-description: Describes security event 6421(S) A request was made to enable a device.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6421(S): A request was made to enable a device.
-
-
-<img src="images/event-6421.png" alt="Event 6421 illustration" width="526" height="682" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit PNP Activity](audit-pnp-activity.md)
-
-***Event Description:***
-
-This event generates every time when someone made a request to enable a device.
-
-This event doesn’t mean that device was enabled.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>6421</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13316</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-14T22:37:50.034918700Z" /> 
- <EventRecordID>485</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="2192" ThreadID="1392" /> 
- <Channel>Security</Channel> 
- <Computer>DESKTOP-NFC0HVN</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-21-2695983153-1310895815-1903476278-1001</Data> 
- <Data Name="SubjectUserName">ladmin</Data> 
- <Data Name="SubjectDomainName">DESKTOP-NFC0HVN</Data> 
- <Data Name="SubjectLogonId">0x3fcc7</Data> 
- <Data Name="DeviceId">USB\\VID\_138A&PID\_0017\\FFBC12C950A0</Data> 
- <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data> 
- <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data> 
- <Data Name="ClassName">Biometric</Data> 
- <Data Name="HardwareIds">USB\\VID\_138A&PID\_0017&REV\_0078 USB\\VID\_138A&PID\_0017</Data> 
- <Data Name="CompatibleIds">USB\\Class\_FF&SubClass\_00&Prot\_00 USB\\Class\_FF&SubClass\_00 USB\\Class\_FF</Data> 
- <Data Name="LocationInformation">Port\_\#0002.Hub\_\#0004</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows 10 \[Version 1511\].
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that made the request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that made the request.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Device ID** \[Type = UnicodeString\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics1.png" alt="Device Properties device instance path illustration" width="557" height="316" />
-
-**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics2.png" alt="Device Properties device description illustration" width="557" height="305" />
-
-**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics3.png" alt="Device Properties class GUID illustration" width="557" height="300" />
-
-**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics4.png" alt="Device Properties class illustration" width="557" height="298" />
-
-**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics5.png" alt="Device Properties hardware IDs illustration" width="557" height="313" />
-
-**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics6.png" alt="Device Properties compatible IDs illustration" width="557" height="337" />
-
-**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics7.png" alt="Device Properties location illustration" width="557" height="298" />
-
-## Security Monitoring Recommendations
-
-For 6421(S): A request was made to enable a device.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   You can use this event to track the events and event information shown in the following table by using the listed fields:
-
-| Event and event information to monitor           | Field to use               |
-|--------------------------------------------------|----------------------------|
-| Device enable requests, **Device Instance Path** | “**Device ID**”            |
-| Device enable requests, **Device Description**   | “**Device Name**”          |
-| Device enable requests, **Class GUID**           | “**Class ID**”             |
-| Device enable requests, **Hardware IDs**         | “**Hardware IDs**”         |
-| Device enable requests, **Compatible IDs**       | “**Compatible IDs**”       |
-| Device enable requests, **Location information** | “**Location Information**” |
-
diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md
deleted file mode 100644
index 5ff3f69b78..0000000000
--- a/windows/security/threat-protection/auditing/event-6422.md
+++ /dev/null
@@ -1,143 +0,0 @@
----
-title: 6422(S) A device was enabled. 
-description: Describes security event 6422(S) A device was enabled. This event is generated when a specific device is enabled.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6422(S): A device was enabled.
-
-
-<img src="images/event-6422.png" alt="Event 6422 illustration" width="526" height="682" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit PNP Activity](audit-pnp-activity.md)
-
-***Event Description:***
-
-This event generates every time specific device was enabled.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>6422</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13316</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-14T22:37:50.036050900Z" /> 
- <EventRecordID>486</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="4" ThreadID="408" /> 
- <Channel>Security</Channel> 
- <Computer>DESKTOP-NFC0HVN</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data> 
- <Data Name="SubjectDomainName">WORKGROUP</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="DeviceId">USB\\VID\_138A&PID\_0017\\ffbc12c950a0</Data> 
- <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data> 
- <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data> 
- <Data Name="ClassName">Biometric</Data> 
- <Data Name="HardwareIds">USB\\VID\_138A&PID\_0017&REV\_0078 USB\\VID\_138A&PID\_0017</Data> 
- <Data Name="CompatibleIds">USB\\Class\_FF&SubClass\_00&Prot\_00 USB\\Class\_FF&SubClass\_00 USB\\Class\_FF</Data> 
- <Data Name="LocationInformation">Port\_\#0002.Hub\_\#0004</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows 10 \[Version 1511\].
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that enabled the device. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that enabled the device.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Device ID** \[Type = UnicodeString\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics1.png" alt="Device Properties device instance path illustration" width="557" height="316" />
-
-**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics2.png" alt="Device Properties device description illustration" width="557" height="305" />
-
-**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics3.png" alt="Device Properties class GUID illustration" width="557" height="300" />
-
-**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics4.png" alt="Device Properties class illustration" width="557" height="298" />
-
-**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics5.png" alt="Device Properties hardware IDs illustration" width="557" height="313" />
-
-**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics6.png" alt="Device Properties compatible IDs illustration" width="557" height="337" />
-
-**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics7.png" alt="Device Properties location illustration" width="557" height="298" />
-
-## Security Monitoring Recommendations
-
-For 6422(S): A device was enabled.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
-
--   You can use this event to track the events and event information shown in the following table by using the listed fields:
-
-| Event and event information to monitor         | Field to use               |
-|------------------------------------------------|----------------------------|
-| Device enable events, **Device Instance Path** | “**Device ID**”            |
-| Device enable events, **Device Description**   | “**Device Name**”          |
-| Device enable events, **Class GUID**           | “**Class ID**”             |
-| Device enable events, **Hardware IDs**         | “**Hardware IDs**”         |
-| Device enable events, **Compatible IDs**       | “**Compatible IDs**”       |
-| Device enable events, **Location information** | “**Location Information**” |
-
diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md
deleted file mode 100644
index 3aeaebb602..0000000000
--- a/windows/security/threat-protection/auditing/event-6423.md
+++ /dev/null
@@ -1,149 +0,0 @@
----
-title: 6423(S) The installation of this device is forbidden by system policy. 
-description: Describes security event 6423(S) The installation of this device is forbidden by system policy.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6423(S): The installation of this device is forbidden by system policy.
-
-
-<img src="images/event-6423.png" alt="Event 6423 illustration" width="526" height="680" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit PNP Activity](audit-pnp-activity.md)
-
-***Event Description:***
-
-This event generates every time installation of this device is forbidden by system policy.
-
-Device installation restriction group policies are located here: **\\Computer Configuration\\Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. If one of the policies restricts installation of a specific device, this event will be generated.
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-<br clear="all">
-
-***Event XML:***
-```
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-- <System>
- <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
- <EventID>6423</EventID> 
- <Version>0</Version> 
- <Level>0</Level> 
- <Task>13316</Task> 
- <Opcode>0</Opcode> 
- <Keywords>0x8020000000000000</Keywords> 
- <TimeCreated SystemTime="2015-11-14T22:49:34.647975900Z" /> 
- <EventRecordID>488</EventRecordID> 
- <Correlation /> 
- <Execution ProcessID="828" ThreadID="1924" /> 
- <Channel>Security</Channel> 
- <Computer>DESKTOP-NFC0HVN</Computer> 
- <Security /> 
- </System>
-- <EventData>
- <Data Name="SubjectUserSid">S-1-5-18</Data> 
- <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data> 
- <Data Name="SubjectDomainName">WORKGROUP</Data> 
- <Data Name="SubjectLogonId">0x3e7</Data> 
- <Data Name="DeviceId">USB\\VID\_04F3&PID\_012D\\7&1E3A8971&0&2</Data> 
- <Data Name="DeviceDescription">Touchscreen</Data> 
- <Data Name="ClassId">{00000000-0000-0000-0000-000000000000}</Data> 
- <Data Name="ClassName" /> 
- <Data Name="HardwareIds">USB\\VID\_04F3&PID\_012D&REV\_0013 USB\\VID\_04F3&PID\_012D</Data> 
- <Data Name="CompatibleIds">USB\\Class\_03&SubClass\_00&Prot\_00 USB\\Class\_03&SubClass\_00 USB\\Class\_03</Data> 
- <Data Name="LocationInformation">Port\_\#0002.Hub\_\#0004</Data> 
- </EventData>
-</Event>
-
-```
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows 10 \[Version 1511\].
-
-***Event Versions:*** 0.
-
-***Field Descriptions:***
-
-**Subject:**
-
--   **Security ID** \[Type = SID\]**:** SID of account that forbids the device installation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
-
--   **Account Name** \[Type = UnicodeString\]**:** the name of the account that forbids the device installation.
-
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
-
-    -   Domain NETBIOS name example: CONTOSO
-
-    -   Lowercase full domain name: contoso.local
-
-    -   Uppercase full domain name: CONTOSO.LOCAL
-
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
-
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
-
-**Device ID** \[Type = UnicodeString\]: “**Device instance path**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics1.png" alt="Device Properties device instance path illustration" width="557" height="316" />
-
-**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics2.png" alt="Device Properties device description illustration" width="557" height="305" />
-
-**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics3.png" alt="Device Properties class GUID illustration" width="557" height="300" />
-
-**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics4.png" alt="Device Properties class illustration" width="557" height="298" />
-
-**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics5.png" alt="Device Properties hardware IDs illustration" width="557" height="313" />
-
-**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics6.png" alt="Device Properties compatible IDs illustration" width="557" height="337" />
-
-**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
-
-<img src="images/synaptics7.png" alt="Device Properties location illustration" width="557" height="298" />
-
-## Security Monitoring Recommendations
-
-For 6423(S): The installation of this device is forbidden by system policy.
-
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
--   If you want to track device installation policy violations then you need to track every event of this type.
-
-<!-- -->
-
--   Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
-
--   You can use this event to track the policy violations and related information shown in the following table by using the listed fields:
-
-| Policy violation and related information to monitor             | Field to use               |
-|-----------------------------------------------------------------|----------------------------|
-| Device installation policy violations, **Device Instance Path** | “**Device ID**”            |
-| Device installation policy violations, **Device Description**   | “**Device Name**”          |
-| Device installation policy violations, **Class GUID**           | “**Class ID**”             |
-| Device installation policy violations, **Hardware IDs**         | “**Hardware IDs**”         |
-| Device installation policy violations, **Compatible IDs**       | “**Compatible IDs**”       |
-| Device installation policy violations, **Location information** | “**Location Information**” |
-
diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md
deleted file mode 100644
index 5d206fb5f9..0000000000
--- a/windows/security/threat-protection/auditing/event-6424.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. 
-description: Describes security event 6424(S) The installation of this device was allowed, after having previously been forbidden by policy.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
-
-
-This event occurs rarely, and in some situations may be difficult to reproduce.
-
-***Subcategory:***&nbsp;[Audit PNP Activity](audit-pnp-activity.md)
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows 10 \[Version 1511\].
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
--   There is no recommendation for this event in this document.
-
diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
deleted file mode 100644
index ccbd578203..0000000000
--- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: File System (Global Object Access Auditing)
-description: The policy setting, File System (Global Object Access Auditing), enables you to configure a global system access control list (SACL) for an entire computer.
-ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# File System (Global Object Access Auditing)
-
-
-This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer.
