Merge pull request #9635 from MicrosoftDocs/main

Publish main to live, Friday 10:30 AM PST, 02/23
Stacyrch140 2024-02-23 13:40:24 -05:00 committed by GitHub
commit 500fd6fb3e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
555 changed files with 1735 additions and 35644 deletions

File diff suppressed because it is too large


@ -1,767 +0,0 @@
- name: Security auditing
href: security-auditing-overview.md
items:
- name: Basic security audit policies
href: basic-security-audit-policies.md
items:
- name: Create a basic audit policy for an event category
href: create-a-basic-audit-policy-settings-for-an-event-category.md
- name: Apply a basic audit policy on a file or folder
href: apply-a-basic-audit-policy-on-a-file-or-folder.md
- name: View the security event log
href: view-the-security-event-log.md
- name: Basic security audit policy settings
href: basic-security-audit-policy-settings.md
items:
- name: Audit account logon events
href: basic-audit-account-logon-events.md
- name: Audit account management
href: basic-audit-account-management.md
- name: Audit directory service access
href: basic-audit-directory-service-access.md
- name: Audit logon events
href: basic-audit-logon-events.md
- name: Audit object access
href: basic-audit-object-access.md
- name: Audit policy change
href: basic-audit-policy-change.md
- name: Audit privilege use
href: basic-audit-privilege-use.md
- name: Audit process tracking
href: basic-audit-process-tracking.md
- name: Audit system events
href: basic-audit-system-events.md
- name: Advanced security audit policies
href: advanced-security-auditing.md
items:
- name: Planning and deploying advanced security audit policies
href: planning-and-deploying-advanced-security-audit-policies.md
- name: Advanced security auditing FAQ
href: advanced-security-auditing-faq.yml
items:
- name: Which editions of Windows support advanced audit policy configuration
href: which-editions-of-windows-support-advanced-audit-policy-configuration.md
- name: How to list XML elements in \<EventData>
href: how-to-list-xml-elements-in-eventdata.md
- name: Using advanced security auditing options to monitor dynamic access control objects
href: using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
items:
- name: Monitor the central access policies that apply on a file server
href: monitor-the-central-access-policies-that-apply-on-a-file-server.md
- name: Monitor the use of removable storage devices
href: monitor-the-use-of-removable-storage-devices.md
- name: Monitor resource attribute definitions
href: monitor-resource-attribute-definitions.md
- name: Monitor central access policy and rule definitions
href: monitor-central-access-policy-and-rule-definitions.md
- name: Monitor user and device claims during sign-in
href: monitor-user-and-device-claims-during-sign-in.md
- name: Monitor the resource attributes on files and folders
href: monitor-the-resource-attributes-on-files-and-folders.md
- name: Monitor the central access policies associated with files and folders
href: monitor-the-central-access-policies-associated-with-files-and-folders.md
- name: Monitor claim types
href: monitor-claim-types.md
- name: Advanced security audit policy settings
href: advanced-security-audit-policy-settings.md
items:
- name: Audit Credential Validation
href: audit-credential-validation.md
- name: "Event 4774 S, F: An account was mapped for logon."
href: event-4774.md
- name: "Event 4775 F: An account could not be mapped for logon."
href: event-4775.md
- name: "Event 4776 S, F: The computer attempted to validate the credentials for an account."
href: event-4776.md
- name: "Event 4777 F: The domain controller failed to validate the credentials for an account."
href: event-4777.md
- name: Audit Kerberos Authentication Service
href: audit-kerberos-authentication-service.md
items:
- name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested."
href: event-4768.md
- name: "Event 4771 F: Kerberos pre-authentication failed."
href: event-4771.md
- name: "Event 4772 F: A Kerberos authentication ticket request failed."
href: event-4772.md
- name: Audit Kerberos Service Ticket Operations
href: audit-kerberos-service-ticket-operations.md
items:
- name: "Event 4769 S, F: A Kerberos service ticket was requested."
href: event-4769.md
- name: "Event 4770 S: A Kerberos service ticket was renewed."
href: event-4770.md
- name: "Event 4773 F: A Kerberos service ticket request failed."
href: event-4773.md
- name: Audit Other Account Logon Events
href: audit-other-account-logon-events.md
- name: Audit Application Group Management
href: audit-application-group-management.md
- name: Audit Computer Account Management
href: audit-computer-account-management.md
items:
- name: "Event 4741 S: A computer account was created."
href: event-4741.md
- name: "Event 4742 S: A computer account was changed."
href: event-4742.md
- name: "Event 4743 S: A computer account was deleted."
href: event-4743.md
- name: Audit Distribution Group Management
href: audit-distribution-group-management.md
items:
- name: "Event 4749 S: A security-disabled global group was created."
href: event-4749.md
- name: "Event 4750 S: A security-disabled global group was changed."
href: event-4750.md
- name: "Event 4751 S: A member was added to a security-disabled global group."
href: event-4751.md
- name: "Event 4752 S: A member was removed from a security-disabled global group."
href: event-4752.md
- name: "Event 4753 S: A security-disabled global group was deleted."
href: event-4753.md
- name: Audit Other Account Management Events
href: audit-other-account-management-events.md
items:
- name: "Event 4782 S: The password hash of an account was accessed."
href: event-4782.md
- name: "Event 4793 S: The Password Policy Checking API was called."
href: event-4793.md
- name: Audit Security Group Management
href: audit-security-group-management.md
items:
- name: "Event 4731 S: A security-enabled local group was created."
href: event-4731.md
- name: "Event 4732 S: A member was added to a security-enabled local group."
href: event-4732.md
- name: "Event 4733 S: A member was removed from a security-enabled local group."
href: event-4733.md
- name: "Event 4734 S: A security-enabled local group was deleted."
href: event-4734.md
- name: "Event 4735 S: A security-enabled local group was changed."
href: event-4735.md
- name: "Event 4764 S: A group<75>s type was changed."
href: event-4764.md
- name: "Event 4799 S: A security-enabled local group membership was enumerated."
href: event-4799.md
- name: Audit User Account Management
href: audit-user-account-management.md
items:
- name: "Event 4720 S: A user account was created."
href: event-4720.md
- name: "Event 4722 S: A user account was enabled."
href: event-4722.md
- name: "Event 4723 S, F: An attempt was made to change an account's password."
href: event-4723.md
- name: "Event 4724 S, F: An attempt was made to reset an account's password."
href: event-4724.md
- name: "Event 4725 S: A user account was disabled."
href: event-4725.md
- name: "Event 4726 S: A user account was deleted."
href: event-4726.md
- name: "Event 4738 S: A user account was changed."
href: event-4738.md
- name: "Event 4740 S: A user account was locked out."
href: event-4740.md
- name: "Event 4765 S: SID History was added to an account."
href: event-4765.md
- name: "Event 4766 F: An attempt to add SID History to an account failed."
href: event-4766.md
- name: "Event 4767 S: A user account was unlocked."
href: event-4767.md
- name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups."
href: event-4780.md
- name: "Event 4781 S: The name of an account was changed."
href: event-4781.md
- name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password."
href: event-4794.md
- name: "Event 4798 S: A user's local group membership was enumerated."
href: event-4798.md
- name: "Event 5376 S: Credential Manager credentials were backed up."
href: event-5376.md
- name: "Event 5377 S: Credential Manager credentials were restored from a backup."
href: event-5377.md
- name: Audit DPAPI Activity
href: audit-dpapi-activity.md
items:
- name: "Event 4692 S, F: Backup of data protection master key was attempted."
href: event-4692.md
- name: "Event 4693 S, F: Recovery of data protection master key was attempted."
href: event-4693.md
- name: "Event 4694 S, F: Protection of auditable protected data was attempted."
href: event-4694.md
- name: "Event 4695 S, F: Unprotection of auditable protected data was attempted."
href: event-4695.md
- name: Audit PNP Activity
href: audit-pnp-activity.md
items:
- name: "Event 6416 S: A new external device was recognized by the System."
href: event-6416.md
- name: "Event 6419 S: A request was made to disable a device."
href: event-6419.md
- name: "Event 6420 S: A device was disabled."
href: event-6420.md
- name: "Event 6421 S: A request was made to enable a device."
href: event-6421.md
- name: "Event 6422 S: A device was enabled."
href: event-6422.md
- name: "Event 6423 S: The installation of this device is forbidden by system policy."
href: event-6423.md
- name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy."
href: event-6424.md
- name: Audit Process Creation
href: audit-process-creation.md
items:
- name: "Event 4688 S: A new process has been created."
href: event-4688.md
- name: "Event 4696 S: A primary token was assigned to process."
href: event-4696.md
- name: Audit Process Termination
href: audit-process-termination.md
items:
- name: "Event 4689 S: A process has exited."
href: event-4689.md
- name: Audit RPC Events
href: audit-rpc-events.md
items:
- name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted."
href: event-5712.md
- name: Audit Token Right Adjusted
href: audit-token-right-adjusted.md
items:
- name: "Event 4703 S: A user right was adjusted."
href: event-4703.md
- name: Audit Detailed Directory Service Replication
href: audit-detailed-directory-service-replication.md
items:
- name: "Event 4928 S, F: An Active Directory replica source naming context was established."
href: event-4928.md
- name: "Event 4929 S, F: An Active Directory replica source naming context was removed."
href: event-4929.md
- name: "Event 4930 S, F: An Active Directory replica source naming context was modified."
href: event-4930.md
- name: "Event 4931 S, F: An Active Directory replica destination naming context was modified."
href: event-4931.md
- name: "Event 4934 S: Attributes of an Active Directory object were replicated."
href: event-4934.md
- name: "Event 4935 F: Replication failure begins."
href: event-4935.md
- name: "Event 4936 S: Replication failure ends."
href: event-4936.md
- name: "Event 4937 S: A lingering object was removed from a replica."
href: event-4937.md
- name: Audit Directory Service Access
href: audit-directory-service-access.md
items:
- name: "Event 4662 S, F: An operation was performed on an object."
href: event-4662.md
- name: "Event 4661 S, F: A handle to an object was requested."
href: event-4661.md
- name: Audit Directory Service Changes
href: audit-directory-service-changes.md
items:
- name: "Event 5136 S: A directory service object was modified."
href: event-5136.md
- name: "Event 5137 S: A directory service object was created."
href: event-5137.md
- name: "Event 5138 S: A directory service object was undeleted."
href: event-5138.md
- name: "Event 5139 S: A directory service object was moved."
href: event-5139.md
- name: "Event 5141 S: A directory service object was deleted."
href: event-5141.md
- name: Audit Directory Service Replication
href: audit-directory-service-replication.md
items:
- name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun."
href: event-4932.md
- name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended."
href: event-4933.md
- name: Audit Account Lockout
href: audit-account-lockout.md
items:
- name: "Event 4625 F: An account failed to log on."
href: event-4625.md
- name: Audit User/Device Claims
href: audit-user-device-claims.md
items:
- name: "Event 4626 S: User/Device claims information."
href: event-4626.md
- name: Audit Group Membership
href: audit-group-membership.md
items:
- name: "Event 4627 S: Group membership information."
href: event-4627.md
- name: Audit IPsec Extended Mode
href: audit-ipsec-extended-mode.md
- name: Audit IPsec Main Mode
href: audit-ipsec-main-mode.md
- name: Audit IPsec Quick Mode
href: audit-ipsec-quick-mode.md
- name: Audit Logoff
href: audit-logoff.md
items:
- name: "Event 4634 S: An account was logged off."
href: event-4634.md
- name: "Event 4647 S: User initiated logoff."
href: event-4647.md
- name: Audit Logon
href: audit-logon.md
items:
- name: "Event 4624 S: An account was successfully logged on."
href: event-4624.md
- name: "Event 4625 F: An account failed to log on."
href: event-4625.md
- name: "Event 4648 S: A logon was attempted using explicit credentials."
href: event-4648.md
- name: "Event 4675 S: SIDs were filtered."
href: event-4675.md
- name: Audit Network Policy Server
href: audit-network-policy-server.md
- name: Audit Other Logon/Logoff Events
href: audit-other-logonlogoff-events.md
items:
- name: "Event 4649 S: A replay attack was detected."
href: event-4649.md
- name: "Event 4778 S: A session was reconnected to a Window Station."
href: event-4778.md
- name: "Event 4779 S: A session was disconnected from a Window Station."
href: event-4779.md
- name: "Event 4800 S: The workstation was locked."
href: event-4800.md
- name: "Event 4801 S: The workstation was unlocked."
href: event-4801.md
- name: "Event 4802 S: The screen saver was invoked."
href: event-4802.md
- name: "Event 4803 S: The screen saver was dismissed."
href: event-4803.md
- name: "Event 5378 F: The requested credentials delegation was disallowed by policy."
href: event-5378.md
- name: "Event 5632 S, F: A request was made to authenticate to a wireless network."
href: event-5632.md
- name: "Event 5633 S, F: A request was made to authenticate to a wired network."
href: event-5633.md
- name: Audit Special Logon
href: audit-special-logon.md
items:
- name: "Event 4964 S: Special groups have been assigned to a new logon."
href: event-4964.md
- name: "Event 4672 S: Special privileges assigned to new logon."
href: event-4672.md
- name: Audit Application Generated
href: audit-application-generated.md
- name: Audit Certification Services
href: audit-certification-services.md
- name: Audit Detailed File Share
href: audit-detailed-file-share.md
items:
- name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access."
href: event-5145.md
- name: Audit File Share
href: audit-file-share.md
items:
- name: "Event 5140 S, F: A network share object was accessed."
href: event-5140.md
- name: "Event 5142 S: A network share object was added."
href: event-5142.md
- name: "Event 5143 S: A network share object was modified."
href: event-5143.md
- name: "Event 5144 S: A network share object was deleted."
href: event-5144.md
- name: "Event 5168 F: SPN check for SMB/SMB2 failed."
href: event-5168.md
- name: Audit File System
href: audit-file-system.md
items:
- name: "Event 4656 S, F: A handle to an object was requested."
href: event-4656.md
- name: "Event 4658 S: The handle to an object was closed."
href: event-4658.md
- name: "Event 4660 S: An object was deleted."
href: event-4660.md
- name: "Event 4663 S: An attempt was made to access an object."
href: event-4663.md
- name: "Event 4664 S: An attempt was made to create a hard link."
href: event-4664.md
- name: "Event 4985 S: The state of a transaction has changed."
href: event-4985.md
- name: "Event 5051: A file was virtualized."
href: event-5051.md
- name: "Event 4670 S: Permissions on an object were changed."
href: event-4670.md
- name: Audit Filtering Platform Connection
href: audit-filtering-platform-connection.md
items:
- name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network."
href: event-5031.md
- name: "Event 5150: The Windows Filtering Platform blocked a packet."
href: event-5150.md
- name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet."
href: event-5151.md
- name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections."
href: event-5154.md
- name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections."
href: event-5155.md
- name: "Event 5156 S: The Windows Filtering Platform has permitted a connection."
href: event-5156.md
- name: "Event 5157 F: The Windows Filtering Platform has blocked a connection."
href: event-5157.md
- name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port."
href: event-5158.md
- name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port."
href: event-5159.md
- name: Audit Filtering Platform Packet Drop
href: audit-filtering-platform-packet-drop.md
items:
- name: "Event 5152 F: The Windows Filtering Platform blocked a packet."
href: event-5152.md
- name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet."
href: event-5153.md
- name: Audit Handle Manipulation
href: audit-handle-manipulation.md
items:
- name: "Event 4690 S: An attempt was made to duplicate a handle to an object."
href: event-4690.md
- name: Audit Kernel Object
href: audit-kernel-object.md
items:
- name: "Event 4656 S, F: A handle to an object was requested."
href: event-4656.md
- name: "Event 4658 S: The handle to an object was closed."
href: event-4658.md
- name: "Event 4660 S: An object was deleted."
href: event-4660.md
- name: "Event 4663 S: An attempt was made to access an object."
href: event-4663.md
- name: Audit Other Object Access Events
href: audit-other-object-access-events.md
items:
- name: "Event 4671: An application attempted to access a blocked ordinal through the TBS."
href: event-4671.md
- name: "Event 4691 S: Indirect access to an object was requested."
href: event-4691.md
- name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded."
href: event-5148.md
- name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed."
href: event-5149.md
- name: "Event 4698 S: A scheduled task was created."
href: event-4698.md
- name: "Event 4699 S: A scheduled task was deleted."
href: event-4699.md
- name: "Event 4700 S: A scheduled task was enabled."
href: event-4700.md
- name: "Event 4701 S: A scheduled task was disabled."
href: event-4701.md
- name: "Event 4702 S: A scheduled task was updated."
href: event-4702.md
- name: "Event 5888 S: An object in the COM+ Catalog was modified."
href: event-5888.md
- name: "Event 5889 S: An object was deleted from the COM+ Catalog."
href: event-5889.md
- name: "Event 5890 S: An object was added to the COM+ Catalog."
href: event-5890.md
- name: Audit Registry
href: audit-registry.md
items:
- name: "Event 4663 S: An attempt was made to access an object."
href: event-4663.md
- name: "Event 4656 S, F: A handle to an object was requested."
href: event-4656.md
- name: "Event 4658 S: The handle to an object was closed."
href: event-4658.md
- name: "Event 4660 S: An object was deleted."
href: event-4660.md
- name: "Event 4657 S: A registry value was modified."
href: event-4657.md
- name: "Event 5039: A registry key was virtualized."
href: event-5039.md
- name: "Event 4670 S: Permissions on an object were changed."
href: event-4670.md
- name: Audit Removable Storage
href: audit-removable-storage.md
- name: Audit SAM
href: audit-sam.md
items:
- name: "Event 4661 S, F: A handle to an object was requested."
href: event-4661.md
- name: Audit Central Access Policy Staging
href: audit-central-access-policy-staging.md
items:
- name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy."
href: event-4818.md
- name: Audit Audit Policy Change
href: audit-audit-policy-change.md
items:
- name: "Event 4670 S: Permissions on an object were changed."
href: event-4670.md
- name: "Event 4715 S: The audit policy, SACL, on an object was changed."
href: event-4715.md
- name: "Event 4719 S: System audit policy was changed."
href: event-4719.md
- name: "Event 4817 S: Auditing settings on object were changed."
href: event-4817.md
- name: "Event 4902 S: The Per-user audit policy table was created."
href: event-4902.md
- name: "Event 4906 S: The CrashOnAuditFail value has changed."
href: event-4906.md
- name: "Event 4907 S: Auditing settings on object were changed."
href: event-4907.md
- name: "Event 4908 S: Special Groups Logon table modified."
href: event-4908.md
- name: "Event 4912 S: Per User Audit Policy was changed."
href: event-4912.md
- name: "Event 4904 S: An attempt was made to register a security event source."
href: event-4904.md
- name: "Event 4905 S: An attempt was made to unregister a security event source."
href: event-4905.md
- name: Audit Authentication Policy Change
href: audit-authentication-policy-change.md
items:
- name: "Event 4706 S: A new trust was created to a domain."
href: event-4706.md
- name: "Event 4707 S: A trust to a domain was removed."
href: event-4707.md
- name: "Event 4716 S: Trusted domain information was modified."
href: event-4716.md
- name: "Event 4713 S: Kerberos policy was changed."
href: event-4713.md
- name: "Event 4717 S: System security access was granted to an account."
href: event-4717.md
- name: "Event 4718 S: System security access was removed from an account."
href: event-4718.md
- name: "Event 4739 S: Domain Policy was changed."
href: event-4739.md
- name: "Event 4864 S: A namespace collision was detected."
href: event-4864.md
- name: "Event 4865 S: A trusted forest information entry was added."
href: event-4865.md
- name: "Event 4866 S: A trusted forest information entry was removed."
href: event-4866.md
- name: "Event 4867 S: A trusted forest information entry was modified."
href: event-4867.md
- name: Audit Authorization Policy Change
href: audit-authorization-policy-change.md
items:
- name: "Event 4703 S: A user right was adjusted."
href: event-4703.md
- name: "Event 4704 S: A user right was assigned."
href: event-4704.md
- name: "Event 4705 S: A user right was removed."
href: event-4705.md
- name: "Event 4670 S: Permissions on an object were changed."
href: event-4670.md
- name: "Event 4911 S: Resource attributes of the object were changed."
href: event-4911.md
- name: "Event 4913 S: Central Access Policy on the object was changed."
href: event-4913.md
- name: Audit Filtering Platform Policy Change
href: audit-filtering-platform-policy-change.md
- name: Audit MPSSVC Rule-Level Policy Change
href: audit-mpssvc-rule-level-policy-change.md
items:
- name: "Event 4944 S: The following policy was active when the Windows Firewall started."
href: event-4944.md
- name: "Event 4945 S: A rule was listed when the Windows Firewall started."
href: event-4945.md
- name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added."
href: event-4946.md
- name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified."
href: event-4947.md
- name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted."
href: event-4948.md
- name: "Event 4949 S: Windows Firewall settings were restored to the default values."
href: event-4949.md
- name: "Event 4950 S: A Windows Firewall setting has changed."
href: event-4950.md
- name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall."
href: event-4951.md
- name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced."
href: event-4952.md
- name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed."
href: event-4953.md
- name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied."
href: event-4954.md
- name: "Event 4956 S: Windows Firewall has changed the active profile."
href: event-4956.md
- name: "Event 4957 F: Windows Firewall did not apply the following rule."
href: event-4957.md
- name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer."
href: event-4958.md
- name: Audit Other Policy Change Events
href: audit-other-policy-change-events.md
items:
- name: "Event 4714 S: Encrypted data recovery policy was changed."
href: event-4714.md
- name: "Event 4819 S: Central Access Policies on the machine have been changed."
href: event-4819.md
- name: "Event 4826 S: Boot Configuration Data loaded."
href: event-4826.md
- name: "Event 4909: The local policy settings for the TBS were changed."
href: event-4909.md
- name: "Event 4910: The group policy settings for the TBS were changed."
href: event-4910.md
- name: "Event 5063 S, F: A cryptographic provider operation was attempted."
href: event-5063.md
- name: "Event 5064 S, F: A cryptographic context operation was attempted."
href: event-5064.md
- name: "Event 5065 S, F: A cryptographic context modification was attempted."
href: event-5065.md
- name: "Event 5066 S, F: A cryptographic function operation was attempted."
href: event-5066.md
- name: "Event 5067 S, F: A cryptographic function modification was attempted."
href: event-5067.md
- name: "Event 5068 S, F: A cryptographic function provider operation was attempted."
href: event-5068.md
- name: "Event 5069 S, F: A cryptographic function property operation was attempted."
href: event-5069.md
- name: "Event 5070 S, F: A cryptographic function property modification was attempted."
href: event-5070.md
- name: "Event 5447 S: A Windows Filtering Platform filter has been changed."
href: event-5447.md
- name: "Event 6144 S: Security policy in the group policy objects has been applied successfully."
href: event-6144.md
- name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects."
href: event-6145.md
- name: Audit Sensitive Privilege Use
href: audit-sensitive-privilege-use.md
items:
- name: "Event 4673 S, F: A privileged service was called."
href: event-4673.md
- name: "Event 4674 S, F: An operation was attempted on a privileged object."
href: event-4674.md
- name: "Event 4985 S: The state of a transaction has changed."
href: event-4985.md
- name: Audit Non Sensitive Privilege Use
href: audit-non-sensitive-privilege-use.md
items:
- name: "Event 4673 S, F: A privileged service was called."
href: event-4673.md
- name: "Event 4674 S, F: An operation was attempted on a privileged object."
href: event-4674.md
- name: "Event 4985 S: The state of a transaction has changed."
href: event-4985.md
- name: Audit Other Privilege Use Events
href: audit-other-privilege-use-events.md
items:
- name: "Event 4985 S: The state of a transaction has changed."
href: event-4985.md
- name: Audit IPsec Driver
href: audit-ipsec-driver.md
- name: Audit Other System Events
href: audit-other-system-events.md
items:
- name: "Event 5024 S: The Windows Firewall Service has started successfully."
href: event-5024.md
- name: "Event 5025 S: The Windows Firewall Service has been stopped."
href: event-5025.md
- name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy."
href: event-5027.md
- name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy."
href: event-5028.md
- name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy."
href: event-5029.md
- name: "Event 5030 F: The Windows Firewall Service failed to start."
href: event-5030.md
- name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network."
href: event-5032.md
- name: "Event 5033 S: The Windows Firewall Driver has started successfully."
href: event-5033.md
- name: "Event 5034 S: The Windows Firewall Driver was stopped."
href: event-5034.md
- name: "Event 5035 F: The Windows Firewall Driver failed to start."
href: event-5035.md
- name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating."
href: event-5037.md
- name: "Event 5058 S, F: Key file operation."
href: event-5058.md
- name: "Event 5059 S, F: Key migration operation."
href: event-5059.md
- name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content."
href: event-6400.md
- name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded."
href: event-6401.md
- name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted."
href: event-6402.md
- name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client."
href: event-6403.md
- name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate."
href: event-6404.md
- name: "Event 6405: BranchCache: %2 instances of event id %1 occurred."
href: event-6405.md
- name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2."
href: event-6406.md
- name: "Event 6407: 1%."
href: event-6407.md
- name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2."
href: event-6408.md
- name: "Event 6409: BranchCache: A service connection point object could not be parsed."
href: event-6409.md
- name: Audit Security State Change
href: audit-security-state-change.md
items:
- name: "Event 4608 S: Windows is starting up."
href: event-4608.md
- name: "Event 4616 S: The system time was changed."
href: event-4616.md
- name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail."
href: event-4621.md
- name: Audit Security System Extension
href: audit-security-system-extension.md
items:
- name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority."
href: event-4610.md
- name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority."
href: event-4611.md
- name: "Event 4614 S: A notification package has been loaded by the Security Account Manager."
href: event-4614.md
- name: "Event 4622 S: A security package has been loaded by the Local Security Authority."
href: event-4622.md
- name: "Event 4697 S: A service was installed in the system."
href: event-4697.md
- name: Audit System Integrity
href: audit-system-integrity.md
items:
- name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits."
href: event-4612.md
- name: "Event 4615 S: Invalid use of LPC port."
href: event-4615.md
- name: "Event 4618 S: A monitored security event pattern has occurred."
href: event-4618.md
- name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message."
href: event-4816.md
- name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid."
href: event-5038.md
- name: "Event 5056 S: A cryptographic self-test was performed."
href: event-5056.md
- name: "Event 5062 S: A kernel-mode cryptographic self-test was performed."
href: event-5062.md
- name: "Event 5057 F: A cryptographic primitive operation failed."
href: event-5057.md
- name: "Event 5060 F: Verification operation failed."
href: event-5060.md
- name: "Event 5061 S, F: Cryptographic operation."
href: event-5061.md
- name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid."
href: event-6281.md
- name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process."
href: event-6410.md
- name: Other Events
href: other-events.md
items:
- name: "Event 1100 S: The event logging service has shut down."
href: event-1100.md
- name: "Event 1102 S: The audit log was cleared."
href: event-1102.md
- name: "Event 1104 S: The security log is now full."
href: event-1104.md
- name: "Event 1105 S: Event log automatic backup."
href: event-1105.md
- name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1."
href: event-1108.md
- name: "Appendix A: Security monitoring recommendations for many audit events"
href: appendix-a-security-monitoring-recommendations-for-many-audit-events.md
- name: Registry (Global Object Access Auditing)
href: registry-global-object-access-auditing.md
- name: File System (Global Object Access Auditing)
href: file-system-global-object-access-auditing.md
- name: Windows security
href: /windows/security/
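Review bot: removing these TOC nodes (Audit Security State Change through the two Global Object Access Auditing pages) deletes the only navigation entries for a large set of per-event reference pages, e.g. `event-4697.md` (A service was installed in the system) and `event-1102.md` (The audit log was cleared), which defenders commonly link to from detection content; unless those .md files are removed in the same change and each removed path gets a redirect entry, they remain published but orphaned, and if the TOC is being relocated the replacement node with the same `href` values should be part of this PR. Minor: the last node uses a site-absolute `href: /windows/security/` while every other entry is a relative path, which is worth keeping consistent in whatever replaces this TOC.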

View File

@ -1,174 +0,0 @@
---
title: Advanced security audit policy settings
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Advanced security audit policy settings (Windows 10)
This reference for IT professionals provides information about:
- The advanced audit policy settings available in Windows
- The audit events that these settings generate.
The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
- The correct system access control list (SACL) - as a verifiable safeguard against undetected access - is applied to either of the following:
- every file and folder
- registry key on a computer
- file share.
You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy.
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for the following types of behaviors:
- That are of little or no concern to you
- That create an excessive number of log entries.
In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
## Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, Account Logon settings and events focus on the account database that is used. This category includes the following subcategories:
- [Audit Credential Validation](audit-credential-validation.md)
- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Account Logon Events](audit-other-account-logon-events.md)
## Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
- [Audit Application Group Management](audit-application-group-management.md)
- [Audit Computer Account Management](audit-computer-account-management.md)
- [Audit Distribution Group Management](audit-distribution-group-management.md)
- [Audit Other Account Management Events](audit-other-account-management-events.md)
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit User Account Management](audit-user-account-management.md)
## Detailed Tracking
Detailed Tracking security policy settings and audit events can be used for the following purposes:
- To monitor the activities of individual applications and users on that computer
- To understand how a computer is being used.
This category includes the following subcategories:
- [Audit DPAPI Activity](audit-dpapi-activity.md)
- [Audit PNP activity](audit-pnp-activity.md)
- [Audit Process Creation](audit-process-creation.md)
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
- [Audit Token Right Adjusted](audit-token-right-adjusted.md)
## DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
- [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
- [Audit Directory Service Access](audit-directory-service-access.md)
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
## Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
- [Audit Account Lockout](audit-account-lockout.md)
- [Audit User/Device Claims](audit-user-device-claims.md)
- [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
- [Audit Group Membership](audit-group-membership.md)
- [Audit IPsec Main Mode](audit-ipsec-main-mode.md)
- [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)
- [Audit Logoff](audit-logoff.md)
- [Audit Logon](audit-logon.md)
- [Audit Network Policy Server](audit-network-policy-server.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Special Logon](audit-special-logon.md)
## Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations; the Registry subcategory needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
This category includes the following subcategories:
- [Audit Application Generated](audit-application-generated.md)
- [Audit Certification Services](audit-certification-services.md)
- [Audit Detailed File Share](audit-detailed-file-share.md)
- [Audit File Share](audit-file-share.md)
- [Audit File System](audit-file-system.md)
- [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
- [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
- [Audit Handle Manipulation](audit-handle-manipulation.md)
- [Audit Kernel Object](audit-kernel-object.md)
- [Audit Other Object Access Events](audit-other-object-access-events.md)
- [Audit Registry](audit-registry.md)
- [Audit Removable Storage](audit-removable-storage.md)
- [Audit SAM](audit-sam.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
## Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, tracking changes (or its attempts) to these policies is an important aspect of security management for a network. This category includes the following subcategories:
- [Audit Audit Policy Change](audit-audit-policy-change.md)
- [Audit Authentication Policy Change](audit-authentication-policy-change.md)
- [Audit Authorization Policy Change](audit-authorization-policy-change.md)
- [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
## Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
- [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
## System
System security policy settings and audit events allow you to track the following types of system-level changes to a computer:
- Not included in other categories
- Have potential security implications.
This category includes the following subcategories:
- [Audit IPsec Driver](audit-ipsec-driver.md)
- [Audit Other System Events](audit-other-system-events.md)
- [Audit Security State Change](audit-security-state-change.md)
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit System Integrity](audit-system-integrity.md)
## Global Object Access Auditing
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Auditors can prove that every resource in the system is protected by an audit policy. They can do this task by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
Resource SACLs are also useful for diagnostic scenarios. For example, administrators quickly identify which object in a system is denying a user access by:
- Setting the Global Object Access Auditing policy to log all the activities for a specific user
- Enabling the policy to track "Access denied" events for the file system or registry can help
> [!NOTE]
> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
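Review bot: this hunk deletes advanced-security-audit-policy-settings.md in full (`@ -1,174 +0,0 @@`), and the same relative path is linked from three other files in this diff (the FAQ's "Where can I find information" answer, the hub page's table, and the appendix's first sentence), so inbound links from outside the diff, including the `#global-object-access-auditing` anchor the page itself relies on in the Object Access section, need a redirect entry rather than silently returning 404. The page also carries guidance that should survive somewhere, notably the NOTE that the effective SACL is the combination of the object's own SACL and the Global Object Access Auditing policy (an event fires if either matches), and the per-category list of subcategories; please name the destination page in the PR description so reviewers can confirm nothing is lost.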

View File

@ -1,175 +0,0 @@
### YamlMime:FAQ
metadata:
title: Advanced security auditing FAQ
description: This article lists common questions and answers about understanding, deploying, and managing security audit policies.
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.topic: faq
ms.date: 05/24/2022
title: Advanced security auditing FAQ
summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
sections:
- name: Ignored
questions:
- question: |
What is Windows security auditing and why might I want to use it?
answer: |
Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is the features and services for an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
- question: |
What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
answer: |
The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they're recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you're editing the effective audit policy. Changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
There are several other differences between the security audit policy settings in these two locations.
There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy
Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account sign-in, and the advanced audit policy provides four. Enabling the single basic setting would be the equivalent of setting all four advanced settings. In comparison, setting a single advanced audit policy setting doesn't generate audit events for activities that you aren't interested in tracking.
In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account sign-in activities. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** and the advanced audit policy settings are available in all supported versions of Windows.
- question: |
What is the interaction between basic audit policy settings and advanced audit policy settings?
answer: |
Basic audit policy settings aren't compatible with advanced audit policy settings that are applied by using group policy. When advanced audit policy settings are applied by using group policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using group policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
Editing and applying the advanced audit policy settings in Local Security Policy modifies the local group policy object (GPO). If there are policies from other domain GPOs or logon scripts, changes made here may not be exactly reflected in Auditpol.exe. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. Because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain group policy settings are reflected as soon as the new policy is applied.
> [!Important]
> Whether you apply advanced audit policies by using group policy or by using logon scripts, don't use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored.
- question: |
How are audit settings merged by group policy?
answer: |
By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level. The only exception is if you take special steps to apply group policy loopback processing.
The rules that govern how group policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
| Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
| - | - | - | -|
| Detailed File Share Auditing | Success | Failure | Success |
| Process Creation Auditing | Disabled | Success | Disabled |
| Logon Auditing | Failure | Success | Failure |
- question: |
What is the difference between an object DACL and an object SACL?
answer: |
All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
- A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
- A system access control list (SACL) that controls how access is audited
The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing isn't configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
- question: |
Why are audit policies applied on a per-computer basis rather than per user?
answer: |
In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer.
Audit policy capabilities can vary between computers running different versions of Windows. The best way to make sure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. Because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
- question: |
Are there any differences in auditing functionality between versions of Windows?
answer: |
No. Basic and advanced audit policy settings are available in all supported versions of Windows. They can be configured and applied by local or domain group policy settings.
- question: |
What is the difference between success and failure events? Is something wrong if I get a failure audit?
answer: |
A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
A failure audit event is triggered when a defined action, such as a user sign-in, isn't completed successfully.
The appearance of failure audit events in the event log doesn't necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password.
- question: |
How can I set an audit policy that affects all objects on a computer?
answer: |
System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This requirement has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
Security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected. It's also useful to identify when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This behavior also applies to a single registry setting SACL and a global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
- question: |
How do I figure out why someone was able to access a resource?
answer: |
Often it isn't enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
- question: |
How do I know when changes are made to access control settings, by whom, and what the changes were?
answer: |
To track access control changes, you need to enable the following settings, which track changes to DACLs:
- **Audit File System** subcategory: Enable for success, failure, or success and failure
- **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
- A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor
- question: |
How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
answer: |
Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you later change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to **Not configured**.
2. Delete all audit.csv files from the `%SYSVOL%` folder on the domain controller.
3. Reconfigure and apply the basic audit policy settings.
Unless you complete all of these steps, the basic audit policy settings won't be restored.
- question: |
How can I monitor if changes are made to audit policy settings?
answer: |
Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place:
- Permissions and audit settings on the audit policy object are changed
- The system audit policy is changed
- Security event sources are registered or unregistered
- Per-user audit settings are changed
- The value of **CrashOnAuditFail** is modified
- Audit settings on a file or registry key are changed
- A Special Groups list is changed
- question: |
How can I minimize the number of events that are generated?
answer: |
Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md).
- question: |
What are the best tools to model and manage audit policies?
answer: |
The integration of advanced audit policy settings with domain is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy group policy objects for a domain can also be used to plan and deploy security audit policies.
On an individual computer, the `Auditpol` command-line tool can be used to complete many important audit policy-related management tasks.
There are also other computer management products, such as the Audit Collection Services in System Center Operations Manager, which can be used to collect and filter event data. For more information, see [How to install an Audit Collection Services (ACS) collector and database](/system-center/scom/deploy-install-acs).
- question: |
Where can I find information about all the possible events that I might receive?
answer: |
Users who examine the security event log for the first time can be a bit overwhelmed. The number of audit events that are stored there can quickly number in the thousands. The structured information that's included for each audit event can also be confusing. For more information about these events, and the settings used to generate them, see the following resources:
- [Windows security audit events](https://www.microsoft.com/download/details.aspx?id=50034)
- [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- question: |
Where can I find more detailed information?
answer: |
To learn more about security audit policies, see the following resources:
- [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
- [Windows 8 and Windows Server 2012 security event details](https://www.microsoft.com/download/details.aspx?id=35753)
- [Security audit events for Windows 7 and Windows Server 2008 R2](https://www.microsoft.com/download/details.aspx?id=21561)
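Review bot: the removed FAQ is the only place in this diff with several operational details, and the hunk gives no replacement: the rollback procedure (set every Advanced Audit Policy subcategory to **Not configured**, delete `audit.csv` from `%SYSVOL%`, then reconfigure the basic policy), the requirement to enable **Audit: Force audit policy subcategory settings to override audit policy category settings** when advanced policies are used, and the GPO merge table showing that an OU-level subcategory setting wins over a conflicting domain-level one; confirm these land on a surviving page before this deletion is merged. Two smaller items for whatever replaces it: the metadata block declares `title:` twice (once under `metadata:` and once at top level), and the two Download Center links (`id=50034`, `id=52630`) should be carried over or retired deliberately rather than dropped with the file.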

View File

@ -1,30 +0,0 @@
---
title: Advanced security audit policies
description: Advanced security audit policy settings might appear to overlap with basic policies, but they're recorded and applied differently. Learn more about them here.
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/6/2021
---
# Advanced security audit policies
Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently.
When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you're editing the effective audit policy, so changes made to basic audit policy settings appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
## In this section
| Article | Description |
| - | - |
| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This article for IT professionals explains the options that security policy planners must consider, and the tasks that they must complete, to deploy an effective security audit policy in a network that includes advanced security audit policies |
| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings in Windows and the audit events that they generate.
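Review bot: this hunk deletes the index page without a visible redirect, and its "In this section" table is what points readers at planning-and-deploying-advanced-security-audit-policies.md, advanced-security-auditing-faq.yml, using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md and advanced-security-audit-policy-settings.md; the change should either include a redirect for advanced-security-auditing.md or show where those four entries are picked up. If the table text is reused anywhere, note that only the first row is closed with a trailing pipe and the other three are not.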

@ -1,30 +0,0 @@
---
title: Appendix A, Security monitoring recommendations for many audit events
description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# Appendix A: Security monitoring recommendations for many audit events
This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix.
| **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the allowlist of accounts. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | Identify events that correspond to the actions you want to monitor, and for those events, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that dont comply with naming conventions. |
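Review bot: deleting Appendix A orphans inbound links rather than just removing a page: its opening paragraph says the "Recommendations" sections of the individual event pages link to this appendix, and none of those event pages is touched in this hunk. Either the per-event links need to be removed or redirected in the same change, or the appendix should stay until they are. Minor, if the table moves elsewhere: the last row reads "dont comply", which should be "don't comply".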

@ -1,71 +0,0 @@
---
title: Apply a basic audit policy on a file or folder
description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log.
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.collection:
- highpri
- tier3
ms.topic: reference
ms.date: 09/06/2021
---
# Apply a basic audit policy on a file or folder
You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights.
**To apply or modify auditing policy settings for a local file or folder**
1. Select and hold (or right-click) the file or folder that you want to audit, select **Properties**, and then select the **Security** tab.
2. Select **Advanced**.
3. In the **Advanced Security Settings** dialog box, select the **Auditing** tab, and then select **Continue**.
4. Do one of the following tasks:
- To set up auditing for a new user or group, select **Add**. Select **Select a principal**, type the name of the user or group that you want, and then select **OK**.
- To remove auditing for an existing group or user, select the group or user name, select **Remove**, select **OK**, and then skip the rest of this procedure.
- To view or change auditing for an existing group or user, select its name, and then select **Edit.**
5. In the **Type** box, indicate what actions you want to audit by selecting the appropriate check boxes:
- To audit successful events, select **Success.**
- To audit failure events, select **Fail.**
- To audit all events, select **All.**
6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These objects include:
- **This folder only**
- **This folder, subfolders and files**
- **This folder and subfolders**
- **This folder and files**
- **Subfolders and files only**
- **Subfolders only**
- **Files only**
7. By default, the selected **Basic Permissions** to audit are the following:
- **Read and execute**
- **List folder contents**
- **Read**
- Additionally, with your selected audit combination, you can select any combination of the following permissions:
- **Full control**
- **Modify**
- **Write**
> [!IMPORTANT]
> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
 
## More considerations
- After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
- You can set up file and folder auditing only on NTFS drives.
- Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
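Review bot: the IMPORTANT note (object access auditing must be enabled first, otherwise the dialog returns an error and the file or folder SACL you just set audits nothing) is a prerequisite, but it sits after step 7; if this procedure is being relocated rather than dropped, move it above step 1, next to the sentence that states the account requirements. The page also links basic-audit-object-access.md, so that target needs to survive or be redirected in the same change.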
 
 

@ -1,38 +0,0 @@
---
title: Audit Account Lockout
description: The policy setting, Audit Account Lockout, enables you to audit security events generated by a failed attempt to log on to an account that is locked out.
ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Account Lockout
Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out.
Account lockout events are essential for understanding user activity and detecting potential attacks.
**Event volume**: Low.
This subcategory failure logon attempts, when account was already locked out.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
| Member Server | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
| Workstation | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
**Events List:**
- [4625](event-4625.md)(F): An account failed to log on.
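Review bot: the sentence "This subcategory failure logon attempts, when account was already locked out." is missing its verb (it should read along the lines of "This subcategory records failed logon attempts when the account was already locked out"), and the Comments cell is the same text pasted into all three rows. If the page is being moved rather than retired, fix the fragment and state the comment once above the table. The only event listed, 4625, links to event-4625.md, which must still resolve after this change.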

@ -1,37 +0,0 @@
---
title: Audit Application Generated
description: The policy setting, Audit Application Generated, determines if audit events are generated when applications attempt to use the Windows Auditing APIs.
ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Application Generated
Audit Application Generated generates events for actions related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)).
Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. |
| Workstation | IF | IF | IF | IF | IF if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. |
**Events List:**
- 4665: An attempt was made to create an application client context.
- 4666: An application attempted an operation.
- 4667: An application client context was deleted.
- 4668: An application was initialized.

@ -1,49 +0,0 @@
---
title: Audit Application Group Management
description: The policy setting, Audit Application Group Management, determines if audit events are generated when application group management tasks are performed.
ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Application Group Management
Audit Application Group Management generates events for actions related to [application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)), such as group creation, modification, addition or removal of group member and some other actions.
[Application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)) are used by [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)).
Audit Application Group Management subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------|
| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. |
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
- 4783(S): A basic application group was created.
- 4784(S): A basic application group was changed.
- 4785(S): A member was added to a basic application group.
- 4786(S): A member was removed from a basic application group.
- 4787(S): A non-member was added to a basic application group.
- 4788(S): A non-member was removed from a basic application group.
- 4789(S): A basic application group was deleted.
- 4790(S): An LDAP query group was created.
- 4791(S): An LDAP query group was changed.
- 4792(S): An LDAP query group was deleted.
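Review bot: the event list under the table is missing the "**Events List:**" label that the other subcategory pages carry, and, as on the preceding Application Generated page, the event IDs 4783 through 4792 are plain text rather than links to event pages. Both pages state that Authorization Manager is deprecated from Windows Server 2012, so retiring them together is coherent, but if either is kept anywhere, add the label and the links for consistency with the other subcategories.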

@ -1,80 +0,0 @@
---
title: Audit Audit Policy Change
description: The Advanced Security Audit policy setting, Audit Audit Policy Change, determines if audit events are generated when changes are made to audit policy.
ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Audit Policy Change
Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Changes to audit policy that are audited include:
- Changing permissions and audit settings on the audit policy object (by using “auditpol /set /sd” command).
- Changing the system audit policy.
- Registering and unregistering security event sources.
- Changing per-user audit settings.
- Changing the value of CrashOnAuditFail.
- Changing audit settings on an object (for example, modifying the system access control list ([SACL](/windows/win32/secauthz/access-control-lists)) for a file or registry key).
> **Note**&nbsp;&nbsp;[SACL](/windows/win32/secauthz/access-control-lists) change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
- Changing anything in the Special Groups list.
The following events will be enabled with Success auditing in this subcategory:
- [4902](event-4902.md)(S): The Per-user audit policy table was created.
- [4907](event-4907.md)(S): Auditing settings on object were changed.
- [4904](event-4904.md)(S): An attempt was made to register a security event source.
- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting.
**Events List:**
- [4715](event-4715.md)(S): The audit policy (SACL) on an object was changed.
- [4719](event-4719.md)(S): System audit policy was changed.
- [4817](event-4817.md)(S): Auditing settings on object were changed.
- [4902](event-4902.md)(S): The Per-user audit policy table was created.
- [4906](event-4906.md)(S): The CrashOnAuditFail value has changed.
- [4907](event-4907.md)(S): Auditing settings on object were changed.
- [4908](event-4908.md)(S): Special Groups Logon table modified.
- [4912](event-4912.md)(S): Per User Audit Policy was changed.
- [4904](event-4904.md)(S): An attempt was made to register a security event source.
- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
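Review bot: the statement that only 4902, 4907, 4904 and 4905 depend on this setting and that "All other events in this subcategory will be logged regardless" is the most operationally important line on the page (it means 4719 and 4906 cannot be switched off by policy) and should not be lost if the content is relocated. Two smaller points for any destination page: the Events List is not in numeric order (4904 and 4905 follow 4912, and those four IDs appear twice on the page), and the SACL note uses the "> **Note**&nbsp;&nbsp;" form while the apply-a-basic-audit-policy page in this same change uses the "> [!IMPORTANT]" alert syntax.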

@ -1,76 +0,0 @@
---
title: Audit Authentication Policy Change
description: The Advanced Security Audit policy setting, Audit Authentication Policy Change, determines if audit events are generated when authentication policy is changed.
ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Authentication Policy Change
Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy.
Changes made to authentication policy include:
- Creation, modification, and removal of forest and domain trusts.
- Changes to Kerberos policy under Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy.
- When any of the following user logon rights is granted to a user or group:
- Access this computer from the network
- Allow logon locally
- Allow logon through Remote Desktop
- Logon as a batch job
- Logon as a service
- Namespace collision, such as when an added trust collides with an existing namespace name.
This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | On domain controllers, it is important to enable Success audit for this subcategory to be able to get information related to operations with domain and forest trusts, changes in Kerberos policy and some other events included in this subcategory.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | On member servers it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | On workstations it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4670](event-4670.md)(S): Permissions on an object were changed
- [4706](event-4706.md)(S): A new trust was created to a domain.
- [4707](event-4707.md)(S): A trust to a domain was removed.
- [4716](event-4716.md)(S): Trusted domain information was modified.
- [4713](event-4713.md)(S): Kerberos policy was changed.
- [4717](event-4717.md)(S): System security access was granted to an account.
- [4718](event-4718.md)(S): System security access was removed from an account.
- [4739](event-4739.md)(S): Domain Policy was changed.
- [4864](event-4864.md)(S): A namespace collision was detected.
- [4865](event-4865.md)(S): A trusted forest information entry was added.
- [4866](event-4866.md)(S): A trusted forest information entry was removed.
- [4867](event-4867.md)(S): A trusted forest information entry was modified.
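Review bot: the bulleted user rights are abbreviated relative to the names shown in the Local Security Policy console (the console lists "Allow log on locally", "Log on as a batch job", "Log on as a service" and "Allow log on through Remote Desktop Services"); if this list is reproduced elsewhere, use the console names so readers can locate the settings. The Events List is also out of numeric order (4716 precedes 4713), and 4670 appears here and again under Authorization Policy Change in this same change, which deserves a cross-reference so readers do not take it for a duplicate.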

@ -1,42 +0,0 @@
---
title: Audit Authorization Policy Change
description: The policy setting, Audit Authorization Policy Change, determines if audit events are generated when specific changes are made to the authorization policy.
ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Authorization Policy Change
Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects.
**Event volume**: Medium to High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4703](event-4703.md)(S): A user right was adjusted.
- [4704](event-4704.md)(S): A user right was assigned.
- [4705](event-4705.md)(S): A user right was removed.
- [4670](event-4670.md)(S): Permissions on an object were changed.
- [4911](event-4911.md)(S): Resource attributes of the object were changed.
- [4913](event-4913.md)(S): Central Access Policy on the object was changed.
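Review bot: the Comments cell is one identical paragraph of roughly 900 characters repeated in all three rows; the substance (Success auditing is IF rather than Yes only because callers of AdjustPrivilegesToken, Configuration Manager's recurring WMI queries reported from svchost.exe being the example, can flood the log with 4703, and SIEM filtering of the recurring events makes Success auditing workable) belongs once above the table with the rows reduced to a pointer. The Events List is also out of numeric order (4670 follows 4705).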

@ -1,39 +0,0 @@
---
title: Audit Central Access Policy Staging
description: The Advanced Security Audit policy setting, Audit Central Access Policy Staging, determines permissions on a Central Access Policy.
ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Central Access Policy Staging
Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object.
If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows:
- Success audits, when configured, record access attempts when the current central access policy grants access, but the proposed policy denies access.
- Failure audits, when configured, record access attempts when:
- The current central access policy does not grant access, but the proposed policy grants access.
- A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4818](event-4818.md)(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
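Review bot: the three table rows state that this subcategory "doesnt have Failure events", yet the bullets just above describe two Failure-audit conditions (current policy denies but proposed grants; maximum-access requests where the two policies differ) and the events list carries only 4818 (S). If this content is being relocated rather than retired, reconcile the two before moving it: either the Failure bullets describe checks that never produce an event, or the table note is wrong. "doesnt" in each row is also missing its apostrophe.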

View File

@ -1,117 +0,0 @@
---
title: Audit Certification Services
description: The policy setting, Audit Certification Services, decides if events are generated when Active Directory Certificate Services (ADA CS) operations are performed.
ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Certification Services
Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
- AD CS starts, shuts down, is backed up, or is restored.
- Certificate revocation list (CRL)-related tasks are performed.
- Certificates are requested, issued, or revoked.
- Certificate manager settings for AD CS are changed.
- The configuration and properties of the certification authority (CA) are changed.
- AD CS templates are modified.
- Certificates are imported.
- A CA certificate is published to Active Directory Domain Services.
- Security permissions for AD CS role services are modified.
- Keys are archived, imported, or retrieved.
- The OCSP Responder Service is started or stopped.
Monitoring these operational events is important to ensure that AD CS role services are functioning properly.
**Event volume: Low to medium on servers that provide AD CS role services.**
Role-specific subcategories are outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
| Workstation | No | No | No | No | [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role cannot be installed on client OS. |
- 4868: The certificate manager denied a pending certificate request.
- 4869: Certificate Services received a resubmitted certificate request.
- 4870: Certificate Services revoked a certificate.
- 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
- 4872: Certificate Services published the certificate revocation list (CRL).
- 4873: A certificate request extension changed.
- 4874: One or more certificate request attributes changed.
- 4875: Certificate Services received a request to shut down.
- 4876: Certificate Services backup started.
- 4877: Certificate Services backup completed.
- 4878: Certificate Services restore started.
- 4879: Certificate Services restore completed.
- 4880: Certificate Services started.
- 4881: Certificate Services stopped.
- 4882: The security permissions for Certificate Services changed.
- 4883: Certificate Services retrieved an archived key.
- 4884: Certificate Services imported a certificate into its database.
- 4885: The audit filter for Certificate Services changed.
- 4886: Certificate Services received a certificate request.
- 4887: Certificate Services approved a certificate request and issued a certificate.
- 4888: Certificate Services denied a certificate request.
- 4889: Certificate Services set the status of a certificate request to pending.
- 4890: The certificate manager settings for Certificate Services changed.
- 4891: A configuration entry changed in Certificate Services.
- 4892: A property of Certificate Services changed.
- 4893: Certificate Services archived a key.
- 4894: Certificate Services imported and archived a key.
- 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
- 4896: One or more rows have been deleted from the certificate database.
- 4897: Role separation enabled.
- 4898: Certificate Services loaded a template.
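Review bot: the front-matter description spells the role "ADA CS" where the body uses "AD CS", the 4868 through 4898 list is the only one among these deleted pages with neither an "Events List:" heading nor links to per-event pages, and the role link in all three table rows points at /windows/deployment/deploy-whats-new rather than an AD CS topic. If the page is moving, carry those fixes to the destination; if it is being retired, add a redirection entry so inbound links to the Audit Certification Services guidance do not break.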

View File

@ -1,41 +0,0 @@
---
title: Audit Computer Account Management
description: The policy setting, Audit Computer Account Management, determines if audit events are generated when a computer account is created, changed, or deleted.
ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Computer Account Management
Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
This policy setting is useful for tracking account-related changes to computers that are members of a domain.
**Event volume**: Low on domain controllers.
This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | We recommend monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It's especially important to be informed if any critical computer account objects are deleted.<br>Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object, and when the action was taken.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
**Events List:**
- [4741](event-4741.md)(S): A computer account was created.
- [4742](event-4742.md)(S): A computer account was changed.
- [4743](event-4743.md)(S): A computer account was deleted.
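Review bot: the opening sentence ("determines whether the operating system generates audit events when a computer account is created, changed, or deleted") is repeated almost verbatim a few lines later ("This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted"), and the Domain Controller comment cell ends with "doesnt" missing its apostrophe, a mis-encoded character that recurs across these files. Drop the duplicate and fix the apostrophe in the destination copy if the page is being moved rather than dropped.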

View File

@ -1,53 +0,0 @@
---
title: Audit Credential Validation
description: The policy setting, Audit Credential Validation, determines if audit events are generated when user account logon request credentials are submitted.
ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Credential Validation
Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials as follows:
- For domain accounts, the domain controller is authoritative.
- For local accounts, the local computer is authoritative.
**Event volume**:
- High on domain controllers.
- Low on member servers and workstations.
Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events.
The main reason to enable this auditing subcategory is to handle local accounts authentication attempts and, for domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | Yes | Yes | Expected volume of events is high for domain controllers, because this subcategory will generate events when an authentication attempt is made using any domain account and NTLM authentication. <br>IF We recommend Success auditing to keep track of domain-account authentication events using the NTLM protocol. Expect a high volume of events. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Just collecting Success auditing events in this subcategory for future use in case of a security incident is not very useful, because events in this subcategory are not always informative.<br>We recommend Failure auditing, to collect information about failed authentication attempts using domain accounts and the NTLM authentication protocol. |
| Member Server | Yes | Yes | Yes | Yes | Expected volume of events is low for member servers, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. |
| Workstation | Yes | Yes | Yes | Yes | Expected volume of events is low for workstations, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. |
**Events List:**
- [4774](event-4774.md)(S, F): An account was mapped for logon.
- [4775](event-4775.md)(F): An account could not be mapped for logon.
- [4776](event-4776.md)(S, F): The computer attempted to validate the credentials for an account.
- [4777](event-4777.md)(F): The domain controller failed to validate the credentials for an account.
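Review bot: the Domain Controller row is the only place in these deleted pages where General Success (IF) and Stronger Success (Yes) diverge, and the comment cell explains the IF but says nothing about why the Stronger baseline is Yes; the same cell points readers to "Security Monitoring Recommendations" sections that live on the per-event pages linked here (event-4774.md through event-4777.md). Since the body calls this subcategory out as the one for spotting brute-force and account-enumeration attempts, make sure both the General/Stronger distinction and the pointer to the per-event pages survive wherever this content lands, or add a redirect if it is retired.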

View File

@ -1,49 +0,0 @@
---
title: Audit Detailed Directory Service Replication
description: The Audit Detailed Directory Service Replication setting decides if audit events contain detailed tracking info about data replicated between domain controllers
ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Detailed Directory Service Replication
Audit Detailed Directory Service Replication determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
This audit subcategory can be useful to diagnose replication issues.
**Event volume**: These events can create a very high volume of event data on domain controllers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for Active Directory replication troubleshooting. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4928](event-4928.md)(S, F): An Active Directory replica source naming context was established.
- [4929](event-4929.md)(S, F): An Active Directory replica source naming context was removed.
- [4930](event-4930.md)(S, F): An Active Directory replica source naming context was modified.
- [4931](event-4931.md)(S, F): An Active Directory replica destination naming context was modified.
- [4934](event-4934.md)(S): Attributes of an Active Directory object were replicated.
- [4935](event-4935.md)(F): Replication failure begins.
- [4936](event-4936.md)(S): Replication failure ends.
- [4937](event-4937.md)(S): A lingering object was removed from a replica.
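Review bot: the Domain Controller comment cell ("Events in this subcategory typically have an informational purpose ... Its mainly used for Active Directory replication troubleshooting") is the same text as the Audit Directory Service Replication page deleted further down in this commit, although the two pages give very different volumes ("very high" here versus "Medium" there). If the two are being merged, keep the volume distinction and give each subcategory its own comment; "Its" also needs its apostrophe.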

View File

@ -1,43 +0,0 @@
---
title: Audit Detailed File Share
description: The Advanced Security Audit policy setting, Audit Detailed File Share, allows you to audit attempts to access files and folders on a shared folder.
ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Detailed File Share
Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.
The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
**Event volume**:
- High on file servers.
- High on domain controllers because of SYSVOL network access required by Group Policy.
- Low on member servers and workstations.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share.<br>We recommend monitoring Failure access attempts: the volume shouldn't be high. You will be able to see who wasn't able to get access to a file or folder on a network share on a computer. |
| Member Server | IF | Yes | IF | Yes | IF If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the clients IP address.<br>The volume of Failure events for member servers shouldn't be high (if they aren't File Servers). With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
| Workstation | IF | Yes | IF | Yes | IF If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the clients IP address.<br>The volume of Failure events for workstations shouldn't be high. With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
**Events List:**
- [5145](event-5145.md)(S, F): A network share object was checked to see whether client can be granted desired access.
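Review bot: the Member Server row links [Audit File System](audit-file-system.md) while the Workstation row, which otherwise repeats the same sentence, mentions "Audit File System subcategory" with no link, and "clients IP address" in both rows is missing an apostrophe. Because audit-file-system.md is a sibling page in this same set, check that its link target is redirected as well if that file is removed in this commit, so the relocated text does not carry a dead cross-reference.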

View File

@ -1,36 +0,0 @@
---
title: Audit Directory Service Access
description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (AD DS) object is accessed.
ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Directory Service Access
Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
**Event volume**: High on servers running AD DS role services.
This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesnt give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](/windows/win32/secauthz/access-control-lists) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4662](event-4662.md)(S, F): An operation was performed on an object.
- [4661](event-4661.md)(S, F): A handle to an object was requested.
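Review bot: this page links twice to audit-directory-service-changes.md, which the next hunk of this commit deletes, and the events list is out of numeric order (4662 before 4661). Removing both a page and its link target in one commit needs a redirection entry for each, and since the two pages point at each other they should be redirected to the same destination; reorder the list (4661, then 4662) in the moved copy.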

View File

@ -1,48 +0,0 @@
---
title: Audit Directory Service Changes
description: The policy setting Audit Directory Service Changes determines if audit events are generated when objects in Active Directory Domain Services (AD DS) are changed
ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Directory Service Changes
Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
Auditing of directory service objects can provide information about the old and new properties of the objects that were changed.
Audit events are generated only for objects with configured system access control lists ([SACLs](/windows/win32/secauthz/access-control-lists)), and only when they are accessed in a manner that matches their [SACL](/windows/win32/secauthz/access-control-lists) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
This subcategory only logs events on domain controllers.
**Event volume**: High on domain controllers.
This subcategory triggers events when an Active Directory object was modified, created, undeleted, moved, or deleted.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](/previous-versions/technet-magazine/ee361593(v=msdn.10)) container or Domain Admins group objects. <br>This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](/windows/win32/secauthz/access-control-lists) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [5136](event-5136.md)(S): A directory service object was modified.
- [5137](event-5137.md)(S): A directory service object was created.
- [5138](event-5138.md)(S): A directory service object was undeleted.
- [5139](event-5139.md)(S): A directory service object was moved.
- [5141](event-5141.md)(S): A directory service object was deleted.
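Review bot: the Domain Controller comment cell links to audit-directory-service-access.md, removed earlier in this same commit, and to an AdminSDHolder article under /previous-versions/; that cell is also the only place in this set that tells readers Failure events for AD objects live in the Directory Service Access subcategory rather than here. If the content moves, repoint that cross-reference at the new location instead of the deleted file, and fix "doesnt" in the same cell.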

View File

@ -1,35 +0,0 @@
---
title: Audit Directory Service Replication
description: Audit Directory Service Replication is a policy setting that decides if audit events are created when replication between two domain controllers begins or ends.
ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Directory Service Replication
Audit Directory Service Replication determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
**Event volume**: Medium on domain controllers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for Active Directory replication troubleshooting. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4932](event-4932.md)(S): Synchronization of a replica of an Active Directory naming context has begun.
- [4933](event-4933.md)(S, F): Synchronization of a replica of an Active Directory naming context has ended.
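Review bot: 4933 is listed as (S, F) while the Domain Controller row sets General Failure to No and Stronger Failure to IF, and the comment cell (identical to the Detailed Directory Service Replication page above) explains neither what a Failure for 4933 means nor why the Stronger baseline enables it. If this guidance is being consolidated, a one-line note on when 4933 fails would make the IF actionable; "Its" in the same cell is missing its apostrophe.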

View File

@ -1,70 +0,0 @@
---
title: Audit Distribution Group Management
description: The policy setting, Audit Distribution Group Management, determines if audit events are generated for specific distribution-group management tasks.
ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Distribution Group Management
Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.
This subcategory generates events only on domain controllers.
**Event volume**: Low on domain controllers.
This subcategory allows you to audit events generated by changes to distribution groups such as the following:
- Distribution group is created, changed, or deleted.
- Member is added or removed from a distribution group.
If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A groups type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | No | IF | No | IF - Typically, actions related to distribution groups have low security relevance. It is much more important to monitor Security Group changes. However, if you want to monitor for critical distribution groups changes, such as if a member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically, volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
**Events List:**
- [4749](event-4749.md)(S): A security-disabled global group was created.
- [4750](event-4750.md)(S): A security-disabled global group was changed.
- [4751](event-4751.md)(S): A member was added to a security-disabled global group.
- [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
- [4753](event-4753.md)(S): A security-disabled global group was deleted.
- 4759(S): A security-disabled universal group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4759 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4760(S): A security-disabled universal group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4760 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4761(S): A member was added to a security-disabled universal group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4761 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4762(S): A member was removed from a security-disabled universal group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4762 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4763(S): A security-disabled universal group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4763 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4744(S): A security-disabled local group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4744 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4745(S): A security-disabled local group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4745 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4746(S): A member was added to a security-disabled local group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4746 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4747(S): A member was removed from a security-disabled local group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4747 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4748(S): A security-disabled local group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4748 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.


@ -1,38 +0,0 @@
---
title: Audit DPAPI Activity
description: The policy setting, Audit DPAPI Activity, decides if encryption/decryption calls to the data protection application interface (DPAPI) generate audit events.
ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit DPAPI Activity
Audit [DPAPI](/previous-versions/ms995355(v=msdn.10)) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](/previous-versions/ms995355(v=msdn.10))).
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for DPAPI troubleshooting. |
| Member Server | IF | IF | IF | IF | IF Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for DPAPI troubleshooting. |
| Workstation | IF | IF | IF | IF | IF Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for DPAPI troubleshooting. |
**Events List:**
- [4692](event-4692.md)(S, F): Backup of data protection master key was attempted.
- [4693](event-4693.md)(S, F): Recovery of data protection master key was attempted.
- [4694](event-4694.md)(S, F): Protection of auditable protected data was attempted.
- [4695](event-4695.md)(S, F): Unprotection of auditable protected data was attempted.
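Review bot: No redirect or replacement target is visible for the removal of audit-dpapi-activity.md, which its front matter marks as published reference content (ms.topic: reference); the Events List links out to event-4692.md through event-4695.md, and whether those event pages are also removed is not visible in this hunk, so confirm that this publish pairs the deletion with a redirection entry and that any retained event pages no longer carry relative links back to this subcategory page, or those links will 404 once main is live.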


@ -1,51 +0,0 @@
---
title: Audit File Share
description: The Advanced Security Audit policy setting, Audit File Share, determines if the operating system generates audit events when a file share is accessed.
ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit File Share
Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks.
There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.
Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access.
**Event volume**:
- High on file servers.
- High on domain controllers because of SYSVOL network access required by Group Policy.
- Low on member servers and workstations.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing for domain controllers, because its important to track deletion, creation, and modification events for network shares.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification, and access attempts to network share objects.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification and access attempts to network share objects.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
**Events List:**
- [5140](event-5140.md)(S, F): A network share object was accessed.
- [5142](event-5142.md)(S): A network share object was added.
- [5143](event-5143.md)(S): A network share object was modified.
- [5144](event-5144.md)(S): A network share object was deleted.
- [5168](event-5168.md)(F): SPN check for SMB/SMB2 failed.


@ -1,61 +0,0 @@
---
title: Audit File System
description: The Advanced Security Audit policy setting, Audit File System, determines if audit events are generated when users attempt to access file system objects.
ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit File System
> [!NOTE]
> For more details about applicability on older operating system versions, read the article [Audit File System](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)).
Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
Audit events are generated only for objects that have configured system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](/windows/win32/secauthz/access-control-lists).
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL.
These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring.
**Event volume**: Varies, depending on how file system [SACL](/windows/win32/secauthz/access-control-lists)s are configured.
No audit events are generated for the default file system [SACL](/windows/win32/secauthz/access-control-lists)s.
This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations and hard link creation actions.
Only one event, “[4658](event-4658.md): The handle to an object was closed,” depends on the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory (Success auditing must be enabled). All other events generate without any additional configuration.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](/windows/win32/secauthz/access-control-lists)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](/windows/win32/secauthz/access-control-lists)s. Otherwise the auditing log will be overloaded with useless information.<br>Failure events can show you unsuccessful attempts to access specific file system objects.<br>Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. |
| Member Server | IF | IF | IF | IF | |
| Workstation | IF | IF | IF | IF | |
**Events List:**
- [4656](event-4656.md)(S, F): A handle to an object was requested.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4660](event-4660.md)(S): An object was deleted.
- [4663](event-4663.md)(S): An attempt was made to access an object.
- [4664](event-4664.md)(S): An attempt was made to create a hard link.
- [4985](event-4985.md)(S): The state of a transaction has changed.
- [5051](event-5051.md)(-): A file was virtualized.
- [4670](event-4670.md)(S): Permissions on an object were changed.
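Review bot: The NOTE block at the top of this file already points readers to a previous-versions copy (windows-server-2012-r2-and-2012/dn319068(v=ws.11)); if that archive is the intended landing page after deletion, the redirect for audit-file-system.md should target it. The dependency called out under "Only one event, 4658 ... depends on the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory" needs to survive wherever this guidance moves, because audit-handle-manipulation.md is removed further down in the same commit, so a migrated copy with unchanged relative links would point at a deleted file.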


@ -1,52 +0,0 @@
---
title: Audit Filtering Platform Connection
description: The policy setting, Audit Filtering Platform Connection, decides if audit events are generated when connections are allow/blocked by Windows Filtering Platform.
ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Filtering Platform Connection
Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page).
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked and allowed port bindings, blocked and allowed port listening actions, and blocked to accept incoming connections applications.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
| Member Server | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
| Workstation | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
**Events List:**
- [5031](event-5031.md)(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
- [5150](event-5150.md)(-): The Windows Filtering Platform blocked a packet.
- [5151](event-5151.md)(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
- [5154](event-5154.md)(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
- [5155](event-5155.md)(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
- [5156](event-5156.md)(S): The Windows Filtering Platform has permitted a connection.
- [5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection.
- [5158](event-5158.md)(S): The Windows Filtering Platform has permitted a bind to a local port.
- [5159](event-5159.md)(F): The Windows Filtering Platform has blocked a bind to a local port.


@ -1,38 +0,0 @@
---
title: Audit Filtering Platform Packet Drop
description: The policy setting, Audit Filtering Platform Packet Drop, determines if audit events are generated when packets are dropped by the Windows Filtering Platform.
ms.assetid: 95457601-68d1-4385-af20-87916ddab906
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Filtering Platform Packet Drop
Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page).
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
A high rate of dropped packets *may* indicate that there have been attempts to gain unauthorized access to computers on your network.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
| Member Server | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
| Workstation | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
**Events List:**
- [5152](event-5152.md)(F): The Windows Filtering Platform blocked a packet.
- [5153](event-5153.md)(S): A more restrictive Windows Filtering Platform filter has blocked a packet.


@ -1,110 +0,0 @@
---
title: Audit Filtering Platform Policy Change
description: The policy setting, Audit Filtering Platform Policy Change, determines if audit events are generated for certain IPsec and Windows Filtering Platform actions.
ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Filtering Platform Policy Change
Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) (WFP), such as the following:
- IPsec services status.
- Changes to IPsec policy settings.
- Changes to Windows Filtering Platform Base Filtering Engine policy settings.
- Changes to WFP providers and engine.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
- 4709(S): IPsec Services was started.
- 4710(S): IPsec Services was disabled.
- 4711(S): May contain any one of the following:
- 4712(F): IPsec Services encountered a potentially serious failure.
- 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
- 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
- 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
- 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
- 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
- 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
- 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
- 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
- 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
- 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
- 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
- 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
- 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
- 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
- 5446(S): A Windows Filtering Platform callout has been changed.
- 5448(S): A Windows Filtering Platform provider has been changed.
- 5449(S): A Windows Filtering Platform provider context has been changed.
- 5450(S): A Windows Filtering Platform sub-layer has been changed.
- 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
- 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
- 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
- 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
- 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
- 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
- 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
- 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
- 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
- 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
- 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
- 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
- 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
- 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
- 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
- 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
- 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
- 5477(F): PAStore Engine failed to add quick mode filter.
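Review bot: If this file is being migrated rather than retired, the event list is incomplete as deleted and should be completed at the destination instead of carried over as-is: the entry "4711(S): May contain any one of the following:" has no items beneath it, and unlike the sibling files in this commit the list has no **Events List:** heading and no event-page links (for example 4709 and 4712 are plain text rather than [4709](event-4709.md)-style links), so readers lose the per-event pages that the other subcategory articles provide.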


@ -1,45 +0,0 @@
---
title: Audit Group Membership
description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC.
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Group Membership
By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer.
This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created.
For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
You must also enable the [Audit Logon](audit-logon.md) subcategory.
Multiple events are generated if the group membership information cannot fit in a single security audit event
**Event volume**:
- Low on a client computer.
- Medium on a domain controller or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
| Workstation | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
**Events List:**
- [4627](event-4627.md)(S): Group membership information.


@ -1,36 +0,0 @@
---
title: Audit Handle Manipulation
description: The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed.
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Handle Manipulation
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows objects handle duplication and close actions.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
**Events List:**
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
- 4658(S): The handle to an object was closed. For a description of the event, see _[4658](event-4658.md)(S): The handle to an object was closed._ in the Audit File System subcategory. This event doesnt generate in the Audit Handle Manipulation subcategory, but you can use this subcategory to enable it.
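Review bot: the last bullet ("4658(S): ... This event doesnt generate in the Audit Handle Manipulation subcategory, but you can use this subcategory to enable it") contradicts the page's opening sentence, which says Audit Handle Manipulation enables generation of 4658 under the File System, Kernel Object, Registry, Removable Storage and SAM subcategories, and it duplicates the linked [4658](event-4658.md) bullet two lines above it. Deleting the file makes the contradiction moot for this commit, but if the content is relocated, keep only the linked bullet and state the relationship once: 4658 is logged under those other subcategories, and enabling this subcategory is what causes it to be generated.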

View File

@ -1,70 +0,0 @@
---
title: Audit IPsec Driver
description: The Advanced Security Audit policy setting, Audit IPsec Driver, determines if audit events are generated for the activities of the IPsec driver.
ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit IPsec Driver
Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:
- Startup and shutdown of the IPsec services.
- Network packets dropped due to integrity check failure.
- Network packets dropped due to replay check failure.
- Network packets dropped due to being in plaintext.
- Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated.
- Inability to process IPsec filters.
A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems.
Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. This subcategory is outside the scope of this document.
**Event volume:** Medium
**Default:** Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
**Events List:**
- 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
- 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
- 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
- 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
- 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
- 5478(S): IPsec Services has started successfully.
- 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
- 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
- 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
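Review bot: the Events List in this hunk (4960 through 5485) is plain text with no event-NNNN.md links, unlike every other subcategory page in this commit, and 4961 and 4962 carry the same "failed a replay check" description, distinguished only by the sequence-number sentence on 4962. Because no linked event pages exist for these IDs here, nothing else needs a redirect when this file goes; if the text is reused, the 4962 entry should say up front that it is the low-sequence-number variant, and the four "-" cells in the table are the only place in this commit where a dash is used instead of "No" or "IF", so a consistent value or a legend is needed.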

View File

@ -1,42 +0,0 @@
---
title: Audit IPsec Extended Mode
description: The setting, Audit IPsec Extended Mode, determines if audit events are generated for the results of IKE protocol and AuthIP during Extended Mode negotiations.
ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit IPsec Extended Mode
Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
- 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 4979(S): IPsec Main Mode and Extended Mode security associations were established.
- 4980(S): IPsec Main Mode and Extended Mode security associations were established.
- 4981(S): IPsec Main Mode and Extended Mode security associations were established.
- 4982(S): IPsec Main Mode and Extended Mode security associations were established.
- 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
- 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
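Review bot: 4979, 4980, 4981 and 4982 all carry the identical description "IPsec Main Mode and Extended Mode security associations were established", and 4983 and 4984 both read "An IPsec Extended Mode negotiation failed", so the list tells a reader nothing about what distinguishes them; 4983 and 4984 are also tagged (S) even though they describe failed negotiations. None of this blocks a deletion, but if the page is relocated each entry needs its distinguishing detail and the (S)/(F) tags should be checked against the audit result each event actually reports.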

View File

@ -1,46 +0,0 @@
---
title: Audit IPsec Main Mode
description: Learn about the policy setting, Audit IPsec Main Mode, which determines if the results of certain protocols generate events during Main Mode negotiations.
ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit IPsec Main Mode
Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
- 4646(S): Security ID: %1
- 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
- 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
- 4652(F): An IPsec Main Mode negotiation failed.
- 4653(F): An IPsec Main Mode negotiation failed.
- 4655(S): An IPsec Main Mode security association ended.
- 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 5049(S): An IPsec Security Association was deleted.
- 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
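Review bot: "4646(S): Security ID: %1" is an unsubstituted message template rather than an event description (the %1 placeholder never received its value), and 4652 and 4653 share the single line "An IPsec Main Mode negotiation failed" with nothing to tell them apart. If this list is reused, 4646 needs a real description and the two failure events need the cause that distinguishes them.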

View File

@ -1,34 +0,0 @@
---
title: Audit IPsec Quick Mode
description: The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for the results of the IKE protocol and AuthIP during Quick Mode negotiations.
ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit IPsec Quick Mode
Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
- 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
- 5451(S): An IPsec Quick Mode security association was established.
- 5452(S): An IPsec Quick Mode security association ended.
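Review bot: this page, like the Extended Mode and Main Mode pages above it, has no **Event volume** line and no **Events List:** heading before the bullets, while every other subcategory page in this commit has both; the three IPsec negotiation pages are also the only ones whose tables are all "IF" and whose Comments restate the condition only as "troubleshooting". Since the three files are deleted together this is at least consistent, but any replacement page should carry an Event volume line so readers can size the collection cost before turning the subcategory on.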

View File

@ -1,41 +0,0 @@
---
title: Audit Kerberos Authentication Service
description: The policy setting Audit Kerberos Authentication Service decides if audit events are generated for Kerberos authentication ticket-granting ticket (TGT) requests
ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Kerberos Authentication Service
Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts.
**Event volume**: High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed Pre-Authentications, due to wrong user password or when the users password has expired.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, because you will see all Kerberos Authentication requests (TGT requests), which are a part of domain account logons. Also, you can see the IP address from which this account requested a TGT, when TGT was requested, which encryption type was used and so on.<br>We recommend Failure auditing, because you will see all failed requests with wrong password, username, revoked certificate, and so on. You will also be able to detect Kerberos issues or possible attack attempts. <br>Expected volume is high on domain controllers. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4768](event-4768.md)(S, F): A Kerberos authentication ticket (TGT) was requested.
- [4771](event-4771.md)(F): Kerberos pre-authentication failed.
- [4772](event-4772.md)(F): A Kerberos authentication ticket request failed.
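Review bot: the paragraph above the table says the subcategory covers "failed Pre-Authentications, due to wrong user password or when the users password has expired", and the Comments cell says Failure auditing surfaces wrong-password and revoked-certificate attempts, but the events list gives [4771](event-4771.md)(F) only its title and never connects it to that wrong-password case, which is what a reader hunting for password-guessing signal needs. If the page is relocated, connect those two statements and fix the dropped apostrophe in "users password". The table separator row is also several hundred characters wide for a six-column table; three dashes per column renders identically.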

View File

@ -1,40 +0,0 @@
---
title: Audit Kerberos Service Ticket Operations
description: The policy setting, Audit Kerberos Service Ticket Operations, determines if security audit events are generated for Kerberos service ticket requests.
ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Kerberos Service Ticket Operations
Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests.
Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity.
**Event volume**: Very High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGSs and failed TGS requests.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).<br /><br />We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4769](event-4769.md)(S, F): A Kerberos service ticket was requested.
- [4770](event-4770.md)(S): A Kerberos service ticket was renewed.
- [4773](event-4773.md)(F): A Kerberos service ticket request failed.
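Review bot: the Domain Controller row marks General Success as "IF" but the Comments never state the condition beyond "Expected volume is very high on domain controllers", and the next sentence says "We recommend Success auditing" unconditionally, so a reader cannot tell when the IF applies. The same cell mixes `<br><br>` and `<br /><br />` for line breaks. If reused, put the condition (that the volume of 4769 events is acceptable to the collection pipeline) into the IF sentence itself and use one break style.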

View File

@ -1,44 +0,0 @@
---
title: Audit Kernel Object
description: The policy setting, Audit Kernel Object, decides if user attempts to access the system kernel (which includes mutexes and semaphores) generate audit events.
ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Kernel Object
Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
Only kernel objects with a matching system access control list ([SACL](/windows/win32/secauthz/access-control-lists)) generate security audit events. The audits generated are usually useful only to developers.
Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.
The “[Audit: Audit the access of global system objects](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852233(v=ws.11))” policy setting controls the default SACL of kernel objects.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
| Member Server | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
| Workstation | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
**Events List:**
- [4656](event-4656.md)(S, F): A handle to an object was requested.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4660](event-4660.md)(S): An object was deleted.
- [4663](event-4663.md)(S): An attempt was made to access an object.
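Review bot: the events list includes [4658](event-4658.md)(S), which the Audit Handle Manipulation page earlier in this commit says is generated only when that subcategory is enabled, and nothing on this side mentions the dependency. The deletion removes both pages, so nothing dangles, but a relocated Kernel Object page should note that 4658 will not appear here unless Audit Handle Manipulation is also on; otherwise readers who enable only this subcategory will look for handle-close events that never arrive.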

View File

@ -1,43 +0,0 @@
---
title: Audit Logoff
description: The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated.
ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Logoff
Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.
These events occur on the computer that was accessed. For an interactive logon, these events are generated on the computer that was logged on to.
There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated.
**Event volume**: High.
This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff, the security audit event is generated on the computer that the user account logged on to.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4634](event-4634.md)(S): An account was logged off.
- [4647](event-4647.md)(S): User initiated logoff.
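Review bot: the paragraph "This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed..." repeats the page's second paragraph almost verbatim, and the sentence "Logon events are essential to understanding user activity and detecting potential attacks" belongs on the Audit Logon page rather than here; all three Comments cells also carry the "doesnt" apostrophe artifact. Moot for the deletion, but if the content moves, keep one copy of the scope paragraph and keep the reliability caveat (no logoff event on abrupt shutdown), which is the security-relevant point of the page.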

View File

@ -1,55 +0,0 @@
---
title: Audit Logon
description: The Advanced Security Audit policy setting, Audit Logon, determines if audit events are generated when a user attempts to log on to a computer.
ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Logon
Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer.
These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed.
The following events are recorded:
- Logon success and failure.
- Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the **RunAs** command.
- Security identifiers (SIDs) are filtered.
Logon events are essential to tracking user activity and detecting potential attacks.
**Event volume**:
- Low on a client computer.
- Medium on a domain controllers or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
| Member Server | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
| Workstation | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
**Events List:**
- [4624](event-4624.md)(S): An account was successfully logged on.
- [4625](event-4625.md)(F): An account failed to log on.
- [4648](event-4648.md)(S): A logon was attempted using explicit credentials.
- [4675](event-4675.md)(S): SIDs were filtered.
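Review bot: "Medium on a domain controllers or network servers" has a stray article, and the third bullet, "Security identifiers (SIDs) are filtered", is a fragment beside the two descriptive bullets above it (it refers to [4675](event-4675.md), which is only named at the bottom of the list). The Comments cells say Failure events show "the reason why these attempts failed" but never say which field of [4625](event-4625.md) carries that reason; if relocated, tie the bullet to 4675 and name the field.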

View File

@ -1,75 +0,0 @@
---
title: Audit MPSSVC Rule-Level Policy Change
description: Audit MPSSVC Rule-Level Policy Change determines if audit events are generated when policy rules are altered for the Microsoft Protection Service (MPSSVC.exe).
ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit MPSSVC Rule-Level Policy Change
Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computers threat protection against malware. The tracked activities include:
- Active policies when the Windows Firewall service starts.
- Changes to Windows Firewall rules.
- Changes to the Windows Firewall exception list.
- Changes to Windows Firewall settings.
- Rules ignored or not applied by the Windows Firewall service.
- Changes to Windows Firewall Group Policy settings.
Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.
**Event volume**: Medium.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
| Member Server | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
| Workstation | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
**Events List:**
- [4944](event-4944.md)(S): The following policy was active when the Windows Firewall started.
- [4945](event-4945.md)(S): A rule was listed when the Windows Firewall started.
- [4946](event-4946.md)(S): A change has been made to Windows Firewall exception list. A rule was added.
- [4947](event-4947.md)(S): A change has been made to Windows Firewall exception list. A rule was modified.
- [4948](event-4948.md)(S): A change has been made to Windows Firewall exception list. A rule was deleted.
- [4949](event-4949.md)(S): Windows Firewall settings were restored to the default values.
- [4950](event-4950.md)(S): A Windows Firewall setting has changed.
- [4951](event-4951.md)(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
- [4952](event-4952.md)(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
- [4953](event-4953.md)(F): A rule has been ignored by Windows Firewall because it could not parse the rule.
- [4954](event-4954.md)(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
- [4956](event-4956.md)(S): Windows Firewall has changed the active profile.
- [4957](event-4957.md)(F): Windows Firewall did not apply the following rule:
- [4958](event-4958.md)(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
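Review bot: the three Comments cells of the recommendation table carry the same sentence verbatim and it has a subject/verb disagreement, "Success events shows you changes in Windows Firewall rules and settings"; since this page is removed outright, make sure its event reference (4944 through 4958) and the recommendations land on a surviving page or a redirect for the old path is added before merging, and if the text is migrated keep one copy reading "Success events show you".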


@ -1,54 +0,0 @@
---
title: Audit Network Policy Server
description: The policy setting, Audit Network Policy Server, determines if audit events are generated for RADIUS (IAS) and NAP activity on user access requests.
ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Network Policy Server
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
This subcategory generates events only if NAS or IAS role is installed on the server.
NAP events can be used to help understand the overall health of the network.
**Event volume**: Medium to High on servers that are running [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS).
Role-specific subcategories are outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF if a server has the [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if a server has the [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Workstation | No | No | No | No | [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role cannot be installed on client OS. |
- 6272: Network Policy Server granted access to a user.
- 6273: Network Policy Server denied access to a user.
- 6274: Network Policy Server discarded the request for a user.
- 6275: Network Policy Server discarded the accounting request for a user.
- 6276: Network Policy Server quarantined a user.
- 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
- 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
- 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
- 6280: Network Policy Server unlocked the user account.
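Review bot: the line "This subcategory generates events only if NAS or IAS role is installed on the server." says NAS where the title, description and table comments all refer to the Network Policy Server (NPS) role, and the 6272 to 6280 list lacks the "**Events List:**" heading and per-event links that the other subcategory pages in this commit use. If this content is relocated rather than dropped, carry those two fixes and add a redirect for the deleted path.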


@ -1,85 +0,0 @@
---
title: Audit Non-Sensitive Privilege Use
description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Non-Sensitive Privilege Use
Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
- Access Credential Manager as a trusted caller
- Add workstations to domain
- Adjust memory quotas for a process
- Bypass traverse checking
- Change the system time
- Change the time zone
- Create a page file
- Create global objects
- Create permanent shared objects
- Create symbolic links
- Force shutdown from a remote system
- Increase a process working set
- Increase scheduling priority
- Lock pages in memory
- Modify an object label
- Perform volume maintenance tasks
- Profile single process
- Profile system performance
- Remove computer from docking station
- Shut down the system
- Synchronize directory service data
This subcategory also contains informational events from filesystem Transaction Manager.
If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts.
**Event volume**: Very High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
| Member Server | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
| Workstation | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
**Events List:**
- [4673](event-4673.md)(S, F): A privileged service was called.
- [4674](event-4674.md)(S, F): An operation was attempted on a privileged object.
- [4985](event-4985.md)(S): The state of a transaction has changed.


@ -1,28 +0,0 @@
---
title: Audit Other Account Logon Events
description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons.
ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Other Account Logon Events
**General Subcategory Information:**
This auditing subcategory does not contain any events. It is intended for future use.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
| Member Server | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
| Workstation | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |


@ -1,41 +0,0 @@
---
title: Audit Other Account Management Events
description: The Advanced Security Audit policy setting, Audit Other Account Management Events, determines if user account management audit events are generated.
ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Other Account Management Events
Audit Other Account Management Events determines whether the operating system generates user account management audit events.
**Event volume:** Typically Low on all types of computers.
This subcategory allows you to audit next events:
- The password hash of a user account was accessed. This happens during an Active Directory Management Tool password migration.
- The Password Policy Checking API was called. Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash of an account was accessed.”<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | No | No | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4782](event-4782.md)(S): The password hash of an account was accessed.
- [4793](event-4793.md)(S): The Password Policy Checking API was called.


@ -1,66 +0,0 @@
---
title: Audit Other Logon/Logoff Events
description: The Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, determines if Windows generates audit events for other logon or logoff events.
ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Other Logon/Logoff Events
Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events.
These other logon or logoff events include:
- A Remote Desktop session connects or disconnects.
- A workstation is locked or unlocked.
- A screen saver is invoked or dismissed.
- A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.
- A user is granted access to a wireless network. It can be either a user account or the computer account.
- A user is granted access to a wired 802.1x network. It can be either a user account or the computer account.
Logon events are essential to understanding user activity and detecting potential attacks.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
**Events List:**
- [4649](event-4649.md)(S): A replay attack was detected.
- [4778](event-4778.md)(S): A session was reconnected to a Window Station.
- [4779](event-4779.md)(S): A session was disconnected from a Window Station.
- [4800](event-4800.md)(S): The workstation was locked.
- [4801](event-4801.md)(S): The workstation was unlocked.
- [4802](event-4802.md)(S): The screen saver was invoked.
- [4803](event-4803.md)(S): The screen saver was dismissed.
- [5378](event-5378.md)(F): The requested credentials delegation was disallowed by policy.
- [5632](event-5632.md)(S): A request was made to authenticate to a wireless network.
- [5633](event-5633.md)(S): A request was made to authenticate to a wired network.


@ -1,55 +0,0 @@
---
title: Audit Other Object Access Events
description: The policy setting, Audit Other Object Access Events, determines if audit events are generated for the management of Task Scheduler jobs or COM+ objects.
ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Other Object Access Events
Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICMP DoS attack. |
| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICMP DoS attack. |
| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICMP DoS attack. |
**Events List:**
- [4671](event-4671.md)(-): An application attempted to access a blocked ordinal through the TBS.
- [4691](event-4691.md)(S): Indirect access to an object was requested.
- [5148](event-5148.md)(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
- [5149](event-5149.md)(F): The DoS attack has subsided and normal processing is being resumed.
- [4698](event-4698.md)(S): A scheduled task was created.
- [4699](event-4699.md)(S): A scheduled task was deleted.
- [4700](event-4700.md)(S): A scheduled task was enabled.
- [4701](event-4701.md)(S): A scheduled task was disabled.
- [4702](event-4702.md)(S): A scheduled task was updated.
- [5888](event-5888.md)(S): An object in the COM+ Catalog was modified.
- [5889](event-5889.md)(S): An object was deleted from the COM+ Catalog.
- [5890](event-5890.md)(S): An object was added to the COM+ Catalog.
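Review bot: the events list is out of numeric order (4671, 4691, 5148, 5149, then 4698 through 4702, then 5888 through 5890), and 4671 is tagged "(-)" with no Success/Failure classification while the table's Failure recommendation rests on the 5148/5149 DoS events alone. If this reference survives elsewhere, sort the list and state 4671's audit type, or say what the "(-)" marker means.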


@ -1,63 +0,0 @@
---
title: Audit Other Policy Change Events
description: The policy setting, Audit Other Policy Change Events, determines if audit events are generated for security policy changes that are not otherwise audited.
ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Other Policy Change Events
Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
| Member Server | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
| Workstation | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
**Events List:**
- [4714](event-4714.md)(S): Encrypted data recovery policy was changed.
- [4819](event-4819.md)(S): Central Access Policies on the machine have been changed.
- [4826](event-4826.md)(S): Boot Configuration Data loaded.
- [4909](event-4909.md)(-): The local policy settings for the TBS were changed.
- [4910](event-4910.md)(-): The group policy settings for the TBS were changed.
- [5063](event-5063.md)(S, F): A cryptographic provider operation was attempted.
- [5064](event-5064.md)(S, F): A cryptographic context operation was attempted.
- [5065](event-5065.md)(S, F): A cryptographic context modification was attempted.
- [5066](event-5066.md)(S, F): A cryptographic function operation was attempted.
- [5067](event-5067.md)(S, F): A cryptographic function modification was attempted.
- [5068](event-5068.md)(S, F): A cryptographic function provider operation was attempted.
- [5069](event-5069.md)(S, F): A cryptographic function property operation was attempted.
- [5070](event-5070.md)(S, F): A cryptographic function property modification was attempted.
- [5447](event-5447.md)(S): A Windows Filtering Platform filter has been changed.
- [6144](event-6144.md)(S): Security policy in the group policy objects has been applied successfully.
- [6145](event-6145.md)(F): One or more errors occurred while processing security policy in the group policy objects.


@ -1,32 +0,0 @@
---
title: Audit Other Privilege Use Events
description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Other Privilege Use Events
This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985).
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------|
| Domain Controller | No | No | No | No | This auditing subcategory doesnt have any informative events inside. |
| Member Server | No | No | No | No | This auditing subcategory doesnt have any informative events inside. |
| Workstation | No | No | No | No | This auditing subcategory doesnt have any informative events inside. |
**Events List:**
- [4985](event-4985.md)(S): The state of a transaction has changed.
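Review bot: event 4985 is listed here and also on the Audit Non-Sensitive Privilege Use page earlier in this commit ("[4985](event-4985.md)(S): The state of a transaction has changed."), and the sentence "for some reason Success auditing will enable the generation of event 4985" leaves the reader without an explanation. If either page is re-homed, state plainly that 4985 is produced under both subcategories and drop the "for some reason" wording.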


@ -1,89 +0,0 @@
---
title: Audit Other System Events
description: The Advanced Security Audit policy setting, Audit Other System Events, determines if the operating system audits various system events.
ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Other System Events
Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures.
Audit Other System Events determines whether the operating system audits various system events.
The system events in this category include:
- Startup and shutdown of the Windows Firewall service and driver.
- Security policy processing by the Windows Firewall service.
- Cryptography key file and migration operations.
- BranchCache events.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
| Member Server | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
| Workstation | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
**Events List:**
- [5024](event-5024.md)(S): The Windows Firewall Service has started successfully.
- [5025](event-5025.md)(S): The Windows Firewall Service has been stopped.
- [5027](event-5027.md)(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
- [5028](event-5028.md)(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
- [5029](event-5029.md)(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
- [5030](event-5030.md)(F): The Windows Firewall Service failed to start.
- [5032](event-5032.md)(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
- [5033](event-5033.md)(S): The Windows Firewall Driver has started successfully.
- [5034](event-5034.md)(S): The Windows Firewall Driver was stopped.
- [5035](event-5035.md)(F): The Windows Firewall Driver failed to start.
- [5037](event-5037.md)(F): The Windows Firewall Driver detected critical runtime error. Terminating.
- [5058](event-5058.md)(S, F): Key file operation.
- [5059](event-5059.md)(S, F): Key migration operation.
- [6400](event-6400.md)(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
- [6401](event-6401.md)(-): BranchCache: Received invalid data from a peer. Data discarded.
- [6402](event-6402.md)(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
- [6403](event-6403.md)(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
- [6404](event-6404.md)(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
- [6405](event-6405.md)(-): BranchCache: %2 instance(s) of event id %1 occurred.
- [6406](event-6406.md)(-): %1 registered to Windows Firewall to control filtering for the following: %2
- [6407](event-6407.md)(-): 1%
- [6408](event-6408.md)(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2
- [6409](event-6408.md)(-): BranchCache: A service connection point object could not be parsed.
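Review bot: the final entry links event 6409 to the 6408 page, "[6409](event-6408.md)(-): BranchCache: A service connection point object could not be parsed.", and entry 6407 reads only "1%", an unexpanded message template; the first two paragraphs also state the same thing twice ("Audit Other System Events contains Windows Firewall Service ..." and "Audit Other System Events determines whether ..."). Wherever this content moves, point the 6409 entry at its own page instead of event-6408.md, restore the 6407 message text, and keep a single intro paragraph.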


@ -1,47 +0,0 @@
---
title: Audit PNP Activity
description: The advanced security audit policy setting, Audit PNP Activity, determines when plug and play detects an external device.
ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit PNP Activity
Audit PNP Activity determines when Plug and Play detects an external device.
A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.
**Event volume**: Varies, depending on how the computer is used. Typically Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [6416](event-6416.md)(S): A new external device was recognized by the System
- [6419](event-6419.md)(S): A request was made to disable a device
- [6420](event-6420.md)(S): A device was disabled.
- [6421](event-6421.md)(S): A request was made to enable a device.
- [6422](event-6422.md)(S): A device was enabled.
- [6423](event-6423.md)(S): The installation of this device is forbidden by system policy.
- [6424](event-6424.md)(S): The installation of this device was allowed, after having previously been forbidden by policy.
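Review bot: this hunk removes the Audit PNP Activity article outright (`-1,47 +0,0`) and no replacement or redirect is visible in the diff; the page is the only place this subcategory's 6416 to 6424 events are enumerated together with the per-role recommendation, so please confirm a redirect entry exists elsewhere in the PR so inbound links to it do not 404.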

View File

@ -1,39 +0,0 @@
---
title: Audit Process Creation
description: The Advanced Security Audit policy setting, Audit Process Creation, determines if audit events are generated when a process is created (starts).
ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 03/16/2022
ms.topic: reference
---
# Audit Process Creation
Audit Process Creation determines whether the operating system generates audit events when a process is created (starts).
These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process.
**Event volume**: Medium to High, depending on the process activity on the computer.
This subcategory allows you to audit events generated when a process is created or starts. The name of the application and user that created the process is also audited.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4688](event-4688.md)(S): A new process has been created.
- [4696](event-4696.md)(S): A primary token was assigned to process.
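Review bot: the Comments column in all three rows says Success auditing lets you find "with which options\\parameters" a process ran, but event 4688 only carries the command line when the separate "Include command line in process creation events" policy is also enabled; if this text is re-homed, that dependency should be stated next to the recommendation, because detection built on a 4688 field that is empty by default is a common blind spot.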

View File

@ -1,37 +0,0 @@
---
title: Audit Process Termination
description: The Advanced Security Audit policy setting, Audit Process Termination, determines if audit events are generated when an attempt is made to end a process.
ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Process Termination
Audit Process Termination determines whether the operating system generates audit events when process has exited.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
This policy setting can help you track user activity and understand how the computer is used.
**Event volume**: Low to Medium, depending on system usage.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4689](event-4689.md)(S): A process has exited.

View File

@ -1,52 +0,0 @@
---
title: Audit Registry
description: The Advanced Security Audit policy setting, Audit Registry, determines if audit events are generated when users attempt to access registry objects.
ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 01/05/2021
ms.topic: reference
---
# Audit Registry
Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL.
**Event volume**: Low to Medium, depending on how registry SACLs are configured.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](/windows/win32/secauthz/access-control-lists)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](/windows/win32/secauthz/access-control-lists)s. Otherwise the auditing log will be overloaded with useless information.<br>Failure events can show you unsuccessful attempts to access specific registry objects.<br>Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. |
| Member Server | IF | IF | IF | IF | |
| Workstation | IF | IF | IF | IF | |
**Events List:**
- [4663](event-4663.md)(S): An attempt was made to access an object.
- [4656](event-4656.md)(S, F): A handle to an object was requested.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4660](event-4660.md)(S): An object was deleted.
- [4657](event-4657.md)(S): A registry value was modified.
- [5039](event-5039.md)(-): A registry key was virtualized.
- [4670](event-4670.md)(S): Permissions on an object were changed.
> [!NOTE]
> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". This behavior is expected only on later versions of the operating system (Windows 11, Windows Server 2022, and later). On previous versions, 4656 events are not generated during subkey creation.
>
> Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
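Review bot: the `[!NOTE]` block at the end of this hunk is the only statement that 4656 on subkey creation appears under the basic "Audit Object Access" policy but not under the Audit Registry subcategory enabled with `auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030}`, and only on Windows 11 / Windows Server 2022 and later. Deleting the file drops that version-dependent caveat; please make sure it is carried to wherever this content lands, since rules that detect registry key creation from 4656 depend on it.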

View File

@ -1,34 +0,0 @@
---
title: Audit Removable Storage
description: The Advanced Security Audit policy setting, Audit Removable Storage, determines when there is a read or a write to a removable drive.
ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Removable Storage
Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on objects [SACL](/windows/win32/secauthz/access-control-lists).
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | This subcategory will help identify when and which files or folders were accessed or modified on removable devices.<br>It is often useful to track actions with removable storage devices and the files or folders on them, because malicious software very often uses removable devices as a method to get into the system. At the same time, you will be able to track which files were written or executed from a removable storage device.<br>You can track, for example, actions with files or folders on USB flash drives or sticks that were inserted into domain controllers or high value servers, which is typically not allowed. <br>We recommend Failure auditing to track failed access attempts. |
| Member Server | Yes | Yes | Yes | Yes | |
| Workstation | Yes | Yes | Yes | Yes | |
**Events List:**
- [4656](event-4656.md)(S, F): A handle to an object was requested.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4663](event-4663.md)(S): An attempt was made to access an object.

View File

@ -1,31 +0,0 @@
---
title: Audit RPC Events
description: Audit RPC Events is an audit policy setting that determines if audit events are generated when inbound remote procedure call (RPC) connections are made.
ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit RPC Events
Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------|
| Domain Controller | No | No | No | No | Events in this subcategory occur rarely. |
| Member Server | No | No | No | No | Events in this subcategory occur rarely. |
| Workstation | No | No | No | No | Events in this subcategory occur rarely. |
**Events List:**
- [5712](event-5712.md)(S): A Remote Procedure Call (RPC) was attempted.

View File

@ -1,52 +0,0 @@
---
title: Audit SAM
description: The Advanced Security Audit policy setting, Audit SAM, enables you to audit events generated by attempts to access Security Account Manager (SAM) objects.
ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit SAM
Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))) objects.
The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.
- SAM objects include the following:
- SAM\_ALIAS: A local group
- SAM\_GROUP: A group that is not a local group
- SAM\_USER: A user account
- SAM\_DOMAIN: A domain
- SAM\_SERVER: A computer account
If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.
Only a [SACL](/windows/win32/secauthz/access-control-lists) for SAM\_SERVER can be modified.
Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.
**Event volume**: High on domain controllers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
**Events List:**
- [4661](event-4661.md)(S, F): A handle to an object was requested.

View File

@ -1,102 +0,0 @@
---
title: Audit Security Group Management
description: The policy setting, Audit Security Group Management, determines if audit events are generated when specific security group management tasks are performed.
ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Security Group Management
Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.
**Event volume**: Low.
This subcategory allows you to audit events generated by changes to security groups such as the following:
- Security group is created, changed, or deleted.
- Member is added or removed from a security group.
- Group type is changed.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4731](event-4731.md)(S): A security-enabled local group was created.
- [4732](event-4732.md)(S): A member was added to a security-enabled local group.
- [4733](event-4733.md)(S): A member was removed from a security-enabled local group.
- [4734](event-4734.md)(S): A security-enabled local group was deleted.
- [4735](event-4735.md)(S): A security-enabled local group was changed.
- [4764](event-4764.md)(S): A groups type was changed.
- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.
- 4727(S): A security-enabled global group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4727(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
- 4737(S): A security-enabled global group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4737(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
- 4728(S): A member was added to a security-enabled global group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4728(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
- 4729(S): A member was removed from a security-enabled global group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4729(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
- 4730(S): A security-enabled global group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4730(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
- 4754(S): A security-enabled universal group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4755 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
- 4756(S): A member was added to a security-enabled universal group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4756(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
- 4757(S): A member was removed from a security-enabled universal group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
> [!IMPORTANT]
> Event 4757(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
- 4758(S): A security-enabled universal group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
>[!IMPORTANT]
> Event 4758(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.

View File

@ -1,40 +0,0 @@
---
title: Audit Security State Change
description: The policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Security State Change
Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4608](event-4608.md)(S): Windows is starting up.
- [4616](event-4616.md)(S): The system time was changed.
- [4621](event-4621.md)(S): Administrator recovered system from CrashOnAuditFail.
>[!NOTE]
>Event **4609(S): Windows is shutting down** doesn't currently generate. It is a defined event, but it is never invoked by the operating system.
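Review bot: the `[!NOTE]` stating that 4609 (Windows is shutting down) is defined but never generated is a correctness fact worth preserving; removing this page removes the only place it is documented, and monitoring rules that wait for 4609 to detect a shutdown would silently never fire. Confirm the note survives in the replacement content.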

View File

@ -1,49 +0,0 @@
---
title: Audit Security System Extension
description: The Advanced Security Audit policy setting, Audit Security System Extension, determines if audit events related to security system extensions are generated.
ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Security System Extension
Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events.
Changes to security system extensions in the operating system include the following activities:
- Security extension code is loaded (for example, an authentication, notification, or security package). Security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM.
- A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.
Attempts to install or load security system extensions or services are critical system events that could indicate a security breach.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4610](event-4610.md)(S): An authentication package has been loaded by the Local Security Authority.
- [4611](event-4611.md)(S): A trusted logon process has been registered with the Local Security Authority.
- [4614](event-4614.md)(S): A notification package has been loaded by the Security Account Manager.
- [4622](event-4622.md)(S): A security package has been loaded by the Local Security Authority.
- [4697](event-4697.md)(S): A service was installed in the system.
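Review bot: the Comments column of this page carries operational guidance that the five linked event pages (event-4610.md, event-4611.md, event-4614.md, event-4622.md, event-4697.md) do not repeat, namely that 4697 is the main reason to enable Success auditing, that loaded security packages should be compared against an allowlist, and that 4611 normally shows SYSTEM in the Subject field; confirm that guidance is preserved at the redirect target before this removal lands, since deleting the page without a redirect drops it entirely.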

View File

@ -1,71 +0,0 @@
---
title: Audit Sensitive Privilege Use
description: The policy setting, Audit Sensitive Privilege Use, determines if the operating system generates audit events when sensitive privileges (user rights) are used.
ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Sensitive Privilege Use
Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges:
- Act as part of the operating system
- Back up files and directories
- Restore files and directories
- Create a token object
- Debug programs
- Enable computer and user accounts to be trusted for delegation
- Generate security audits
- Impersonate a client after authentication
- Load and unload device drivers
- Manage auditing and security log
- Modify firmware environment values
- Replace a process-level token
- Take ownership of files or other objects
The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “[Audit: Audit the use of Backup and Restore privilege](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852206(v=ws.11))” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded.
This subcategory also contains informational events from the file system Transaction Manager.
If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
| Member Server | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
| Workstation | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
**Events List:**
- [4673](event-4673.md)(S, F): A privileged service was called.
- [4674](event-4674.md)(S, F): An operation was attempted on a privileged object.
- [4985](event-4985.md)(S): The state of a transaction has changed.
>[!NOTE]
> The event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory also generates in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.
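Review bot: the note at the end of this page states that event 4985 is shared with the Audit File System subcategory and links audit-file-system.md; if audit-file-system.md is not removed in the same commit, its reciprocal reference to this page will dangle, so either delete both pages together or update the cross-reference in the surviving page.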

View File

@ -1,45 +0,0 @@
---
title: Audit Special Logon
description: The Advanced Security Audit policy setting, Audit Special Logon, determines if audit events are generated under special sign in (or logon) circumstances.
ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Special Logon
Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances.
This subcategory allows you to audit events generated by special logons such as the following:
- The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.
**Event volume**:
- Low on a client computer.
- Medium on a domain controllers or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4964](event-4964.md)(S): Special groups have been assigned to a new logon.
- [4672](event-4672.md)(S): Special privileges assigned to new logon.
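Review bot: the Comments column here is the only place that records that the Special Groups feature requires Success auditing of this subcategory, and it links the techcommunity article on configuring Special Groups via the registry; neither the requirement nor the link is present on the two linked event pages (event-4964.md, event-4672.md), so confirm it is carried to the redirect target rather than dropped with the page.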

View File

@ -1,68 +0,0 @@
---
title: Audit System Integrity
description: The policy setting, Audit System Integrity, determines if the operating system audits events that violate the integrity of the security subsystem.
ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit System Integrity
Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem.
Activities that violate the integrity of the security subsystem include the following:
- Audited events are lost due to a failure of the auditing system.
- A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.
- A remote procedure call (RPC) integrity violation is detected.
- A code integrity violation with an invalid hash value of an executable file is detected.
- Cryptographic tasks are performed.
Violations of security subsystem integrity are critical and could indicate a potential security attack.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. |
| Member Server | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. |
| Workstation | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. |
**Events List:**
- [4612](event-4612.md)(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
- [4615](event-4615.md)(S): Invalid use of LPC port.
- [4618](event-4618.md)(S): A monitored security event pattern has occurred.
- [4816](event-4816.md)(S): RPC detected an integrity violation while decrypting an incoming message.
- [5038](event-5038.md)(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
- [5056](event-5056.md)(S): A cryptographic self-test was performed.
- [5062](event-5062.md)(S): A kernel-mode cryptographic self-test was performed.
- [5057](event-5057.md)(F): A cryptographic primitive operation failed.
- [5060](event-5060.md)(F): Verification operation failed.
- [5061](event-5061.md)(S, F): Cryptographic operation.
- [6281](event-6281.md)(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
- [6410](event-6410.md)(F): Code integrity determined that a file does not meet the security requirements to load into a process.

View File

@ -1,29 +0,0 @@
---
title: Audit Token Right Adjusted
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token.
manager: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
ms.pagetype: security
ms.date: 12/31/2017
ms.topic: reference
---
# Audit Token Right Adjusted
Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
For more information, see [Security Monitoring: A Possible New Way to Detect Privilege Escalation](/archive/blogs/nathangau/security-monitoring-a-possible-new-way-to-detect-privilege-escalation).
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4703](event-4703.md)(S): A user right was adjusted.
**Event volume**: High.

View File

@ -1,83 +0,0 @@
---
title: Audit User Account Management
description: Audit User Account Management is an audit policy setting that determines if the operating system generates audit events when certain tasks are performed.
ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit User Account Management
Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed.
**Event volume**: Low.
This policy setting allows you to audit changes to user accounts. Events include the following:
- A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
- A user accounts password is set or changed.
- A security identifier (SID) is added to the SID History of a user account, or fails to be added.
- The Directory Services Restore Mode password is configured.
- Permissions on administrative user accounts are changed.
- A user's local group membership was enumerated.
- Credential Manager credentials are backed up or restored.
Some events in this subcategory, for example 4722, 4725, 4724, and 4781, are also generated for computer accounts.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | This subcategory contains many useful events for monitoring, especially for critical domain accounts, such as domain admins, service accounts, database admins, and so on.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for domain accounts, DSRM account password change failures, and failed SID History add attempts. |
| Member Server | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. |
| Workstation | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. |
**Events List:**
- [4720](event-4720.md)(S): A user account was created.
- [4722](event-4722.md)(S): A user account was enabled.
- [4723](event-4723.md)(S, F): An attempt was made to change an account's password.
- [4724](event-4724.md)(S, F): An attempt was made to reset an account's password.
- [4725](event-4725.md)(S): A user account was disabled.
- [4726](event-4726.md)(S): A user account was deleted.
- [4738](event-4738.md)(S): A user account was changed.
- [4740](event-4740.md)(S): A user account was locked out.
- [4765](event-4765.md)(S): SID History was added to an account.
- [4766](event-4766.md)(F): An attempt to add SID History to an account failed.
- [4767](event-4767.md)(S): A user account was unlocked.
- [4780](event-4780.md)(S): The ACL was set on accounts which are members of administrators groups.
- [4781](event-4781.md)(S): The name of an account was changed.
- [4794](event-4794.md)(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
- [4798](event-4798.md)(S): A user's local group membership was enumerated.
- [5376](event-5376.md)(S): Credential Manager credentials were backed up.
- [5377](event-5377.md)(S): Credential Manager credentials were restored from a backup.

View File

@ -1,41 +0,0 @@
---
title: Audit User/Device Claims
description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims.
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit User/Device Claims
Audit User/Device Claims allows you to audit user and device claims information in the accounts logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
***Important***: Enable the [Audit Logon](audit-logon.md) subcategory in order to get events from this subcategory.
**Event volume**:
- Low on a client computer.
- Medium on a domain controller or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4626](event-4626.md)(S): User/Device claims information.
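Review bot: the Important line states that this subcategory produces events only when the Audit Logon subcategory (audit-logon.md) is also enabled; that dependency is documented only on this page and not on event-4626.md, so if audit-logon.md survives the commit it should either gain a pointer to the replacement location or the dependency should be restated there, otherwise readers enabling User/Device Claims will not know why no 4626 events appear.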

View File

@ -1,51 +0,0 @@
---
title: Audit account logon events
description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Audit account logon events
Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
**Default**: Success
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Logon events | Description |
|--------------|--------------------------------------------------------------------------------------------------------------------------------------|
| 672 | An authentication service (AS) ticket was successfully issued and validated. |
| 673 | A ticket granting service (TGS) ticket was granted. |
| 674 | A security principal renewed an AS ticket or TGS ticket. |
| 675 | Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password. |
| 676 | Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family. |
| 677 | A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family. |
| 678 | An account was successfully mapped to a domain account. |
| 681 | Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family. |
| 682 | A user has reconnected to a disconnected terminal server session. |
| 683 | A user disconnected a terminal server session without logging off. |
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
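Review bot: the Related topics entry links basic-security-audit-policy-settings.md, the index page for the basic audit policy settings; if that index page is not removed or updated in the same commit, it will still list this page and link to a path that no longer exists, so check the index and any TOC entry for this page alongside the deletion.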

View File

@ -1,92 +0,0 @@
---
title: Audit account management
description: Determines whether to audit each event of account management on a device.
ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Audit account management
Determines whether to audit each event of account management on a device.
Examples of account management events include:
- A user account or group is created, changed, or deleted.
- A user account is renamed, disabled, or enabled.
- A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To
set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:**
- Success on domain controllers.
- No auditing on member servers.
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Account management events | Description |
| :-----------------------: | :---------- |
| 4720 | A user account was created. |
| 4723 | A user password was changed. |
| 4724 | A user password was set. |
| 4726 | A user account was deleted. |
| 4727 | A global group was created. |
| 4728 | A member was added to a global group. |
| 4729 | A member was removed from a global group. |
| 4730 | A global group was deleted. |
| 4731 | A new local group was created. |
| 4732 | A member was added to a local group. |
| 4733 | A member was removed from a local group. |
| 4734 | A local group was deleted. |
| 4735 | A local group account was changed. |
| 4737 | A global group account was changed. |
| 4738 | A user account was changed. |
| 4739 | A domain policy was modified. |
| 4740 | A user account was auto locked. |
| 4741 | A computer account was created. |
| 4742 | A computer account was changed. |
| 4743 | A computer account was deleted. |
| 4744 | A local security group with security disabled was created.<br> **Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks |
| 4745 | A local security group with security disabled was changed. |
| 4746 | A member was added to a security-disabled local security group. |
| 4747 | A member was removed from a security-disabled local security group. |
| 4748 | A security-disabled local group was deleted. |
| 4749 | A security-disabled global group was created. |
| 4750 | A security-disabled global group was changed. |
| 4751 | A member was added to a security-disabled global group. |
| 4752 | A member was removed from a security-disabled global group. |
| 4753 | A security-disabled global group was deleted. |
| 4754 | A security-enabled universal group was created. |
| 4755 | A security-enabled universal group was changed. |
| 4756 | A member was added to a security-enabled universal group. |
| 4757 | A member was removed from a security-enabled universal group. |
| 4758 | A security-enabled universal group was deleted. |
| 4759 | A security-disabled universal group was created. |
| 4760 | A security-disabled universal group was changed. |
| 4761 | A member was added to a security-disabled universal group. |
| 4762 | A member was removed from a security-disabled universal group. |
| 4763 | A security-disabled universal group was deleted. |
| 4764 | A group type was changed. |
| 4780 | Set the security descriptor of members of administrative groups. |
| 685 | Set the security descriptor of members of administrative groups.<br> **Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
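Review bot: the table removed here (rows 4720 through 4764 and 4780) describes account-management event IDs that current Windows releases still log, unlike the legacy 685 row at the end of the table; if this commit is meant to retire only pre-Vista content, those 47xx rows should be moved into the advanced audit policy pages rather than dropped. If the whole basic-audit family is being removed, a redirect for basic-audit-account-management.md is still needed, because it is linked from the basic-security-audit-policy-settings.md hub page that is also deleted later in this diff.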


@ -1,47 +0,0 @@
---
title: Basic audit directory service access
description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Audit directory service access
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers where it has no meaning.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to **No auditing,** in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
> **Note:**  You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.
**Default:**
- Success on domain controllers.
- Undefined for a member server.
## Configure this audit setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
There is only one directory service access event, which is identical to the Object Access security event message 566.
| Directory service access events | Description |
|---------------------------------|----------------------------------------|
| 566 | A generic object operation took place. |
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)


@ -1,66 +0,0 @@
---
title: Audit logon events
description: Determines whether to audit each instance of a user logging on to or logging off from a device.
ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.collection:
- highpri
- tier3
ms.topic: reference
ms.date: 09/06/2021
---
# Audit logon events
Determines whether to audit each instance of a user logging on to or logging off from a device.
Account logon events are generated on domain controllers for domain account activity and on local devices for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more info about account logon events, see [Audit account logon events](basic-audit-account-logon-events.md).
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
For information about advanced security policy settings for logon events, see the [Logon/logoff](advanced-security-audit-policy-settings.md#logonlogoff) section in [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Logon events | Description |
| - | - |
| 4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
| 4634 | The logoff process was completed for a user. |
| 4647 | A user initiated the logoff process. |
| 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
| 4779 | A user disconnected a terminal server session without logging off. |
When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also listed in the event log. The following table describes each logon type.
| Logon type | Logon title | Description |
| - | - | - |
| 2 | Interactive | A user logged on to this computer.|
| 3 | Network | A user or computer logged on to this computer from the network.|
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.|
| 5 | Service | A service was started by the Service Control Manager.|
| 7 | Unlock | This workstation was unlocked.|
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.|
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
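Review bot: the cross-link in the "For information about advanced security policy settings for logon events" sentence targets advanced-security-audit-policy-settings.md#logonlogoff, a page that does not appear among the files changed in this diff; check that page, and the other surviving advanced audit pages, for links back to basic-audit-logon-events.md and the other basic-audit-*.md files deleted here, and add redirects, otherwise the docs build will report broken links. The logon-type table (types 2 through 11) explains the LogonType field of event 4624, which is a current event rather than a legacy one, so carrying that table over to the advanced page is worth considering instead of deleting it.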


@ -1,85 +0,0 @@
---
title: Audit object access
description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified.
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Audit object access
Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
> [!NOTE]
> You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box.
**Default:** No auditing.
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Object access events | Description |
|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 560 | Access was granted to an already existing object. |
| 562 | A handle to an object was closed. |
| 563 | An attempt was made to open an object with the intent to delete it.<br>**Note:** This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile(). |
| 564 | A protected object was deleted. |
| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used.<br>**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
| 568 | An attempt was made to create a hard link to a file that is being audited. |
| 569 | The resource manager in Authorization Manager attempted to create a client context. |
| 570 | A client attempted to access an object.<br>**Note:** An event will be generated for every attempted operation on the object. |
| 571 | The client context was deleted by the Authorization Manager application. |
| 572 | The administrator manager initialized the application. |
| 772 | The certificate manager denied a pending certificate request. |
| 773 | Certificate Services received a resubmitted certificate request. |
| 774 | Certificate Services revoked a certificate. |
| 775 | Certificate Services received a request to publish the certificate revocation list (CRL). |
| 776 | Certificate Services published the certificate revocation list (CRL). |
| 777 | A certificate request extension was made. |
| 778 | One or more certificate request attributes changed. |
| 779 | Certificate Services received a request to shutdown. |
| 780 | Certificate Services backup started. |
| 781 | Certificate Services backup completed |
| 782 | Certificate Services restore started. |
| 783 | Certificate Services restore completed. |
| 784 | Certificate Services started. |
| 785 | Certificate Services stopped. |
| 786 | The security permissions for Certificate Services changed. |
| 787 | Certificate Services retrieved an archived key. |
| 788 | Certificate Services imported a certificate into its database. |
| 789 | The audit filter for Certificate Services changed. |
| 790 | Certificate Services received a certificate request. |
| 791 | Certificate Services approved a certificate request and issued a certificate. |
| 792 | Certificate Services denied a certificate request. |
| 793 | Certificate Services set the status of a certificate request to pending. |
| 794 | The certificate manager settings for Certificate Services changed. |
| 795 | A configuration entry changed in Certificate Services. |
| 796 | A property of Certificate Services changed. |
| 797 | Certificate Services archived a key. |
| 798 | Certificate Services imported and archived a key. |
| 799 | Certificate Services published the CA certificate to Active Directory. |
| 800 | One or more rows have been deleted from the certificate database. |
| 801 | Role separation enabled. |
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)


@ -1,64 +0,0 @@
---
title: Audit policy change
description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Audit policy change
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
**Default:**
- Success on domain controllers.
- No auditing on member servers.
## Configure this audit setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Policy change events | Description |
| - | - |
| 608 | A user right was assigned.|
| 609 | A user right was removed. |
| 610 | A trust relationship with another domain was created.|
| 611 | A trust relationship with another domain was removed.|
| 612 | An audit policy was changed.|
| 613 | An Internet Protocol security (IPSec) policy agent started.|
| 614 | An IPSec policy agent was disabled. |
| 615 | An IPSec policy agent changed. |
| 616 | An IPSec policy agent encountered a potentially serious failure.|
| 617 | A Kerberos policy changed. |
| 618 | Encrypted Data Recovery policy changed.|
| 620 | A trust relationship with another domain was modified.|
| 621 | System access was granted to an account. |
| 622 | System access was removed from an account.|
| 623 | Per user auditing policy was set for a user.|
| 625 | Per user audit policy was refreshed. |
| 768 | A collision was detected between a namespace element in one forest and a namespace element in another forest.<br>**Note**  When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'.|
| 769 | Trusted forest information was added.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
| 770 | Trusted forest information was deleted.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
| 771 | Trusted forest information was modified.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
| 805 | The event log service read the security log configuration for a session.
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)


@ -1,53 +0,0 @@
---
title: Audit privilege use
description: Determines whether to audit each instance of a user exercising a user right.
ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Audit privilege use
Determines whether to audit each instance of a user exercising a user right.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits generate an audit entry when the exercise of a user right fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:** No auditing.
Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for **Audit privilege use**. Enabling auditing of these user rights tend to generate many events in the security log which may impede your computer's performance. To audit the following user rights, enable the **FullPrivilegeAuditing** registry key.
- Bypass traverse checking
- Debug programs
- Create a token object
- Replace process level token
- Generate security audits
- Back up files and directories
- Restore files and directories
## Configure this audit setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Privilege use events | Description |
| - | - |
| 576 | Specified privileges were added to a user's access token.<br>**Note:**  This event is generated when the user logs on.|
| 577 | A user attempted to perform a privileged system service operation. |
| 578 | Privileges were used on an already open handle to a protected object. |
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
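Review bot: the FullPrivilegeAuditing paragraph and the list of seven user rights that are never audited unless that registry key is enabled is operational guidance that is independent of the legacy 576 through 578 event IDs in the table; confirm the same guidance exists in the advanced audit policy content before this page is removed, and if it does not, move that paragraph rather than delete it.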


@ -1,51 +0,0 @@
---
title: Audit process tracking
description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Audit process tracking
Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits generate an audit entry when the process being tracked fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:** No auditing.
## Configure this security setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Process tracking events | Description |
| - | - |
| 592 | A new process was created.|
| 593 | A process exited. |
| 594 | A handle to an object was duplicated.|
| 595 | Indirect access to an object was obtained.|
| 596 | A data protection master key was backed up.<br>**Note:** The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.|
| 597 | A data protection master key was recovered from a recovery server.|
| 598 | Auditable data was protected. |
| 599 | Auditable data was unprotected.|
| 600 | A process was assigned a primary token.|
| 601 | A user attempted to install a service. |
| 602 | A scheduler job was created. |
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)


@ -1,52 +0,0 @@
---
title: Audit system events
description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Audit system events
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
**Default:**
- Success on domain controllers.
- No auditing on member servers.
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Logon events | Description |
| - | - |
| 512 | Windows is starting up. |
| 513 | Windows is shutting down. |
| 514 | An authentication package was loaded by the Local Security Authority.|
| 515 | A trusted logon process has registered with the Local Security Authority.|
| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.|
| 517 | The audit log was cleared. |
| 518 | A notification package was loaded by the Security Accounts Manager.|
| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.|
| 520 | The system time was changed.<br>**Note:**  This audit normally appears twice.|
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
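Review bot: if any of this text is reused elsewhere rather than dropped, fix its copy-paste defects first: the "If you define this policy setting" paragraph says success and failure audits are generated for "a logon attempt", which is the wording from the logon-events page and is wrong for system events such as 512, 513 and 517, and the table header reads "Logon events" where it should read "System events".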
 
 


@ -1,46 +0,0 @@
---
title: Basic security audit policies
description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization.
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Basic security audit policies
Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.
The event categories that you can choose to audit are:
- Audit account logon events
- Audit account management
- Audit directory service access
- Audit logon events
- Audit object access
- Audit policy change
- Audit privilege use
- Audit process tracking
- Audit system events
If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category, for auditing objects on a domain controller, or the audit object access category, for auditing objects on a member server or workstation. After you enable the object access category, you can specify the types of access you want to audit for each group or user.
## In this section
| Article | Description |
| - | - |
| [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md) | By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. |
| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful or failed access attempts in the security log. |
| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.|
| [Basic security audit policy settings](basic-security-audit-policy-settings.md) | Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.|
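Review bot: the "In this section" table links to apply-a-basic-audit-policy-on-a-file-or-folder.md and view-the-security-event-log.md, neither of which appears among the files shown deleted in this part of the diff; confirm they are removed too, or that another TOC entry still reaches them, otherwise they become orphaned pages with no navigation path. The remaining two links, basic-security-audit-policy-settings.md and create-a-basic-audit-policy-settings-for-an-event-category.md, are deleted in the hunks that follow, so this hub page and its children need matching redirect entries.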


@ -1,41 +0,0 @@
---
title: Basic security audit policy settings
description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Basic security audit policy settings
Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
## In this section
| Topic | Description |
| - | - |
| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.|
| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.|
| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.|
| [Audit logon events](basic-audit-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from a device. |
| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.|
| [Audit policy change](basic-audit-policy-change.md) | Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. |
| [Audit privilege use](basic-audit-privilege-use.md) | Determines whether to audit each instance of a user exercising a user right. |
| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.|
| [Audit system events](basic-audit-system-events.md) | Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. |
## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
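Review bot: Removing this page leaves the nine child topics linked in the "In this section" table and the `advanced-security-audit-policy-settings.md` link under "Related topics" without their parent, and no redirect for `basic-security-audit-policy-settings.md` appears in this hunk. If the content is being relocated rather than dropped, add the redirect entry so existing inbound links keep resolving; if it is being dropped, the child topics' own navigation back to this page will need updating in the same change.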

View File

@ -1,54 +0,0 @@
---
title: Create a basic audit policy for an event category
description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization.
ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/07/2021
---
# Create a basic audit policy for an event category
By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default.
To complete this procedure, you must be logged on as a member of the built-in Administrators group.
**To define or modify auditing policy settings for an event category for your local computer**
1. Open the Local Security Policy snap-in (secpol.msc), and then click **Local Policies**.
2. Click **Audit Policy**.
3. In the results pane, double-click an event category that you want to change the auditing policy settings for.
4. Do one or both of the following, and then click **OK.**
- To audit successful attempts, select the **Success** check box.
- To audit unsuccessful attempts, select the **Failure** check box.
To complete this procedure, you must be logged on as a member of the Domain Admins group.
**To define or modify auditing policy settings for an event category for a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain**
1. Open the Group Policy Management Console (GPMC).
2. In the console tree, double-click **Group Policy objects** in the forest and domain containing the **Default Domain Policy** Group Policy object (GPO) that you want to edit.
3. Right-click the **Default Domain Policy** GPO, and then click **Edit**.
4. In the GPMC, go to **Computer Configuration**, **Windows Settings**, **Security Settings**, and then click **Audit Policy**.
5. In the results pane, double-click an event category that you want to change the auditing policy settings for.
6. If you are defining auditing policy settings for this event category for the first time, select the **Define these policy settings** check box.
7. Do one or both of the following, and then click **OK.**
- To audit successful attempts, select the **Success** check box.
- To audit unsuccessful attempts, select the **Failure** check box.
## Additional considerations
- To audit object access, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object.
- After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view these events.
- The default auditing policy setting for domain controllers is **No Auditing**. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting.
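Review bot: The page contradicts itself on domain controllers: the introduction states "On domain controllers, auditing is turned on by default." while the last bullet under "Additional considerations" states "The default auditing policy setting for domain controllers is **No Auditing**." One of the two is wrong, and since the second procedure edits the **Default Domain Policy** GPO, a reader following it will not know whether the resulting policy reaches domain controllers at all. If this text is being carried over to its new location, reconcile the two statements and name the GPO that actually governs domain controllers.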

View File

@ -1,74 +0,0 @@
---
title: 1100(S) The event logging service has shut down.
description: Describes security event 1100(S) The event logging service has shut down.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 1100(S): The event logging service has shut down.
<img src="images/event-1100.png" alt="Event 1100 illustration" width="449" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Other Events](other-events.md)
***Event Description:***
This event generates every time Windows Event Log service has shut down.
It also generates during normal system shutdown.
This event doesnt generate during emergency system reset.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1100</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>103</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-15T07:02:20.010585400Z" />
<EventRecordID>1048124</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
<ServiceShutdown xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog" />
</UserData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
For 1100(S): The event logging service has shut down.
- With this event, you can track system shutdowns and restarts.
- This event also can be a sign of malicious action when someone tried to shut down the Log Service to cover his or her activity.
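Review bot: The two monitoring bullets give no way to tell the benign case from the suspicious one. A 1100 written during a normal shutdown is followed by 4608 ("Windows is starting up") at the next boot, whereas a 1100 with no shutdown and no subsequent 4608 means the Event Log service was stopped on a running system, which is the case the second bullet warns about; suggest stating that distinction. Also, "This event doesnt generate" is missing its apostrophe, and "emergency system reset" is not defined anywhere on the page.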

View File

@ -1,99 +0,0 @@
---
title: 1102(S) The audit log was cleared.
description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S).
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 1102(S): The audit log was cleared.
<img src="images/event-1102.png" alt="Event 1102 illustration" width="449" height="336" hspace="10" align="left" />
***Subcategory:***&nbsp;[Other Events](other-events.md)
***Event Description:***
This event generates every time Windows Security audit log was cleared.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-16T00:39:58.656871200Z" />
<EventRecordID>1087729</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="2644" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
- <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<SubjectUserSid>S-1-5-21-3457937927-2839227994-823803824-1104</SubjectUserSid>
<SubjectUserName>dadmin</SubjectUserName>
<SubjectDomainName>CONTOSO</SubjectDomainName>
<SubjectLogonId>0x55cd1d</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that cleared the system security audit log. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that cleared the system security audit log.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
## Security Monitoring Recommendations
For 1102(S): The audit log was cleared.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Typically you should not see this event. There is no need to manually clear the Security event log in most cases. We recommend monitoring this event and investigating why this action was performed.
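Review bot: The two links to the security identifiers topic point at different paths: `/windows/access-protection/access-control/security-identifiers` in the SID note and `/windows/security/identity-protection/access-control/security-identifiers` in the well-known principals bullet. Pick one target. The monitoring bullet could also make use of the fields the page already documents: the Subject fields identify who cleared the log, and the **Logon ID** can be tied to the preceding 4624 to see where that session came from, which is what an investigator needs when this event appears.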

View File

@ -1,67 +0,0 @@
---
title: 1104(S) The security log is now full.
description: This event generates every time Windows security log becomes full and the event log retention method is set to Do not overwrite events.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 1104(S): The security log is now full.
<img src="images/event-1104.png" alt="Event 1104 illustration" width="449" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Other Events](other-events.md)
***Event Description:***
This event generates every time Windows security log becomes full.
This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Do not overwrite events (Clear logs manually)](/previous-versions/windows/it-pro/windows-server-2003/cc778402(v=ws.10))”.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1104</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>101</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-15T23:36:50.479431200Z" />
<EventRecordID>1087728</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="4224" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
<FileIsFull xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog" />
</UserData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
- If the Security event log retention method is set to “[Do not overwrite events (Clear logs manually)](/previous-versions/windows/it-pro/windows-server-2003/cc778402(v=ws.10))”, then this event will indicate that log file is full and you need to perform immediate actions, for example, archive the log or clear it.

View File

@ -1,98 +0,0 @@
---
title: 1105(S) Event log automatic backup.
description: This event generates every time Windows security log becomes full and new event log file was created.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 1105(S): Event log automatic backup
<img src="images/event-1105.png" alt="Event 1105 illustration" width="572" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Other Events](other-events.md)
***Event Description:***
This event generates every time Windows security log becomes full and new event log file was created.
This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Archive the log when full, do not overwrite events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc721981(v=ws.11))”.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1105</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>105</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-16T00:50:12.715302700Z" />
<EventRecordID>1128551</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="3660" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
- <AutoBackup xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<Channel>Security</Channel>
<BackupPath>C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2015-10-16-00-50-12-621.evtx</BackupPath>
</AutoBackup>
</UserData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Log** \[Type = UnicodeString\]: the name of the log that was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
**File**: \[Type = FILETIME\]: full path and filename of archived log file.
The format of archived log file name is: “Archive-LOG\_FILE\_NAME-YYYY-MM-DD-hh-mm-ss-nnn.evtx”. Where:
- LOG\_FILE\_NAME the name of archived file.
- Y years.
- M months.
- D days.
- h hours.
- m minutes.
- s seconds.
- n fractional seconds.
The time in this event is always in ***GMT+0/UTC+0*** time zone.
## Security Monitoring Recommendations
For 1105(S): Event log automatic backup.
- Typically its an informational event and no actions are needed. But if your baseline settings are not set to [Archive the log when full, do not overwrite events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc721981(v=ws.11)), then this event will be a sign that some settings are not set to baseline settings or were changed.
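Review bot: The field description "**File**: \[Type = FILETIME\]" does not match the payload: the XML carries `<BackupPath>` as a full path string (`C:\Windows\System32\Winevt\Logs\Archive-Security-...evtx`), so the type should be UnicodeString, and the separating colon after **File** is inconsistent with the **Log** line above it. In the recommendation, "Typically its an informational event" should read "it's". The statement that the timestamp in the file name is always UTC is useful and should survive any move of this content, since it differs from the local-time display in Event Viewer.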

View File

@ -1,83 +0,0 @@
---
title: The event logging service encountered an error
description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
<img src="images/event-1108.png" alt="Event 1108 illustration" width="613" height="429" hspace="10" align="left" />
***Subcategory:***&nbsp;[Other Events](other-events.md)
***Event Description:***
This event generates when event logging service encountered an error while processing an incoming event.
It typically generates when logging service will not be able to correctly write the event to the event log or some parameters were not passed to logging service to log the event correctly. You will typically see a defective or incorrect event before 1108.
For example, event 1108 might be generated after an incorrect [4703](event-4703.md) event:
<img src="images/event-4703-partial.png" alt="Event 4703, partial illustration" width="438" height="588" hspace="10" align="left" />
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1108</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>101</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T20:59:47.431979300Z" />
<EventRecordID>5599</EventRecordID>
<Correlation />
<Execution ProcessID="972" ThreadID="1320" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <UserData>
- <EventProcessingFailure xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<Error Code="15005" />
<EventID>0</EventID>
<PublisherID>Microsoft-Windows-Security-Auditing</PublisherID>
</EventProcessingFailure>
</UserData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
***Event Versions:*** 0.
***Field Descriptions:***
**%1** \[Type = UnicodeString\]: the name of [security event source](/windows/win32/eventlog/event-sources) from which event was received for processing. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example:
<img src="images/subkeys-under-security-key.png" alt="Subkeys under Security key illustration" width="236" height="246" />
## Security Monitoring Recommendations
For 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
- We recommend monitoring for all events of this type and checking what the cause of the error was.
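Review bot: The field descriptions cover only `%1`, but the `EventProcessingFailure` payload shown in the XML also carries `Error Code` (15005 in the sample), `EventID` and `PublisherID`, none of which are documented. Since the recommendation is to check "what the cause of the error was", the error code is the field a reader needs first; suggest adding descriptions for those three fields, at least noting that `PublisherID` is the source named by `%1` and `Error Code` is the Win32 error returned while processing the event.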

View File

@ -1,69 +0,0 @@
---
title: 4608(S) Windows is starting up.
description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4608(S): Windows is starting up.
<img src="images/event-4608.png" alt="Event 4608 illustration" width="449" height="317" hspace="10" align="top" />
***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md)
***Event Description:***
This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized.
It typically generates during operating system startup process.
> [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4608</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12288</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-09T05:25:38.222242500Z" />
<EventRecordID>1101704</EventRecordID>
<Correlation />
<Execution ProcessID="508" ThreadID="512" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData />
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
For 4608(S): Windows is starting up.
- With this event, you can track system startup events.

View File

@ -1,77 +0,0 @@
---
title: 4610(S) An authentication package has been loaded by the Local Security Authority.
description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4610(S): An authentication package has been loaded by the Local Security Authority.
<img src="images/event-4610.png" alt="Event 4610 illustration" width="656" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
***Event Description:***
This event generates every time [Authentication Package](/windows/win32/secauthn/authentication-packages) has been loaded by the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)).
Each time the system starts, the LSA loads the Authentication Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages** registry value and performs the initialization sequence for every package located in these DLLs.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4610</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12289</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-14T03:36:41.391489300Z" />
<EventRecordID>1048138</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="AuthenticationPackageName">C:\\Windows\\system32\\msv1\_0.DLL : MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Authentication Package Name** \[Type = UnicodeString\]**:** the name of loaded [Authentication Package](/windows/win32/secauthn/authentication-packages). The format is: DLL\_PATH\_AND\_NAME: AUTHENTICATION\_PACKAGE\_NAME.
By default the only one Authentication Package loaded by Windows 10 is “[MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0](/windows/win32/secauthn/msv1-0-authentication-package)”.
## Security Monitoring Recommendations
For 4610(S): An authentication package has been loaded by the Local Security Authority.
- Report all “**Authentication Package Name**” not equals “C:\\Windows\\system32\\msv1\_0.DLL : MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0”, because by default this is the only Authentication Package loaded by Windows 10.
- Typically this event has an informational purpose. If you have a pre-defined list of allowed Authentication Packages in the system, then you can check whether “**Authentication Package Name”** is in your defined list.
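Review bot: The first recommendation compares **Authentication Package Name** against the literal "C:\Windows\system32\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0". The value is built from the DLL path, so on a system with a different system drive or directory, or with different casing of `system32`, a byte-for-byte comparison will flag the default package as an anomaly. Suggest wording the check as a case-insensitive match on the DLL file name and the package name after the colon, or on a `%SystemRoot%`-relative path, which is also the form an allow list from the second bullet should take. "By default the only one Authentication Package" should read "the only Authentication Package".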

View File

@ -1,109 +0,0 @@
---
title: 4611(S) A trusted logon process has been registered with the Local Security Authority.
description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4611(S): A trusted logon process has been registered with the Local Security Authority.
<img src="images/event-4611.png" alt="Event 4611 illustration" width="449" height="393" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
***Event Description:***
This event indicates that a logon process has registered with the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)). Also, logon requests will now be accepted from this source.
At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates.
A logon process is a trusted part of the operating system that handles the overall logon function for different logon methods (network, interactive, etc.).
You typically see these events during operating system startup or user logon and authentication actions.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4611</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12289</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-14T03:43:29.604031000Z" />
<EventRecordID>1048175</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="548" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="LogonProcessName">Winlogon</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that registered the trusted logon process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that registered the trusted logon process.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Logon Process Name** \[Type = UnicodeString\]**:** the name of registered logon process.
## Security Monitoring Recommendations
For 4611(S): A trusted logon process has been registered with the Local Security Authority.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
- Typically this event has an informational purpose. If you defined the list of allowed Logon Processes in the system, then you can check is “**Logon Process Name”** field value in the allow list or not.
-
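Review bot: The recommendations list ends with an empty bullet (`-`), which renders as a dangling list item and should be removed. The second bullet's "you can check is "**Logon Process Name**" field value in the allow list or not" needs rewording, for example "you can check whether the **Logon Process Name** value is in that list". The sample shows `SubjectUserSid` S-1-5-18 with `LogonProcessName` Winlogon, so it would help the first bullet to say that the SYSTEM subject is expected for the built-in logon processes registered at startup.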

View File

@ -1,44 +0,0 @@
---
title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk.
This event doesn't generate when the event log service is stopped or event log is full and events retention is disabled.
There is no example of this event in this document.
***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
***Event Schema:***
*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.*
*Number of audit messages discarded: %1*
*This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.*
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
- This event can be a sign of hardware issues or lack of system resources (for example, RAM). We recommend monitoring this event and investigating the reason for the condition.
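Review bot: The description and the schema text disagree: the description says "This event doesn't generate when the event log service is stopped or event log is full", while the quoted schema says it is generated "when the auditing system loses connectivity to the event log, such as when the event log service is stopped." Reconcile the two before this text is reused. The `%1` count ("Number of audit messages discarded") also has no field description, and it is the value a responder needs to size the gap in coverage; the page should at least note that it is a count, not a record ID.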

View File

@ -1,77 +0,0 @@
---
title: 4614(S) A notification package has been loaded by the Security Account Manager.
description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4614(S): A notification package has been loaded by the Security Account Manager.
<img src="images/event-4614.png" alt="Event 4614 illustration" width="449" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
***Event Description:***
This event generates every time a Notification Package has been loaded by the [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)).
In reality, starting with Windows Vista, a notification package should be interpreted as afs [Password Filter](/windows/win32/secmgmt/password-filters).
Password Filters are DLLs that are loaded or called when passwords are set or changed.
Each time a system starts, it loads the notification package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages** registry value and performs the initialization sequence for every package.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4614</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12289</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-14T03:36:43.073484900Z" />
<EventRecordID>1048140</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="NotificationPackageName">WDIGEST</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Notification Package Name** \[Type = UnicodeString\]**:** the name of loaded Notification Package.
## Security Monitoring Recommendations
For 4614(S): A notification package has been loaded by the Security Account Manager.
- Typically this event has an informational purpose. If you defined the list of allowed Notification Packages in the system, then you can check is “**Notification Package Name”** field value in the allow list or not.
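Review bot: if this 4614 page is moving rather than retiring, two defects in the source should not travel with it: "interpreted as afs [Password Filter]" (stray "afs"), and the recommendation sentence "you can check is “Notification Package Name” field value in the allow list or not", which reads better as "check whether the Notification Package Name value is in your allow list". The registry value named in the description, HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, is what that allow-list comparison is built from, so keep it next to the recommendation.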


@ -1,58 +0,0 @@
---
title: 4615(S) Invalid use of LPC port.
description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4615(S): Invalid use of LPC port.
It appears that this event never occurs.
***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
***Event Schema:***
*Invalid use of LPC port.*
*Subject:*
> *Security ID%1*
>
> *Account Name:%2*
>
> *Account Domain:%3*
>
> *Logon ID:%4*
*Process Information:*
> *PID:%7*
>
> *Name:%8*
*Invalid Use:%5*
*LPC Server Port Name:%6*
*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSAs use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel."*
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
- There is no recommendation for this event in this document.
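Review bot: the schema paragraph for 4615 ends with a stray closing quote (`communications channel."*`), and the page links to audit-system-integrity.md as its subcategory; since the page itself states the event "never occurs", removing it is reasonable, but confirm the subcategory page and any event index no longer point at event-4615 after this commit, or that link becomes a dead end.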


@ -1,176 +0,0 @@
---
title: 4616(S) The system time was changed.
description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4616(S): The system time was changed.
<img src="images/event-4616.png" alt="Event 4616 illustration" width="522" height="518" hspace="10" align="top" />
***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md)
***Event Description:***
This event generates every time system time was changed.
This event is always logged regardless of the "Audit Security State Change" sub-category setting.
You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions.
> [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4616</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12288</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-09T05:04:29.995794600Z" />
<EventRecordID>1101699</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="148" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x48f29</Data>
<Data Name="PreviousTime">2015-10-09T05:04:30.000941900Z</Data>
<Data Name="NewTime">2015-10-09T05:04:30.000000000Z</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\WinSxS\\amd64\_microsoft-windows-com-surrogate-core\_31bf3856ad364e35\_6.3.9600.16384\_none\_25a8f00faa8f185c\\dllhost.exe</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:***
- 0 - Windows Server 2008, Windows Vista.
- 1 - Windows Server 2008 R2, Windows 7.
- Added “Process Information” section.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Process Information** \[Version 1\]**:**
- **Process ID** \[Type = Pointer\] \[Version 1\]: hexadecimal Process ID of the process that changed the system time. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Name** \[Type = UnicodeString\] \[Version 1\]**:** full path and the name of the executable for the process.
**Previous Time** \[Type = FILETIME\]: previous time in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**:
- Y - years
- M - months
- D - days
- T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm).
- h - hours
- m - minutes
- s - seconds
- n - fractional seconds
- Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z".
**New Time** \[Type = FILETIME\]: new time that was set in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**:
- Y - years
- M - months
- D - days
- T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm).
- h - hours
- m - minutes
- s - seconds
- n - fractional seconds
- Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z".
## Security Monitoring Recommendations
For 4616(S): The system time was changed.
> [!IMPORTANT]
> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made by Windows Time service.
- Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made by Windows Time service.
<!-- -->
- <span id="Reccomendations_Process_Name" class="anchor"></span>If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
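Review bot: the Process ID description here links to event-4624.md and event-4688.md, and event-4624.md is itself removed further down in this same diff, so wherever this 4616 content is republished the cross-links need retargeting. Two facts on the page should survive any move because the monitoring recommendations depend on them: the event is logged regardless of the Audit Security State Change setting, and routine corrections show Subject\Security ID = LOCAL SERVICE, which is why the recommendations key on a subject other than LOCAL SERVICE and a Process Name other than svchost.exe (the sample XML, with dadmin and dllhost.exe, is exactly the case those rules would report). The stray `<!-- -->` between the two recommendation lists is a leftover and should not be carried over.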


@ -1,98 +0,0 @@
---
title: 4618(S) A monitored security event pattern has occurred.
description: Describes security event 4618(S) A monitored security event pattern has occurred.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4618(S): A monitored security event pattern has occurred.
***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
This event can be generated (invoked) only externally using the following command:
**%windir%\\system32\\rundll32 %windir%\\system32\\authz.dll,AuthziGenerateAdminAlertAudit OrgEventId ComputerName UserSid UserName UserDomain UserLogonId EventCount Duration**
Account must have **SeAuditPrivilege** (Generate security audits) to be able to generate this event.
- **UserSid** is resolved when viewing the event in event viewer.
- Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field.
- If a field doesnt match the expected data type, the event is not generated. That is, if **EventCount** = “XYZ”, then no event is generated.
- **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are)
- Parameters are space delimited, even if a parameter is enclosed in double-quotes.
- Here are the expected data types for the parameters:
| Parameter | Expected Data Type |
|--------------|--------------------------------------------------|
| OrgEventID | Ulong |
| ComputerName | String |
| UserSid | SID (in string format) |
| UserName | String |
| UserDomain | String |
| UserLogonID | Luid (a ULongLong converted to Hex in the event) |
| EventCount | Ulong |
| Duration | String |
<img src="images/event-4618.png" alt="Event 4618 illustration" width="449" height="494" hspace="10" align="left" />
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4618</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-11T21:42:33.264246700Z" />
<EventRecordID>1198759</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="EventId">4624</Data>
<Data Name="ComputerName">DC01.contoso.local</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetUserDomain">CONTOSO</Data>
<Data Name="TargetLogonId">0x1</Data>
<Data Name="EventCount">10</Data>
<Data Name="Duration">“Hour"</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
For 4618(S): A monitored security event pattern has occurred.
- This event can be invoked only manually/intentionally, it is up to you how to interpret this event depends on information you put inside of it.
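Review bot: the parameter casing is inconsistent between the command line (UserLogonId) and the table (UserLogonID), and the sample XML's Duration value is `“Hour"` with a curly opening quote and a straight closing quote, which illustrates the page's own warning that parameters are space delimited even when quoted (the quote characters end up in the value). If the content is republished, fix both. The statement that the event can be raised only by a caller holding SeAuditPrivilege is the important caveat for anyone consuming 4618 in a detection pipeline, since the event reports whatever the caller put into it; keep it with the recommendation at the end.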


@ -1,44 +0,0 @@
---
title: 4621(S) Administrator recovered system from CrashOnAuditFail.
description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4621(S): Administrator recovered system from CrashOnAuditFail.
This event is logged after a system reboots following [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2.
There is no example of this event in this document.
***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md)
***Event Schema:***
*Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.*
*Value of CrashOnAuditFail:%1*
*This event is logged after a system reboots following CrashOnAuditFail.*
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
- We recommend triggering an alert for any occurrence of this event. The event shows that the system halted because it could not record an auditable event in the Security Log, as described in [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396).
- If your computers dont have the [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396) flag enabled, then this event will be a sign that some settings are not set to baseline settings or were changed.
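Review bot: the CrashOnAuditFail link is repeated three times with an error-redirect query string (`?f=255&MSPPError=-2147217396`) on a windows-2000-server previous-versions URL; if this 4621 content is republished, use the clean URL once. The recommendation to alert on every occurrence, and the statement that the event is generated when CrashOnAuditFail = 2 (the system halted because it could not write to the Security Log), are the substance of the page and should be retained with it.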


@ -1,99 +0,0 @@
---
title: 4622(S) A security package has been loaded by the Local Security Authority.
description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4622(S): A security package has been loaded by the Local Security Authority.
<img src="images/event-4622.png" alt="Event 4622 illustration" width="449" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
***Event Description:***
This event generates every time [Security Package](/windows/win32/secauthn/ssp-aps-versus-ssps) has been loaded by the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)).
Security Package is the software implementation of a security protocol (Kerberos, NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.
Each time the system starts, the LSA loads the Security Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages** registry value and performs the initialization sequence for every package located in these DLLs.
It is also possible to add security package dynamically using [AddSecurityPackage](/windows/win32/api/sspi/nf-sspi-addsecuritypackagea) function, not only during system startup process.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4622</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12289</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-14T03:36:41.359331100Z" />
<EventRecordID>1048131</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SecurityPackageName">C:\\Windows\\system32\\kerberos.DLL : Kerberos</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Security Package Name** \[Type = UnicodeString\]**:** the name of loaded Security Package. The format is: DLL\_PATH\_AND\_NAME: SECURITY\_PACKAGE\_NAME.
These are some Security Package DLLs loaded by default in Windows 10:
- C:\\Windows\\system32\\schannel.DLL : Microsoft Unified Security Protocol Provider
- C:\\Windows\\system32\\schannel.DLL : Schannel
- C:\\Windows\\system32\\cloudAP.DLL : CloudAP
- C:\\Windows\\system32\\wdigest.DLL : WDigest
- C:\\Windows\\system32\\pku2u.DLL : pku2u
- C:\\Windows\\system32\\tspkg.DLL : TSSSP
- C:\\Windows\\system32\\msv1\_0.DLL : NTLM
- C:\\Windows\\system32\\kerberos.DLL : Kerberos
- C:\\Windows\\system32\\negoexts.DLL : NegoExtender
- C:\\Windows\\system32\\lsasrv.dll : Negotiate
## Security Monitoring Recommendations
For 4622(S): A security package has been loaded by the Local Security Authority.
- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allowlist or not.
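Review bot: the description names the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages and the AddSecurityPackage API as the two ways a package gets loaded, and lists the default Windows 10 packages; together those are the baseline the allow-list recommendation at the end compares Security Package Name against, so keep them together if the page is relocated. Grammar to fix on the way: "add security package dynamically" (a security package) and "you can check is “Security Package Name” field value in the allowlist or not" (check whether the value is in the allowlist).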


@ -1,322 +0,0 @@
---
title: 4624(S) An account was successfully logged on.
description: Describes security event 4624(S) An account was successfully logged on.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.collection: tier3
ms.topic: reference
---
# 4624(S): An account was successfully logged on.
<img src="images/event-4624.png" alt="Event 4624 illustration" width="438" height="668" hspace="10" />
***Subcategory:***&nbsp;[Audit Logon](audit-logon.md)
***Event Description:***
This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.
> [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```xml
<?xml version="1.0"?>
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z"/>
<EventRecordID>211</EventRecordID>
<Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}"/>
<Execution ProcessID="716" ThreadID="760"/>
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO</Computer>
<Security/>
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data>
<Data Name="TargetLogonId">0x8dcdc</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">WIN-GG82ULGC9GO</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x44c</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:***
- 0 - Windows Server 2008, Windows Vista.
- 1 - Windows Server 2012, Windows 8.
- Added "Impersonation Level" field.
- 2 - Windows 10.
- Added "Logon Information:" section.
- **Logon Type** moved to "Logon Information:" section.
- Added "Restricted Admin Mode" field.
- Added "Virtual Account" field.
- Added "Elevated Token" field.
- Added "Linked Logon ID" field.
- Added "Network Account Name" field.
- Added "Network Account Domain" field.
***Field Descriptions:***
**Subject:**
- **Security ID** [Type = SID]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
This field can also contain no subject user information, but the NULL Sid "S-1-0-0" and no user or domain information.
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it can't ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** [Type = UnicodeString]**:** the name of the account that reported information about successful logon.
- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following information:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- For local user accounts, this field contains the name of the computer or device that this account belongs to, for example: `Win81`.
- **Logon ID** [Type = HexInt64]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4672](event-4672.md)(S): Special privileges assigned to new logon."
**Logon Information** [Version 2]**:**
- **Logon Type** [Version 0, 1, 2] [Type = UInt32]**:** the type of logon that happened. The following table contains the list of possible values for this field.
## Logon types and descriptions
| Logon Type | Logon Title | Description |
|:----------:|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `0` | `System` | Used only by the System account, for example at system startup. |
| `2` | `Interactive` | A user logged on to this computer. |
| `3` | `Network` | A user or computer logged on to this computer from the network. |
| `4` | `Batch` | Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention. |
| `5` | `Service` | The Service Control Manager started a service. |
| `7` | `Unlock` | This workstation was unlocked. |
| `8` | `NetworkCleartext` | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials don't traverse the network in plaintext (also called cleartext). |
| `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller wasn't contacted to verify the credentials. |
| `12` | `CachedRemoteInteractive` | Same as RemoteInteractive. This type is used for internal auditing. |
| `13` | `CachedUnlock` | Workstation logon. |
- **Restricted Admin Mode** [Version 2] [Type = UnicodeString]**:** Only populated for **RemoteInteractive** logon type sessions. This value is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Windows 8.1 and Windows Server 2012 R2, but this flag was added to the event in Windows 10.
Reference: <https://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx>.
If not a **RemoteInteractive** logon, then this value is the string: `-`
- **Virtual Account** [Version 2] [Type = UnicodeString]**:** a "Yes" or "No" flag, which indicates if the account is a virtual account (for example, "[Managed Service Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560633(v=ws.10))"), which was introduced in Windows 7 and Windows Server 2008 R2 to identify the account that a given Service uses, instead of just using "NetworkService".
- **Elevated Token** [Version 2] [Type = UnicodeString]**:** a "Yes" or "No" flag. If "Yes", then the session this event represents is elevated and has administrator privileges.
**Impersonation Level** [Version 1, 2] [Type = UnicodeString]: can have one of these four values:
- SecurityAnonymous (displayed as **empty string**): The server process can't obtain identification information about the client, and it can't impersonate the client. It's defined with no value given, and thus, by ANSI C rules, defaults to a value of zero.
- SecurityIdentification (displayed as "**Identification**"): The server process can obtain information about the client, such as security identifiers and privileges, but it can't impersonate the client. This value is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context.
- SecurityImpersonation (displayed as "**Impersonation**"): The server process can impersonate the client's security context on its local system. The server can't impersonate the client on remote systems. This type is the most common.
- SecurityDelegation (displayed as "**Delegation**"): The server process can impersonate the client's security context on remote systems.
**New Logon:**
- **Security ID** [Type = SID]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** [Type = UnicodeString]**:** the name of the account for which logon was performed.
- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following information:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- For local user accounts, this field contains the name of the computer or device that this account belongs to, for example: `Win81`.
- **Logon ID** [Type = HexInt64]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4672](event-4672.md)(S): Special privileges assigned to new logon."
- **Linked Logon ID** [Version 2] [Type = HexInt64]**:** A hexadecimal value of the paired logon session. If there's no other logon session associated with this logon session, then the value is "**0x0**".
- **Network Account Name** [Version 2] [Type = UnicodeString]**:** User name that's used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type.
If not **NewCredentials** logon, then this value will be the string: `-`
- **Network Account Domain** [Version 2] [Type = UnicodeString]**:** Domain for the user that's used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type.
If not **NewCredentials** logon, then this value will be the string: `-`
- **Logon GUID** [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, "[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller.
It also can be used for correlation between a 4624 event and several other events (on the same computer) that can contain the same **Logon GUID**, "[4648](event-4648.md)(S): A logon was attempted using explicit credentials" and "[4964](event-4964.md)(S): Special groups have been assigned to a new logon."
This parameter might not be captured in the event, and in that case appears as "{00000000-0000-0000-0000-000000000000}".
> [!NOTE]
> **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities, or instances.
**Process Information:**
- **Process ID** [Type = Pointer]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**.
- **Process Name** [Type = UnicodeString]**:** full path and the name of the executable for the process.
**Network Information:**
- **Workstation Name** [Type = UnicodeString]**:** machine name from which a logon attempt was performed.
- **Source Network Address** [Type = UnicodeString]**:** IP address of machine from which logon attempt was performed.
- IPv6 address or IPv4 address of a client.
- `::1` or `127.0.0.1` means localhost.
- **Source Port** [Type = UnicodeString]: The source port that was used for logon attempt from remote machine.
- 0 for interactive logons.
> [!NOTE]
> The fields for IP address/port and workstation name are populated depending on the authentication context and protocol used. LSASS will audit the information the authenticating service shares with LSASS. For example, network logons with Kerberos likely have no workstation information, and NTLM logons have no TCP/IP details.
**Detailed Authentication Information:**
- **Logon Process** [Type = UnicodeString]**:** the name of the trusted logon process that was used for the logon. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information.
- **Authentication Package** [Type = UnicodeString]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
- **NTLM** - NTLM-family Authentication
- **Kerberos** - Kerberos authentication.
- **Negotiate** - the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it can't be used by one of the systems involved in the authentication or the calling application didn't provide sufficient information to use Kerberos.
- **Transited Services** [Type = UnicodeString] [Kerberos-only]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user - most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see <https://msdn.microsoft.com/library/cc246072.aspx>
- **Package Name (NTLM only)** [Type = UnicodeString]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during logon. Possible values are:
- "NTLM V1"
- "NTLM V2"
- "LM"
Only populated if "**Authentication Package" = "NTLM"**.
- **Key Length** [Type = UInt32]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically it has 128-bit or 56-bit length. This parameter is always 0 if "**Authentication Package" = "Kerberos"**, because it isn't applicable for Kerberos protocol. This field also has a `0` value if Kerberos was negotiated using **Negotiate** authentication package.
## Security Monitoring Recommendations
For 4624(S): An account was successfully logged on.
| Type of monitoring required | Recommendation |
|-----------------------------|-------------------------|
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have nonactive, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used. |
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an "allowlist-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allowlist. |
| **Accounts of different types**: Make sure that certain actions run only by certain account types. For example, local or domain account, machine or user account, or vendor or employee account. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that aren't allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) shouldn't typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you're concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions. |
- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **"Subject\\Security ID"** isn't SYSTEM.
- If "**Restricted Admin**" mode must be used for logons by certain accounts, use this event to monitor logons by "**New Logon\\Security ID**" in relation to "**Logon Type**"=10 and "**Restricted Admin Mode**"="Yes". If "**Restricted Admin Mode**"="No" for these accounts, trigger an alert.
- If you need to monitor all logon events for accounts with administrator privileges, monitor this event with "**Elevated Token**"="Yes".
- If you need to monitor all logon events for managed service accounts and group managed service accounts, monitor for events with "**Virtual Account**"="Yes".
- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event.
- If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
- If the user account **"New Logon\\Security ID"** should never be used to log on from the specific **Computer:**.
- If **New Logon\\Security ID** credentials shouldn't be used from **Workstation Name** or **Source Network Address**.
- If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses.
- If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** doesn't equal **NTLM V2**.
- If NTLM isn't used in your organization, or shouldn't be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM.
- If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
- If you monitor for potentially malicious software, or software that isn't authorized to request logon actions, monitor this event for **Process Name**.
- If you have a trusted logon processes list, monitor for a **Logon Process** that isn't from the list.
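Review bot: deleting the rest of event-4624.md here leaves dangling cross-references in both directions and the hunk adds no redirect: the removed field descriptions still link out to `[4672](event-4672.md)`, `[4648](event-4648.md)`, `[4688](event-4688.md)` and `[4611](event-4611.md)`, and the next two files in this commit link back to it with `[4624](event-4624.md)`. Unless every event-NNNN.md page is removed in the same commit, each surviving inbound link to `event-4624.md` becomes a 404, so add a redirect entry for the old URL (or retarget the links at the replacement page) in this change rather than in a follow-up. The "Security Monitoring Recommendations" block being dropped is also the only place in the hunk that spells out the `"Restricted Admin Mode"="Yes"`, `"Elevated Token"="Yes"`, `"Virtual Account"="Yes"` and NTLM `Key Length` not equal to 128 checks that detection rules are typically built from; nothing in this hunk moves that guidance anywhere, so confirm the successor page already carries it before the deletion lands.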


@ -1,270 +0,0 @@
---
title: 4625(F) An account failed to log on.
description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 01/03/2022
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.collection:
- highpri
- tier3
ms.topic: reference
---
# 4625(F): An account failed to log on.
<img src="images/event-4625.png" alt="Event 4625 illustration" width="449" height="780" hspace="10" align="top" />
***Subcategories:***&nbsp;[Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md)
***Event Description:***
This event is logged for any logon failure.
It generates on the computer where logon attempt was made, for example, if logon attempt was made on user's workstation, then event will be logged on this workstation.
This event generates on domain controllers, member servers, and workstations.
> [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
- **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
- **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. "Table 11. Windows Logon Types" contains the list of possible values for this field.
<span id="_Ref433822321" class="anchor"></span>**Table 11: Windows Logon Types**
| <span id="Windows_Logon_Types" class="anchor"></span>Logon Type | Logon Title | Description |
|-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
**Account For Which Logon Failed:**
- **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.
- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
**Failure Information:**
- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has "**Account locked out**" value.
- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has "**0xC0000234**" value.
- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure.
> [!NOTE]
> For more information about various Status or Sub Status codes, see [NTSTATUS Values](/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55).
**Process Information:**
- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):<br/><br/>
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**.
- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Network Information:**
- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed.
- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
- IPv6 address or ::ffff:IPv4 address of a client.
- ::1 or 127.0.0.1 means localhost.
- **Source Port** \[Type = UnicodeString\]: source port that was used for logon attempt from remote machine.
- 0 for interactive logons.
**Detailed Authentication Information:**
- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information.
- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
- **NTLM** NTLM-family Authentication
- **Kerberos** Kerberos authentication.
- **Negotiate** the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see <https://msdn.microsoft.com/library/cc246072.aspx>
- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during the logon attempt. Possible values are:
- "NTLM V1"
- "NTLM V2"
- "LM"
Only populated if "**Authentication Package" = "NTLM"**.
- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have "0" value if Kerberos was negotiated using **Negotiate** authentication package.
## Security Monitoring Recommendations
For 4625(F): An account failed to log on.
> [!IMPORTANT]
> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value.
- You can monitor to see if "**Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**."
- If **Subject\\Account Name** is a name of service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for **Account For Which Logon Failed\\Security ID**.
- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event.
- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **"Subject\\Security ID"** that corresponds to the account.
- We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.
- We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. Monitoring is especially relevant for critical servers, administrative workstations, and other high value assets.
- If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
- If the **"Account For Which Logon Failed \\Security ID"** should never be used to log on from the specific **Network Information\\Workstation Name**.
- If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses.
- If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**.
- If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM.
- If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
- If **Logon Process** is not from a trusted logon processes list.
- Monitor for all events with the fields and values in the following table:
| Field | Value to monitor for |
|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E "There are currently no logon servers available to service the logon request." <br>This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 "User logon with misspelled or bad user account". <br>Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A "User logon with misspelled or bad password" for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D "This is either due to a bad username or authentication information" for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F "User logon outside authorized hours". |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 "User logon from unauthorized workstation". |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 "User logon to account disabled by administrator". |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B "The user has not been granted the requested logon type (aka logon right) at this machine". |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 "An attempt was made to logon, but the Netlogon service was not started". <br>This issue is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 "User logon with expired account". |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine". |
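Review bot: a pure deletion (`@ -1,270 +0,0 @`) of event-4625.md drops the Status/Sub Status reference table (0xC0000064 "bad user account" through 0XC0000413 "authentication firewall") with nothing in the hunk replacing it, and that table is the part of the page alerting actually keys on; confirm it lives somewhere else in this commit or keep the file until it does. The file also links to `[4624](event-4624.md)` (removed in the previous hunk), to itself three times via `[4625](event-4625.md)` in the recommendations, and to `appendix-a-security-monitoring-recommendations-for-many-audit-events.md`, all of which need redirects or retargeting once this path is gone. If the content is being migrated rather than dropped, two defects in the deleted text should not be carried over: the frontmatter `description` says the event "is generated if an account logon attempt failed for a locked out account" while the body says "This event is logged for any logon failure" (the lockout case, Status 0xC0000234, is only the sample XML), and the NTLM recommendation refers to **New Logon\\Security ID**, a section 4624 has and 4625 does not (the 4625 field is **Account For Which Logon Failed\\Security ID**).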


@ -1,181 +0,0 @@
---
title: 4626(S) User/Device claims information.
description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4626(S): User/Device claims information.
<img src="images/event-4626.png" alt="Event 4626 illustration" width="549" height="771" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit User/Device Claims](audit-user-device-claims.md)
***Event Description:***
This event generates for new account logons and contains user/device claims which were associated with a new logon session.
This event does not generate if the user/device doesnt have claims.
For computer account logons you will also see device claims listed in the “**User Claims**” field.
You will typically get “[4624](event-4624.md): An account was successfully logged on” and after it a 4626 event with the same information in **Subject**, **Logon Type** and **New Logon** sections.
This event generates on the computer to which the logon was performed (target computer). For example, for Interactive logons it will be the same computer.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4626</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12553</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T00:12:02.243396300Z" />
<EventRecordID>232648</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x136f7b</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="UserClaims">ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" ad://ext/Department:88d16a8edaa8c66b <%%1818> : "IT"</Data>
<Data