-
-If you select the **Configure security** check box on the policy’s property page, you can add a user or group to the global SACL. This user/group addition enables you to define computer system access control lists (SACLs) per object type for the file system. The specified SACL is then automatically applied to every file system object type.
-
-If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This SACL (of such a constitution) means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL.
-This policy setting must be used in combination with the **File System** security policy setting under Object Access. For more information, see [Audit File System](audit-file-system.md).
-
-## Related topics
-
-- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
deleted file mode 100644
index 0c2a17c7e0..0000000000
--- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
+++ /dev/null
@@ -1,130 +0,0 @@
----
-title: How to get a list of XML data name elements in <EventData>
-description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in <EventData>.
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# How to get a list of XML data name elements in EventData
-
-
-The Security log uses a manifest where you can get all of the event schema.
-
-Run the following command from an elevated PowerShell prompt:
-
-```powershell
-$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing"
-```
-
-The `.events` property is a collection of all of the events listed in the manifest on the local machine.
-
-For each event, there is a `.Template` property for the XML template used for the event properties (if there are any).
-
-For example:
-
-```powershell
-PS C:\WINDOWS\system32> $SecEvents.events[100]
-
-
-Id          : 4734
-Version     : 0
-LogLink     : System.Diagnostics.Eventing.Reader.EventLogLink
-Level       : System.Diagnostics.Eventing.Reader.EventLevel
-Opcode      : System.Diagnostics.Eventing.Reader.EventOpcode
-Task        : System.Diagnostics.Eventing.Reader.EventTask
-Keywords    : {}
-Template    : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
-                <data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
-                <data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
-                <data name="TargetSid" inType="win:SID" outType="xs:string"/>
-                <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
-                <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
-                <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
-                <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
-                <data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
-              </template>
-
-Description : A security-enabled local group was deleted.
-
-              Subject:
-                Security ID:            %4
-                Account Name:           %5
-                Account Domain:         %6
-                Logon ID:               %7
-
-              Group:
-                Security ID:            %3
-                Group Name:             %1
-                Group Domain:           %2
-
-              Additional Information:
-                Privileges:             %8
-
-
-
-PS C:\WINDOWS\system32> $SecEvents.events[100].Template
-<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
-  <data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
-  <data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
-  <data name="TargetSid" inType="win:SID" outType="xs:string"/>
-  <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
-  <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
-  <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
-  <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
-  <data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
-</template>
-
-```
-
-## Mapping data name elements to the names in an event description
-
-You can use the &lt;Template&gt; and &lt;Description&gt; to map the data name elements that appear in XML view to the names that appear in the event description.
-
-The &lt;Description&gt; is just the format string (if you’re used to `Console.Writeline` or `sprintf` statements), and the &lt;Template&gt; is the source of the input parameters for the &lt;Description&gt;.
-
-Using Security event 4734 as an example:
-
-```xml
-Template    : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
-                <data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
-                <data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
-                <data name="TargetSid" inType="win:SID" outType="xs:string"/>
-                <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
-                <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
-                <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
-                <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
-                <data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
-              </template>
-
-Description : A security-enabled local group was deleted.
-
-              Subject:
-                Security ID:            %4
-                Account Name:           %5
-                Account Domain:         %6
-                Logon ID:               %7
-
-              Group:
-                Security ID:            %3
-                Group Name:             %1
-                Group Domain:           %2
-
-              Additional Information:
-                Privileges:             %8
-
-```
-
-For the **Subject: Security ID:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
-
-For **Additional Information Privileges:**, it would use the eighth element, **PrivilegeList**.
-
-A caveat to this principle is an often overlooked property of events called Version (in the &lt;SYSTEM&gt; element) that indicates the revision of the event schema and description. Most events have one version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least three versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
-
diff --git a/windows/security/threat-protection/auditing/images/ad-sites-and-services.png b/windows/security/threat-protection/auditing/images/ad-sites-and-services.png
deleted file mode 100644
index 74758aef69..0000000000
Binary files a/windows/security/threat-protection/auditing/images/ad-sites-and-services.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/advanced-sharing.png b/windows/security/threat-protection/auditing/images/advanced-sharing.png
deleted file mode 100644
index f72b7dd37b..0000000000
Binary files a/windows/security/threat-protection/auditing/images/advanced-sharing.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/auditpol-list-subcategory.png b/windows/security/threat-protection/auditing/images/auditpol-list-subcategory.png
deleted file mode 100644
index 91f043fc24..0000000000
Binary files a/windows/security/threat-protection/auditing/images/auditpol-list-subcategory.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/auditpol-list-user.png b/windows/security/threat-protection/auditing/images/auditpol-list-user.png
deleted file mode 100644
index cabf86563d..0000000000
Binary files a/windows/security/threat-protection/auditing/images/auditpol-list-user.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/branchcache-properties.png b/windows/security/threat-protection/auditing/images/branchcache-properties.png
deleted file mode 100644
index 31f13be679..0000000000
Binary files a/windows/security/threat-protection/auditing/images/branchcache-properties.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/certutil-command.png b/windows/security/threat-protection/auditing/images/certutil-command.png
deleted file mode 100644
index ce60fa8034..0000000000
Binary files a/windows/security/threat-protection/auditing/images/certutil-command.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/computer-management.png b/windows/security/threat-protection/auditing/images/computer-management.png
deleted file mode 100644
index 74548ab836..0000000000
Binary files a/windows/security/threat-protection/auditing/images/computer-management.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/diskpart.png b/windows/security/threat-protection/auditing/images/diskpart.png
deleted file mode 100644
index f2ebf04b35..0000000000
Binary files a/windows/security/threat-protection/auditing/images/diskpart.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-1100.png b/windows/security/threat-protection/auditing/images/event-1100.png
deleted file mode 100644
index aea16fdfc2..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-1100.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-1102.png b/windows/security/threat-protection/auditing/images/event-1102.png
deleted file mode 100644
index 3d342a51fa..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-1102.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-1104.png b/windows/security/threat-protection/auditing/images/event-1104.png
deleted file mode 100644
index b275530d7a..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-1104.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-1105.png b/windows/security/threat-protection/auditing/images/event-1105.png
deleted file mode 100644
index cedf9019f6..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-1105.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-1108.png b/windows/security/threat-protection/auditing/images/event-1108.png
deleted file mode 100644
index aa55df090d..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-1108.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4608.png b/windows/security/threat-protection/auditing/images/event-4608.png
deleted file mode 100644
index 256605977f..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4608.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4610.png b/windows/security/threat-protection/auditing/images/event-4610.png
deleted file mode 100644
index 0046d6c73d..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4610.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4611.png b/windows/security/threat-protection/auditing/images/event-4611.png
deleted file mode 100644
index f0721a4860..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4611.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4614.png b/windows/security/threat-protection/auditing/images/event-4614.png
deleted file mode 100644
index aaa731eacb..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4614.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4616.png b/windows/security/threat-protection/auditing/images/event-4616.png
deleted file mode 100644
index f33eb34fef..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4616.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4618.png b/windows/security/threat-protection/auditing/images/event-4618.png
deleted file mode 100644
index 7e98ebf7d0..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4618.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4622.png b/windows/security/threat-protection/auditing/images/event-4622.png
deleted file mode 100644
index 4283128955..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4622.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4624.png b/windows/security/threat-protection/auditing/images/event-4624.png
deleted file mode 100644
index f12908f0b0..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4624.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4625.png b/windows/security/threat-protection/auditing/images/event-4625.png
deleted file mode 100644
index 4ca8559f18..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4625.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4626.png b/windows/security/threat-protection/auditing/images/event-4626.png
deleted file mode 100644
index 9d2aa55f16..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4626.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4627.png b/windows/security/threat-protection/auditing/images/event-4627.png
deleted file mode 100644
index 53e75a4a88..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4627.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4634.png b/windows/security/threat-protection/auditing/images/event-4634.png
deleted file mode 100644
index e014592cc8..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4634.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4647.png b/windows/security/threat-protection/auditing/images/event-4647.png
deleted file mode 100644
index f11ddf8996..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4647.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4648.png b/windows/security/threat-protection/auditing/images/event-4648.png
deleted file mode 100644
index 54721193e7..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4648.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4656.png b/windows/security/threat-protection/auditing/images/event-4656.png
deleted file mode 100644
index aba3b592a8..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4656.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4657.png b/windows/security/threat-protection/auditing/images/event-4657.png
deleted file mode 100644
index 4b0ffbad21..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4657.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4658.png b/windows/security/threat-protection/auditing/images/event-4658.png
deleted file mode 100644
index 7bf584e4f4..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4658.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4660.png b/windows/security/threat-protection/auditing/images/event-4660.png
deleted file mode 100644
index 55c57de435..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4660.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4661.png b/windows/security/threat-protection/auditing/images/event-4661.png
deleted file mode 100644
index f2b6f57b5b..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4661.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4662.png b/windows/security/threat-protection/auditing/images/event-4662.png
deleted file mode 100644
index d2d50bda5a..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4662.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4663.png b/windows/security/threat-protection/auditing/images/event-4663.png
deleted file mode 100644
index 13629253a0..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4663.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4664.png b/windows/security/threat-protection/auditing/images/event-4664.png
deleted file mode 100644
index 07b9624fdf..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4664.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4670.png b/windows/security/threat-protection/auditing/images/event-4670.png
deleted file mode 100644
index 664fdca981..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4670.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4672.png b/windows/security/threat-protection/auditing/images/event-4672.png
deleted file mode 100644
index 12a54cb1a8..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4672.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4673.png b/windows/security/threat-protection/auditing/images/event-4673.png
deleted file mode 100644
index ac773069eb..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4673.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4674.png b/windows/security/threat-protection/auditing/images/event-4674.png
deleted file mode 100644
index a10eaaa6f7..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4674.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4688.png b/windows/security/threat-protection/auditing/images/event-4688.png
deleted file mode 100644
index 5ce471eda2..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4688.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4689.png b/windows/security/threat-protection/auditing/images/event-4689.png
deleted file mode 100644
index 1c80bf5428..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4689.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4690.png b/windows/security/threat-protection/auditing/images/event-4690.png
deleted file mode 100644
index 400c1aa7df..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4690.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4691.png b/windows/security/threat-protection/auditing/images/event-4691.png
deleted file mode 100644
index 8b5563f136..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4691.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4692.png b/windows/security/threat-protection/auditing/images/event-4692.png
deleted file mode 100644
index a26a483b4e..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4692.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4693.png b/windows/security/threat-protection/auditing/images/event-4693.png
deleted file mode 100644
index 6180d34954..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4693.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4696.png b/windows/security/threat-protection/auditing/images/event-4696.png
deleted file mode 100644
index 1169b0e437..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4696.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4697.png b/windows/security/threat-protection/auditing/images/event-4697.png
deleted file mode 100644
index 4cafd71282..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4697.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4698.png b/windows/security/threat-protection/auditing/images/event-4698.png
deleted file mode 100644
index d8c35fc625..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4698.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4699.png b/windows/security/threat-protection/auditing/images/event-4699.png
deleted file mode 100644
index 5e11312a32..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4699.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4700.png b/windows/security/threat-protection/auditing/images/event-4700.png
deleted file mode 100644
index 922b70cbbb..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4700.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4701.png b/windows/security/threat-protection/auditing/images/event-4701.png
deleted file mode 100644
index 71d9ba8d82..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4701.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4702.png b/windows/security/threat-protection/auditing/images/event-4702.png
deleted file mode 100644
index 58b66921ff..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4702.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4703-partial.png b/windows/security/threat-protection/auditing/images/event-4703-partial.png
deleted file mode 100644
index 61df0471f9..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4703-partial.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4703.png b/windows/security/threat-protection/auditing/images/event-4703.png
deleted file mode 100644
index 2ddb6584cd..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4703.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4704.png b/windows/security/threat-protection/auditing/images/event-4704.png
deleted file mode 100644
index a12b3d0e8e..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4704.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4705.png b/windows/security/threat-protection/auditing/images/event-4705.png
deleted file mode 100644
index fbea053355..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4705.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4706.png b/windows/security/threat-protection/auditing/images/event-4706.png
deleted file mode 100644
index d692c6de11..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4706.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4707.png b/windows/security/threat-protection/auditing/images/event-4707.png
deleted file mode 100644
index 455e4aea5c..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4707.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4713.png b/windows/security/threat-protection/auditing/images/event-4713.png
deleted file mode 100644
index a5577751f2..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4713.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4714.png b/windows/security/threat-protection/auditing/images/event-4714.png
deleted file mode 100644
index b7aba8b550..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4714.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4715.png b/windows/security/threat-protection/auditing/images/event-4715.png
deleted file mode 100644
index d61cdf4bee..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4715.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4716.png b/windows/security/threat-protection/auditing/images/event-4716.png
deleted file mode 100644
index 34b7456f04..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4716.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4717.png b/windows/security/threat-protection/auditing/images/event-4717.png
deleted file mode 100644
index 2ada59cc59..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4717.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4718.png b/windows/security/threat-protection/auditing/images/event-4718.png
deleted file mode 100644
index 1cfddd3e3b..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4718.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4719.png b/windows/security/threat-protection/auditing/images/event-4719.png
deleted file mode 100644
index 4cc7540a6c..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4719.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4720.png b/windows/security/threat-protection/auditing/images/event-4720.png
deleted file mode 100644
index d5c0d35986..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4720.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4722.png b/windows/security/threat-protection/auditing/images/event-4722.png
deleted file mode 100644
index 0796375b65..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4722.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4723.png b/windows/security/threat-protection/auditing/images/event-4723.png
deleted file mode 100644
index e8f55a4cf3..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4723.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4724.png b/windows/security/threat-protection/auditing/images/event-4724.png
deleted file mode 100644
index d51ee410e3..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4724.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4725.png b/windows/security/threat-protection/auditing/images/event-4725.png
deleted file mode 100644
index 961f810c35..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4725.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4726.png b/windows/security/threat-protection/auditing/images/event-4726.png
deleted file mode 100644
index 6bcdae24fb..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4726.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4731.png b/windows/security/threat-protection/auditing/images/event-4731.png
deleted file mode 100644
index 3547a1397c..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4731.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4732.png b/windows/security/threat-protection/auditing/images/event-4732.png
deleted file mode 100644
index 62cdd84ef7..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4732.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4733.png b/windows/security/threat-protection/auditing/images/event-4733.png
deleted file mode 100644
index 7ebc924898..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4733.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4734.png b/windows/security/threat-protection/auditing/images/event-4734.png
deleted file mode 100644
index 4df94214f8..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4734.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4735.png b/windows/security/threat-protection/auditing/images/event-4735.png
deleted file mode 100644
index dc3fbe0f84..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4735.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4738.png b/windows/security/threat-protection/auditing/images/event-4738.png
deleted file mode 100644
index 3b540b816e..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4738.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4739.png b/windows/security/threat-protection/auditing/images/event-4739.png
deleted file mode 100644
index 5fb89bb560..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4739.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4740.png b/windows/security/threat-protection/auditing/images/event-4740.png
deleted file mode 100644
index 19d652dac4..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4740.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4741.png b/windows/security/threat-protection/auditing/images/event-4741.png
deleted file mode 100644
index b06a01a83e..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4741.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4742.png b/windows/security/threat-protection/auditing/images/event-4742.png
deleted file mode 100644
index 8922eb978b..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4742.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4743.png b/windows/security/threat-protection/auditing/images/event-4743.png
deleted file mode 100644
index 1225c25c02..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4743.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4749.png b/windows/security/threat-protection/auditing/images/event-4749.png
deleted file mode 100644
index fad8e00ade..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4749.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4750.png b/windows/security/threat-protection/auditing/images/event-4750.png
deleted file mode 100644
index 08d0b6c848..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4750.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4751.png b/windows/security/threat-protection/auditing/images/event-4751.png
deleted file mode 100644
index d9fd6c7928..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4751.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4752.png b/windows/security/threat-protection/auditing/images/event-4752.png
deleted file mode 100644
index 3464cca5a3..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4752.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4753.png b/windows/security/threat-protection/auditing/images/event-4753.png
deleted file mode 100644
index 41ee823086..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4753.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4764.png b/windows/security/threat-protection/auditing/images/event-4764.png
deleted file mode 100644
index 5c376a7176..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4764.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4767.png b/windows/security/threat-protection/auditing/images/event-4767.png
deleted file mode 100644
index bb3c9a8524..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4767.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4768.png b/windows/security/threat-protection/auditing/images/event-4768.png
deleted file mode 100644
index 6150806515..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4768.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4769.png b/windows/security/threat-protection/auditing/images/event-4769.png
deleted file mode 100644
index ad96b8df58..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4769.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4770.png b/windows/security/threat-protection/auditing/images/event-4770.png
deleted file mode 100644
index e780578ec3..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4770.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4771.png b/windows/security/threat-protection/auditing/images/event-4771.png
deleted file mode 100644
index b87ef7dc23..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4771.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4776.png b/windows/security/threat-protection/auditing/images/event-4776.png
deleted file mode 100644
index b0ffefdee9..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4776.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4778.png b/windows/security/threat-protection/auditing/images/event-4778.png
deleted file mode 100644
index 0888c950de..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4778.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4779.png b/windows/security/threat-protection/auditing/images/event-4779.png
deleted file mode 100644
index f578cdd53f..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4779.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4781.png b/windows/security/threat-protection/auditing/images/event-4781.png
deleted file mode 100644
index f344879f9d..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4781.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4782.png b/windows/security/threat-protection/auditing/images/event-4782.png
deleted file mode 100644
index 3f2822bf9c..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4782.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4793.png b/windows/security/threat-protection/auditing/images/event-4793.png
deleted file mode 100644
index 2def52c754..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4793.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4794.png b/windows/security/threat-protection/auditing/images/event-4794.png
deleted file mode 100644
index 08b15adb1e..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4794.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4798.png b/windows/security/threat-protection/auditing/images/event-4798.png
deleted file mode 100644
index 727cf0ce90..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4798.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4799.png b/windows/security/threat-protection/auditing/images/event-4799.png
deleted file mode 100644
index 2bbb69f812..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4799.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4800.png b/windows/security/threat-protection/auditing/images/event-4800.png
deleted file mode 100644
index e7354b3995..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4800.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4801.png b/windows/security/threat-protection/auditing/images/event-4801.png
deleted file mode 100644
index 695e124a94..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4801.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4802.png b/windows/security/threat-protection/auditing/images/event-4802.png
deleted file mode 100644
index 1225e2c79f..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4802.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4803.png b/windows/security/threat-protection/auditing/images/event-4803.png
deleted file mode 100644
index 677663e56a..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4803.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4817.png b/windows/security/threat-protection/auditing/images/event-4817.png
deleted file mode 100644
index 4d71e12ad1..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4817.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4818.png b/windows/security/threat-protection/auditing/images/event-4818.png
deleted file mode 100644
index 65c049a552..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4818.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4819.png b/windows/security/threat-protection/auditing/images/event-4819.png
deleted file mode 100644
index 7f56089668..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4819.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4826.png b/windows/security/threat-protection/auditing/images/event-4826.png
deleted file mode 100644
index 326f7a2a02..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4826.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4865.png b/windows/security/threat-protection/auditing/images/event-4865.png
deleted file mode 100644
index ddbe9a6034..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4865.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4866.png b/windows/security/threat-protection/auditing/images/event-4866.png
deleted file mode 100644
index 2015250a48..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4866.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4867.png b/windows/security/threat-protection/auditing/images/event-4867.png
deleted file mode 100644
index 0f0b6c0662..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4867.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4902.png b/windows/security/threat-protection/auditing/images/event-4902.png
deleted file mode 100644
index 9df8c87ecd..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4902.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4904.png b/windows/security/threat-protection/auditing/images/event-4904.png
deleted file mode 100644
index 016ebf2d95..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4904.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4905.png b/windows/security/threat-protection/auditing/images/event-4905.png
deleted file mode 100644
index 1366e366ef..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4905.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4906.png b/windows/security/threat-protection/auditing/images/event-4906.png
deleted file mode 100644
index 043d6827aa..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4906.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4907.png b/windows/security/threat-protection/auditing/images/event-4907.png
deleted file mode 100644
index d29b170401..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4907.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4908.png b/windows/security/threat-protection/auditing/images/event-4908.png
deleted file mode 100644
index 523cb84a9b..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4908.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4911.png b/windows/security/threat-protection/auditing/images/event-4911.png
deleted file mode 100644
index bfc3830df3..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4911.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4912.png b/windows/security/threat-protection/auditing/images/event-4912.png
deleted file mode 100644
index 9a01e1273e..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4912.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4913.png b/windows/security/threat-protection/auditing/images/event-4913.png
deleted file mode 100644
index a2657ec645..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4913.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4928.png b/windows/security/threat-protection/auditing/images/event-4928.png
deleted file mode 100644
index 8c0ad8368a..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4928.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4929.png b/windows/security/threat-protection/auditing/images/event-4929.png
deleted file mode 100644
index 380b52aaee..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4929.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4930.png b/windows/security/threat-protection/auditing/images/event-4930.png
deleted file mode 100644
index 9c28a8f677..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4930.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4931.png b/windows/security/threat-protection/auditing/images/event-4931.png
deleted file mode 100644
index fb7add47fc..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4931.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4932.png b/windows/security/threat-protection/auditing/images/event-4932.png
deleted file mode 100644
index 5086bed8e7..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4932.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4933.png b/windows/security/threat-protection/auditing/images/event-4933.png
deleted file mode 100644
index 49456d0e08..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4933.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4935.png b/windows/security/threat-protection/auditing/images/event-4935.png
deleted file mode 100644
index 7a1c8a85ab..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4935.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4944.png b/windows/security/threat-protection/auditing/images/event-4944.png
deleted file mode 100644
index 8c05133463..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4944.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4945.png b/windows/security/threat-protection/auditing/images/event-4945.png
deleted file mode 100644
index a3828ba271..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4945.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4946.png b/windows/security/threat-protection/auditing/images/event-4946.png
deleted file mode 100644
index d06ba42b67..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4946.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4947.png b/windows/security/threat-protection/auditing/images/event-4947.png
deleted file mode 100644
index ba67a44c7c..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4947.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4948.png b/windows/security/threat-protection/auditing/images/event-4948.png
deleted file mode 100644
index b956769c0a..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4948.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4949.png b/windows/security/threat-protection/auditing/images/event-4949.png
deleted file mode 100644
index c60530df7f..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4949.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4950.png b/windows/security/threat-protection/auditing/images/event-4950.png
deleted file mode 100644
index fcf6504a6b..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4950.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4951.png b/windows/security/threat-protection/auditing/images/event-4951.png
deleted file mode 100644
index 164e6bc717..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4951.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4953.png b/windows/security/threat-protection/auditing/images/event-4953.png
deleted file mode 100644
index 438e9bf324..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4953.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4954.png b/windows/security/threat-protection/auditing/images/event-4954.png
deleted file mode 100644
index 33f6da3866..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4954.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4956.png b/windows/security/threat-protection/auditing/images/event-4956.png
deleted file mode 100644
index fad74aef48..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4956.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4957.png b/windows/security/threat-protection/auditing/images/event-4957.png
deleted file mode 100644
index 8805c6964b..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4957.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4964.png b/windows/security/threat-protection/auditing/images/event-4964.png
deleted file mode 100644
index 13dd095a3f..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4964.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-4985.png b/windows/security/threat-protection/auditing/images/event-4985.png
deleted file mode 100644
index f182c22d48..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-4985.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5024.png b/windows/security/threat-protection/auditing/images/event-5024.png
deleted file mode 100644
index 900efa51c7..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5024.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5025.png b/windows/security/threat-protection/auditing/images/event-5025.png
deleted file mode 100644
index 1af6e5594c..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5025.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5027.png b/windows/security/threat-protection/auditing/images/event-5027.png
deleted file mode 100644
index 30f8e9887e..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5027.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5028.png b/windows/security/threat-protection/auditing/images/event-5028.png
deleted file mode 100644
index c4fffb4a49..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5028.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5031.png b/windows/security/threat-protection/auditing/images/event-5031.png
deleted file mode 100644
index 854c827ce8..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5031.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5033.png b/windows/security/threat-protection/auditing/images/event-5033.png
deleted file mode 100644
index d8eaad7cef..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5033.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5034.png b/windows/security/threat-protection/auditing/images/event-5034.png
deleted file mode 100644
index 2b3d8464da..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5034.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5058.png b/windows/security/threat-protection/auditing/images/event-5058.png
deleted file mode 100644
index 9cc4569845..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5058.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5059.png b/windows/security/threat-protection/auditing/images/event-5059.png
deleted file mode 100644
index 5896afdaa5..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5059.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5061.png b/windows/security/threat-protection/auditing/images/event-5061.png
deleted file mode 100644
index dd953b85be..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5061.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5136.png b/windows/security/threat-protection/auditing/images/event-5136.png
deleted file mode 100644
index e1b8a249fd..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5136.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5137.png b/windows/security/threat-protection/auditing/images/event-5137.png
deleted file mode 100644
index 423a9e4e9c..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5137.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5138.png b/windows/security/threat-protection/auditing/images/event-5138.png
deleted file mode 100644
index fee3c30140..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5138.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5139.png b/windows/security/threat-protection/auditing/images/event-5139.png
deleted file mode 100644
index f4966fa100..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5139.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5140.png b/windows/security/threat-protection/auditing/images/event-5140.png
deleted file mode 100644
index 927285b3cb..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5140.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5141.png b/windows/security/threat-protection/auditing/images/event-5141.png
deleted file mode 100644
index 350ca4e5bf..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5141.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5142.png b/windows/security/threat-protection/auditing/images/event-5142.png
deleted file mode 100644
index c2fffdf288..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5142.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5143.png b/windows/security/threat-protection/auditing/images/event-5143.png
deleted file mode 100644
index c301bde59d..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5143.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5144.png b/windows/security/threat-protection/auditing/images/event-5144.png
deleted file mode 100644
index 96a6176367..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5144.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5145.png b/windows/security/threat-protection/auditing/images/event-5145.png
deleted file mode 100644
index 73c1364328..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5145.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5152.png b/windows/security/threat-protection/auditing/images/event-5152.png
deleted file mode 100644
index 2f06bab5b4..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5152.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5154.png b/windows/security/threat-protection/auditing/images/event-5154.png
deleted file mode 100644
index 1ee4716063..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5154.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5156.png b/windows/security/threat-protection/auditing/images/event-5156.png
deleted file mode 100644
index 93ac25973a..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5156.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5157.png b/windows/security/threat-protection/auditing/images/event-5157.png
deleted file mode 100644
index d44c2b5188..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5157.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5158.png b/windows/security/threat-protection/auditing/images/event-5158.png
deleted file mode 100644
index 65b65085d3..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5158.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5159.png b/windows/security/threat-protection/auditing/images/event-5159.png
deleted file mode 100644
index a2f9134fe8..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5159.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5168.png b/windows/security/threat-protection/auditing/images/event-5168.png
deleted file mode 100644
index 509000797f..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5168.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5376.png b/windows/security/threat-protection/auditing/images/event-5376.png
deleted file mode 100644
index b439b4ee5b..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5376.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5377.png b/windows/security/threat-protection/auditing/images/event-5377.png
deleted file mode 100644
index 061f81ce3c..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5377.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5378.png b/windows/security/threat-protection/auditing/images/event-5378.png
deleted file mode 100644
index d89a1a40dd..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5378.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5447.png b/windows/security/threat-protection/auditing/images/event-5447.png
deleted file mode 100644
index 97b8fd61a6..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5447.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5632.png b/windows/security/threat-protection/auditing/images/event-5632.png
deleted file mode 100644
index 2d732bd578..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5632.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5633.png b/windows/security/threat-protection/auditing/images/event-5633.png
deleted file mode 100644
index a6a378c5f7..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5633.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5888.png b/windows/security/threat-protection/auditing/images/event-5888.png
deleted file mode 100644
index 028ee2be06..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5888.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5889.png b/windows/security/threat-protection/auditing/images/event-5889.png
deleted file mode 100644
index 2e1164bb69..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5889.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-5890.png b/windows/security/threat-protection/auditing/images/event-5890.png
deleted file mode 100644
index 46b9cc8e30..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-5890.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-6144.png b/windows/security/threat-protection/auditing/images/event-6144.png
deleted file mode 100644
index b13fba0760..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-6144.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-6145.png b/windows/security/threat-protection/auditing/images/event-6145.png
deleted file mode 100644
index 31cca8d59e..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-6145.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-6416.png b/windows/security/threat-protection/auditing/images/event-6416.png
deleted file mode 100644
index d4ba5077b2..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-6416.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-6419.png b/windows/security/threat-protection/auditing/images/event-6419.png
deleted file mode 100644
index c1a5604016..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-6419.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-6420.png b/windows/security/threat-protection/auditing/images/event-6420.png
deleted file mode 100644
index 546589127c..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-6420.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-6421.png b/windows/security/threat-protection/auditing/images/event-6421.png
deleted file mode 100644
index a3cbe78e3c..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-6421.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-6422.png b/windows/security/threat-protection/auditing/images/event-6422.png
deleted file mode 100644
index 74b1575dae..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-6422.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/event-6423.png b/windows/security/threat-protection/auditing/images/event-6423.png
deleted file mode 100644
index dc383d254e..0000000000
Binary files a/windows/security/threat-protection/auditing/images/event-6423.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/filters-xml-file.png b/windows/security/threat-protection/auditing/images/filters-xml-file.png
deleted file mode 100644
index 9a35082fd7..0000000000
Binary files a/windows/security/threat-protection/auditing/images/filters-xml-file.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/firewall-settings-public-profile.png b/windows/security/threat-protection/auditing/images/firewall-settings-public-profile.png
deleted file mode 100644
index fc4ac0b4c6..0000000000
Binary files a/windows/security/threat-protection/auditing/images/firewall-settings-public-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/group-policy-editor.png b/windows/security/threat-protection/auditing/images/group-policy-editor.png
deleted file mode 100644
index 361e4c3943..0000000000
Binary files a/windows/security/threat-protection/auditing/images/group-policy-editor.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/group-policy.png b/windows/security/threat-protection/auditing/images/group-policy.png
deleted file mode 100644
index aa4dd8b838..0000000000
Binary files a/windows/security/threat-protection/auditing/images/group-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/impact-property.png b/windows/security/threat-protection/auditing/images/impact-property.png
deleted file mode 100644
index b65b204b68..0000000000
Binary files a/windows/security/threat-protection/auditing/images/impact-property.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/ipconfig-command.png b/windows/security/threat-protection/auditing/images/ipconfig-command.png
deleted file mode 100644
index abebb23207..0000000000
Binary files a/windows/security/threat-protection/auditing/images/ipconfig-command.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/logging-settings-public-profile.png b/windows/security/threat-protection/auditing/images/logging-settings-public-profile.png
deleted file mode 100644
index 32aceb9fee..0000000000
Binary files a/windows/security/threat-protection/auditing/images/logging-settings-public-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/msb.png b/windows/security/threat-protection/auditing/images/msb.png
deleted file mode 100644
index fb546a41c4..0000000000
Binary files a/windows/security/threat-protection/auditing/images/msb.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/netsh-advfirewall-command.png b/windows/security/threat-protection/auditing/images/netsh-advfirewall-command.png
deleted file mode 100644
index 56d7caa0c4..0000000000
Binary files a/windows/security/threat-protection/auditing/images/netsh-advfirewall-command.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/netsh-lan-command.png b/windows/security/threat-protection/auditing/images/netsh-lan-command.png
deleted file mode 100644
index 776bbd1bd3..0000000000
Binary files a/windows/security/threat-protection/auditing/images/netsh-lan-command.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/offline-settings.png b/windows/security/threat-protection/auditing/images/offline-settings.png
deleted file mode 100644
index f9596725c1..0000000000
Binary files a/windows/security/threat-protection/auditing/images/offline-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/query-session.png b/windows/security/threat-protection/auditing/images/query-session.png
deleted file mode 100644
index 7e7a29e4fc..0000000000
Binary files a/windows/security/threat-protection/auditing/images/query-session.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/registry-editor-audit.png b/windows/security/threat-protection/auditing/images/registry-editor-audit.png
deleted file mode 100644
index 055863b04b..0000000000
Binary files a/windows/security/threat-protection/auditing/images/registry-editor-audit.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/registry-editor-firewallrules.png b/windows/security/threat-protection/auditing/images/registry-editor-firewallrules.png
deleted file mode 100644
index 5b3c291a9a..0000000000
Binary files a/windows/security/threat-protection/auditing/images/registry-editor-firewallrules.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/schema-search.png b/windows/security/threat-protection/auditing/images/schema-search.png
deleted file mode 100644
index 6028e60fa1..0000000000
Binary files a/windows/security/threat-protection/auditing/images/schema-search.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/subkeys-under-security-key.png b/windows/security/threat-protection/auditing/images/subkeys-under-security-key.png
deleted file mode 100644
index fdef5ec55d..0000000000
Binary files a/windows/security/threat-protection/auditing/images/subkeys-under-security-key.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/subtree-deletion.png b/windows/security/threat-protection/auditing/images/subtree-deletion.png
deleted file mode 100644
index 588960f260..0000000000
Binary files a/windows/security/threat-protection/auditing/images/subtree-deletion.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/synaptics1.png b/windows/security/threat-protection/auditing/images/synaptics1.png
deleted file mode 100644
index 81716c5ad1..0000000000
Binary files a/windows/security/threat-protection/auditing/images/synaptics1.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/synaptics2.png b/windows/security/threat-protection/auditing/images/synaptics2.png
deleted file mode 100644
index 2fc2d10737..0000000000
Binary files a/windows/security/threat-protection/auditing/images/synaptics2.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/synaptics3.png b/windows/security/threat-protection/auditing/images/synaptics3.png
deleted file mode 100644
index cbcb7c466a..0000000000
Binary files a/windows/security/threat-protection/auditing/images/synaptics3.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/synaptics4.png b/windows/security/threat-protection/auditing/images/synaptics4.png
deleted file mode 100644
index 67bfc1f857..0000000000
Binary files a/windows/security/threat-protection/auditing/images/synaptics4.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/synaptics5.png b/windows/security/threat-protection/auditing/images/synaptics5.png
deleted file mode 100644
index 4e8285a462..0000000000
Binary files a/windows/security/threat-protection/auditing/images/synaptics5.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/synaptics6.png b/windows/security/threat-protection/auditing/images/synaptics6.png
deleted file mode 100644
index 79c9b3a1a2..0000000000
Binary files a/windows/security/threat-protection/auditing/images/synaptics6.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/synaptics7.png b/windows/security/threat-protection/auditing/images/synaptics7.png
deleted file mode 100644
index 2ffc025437..0000000000
Binary files a/windows/security/threat-protection/auditing/images/synaptics7.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/task-manager.png b/windows/security/threat-protection/auditing/images/task-manager.png
deleted file mode 100644
index 47aa593f98..0000000000
Binary files a/windows/security/threat-protection/auditing/images/task-manager.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/wfpstate-xml.png b/windows/security/threat-protection/auditing/images/wfpstate-xml.png
deleted file mode 100644
index 88695f63ed..0000000000
Binary files a/windows/security/threat-protection/auditing/images/wfpstate-xml.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/whoami-privilege-list.png b/windows/security/threat-protection/auditing/images/whoami-privilege-list.png
deleted file mode 100644
index 4c335aa7b5..0000000000
Binary files a/windows/security/threat-protection/auditing/images/whoami-privilege-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/windows-firewall-state-off.png b/windows/security/threat-protection/auditing/images/windows-firewall-state-off.png
deleted file mode 100644
index 3be52d38ac..0000000000
Binary files a/windows/security/threat-protection/auditing/images/windows-firewall-state-off.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/windows-firewall-with-advanced-security.png b/windows/security/threat-protection/auditing/images/windows-firewall-with-advanced-security.png
deleted file mode 100644
index c6b59d896e..0000000000
Binary files a/windows/security/threat-protection/auditing/images/windows-firewall-with-advanced-security.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/windows-powershell-get-gpo.png b/windows/security/threat-protection/auditing/images/windows-powershell-get-gpo.png
deleted file mode 100644
index b6a818703c..0000000000
Binary files a/windows/security/threat-protection/auditing/images/windows-powershell-get-gpo.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
deleted file mode 100644
index 2db4bc7e3a..0000000000
--- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Monitor central access policy and rule definitions
-description: Learn how to use advanced security auditing options to monitor changes to central access policy and central access rule definitions.
-ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Monitor central access policy and rule definitions
-
-
-This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
-
-Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They're stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced.
-
-Follow the procedures in this article to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
-
-> [!NOTE]
-> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
-**Configure settings to monitor central access policy and rule definition changes**
-
-1.  Sign in to your domain controller by using domain administrator credentials.
-2.  In Server Manager, point to **Tools** and select **Group Policy Management**.
-3.  In the console tree, right-click the default domain controller Group Policy Object, and then select **Edit**.
-4.  Double-click **Computer Configuration** and select **Security Settings**. Expand **Advanced Audit Policy Configuration** and **System Audit Policies**, select **DS Access**, and then double-click **Audit directory service changes**.
-5.  Select the **Configure the following audit events** and **Success** check boxes (and the **Failure** check box, if you want). Then select **OK**.
-6.  Close the Group Policy Management Editor.
-7.  Open the Active Directory Administrative Center.
-8.  Under Dynamic Access Control, right-click **Central Access Policies**, and then select **Properties**.
-9.  Select the **Security** tab, select **Advanced** to open the **Advanced Security Settings** dialog box, and then select the **Auditing** tab.
-10. Select **Add**, add a security auditing setting for the container, and then close all the security properties dialog boxes.
-
-After you configure settings to monitor changes to central access policy and central access rule definitions, verify that the changes are being monitored.
-
-**Verify that central access policy and rule definition changes are monitored**
-
-1.  Sign in to your domain controller by using domain administrator credentials.
-2.  Open the Active Directory Administrative Center.
-3.  Under **Dynamic Access Control**, right-click **Central Access Policies**, and then select **Properties**.
-4.  Select the **Security** tab, select **Advanced** to open the **Advanced Security Settings** dialog box, and then select the **Auditing** tab.
-5.  Select **Add**, add a security auditing setting for the container, and then close all security properties dialog boxes.
-6.  In the **Central Access Policies** container, add a new central access policy (or select one that already exists). Select **Properties** in the **Tasks** pane, and then change one or more attributes.
-7.  Select **OK**, and then close the Active Directory Administrative Center.
-8.  In Server Manager, select **Tools** and then **Event Viewer**.
-9.  Expand **Windows Logs**, and then select **Security**. Verify that event 4819 appears in the security log.
-
-### Related topics
-
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md
deleted file mode 100644
index 13bd276728..0000000000
--- a/windows/security/threat-protection/auditing/monitor-claim-types.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Monitor claim types
-description: Learn how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.
-ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Monitor claim types
-
-
-This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.
-
-Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes such as the departments in an organization or the levels of security clearance that apply to classes of users. You can use security auditing to track whether claims are added, modified, enabled, disabled, or deleted.
-
-Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic
-Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
-
->**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
-**To configure settings to monitor changes to claim types**
-
-1.  Sign in to your domain controller by using domain administrator credential.
-2.  In Server Manager, point to **Tools**, and then click **Group Policy Management**.
-3.  In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**.
-4.  Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**.
-5.  Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
-
-After you configure settings to monitor changes to claim types in AD DS, verify that the changes are being monitored.
-
-**To verify that changes to claim types are monitored**
-
-1.  Sign in to your domain controller by using domain administrator credentials.
-2.  Open the Active Directory Administrative Center.
-3.  Under **Dynamic Access Control**, right-click **Claim Types**, and then click **Properties**.
-4.  Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab.
-5.  Click **Add**, add a security auditing setting for the container, and then close all the Security properties dialog boxes.
-6.  In the **Claim Types** container, add a new claim type or select an existing claim type. In the **Tasks** pane, click **Properties**, and then change one or more attributes.
-
-    Click **OK**, and then close the Active Directory Administrative Center.
-
-7.  Open Event Viewer on this domain controller, expand **Windows Logs**, and select the **Security** log.
-
-    Look for event 5137. Key information to look for includes the name of the new attribute that was added, the type of claim that was created, and the user who created the claim.
-
-### Related resource
-
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
deleted file mode 100644
index 0554f4f44d..0000000000
--- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Monitor resource attribute definitions
-description: Learn how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects.
-ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Monitor resource attribute definitions
-
-
-This topic for the IT professional describes how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects.
-Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object.
-
-For information about monitoring changes to the resource attributes that apply to files, see [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md).
-
-Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
-
->**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
-**To configure settings to monitor changes to resource attributes**
-
-1.  Sign in to your domain controller by using domain administrator credentials.
-2.  In Server Manager, point to **Tools**, and then click **Group Policy Management**.
-3.  In the console tree, right-click the Group Policy Object for the default domain controller, and then click **Edit**.
-4.  Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**.
-5.  Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
-6.  Close the Group Policy Management Editor.
-7.  Open the Active Directory Administrative Center.
-8.  Under **Dynamic Access Control**, right-click **Resource Properties**, and then click **Properties**.
-9.  Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab.
-10. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes.
-
-After you configure settings to monitor changes to resource attributes in AD DS, verify that the changes are being monitored.
-
-**To verify that changes to resource definitions are monitored**
-
-1.  Sign in to your domain controller by using domain administrator credentials.
-2.  Open the Active Directory Administrative Center.
-3.  Under **Dynamic Access Control**, click **Resource Properties**, and then double-click a resource attribute.
-4.  Make changes to this resource attribute.
-5.  Click **OK**, and then close the Active Directory Administrative Center.
-6.  In Server Manager, click **Tools**, and then click **Event Viewer**.
-7.  Expand **Windows Logs**, and then click **Security**. Verify that event 5137 appears in the security log.
-
-### Related resource
-
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
deleted file mode 100644
index 0086d38798..0000000000
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Monitor central access policies for files or folders
-description: Monitor changes to central access policies associated with files and folders, when using advanced security auditing options for dynamic access control objects.
-ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Monitor the central access policies associated with files and folders
-
-
-This article for IT professionals describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects.
-
-This security audit policy and the event that it records are generated when the central access policy that's associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server.
-
-For information about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md).
-
-Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview).
-
-> [!NOTE]
-> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
-**To configure settings to monitor central access policies associated with files or folders**
-
-1.  Sign in to your domain controller by using domain administrator credentials.
-2.  In Server Manager, point to **Tools**, and then select **Group Policy Management**.
-3.  In the console tree, right-click the flexible access Group Policy Object, and then select **Edit**.
-4.  Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**.
-5.  Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then select **OK**.
-6.  Turn on auditing for a file or folder as described in the following procedure.
-
-**To turn on auditing for a file or folder**
-
-1.  Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit.
-2.  Right-click the file or folder, select **Properties**, and then select the **Security** tab.
-3.  Select **Advanced**, select the **Auditing** tab, and then select **Continue**.
-
-    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
-
-4.  Select **Add**, select **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then select **OK**.
-5.  In the **Auditing Entry for** dialog box, select the permissions that you want to audit, such as **Full Control** or **Delete**.
-6.  To complete the configuration of the object SACL, select **OK** four times.
-7.  Open a File Explorer window, and then select or create a file or folder to audit.
-8.  Open an elevated command prompt, and then run the following command:
-
-    `gpupdate /force`
-
-After you configure settings to monitor changes to the central access policies that are associated with files and folders, verify that the changes are being monitored.
-
-**To verify that changes to central access policies associated with files and folders are monitored**
-
-1.  Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit.
-2.  Open a File Explorer window, and then select the file or folder that you configured for auditing in the previous procedure.
-3.  Right-click the file or folder, select **Properties**, select the **Security** tab, and then select **Advanced**.
-4.  Select the **Central Policy** tab, select **Change**, select a different central access policy (if one is available) or select **No Central Access Policy**, and then select **OK** twice.
-    > [!NOTE]
-    > You must select a setting that is different than your original setting to generate the audit event.
-
-5.  In Server Manager, select **Tools**, and then select **Event Viewer**.
-6.  Expand **Windows Logs**, and then select **Security**.
-7.  Look for event 4913, which is generated when the central access policy that's associated with a file or folder changes. This event includes the security identifiers (SIDs) of the old and new central access policies.
-
-### Related resource
-
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
deleted file mode 100644
index 01731d7b6e..0000000000
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Monitor central access policies on a file server
-description: Learn how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options.
-ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Monitor the central access policies that apply on a file server
-
-
-This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain controller and then applied to file servers through Group Policy management.
-
-Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of CAPs on a file server. The following procedures assume that you have configured and deployed dynamic access control, including CAPs and claims, in your network. If you haven't yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
-
-**To configure settings to monitor changes to central access policies**
-
-1.  Sign in to your domain controller by using domain administrator credentials.
-2.  In Server Manager, point to **Tools**, and then select **Group Policy Management**.
-3.  In the console tree, select the flexible access Group Policy Object, and then select **Edit**.
-4.  Select **Computer Configuration** > **Security Settings** > **Advanced Audit Policy Configuration** > **Policy Change** > **Other Policy Change Events**.
-
-   > [!NOTE]
-   > This policy setting monitors policy changes that might not be captured otherwise, such as CAP changes or trusted platform module configuration changes.
-     
-5.  Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then select **OK**.
-
-After you modify the CAPs on the domain controller, verify that the changes have been applied to the file server and that the proper events are logged.
-
-**To verify changes to the central access policies**
-
-1.  Sign in to your domain controller by using domain administrator credentials.
-2.  Open the Group Policy Management Console.
-3.  Select **Default domain policy**, and then select **Edit**.
-4.  Select **Computer Configuration** > **Policies**, and then select **Windows Settings**.
-5.  Select **Security Settings** > **File system**, and then select **Manage CAPs**.
-6.  In the wizard that appears, follow the instructions to add a new CAP, and then select **OK**.
-7.  Use local administrator credentials to sign in to the server that hosts resources that are subject to the CAPs you changed.
-8.  Select the Windows logo key+R, and then type **cmd** to open a command prompt window.
-
-   > [!NOTE]
-   > If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
-     
-9.  Type **gpupdate /force**, and then select the Enter key.
-10. In Server Manager, select **Tools**, and then select **Event Viewer**.
-11. Expand **Windows Logs**, and then select **Security**. Verify that event 4819 appears in the security log.
-
-## Related resources
-
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
deleted file mode 100644
index 37a5df774a..0000000000
--- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Monitor the resource attributes on files and folders
-description: Learn how to use advanced security auditing options to monitor attempts to change settings on the resource attributes of files.
-ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Monitor the resource attributes on files and folders
-
-
-This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you're using advanced security auditing options to monitor dynamic access control objects.
-
-If your organization has a carefully thought out authorization configuration for resources, changes to these resource attributes can create potential security risks. Examples include:
-
--   Changing files that have been marked as high business value to low business value.
--   Changing the Retention attribute of files that have been marked for retention.
--   Changing the Department attribute of files that are marked as belonging to a particular department.
-
-Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview) .
-
->**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
-**To monitor changes to resource attributes on files**
-
-1.  Sign in to your domain controller by using domain administrator credentials.
-2.  In Server Manager, point to **Tools**, and then click **Group Policy Management**.
-3.  In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**.
-4.  Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**.
-5.  Select the **Configure the following audit events** check box, select the **Success** and **Failure** check boxes, and then click **OK**.
-
-After you configure settings to monitor resource attributes on files, verify that the changes are being monitored.
-
-**To verify that changes to resource attributes on files are monitored**
-
-1.  Use administrator credentials to sign in to the server that hosts the resource you want to monitor.
-2.  From an elevated command prompt, type **gpupdate /force**, and then press ENTER.
-3.  Attempt to change resource properties on one or more files and folders.
-4.  In Server Manager, click **Tools**, and then click **Event Viewer**.
-5.  Expand **Windows Logs**, and then click **Security**.
-6.  Depending on which resource attributes you attempted to change, you should look for the following events:
-
-    -   Event 4911, which tracks changes to file attributes
-    -   Event 4913, which tracks changes to central access policies
-
-    Key information to look for includes the name and account domain of the principal attempting to change the resource attribute, the object that the principal is attempting to modify, and information about the changes that are being attempted.
-
-### Related resource
-
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
deleted file mode 100644
index 4e187a67d2..0000000000
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: Monitor the use of removable storage devices
-description: Learn how advanced security auditing options can be used to monitor attempts to use removable storage devices to access network resources.
-ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Monitor the use of removable storage devices
-
-This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.
-
-If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a resource to a removable storage device.
-
-Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored.
-
-Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
-> [!NOTE]
-> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](/previous-versions/ff541299(v=vs.85)). This may require the device to restart to apply the new security descriptor.
-
-## To configure settings to monitor removable storage devices
-
-1. Sign in to your domain controller by using domain administrator credentials.
-2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
-3. In the console tree, right-click the flexible access Group Policy Object on the domain controller, and then click **Edit**.
-4. Double-click **Computer Configuration**, double-click **Policies**, double-click **Windows Settings**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Object Access**, and then double-click **Audit Removable Storage**.
-5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
-6. If you selected the **Failure** check box, double-click **Audit Handle Manipulation**, select the **Configure the following audit events check box**, and then select **Failure**.
-7. Click **OK**, and then close the Group Policy Management Editor.
-
-After you configure the settings to monitor removable storage devices, use the following procedure to verify that the settings are active.
-
-## To verify that removable storage devices are monitored
-
-1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window.
-
-    > [!NOTE]
-    > If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-2. Type **gpupdate /force**, and press ENTER.
-3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy.
-4. In Server Manager, click **Tools**, and then click **Event Viewer**.
-5. Expand **Windows Logs**, and then click **Security**.
-6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include **Task Category = Removable Storage device**.
-
-    For more information, see [Audit Removable Storage](audit-removable-storage.md).
-
-    Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted.
-
-    > [!NOTE]
-    > Even after configuring settings to monitor removable storage devices, some versions of Windows 10 may require registry key **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage\HotPlugSecureOpen** to be set to **1** to start logging the removable storage audit events.
-
-    > [!NOTE]
-    > We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.
-
-### Related resource
-
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
-- [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control)
diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
deleted file mode 100644
index e4792764cf..0000000000
--- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Monitor user and device claims during sign-in
-description: Learn how to monitor user and device claims that are associated with a user’s security token. This advice assumes you have deployed Dynamic Access Control.
-ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Monitor user and device claims during sign-in
-
-
-This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you're using advanced security auditing options to monitor dynamic access control objects.
-
-Device claims are associated with the system that is used to access resources that are protected with Dynamic Access Control. User claims are attributes that are associated with a user. User claims and device claims are included in the user’s security token used at the sign-in stage. For example, information about Department, Company, Project, or Security clearances might be included in the token.
-
-Use the following procedures to monitor changes to user claims and device claims in the user’s sign-in token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
-
->**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
-**To monitor user and device claims in user logon token**
-
-1.  Sign in to your domain controller by using domain administrator credentials.
-2.  In Server Manager, point to **Tools**, and then click **Group Policy Management**.
-3.  In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**.
-4.  Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **Logon/Logoff**, and then double-click **Audit User/Device claims**.
-5.  Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
-6.  Close the Group Policy Management Editor.
-
-After you configure settings to monitor user and device claims, verify that the changes are being monitored.
-
-**To verify that user and device claims in user logon token are monitored**
-
-1.  With local administrator credentials, sign in to a file server that is subject to the flexible access Group Policy Object.
-2.  Open an elevated command prompt, and run the following command:
-
-    `gpupdate force`
-
-3.  From a client computer, connect to a file share on the file server as a user who has access permissions to the file server.
-4.  On the file server, open Event Viewer, expand **Windows Logs**, and select the **Security** log. Look for event 4626, and confirm that it contains information about user claims and device claims.
-
-### Related resource
-
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md
deleted file mode 100644
index c4bdc43d1f..0000000000
--- a/windows/security/threat-protection/auditing/other-events.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Other Events 
-description: Describes the Other Events auditing subcategory, which includes events that are generated automatically and enabled by default.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.date: 09/09/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# Other Events
-
-
-Events in this section generate automatically and are enabled by default.
-
-**Events List:**
-
--   [1100](event-1100.md)(S): The event logging service has shut down.
-
--   [1102](event-1102.md)(S): The audit log was cleared.
-
--   [1104](event-1104.md)(S): The security log is now full.
-
--   [1105](event-1105.md)(S): Event log automatic backup.
-
--   [1108](event-1108.md)(S): The event logging service encountered an error while processing an incoming event published from %1
-
diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
deleted file mode 100644
index 3d589a1ec4..0000000000
--- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
+++ /dev/null
@@ -1,373 +0,0 @@
----
-title: Plan and deploy advanced security audit policies
-description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies.
-ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Plan and deploy advanced security audit policies
-
-
-This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.
-
-Organizations invest heavily in security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, the job isn't complete unless you've a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them.
-
-To be well-defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In many organizations, it must also provide proof that IT operations comply with corporate and regulatory requirements.
-
-No organization has unlimited resources to monitor every resource and activity on a network. If you don't plan well, you'll likely have gaps in your auditing strategy. But if you try to audit every resource and activity, you may gather too much monitoring data, including thousands of benign audit entries that an analyst will have to sift through to identify the narrow set of entries that warrant closer examination. Such volume could delay or prevent auditors from identifying suspicious activity. Too much monitoring can leave an organization as vulnerable as not enough.
-
-Here are some features that can help you focus your effort:
-
--   **Advanced audit policy settings:** You can apply and manage detailed audit policy settings through Group Policy.
--   **"Reason for access" auditing:** You can specify and identify the permissions that were used to generate a particular object access security event.
--   **Global object access auditing:** You can define system access control lists (SACLs) for an entire computer file system or registry.
-
-To deploy these features and plan an effective security auditing strategy, you need to:
-
--   Identify your most critical resources and the most important activities that you need to track.
--   Identify the audit settings that you can use to track these activities.
--   Assess the advantages and potential costs associated with each.
--   Test these settings to validate your choices.
--   Develop plans for deploying and managing your audit policy.
-
-## About this guide
-
-This article guides you through the steps to plan a security auditing policy that uses Windows auditing features. The policy must address vital business needs, including:
-
--   Network reliability
--   Regulatory requirements
--   Protection of data and intellectual property
--   Users, including employees, contractors, partners, and customers
--   Client computers and applications
--   Servers and the applications and services running on those servers
-
-The audit policy also must identify processes for managing audit data after it's been logged, including:
-
--   Collecting, evaluating, and reviewing data
--   Storing and (if necessary) disposing of data
-
-By carefully planning, designing, testing, and deploying a solution based on your organization's business requirements, you can provide the standardized functionality, security, and management control that your organization needs.
-
-## Understand the security audit policy design process
-
-Designing and deploying a Windows security audit policy involves the following tasks, which are described in this document:
-
--   [Identify your Windows security audit policy deployment goals](#bkmk-1)
-
-    This section helps define the business objectives that will guide your Windows security audit policy. It also helps  define the resources, users, and computers that will be the focus of your auditing.
-
--   [Map your security audit policy to groups of users, computers, and resources](#bkmk-2)
-
-    This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. It also explains when to use basic audit policy settings and when to use advanced security audit policy settings.
-
--   [Map your security auditing goals to a security audit policy configuration](#bkmk-3)
-
-    This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings to address auditing scenarios.
-
--   [Plan for security audit monitoring and management](#bkmk-4)
-
-    This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you audit, your Windows event logs can fill up quickly. This section also explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also covers how to address storage requirements.
-
--   [Deploy the security audit policy](#bkmk-5)
-
-    This section provides guidelines for effective deployment of a Windows security audit policy. Deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you've selected will produce the audit data that you need. But only a carefully staged pilot and incremental deployment based on your domain and organizational unit (OU) structure will confirm that the audit data you generate can be monitored and meets your needs.
-
-## <a href="" id="bkmk-1"></a>Identify your Windows security audit policy deployment goals
-
-A security audit policy must support and be an integrated aspect of an organization's overall security framework.
-
-Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which provide the strongest justification for the focus of a security audit.
-
-To create your Windows security audit plan, begin by identifying:
-
--   The overall network environment, including the domains, OUs, and security groups
--   The resources on the network, the users of those resources, and how those resources are used
--   Regulatory requirements
-
-### Network environment
-
-An organization's domain and organizational unit (OU) structure provide a fundamental starting point for thinking about how to apply a security audit policy. They likely provide a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. Your domain and OU structure probably already provide logical groups of users, resources, and activities that justify the resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources](#bkmk-2) later in this document.
-
-In addition to your domain model, determine whether your organization maintains a systematic threat model. A good threat model can help identify threats to key components in your infrastructure. Then you can apply audit settings that enhance your ability to identify and counter those threats.
-
-> [!IMPORTANT]
-> Including auditing in your organization's security plan also helps you budget resources to the areas where auditing can achieve the best results.
-
-### Data and resources
-
-For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of your data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance your existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you can manage.
-
-You can record if these resources have high, medium, or low business impact; the cost to the organization if these data resources are accessed by unauthorized users; and the risks that such access can pose to the organization. The type of access by users (such as *read*, *modify*, or *copy*) can also pose different levels of risk.
-
-Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss of credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information.
-
-The following table provides an example of a resource analysis for an organization.
-
-| Resource class | Where stored | Organizational unit | Business impact | Security or regulatory requirements |
-| - | - | - | - | - |
-| Payroll data| Corp-Finance-1| Accounting: Read/write on Corp-Finance-1<br/>Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy|
-| Patient medical records| MedRec-2| Doctors and Nurses: Read/write on Med/Rec-2<br/>Lab Assistants: Write only on MedRec-2<br/>Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards|
-| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/write on Web-Ext-1<br/>Public: Read only on Web-Ext-1| Low| Public education and corporate image|
-
-### Users
-
-Many organizations find it useful to classify the types of users they have and then base permissions on this classification. This classification can help you identify which user activities should be the subject of security auditing and the amount of audit data that they'll generate.
-
-Organizations can create distinctions based on the type of rights and permissions that users need to do their jobs. Under the classification *administrators*, for example, large organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under *users*, permissions and Group Policy settings can apply to all users in an organization or as few as a subset of employees in a given department.
-
-Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you're complying with these requirements.
-
-To effectively audit user activity, begin by listing the different types of users in your organization, the types of data they need access to, and the data they shouldn't have access to.
-
-Also, if external users can access your organization's data, be sure to identify them. Determine whether they're a business partner, customer, or general user; the data they have access to; and the permissions they have to access that data.
-
-The following table illustrates an analysis of users on a network. Our example contains only a single column titled "Possible auditing considerations," but you may want to create more columns to differentiate between different types of network activity, such as sign-in hours and permission use.
-
-| Groups | Data | Possible auditing considerations |
-| - | - | - |
-| Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. |
-| Members of the Finance OU| Financial records| Users in Finance have read/write access to critical financial records but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. |
-| External partners | Project Z| Employees of partner organizations have read/write access to certain project data and servers relating to Project Z but not to other servers or data on the network.|
-
-### Computers
-
-Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on:
-
--   Whether the computers are servers, desktop computers, or portable computers
--   The important applications that the computers run, such as Microsoft Exchange Server, SQL Server, or Forefront Identity Manager
-
-    > [!NOTE]
-    > For more information about auditing:
-    > - In Exchange Server, see [Exchange 2010 Security Guide](/previous-versions/office/exchange-server-2010/bb691338(v=exchg.141)).
-    > - In SQL Server 2008, see [Auditing (Database Engine)](/previous-versions/sql/sql-server-2008-r2/cc280526(v=sql.105)).
-    > - In SQL Server 2012, see [SQL Server Audit (Database Engine)](/sql/relational-databases/security/auditing/sql-server-audit-database-engine).
-
--   The operating system versions
-
-    > [!NOTE]
-    > The operating system version determines which auditing options are available and the volume of audit event data.
-
--   The business value of the data
-
-For example, a web server that's accessed by external users requires different audit settings than a root certification authority (CA) that's never exposed to the public internet or even to regular users on the organization's network.
-
-The following table illustrates an analysis of computers in an organization.
-
-| Type of computer and applications | Operating system version | Where located |
-| - | - | - |
-| Servers hosting Exchange Server| Windows Server 2008 R2| ExchangeSrv OU|
-| File servers | Windows Server 2012| Separate resource OUs by department and (in some cases) by location|
-| Portable computers  | Windows Vista and Windows 7| Separate portable computer OUs by department and (in some cases) by location|
-| Web servers | Windows Server 2008 R2 | WebSrv OU|
-
-### Regulatory requirements
-
-Many industries and locales have specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, strict guidelines control who can access records and how the records are used. Many countries/regions have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that you can use to comply with these regulations and verify compliance.
-
-For more information, see the [System Center Process Pack for IT GRC](/previous-versions/tn-archive/dd206732(v=technet.10)).
-
-## <a href="" id="bkmk-2"></a>Map your security audit policy to groups of users, computers, and resources
-
-By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the following considerations for using Group Policy to apply security audit policy settings:
-
--   The policy settings you identify can be applied by using one or more GPOs. To create and edit a GPO, use the Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory sites, domains, and OUs, you apply the policy settings in the GPO to the users and computers in those Active Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
--   Decide whether every policy setting that you select should be enforced across the organization or apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers.
--   By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that's linked at a lower level can overwrite inherited policies.
-
-    For example, you might use a domain GPO to assign an organization-wide group of audit settings but want a certain OU to get a defined group of extra settings. To do this assignation, you can link a second GPO to that specific lower-level OU. Then, a sign-in audit setting that's applied at the OU level will override a conflicting sign-in audit setting that's applied at the domain level, unless you've taken special steps to apply Group Policy loopback processing.
-
--   Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to *computer* OUs, not to *user* OUs. But in most cases, you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This functionality enables auditing for a security group that contains only the users you specify.
-
-    For example, you could configure a SACL for a folder called *Payroll Data* on Accounting Server 1. You can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. But, because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder will generate audit events.
-
--   Advanced security audit policy settings were introduced in Windows Server 2008 R2 and Windows 7. These advanced audit policies can only be applied to those operating systems and later versions by using Group Policy.
-
-
-> [!IMPORTANT]
-> Whether you apply advanced audit policies by using Group Policy or logon scripts, don't use both the basic audit policy settings under **Local Policies\Audit Policy** and the advanced settings under **Security Settings\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting.
-
-If you use **Advanced Audit Policy Configuration** settings or logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This configuration will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
-
-
-The following examples show how you can apply audit policies to an organization's OU structure:
-
--   Apply data activity settings to an OU that contains file servers. If your organization has servers that contain sensitive data, consider putting them in a separate OU. Then you can configure and apply a more precise audit policy to these servers.
--   Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs by department, consider applying more-detailed security permissions on critical resources that are accessed by employees who work in more-sensitive areas, such as network administrators or the legal department.
--   Apply network and system activity audit policies to OUs that contain the organization's most critical servers, such as domain controllers, CAs, email servers, or database servers.
-
-## <a href="" id="bkmk-3"></a>Map your security auditing goals to a security audit policy configuration
-
-After you identify your security auditing goals, you can map them to a security audit policy configuration. This audit policy configuration must address your security auditing goals. But it also must reflect your organization's constraints, such as the numbers of:
-- Computers that need to be monitored
-- Activities that you want to audit
-- Audit events that your audit configuration will generate
-- Administrators available to analyze and act upon audit data
-
-To create your audit policy configuration, you need to:
-
-1.  Explore all the audit policy settings that can be used to address your needs.
-1.  Choose the audit settings that will most effectively address the audit requirements there were identified in the previous section.
-1.  Confirm that the settings that you choose are compatible with the operating systems running on the computers that you want to monitor.
-1.  Decide which configuration options (*success*, *failure*, or both *success* and *failure*) you want to use for the audit settings.
-1.  Deploy the audit settings in a lab or test environment to verify that they meet your desired results for volume, supportability, and comprehensiveness. Then, deploy the audit settings in a pilot production environment to check that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data.
-
-### Explore audit policy options
-
-You can view and configure security audit policy settings in the supported versions of Windows in the following locations:
-
--   *Security Settings\\Local Policies\\Audit Policy*
--   *Security Settings\\Local Policies\\Security Options*
--   *Security Settings\\Advanced Audit Policy Configuration*
-
-For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
-
-### Choose audit settings to use
-
-Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under *Security Settings\\Advanced Audit Policy Configuration* can be used to monitor the following types of activity:
-
--   Data and resources
--   Users
--   Network
-
-> [!IMPORTANT]
-> Settings that are described in the reference might also provide valuable information about activity audited by another setting. For example, the settings that you use to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status and potentially for how well you're managing the activities of users on the network.
-
-### Data and resource activity
-
-Compromise to an organization's data resources can cause tremendous financial losses, lost prestige, and legal liability. If your organization has critical data resources that must be protected, the following settings can provide valuable monitoring and forensic data:
-
--   **Object Access\\[Audit File Share](audit-file-share.md)**: This policy setting enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated with this setting will vary depending on the number of client computers that try to access the file share. On a file server or domain controller, volume may be high because of SYSVOL access by client computers for policy processing. If you don't need to record routine access by client computers on the file share, you may want to log audit events only for failed attempts to access the file share.
--   **Object Access\\[Audit File System](audit-file-system.md)**: This policy setting determines whether the operating system audits user attempts to access file system objects. Audit events are only generated for objects, such as files and folders, that have configured SACLs, and only if the type of access requested (such as *write*, *read*, or *modify*) and the account that's making the request match the settings in the SACL.
-
-    If *success* auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If *failure* auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that you configured to be monitored.
-
-    > [!NOTE]
-    > To audit user attempts to access all file system objects on a computer, use the *Global Object Access Auditing* settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).
-
--   **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events and only if the attempted handle operation matches the SACL.
-
-    Event volume can be high, depending on how the SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy setting, the **Audit Handle Manipulation** policy setting can provide useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a *read-only* resource but a user tries to save changes to the file, the audit event will log the event *and* the permissions that were used (or attempted to be used) to save the file changes.
-
--   **Global Object Access Auditing**: Many organizations use security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system. These settings can't be overridden or circumvented.
-
-    > [!IMPORTANT]
-    > The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.
-
-### User activity
-
-The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network. The settings in this section focus on the users who may try to access those resources, including employees, partners, and customers.
-
-In most cases, these attempts are legitimate, and the network needs to make data readily available to legitimate users. But in other cases, employees, partners, and others may try to access resources that they have no legitimate reason to access. You can use security auditing to track various user activities on a particular computer to diagnose and resolve problems for legitimate users and to identify and address illegitimate activities. The following are important settings that you should evaluate to track user activity on your network:
-
--   **Account Logon\\[Audit Credential Validation](audit-credential-validation.md)**: This setting enables you to track all successful and unsuccessful sign-in attempts. A pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid. Or the user or app is trying to use various credentials in succession in hope that one of these attempts will eventually succeed. These events occur on the computer that's authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
--   **Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md)**: These policy settings enable you to monitor the applications that a user opens and close on a computer.
--   **DS Access\\[Audit Directory Service Access](audit-directory-service-access.md)** and **DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md)**: These policy settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it's important to identify malicious attempts to modify these objects. Also, although domain administrators should be among an organization's most trusted employees, the use of the **Audit Directory Service Access** and **Audit Directory Service Changes** settings enables you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers.
--   **Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md)**: Another common security scenario occurs when a user attempts to sign in with an account that's been locked out. It's important to identify these events and to determine whether the attempt to use an account that was locked out is malicious.
--   **Logon/Logoff\\[Audit Logoff](audit-logoff.md)** and **Logon/Logoff\\[Audit Logon](audit-logon.md)**: Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated.
-
-    > [!NOTE]
-    > There's no failure event for logoff activity, because failed logoffs (such as when a system abruptly shuts down) don't generate an audit record. Logoff events aren't 100-percent reliable. For example, a computer can be turned off without a proper logoff and shut down, so a logoff event isn't generated.
-
--   **Logon/Logoff\\[Audit Special Logon](audit-special-logon.md)**: A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It's recommended to track these types of logons.
--   **Object Access\\[Audit Certification Services](audit-certification-services.md)**: This policy setting enables you to monitor activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users do these tasks and only authorized or desirable tasks are done.
--   **Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md)**: These policy settings are described in the previous section.
--   **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting and its role in providing "reason for access" audit data is described in the previous section.
--   **Object Access\\[Audit Registry](audit-registry.md)**: Monitoring for changes to the registry is one of the best ways for administrators to ensure that malicious users don't make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs and only if the type of access that's requested, such as *write*, *read*, or *modify*, and the account making the request match the settings in the SACL.
-
-    > [!IMPORTANT]
-    > On critical systems where all attempts to change registry settings should be tracked, you can combine the **Audit Registry** and **Global Object Access Auditing** policy settings to track all attempts to modify registry settings on a computer.
-
--   **Object Access\\[Audit SAM](audit-sam.md)**: The Security Accounts Manager (SAM) is a database on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events.
--   **Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)**: These policy settings and audit events enable you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made.
-
-### Network activity
-
-The following network activity policy settings enable you to monitor security-related issues that aren't necessarily covered in the data or user-activity categories but that can be important for network status and protection.
-
-- **Account Management**: Use the policy settings in this category to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities complements the monitoring strategies you select in the [User activity](#user-activity) and [Data and resource activity](#data-and-resource-activity) sections.
-- **Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)**: Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting enables you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting enables you to monitor the use of Kerberos service tickets.
-
-    >[!NOTE]
-    >**Account Logon** policy settings apply only to specific domain account activities, regardless of which computer is accessed. **Logon/Logoff** policy settings apply to the computer that hosts the resources that are accessed.
-
--   **Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md)**: This policy setting can be used to track various network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections.
--   **DS Access**: Policy settings in this category enable you to monitor AD DS role services. These services provide account data, validate logons, maintain network access permissions, and provide other functionality that's critical to secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. One of the key tasks that AD DS performs is replication of data between domain controllers.
--   **Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)**, **Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md)**, and **Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)**: Networks often support many external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the internet. It enables network-level peer authentication, data origin authentication, data integrity checks, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly.
--   **Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md)**: Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is trying to circumvent these protections.
--   **Policy Change**: These policy settings and events enable you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, monitoring any changes or attempted changes to these policies can be an important aspect of security management for a network.
--   **Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md)**: This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network can't be detected.
--   **Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)**: This policy setting can be used to monitor various changes to an organization's IPsec policies.
--   **Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)**: This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it's protected against network attacks.
-
-### Confirm operating system version compatibility
-
-Not all versions of Windows support advanced audit policy settings or the use of Group Policy to manage these settings. For more information, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md).
-
-The audit policy settings under **Local Policies\\Audit Policy** overlap with the audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories enable you to focus your auditing efforts on critical activities while reducing the amount of audit data that's less important to your organization.
-
-For example, **Local Policies\\Audit Policy** contains a single setting called **[Audit account logon events](/previous-versions/windows/it-pro/windows-server-2003/cc787176(v=ws.10))**. When this setting is configured, it generates at least 10 types of audit events.
-
-In comparison, the Account Logon category under **Security Settings\\Advanced Audit Policy Configuration** provides the following advanced settings, which allow you to focus your auditing:
-
--   Credential Validation
--   Kerberos Authentication Service
--   Kerberos Service Ticket Operations
--   Other Account Logon Events
-
-These settings enable you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible.
-
-### *Success*, *failure*, or both
-
-Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails or succeeds or both successes *and* failures. This question is an important one. The answer depends on the criticality of the event and the implications of the decision for event volume.
-
-For example, on a file server that's accessed frequently by legitimate users, you may want to log an event only when an *unsuccessful* attempt to access data takes place, because this access failure could be evidence of an unauthorized or malicious user. In this case, logging *successful* attempts to access the server would quickly fill the event log with benign events.
-
-But if the file share has sensitive information, such as trade secrets, you may want to log every access attempt so that you have an audit trail of every user who tries to access the resource.
-
-## <a href="" id="bkmk-4"></a>Plan for security audit monitoring and management
-
-Networks may contain hundreds of servers that run critical services or store critical data, all of which need to be monitored. There may be tens or even hundreds of thousands of computers on the network. These numbers may not be an issue if the ratio of servers or client computers per administrator is low. And even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how the administrator will obtain event data to review. Following are some options for obtaining the event data.
-
--   Will you keep event data on a local computer until an administrator signs in to review this data? If so, the administrator needs to have physical or remote access to the Event Viewer on each client computer or server. And the remote access and firewall settings on each client computer or server need to be configured to enable this access. You also need to decide how often the administrator can visit each computer, and adjust the size of the audit log so that critical information isn't deleted if the log reaches capacity.
--   Will you collect event data so that it can be reviewed from a central console? If so, there are many computer management products, such as the Audit Collection Services in Microsoft Operations Manager 2007 and 2012, that you can use to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this method can make it more difficult to detect clusters of related events that can occur on a single computer.
-
-In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what happens when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and select **Properties**. You can configure the following properties:
-
--   **Overwrite events as needed (oldest events first)**: This option is the default one, which is acceptable in most situations.
--   **Archive the log when full, do not overwrite events**: This option can be used when all log data needs to be saved. But the scenario suggests that you may not be reviewing audit data frequently enough.
--   **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you don't want to lose any audit data, don't want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached.
-
-You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following location in the GPMC: **Computer
-Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include:
-
--   **Maximum Log Size (KB)**: This policy setting specifies the maximum size of the log files. In the Local Group Policy Editor and Event Viewer, you can enter values as large as 2 TB. If this setting isn't configured, event logs have a default maximum size of 20 megabytes.
-
--   **Log Access**: This policy setting determines which user accounts have access to log files and what usage rights are granted.
--   **Retain old events**: This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events aren't written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events.
--   **Backup log automatically when full**: This policy setting controls event log behavior when the log file reaches its maximum size. It takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it's full. A new log file is then started. If you disable or don't configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded, and the old events are retained.
-
-Many organizations are now required to store archived log files for many years. Consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](/previous-versions/tn-archive/dd206732(v=technet.10)).
-
-## <a href="" id="bkmk-5"></a>Deploy the security audit policy
-
-Before deploying the audit policy in a production environment, it's critical that you determine the effects of the policy settings that you've configured.
-
-The first step in assessing your audit policy deployment is to create a test environment in a lab. Use it to simulate the various use scenarios that you identified to confirm that the audit settings you selected are configured correctly and generate the type of results you want.
-
-However, unless you can run fairly realistic simulations of network usage patterns, a lab setup can't provide accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve:
-
--   A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location
--   A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**
--   A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings
-
-After you successfully complete one or more limited deployments, you should confirm that the audit data that's collected is manageable with your management tools and administrators. After you confirm that the pilot deployment is effective, you need to ensure that you have the necessary tools and staff to expand the deployment to include more OUs and sets of audit policy settings until production deployment is complete.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
deleted file mode 100644
index e411afa653..0000000000
--- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: Registry (Global Object Access Auditing)
-description: The Advanced Security Audit policy setting, Registry (Global Object Access Auditing), enables you to configure a global system access control list (SACL).
-ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Registry (Global Object Access Auditing)
-
-
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Registry (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the registry of a computer.
-
-If you select the **Configure security** check box on this policy’s property page, you can add a user or group to the global SACL. This enables you to define computer system access control lists (SACLs) per object type for the registry. The specified SACL is then automatically applied to every registry object type.
-
-This policy setting must be used in combination with the **Registry** security policy setting under Object Access. For more info, see [Audit Registry](audit-registry.md).
-
-## Related topics
-
-- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md
deleted file mode 100644
index 250f523977..0000000000
--- a/windows/security/threat-protection/auditing/security-auditing-overview.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Security auditing
-description: Learn about security auditing features in Windows, and how your organization can benefit from using them to make your network more secure and easily managed.
-ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Security auditing
-
-
-Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.
-
-## <a href="" id="bkmk-over"></a>
-
-Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you've determined to be valuable in your risk assessment.
-
-## In this section
-
-| Topic | Description |
-| - | - |
-|[Basic security audit policies](basic-security-audit-policies.md) |Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. |
-|[Advanced security audit policies](advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently. |
diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
deleted file mode 100644
index bc12d22422..0000000000
--- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Using advanced security auditing options to monitor dynamic access control objects
-description: Domain admins can set up advanced security audit options in Windows 10 to target specific users, or monitor potentially significant activity on multiple devices
-ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Using advanced security auditing options to monitor dynamic access control objects
-
-
-This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
-
-These procedures can be deployed with the advanced security auditing capabilities described in [Deploy Security Auditing with Central Audit Policies (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-security-auditing-with-central-audit-policies--demonstration-steps-).
-
-## In this guide
-
-Domain administrators can create and deploy expression-based security audit policies by using file classification information (resource attributes), user claims, and device claims to target specific users and resources to monitor potentially significant activities on one or more computers. These policies can be deployed centrally by using Group Policy, or directly on a computer, in a folder, or in individual files.
-
-## In this section
-
-| Topic | Description |
-| - | - |
-| [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md) | This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management. |
-| [Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md) | This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. |
-| [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)| This topic for the IT professional describes how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects.|
-| [Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md) | This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. |
-| [Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)| This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you're using advanced security auditing options to monitor dynamic access control objects. |
-| [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you're using advanced security auditing options to monitor dynamic access control objects. |
-| [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects. |
-| [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.|
-
->**Important:**  This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment.
-
-## Related topics
-
-- [Security auditing](security-auditing-overview.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
deleted file mode 100644
index 49c2f8a769..0000000000
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: View the security event log
-description: The security log records each event as defined by the audit policies you set on each object.
-ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.collection:
-  - highpri
-  - tier3
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# View the security event log
-
-
-The security log records each event as defined by the audit policies you set on each object.
-
-**To view the security log**
-
-1.  Open Event Viewer.
-2.  In the console tree, expand **Windows Logs**, and then click **Security**. The results pane lists individual security events.
-3.  If you want to see more details about a specific event, in the results pane, click the event.
diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
deleted file mode 100644
index 543c3f0dbc..0000000000
--- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Which editions of Windows support advanced audit policy configuration
-description: This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies.
-ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31
-ms.reviewer:
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/09/2021
----
-
-# Which editions of Windows support advanced audit policy configuration
-
-
-Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista.
-There's no difference in security auditing support between 32-bit and 64-bit versions.
-Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features.
-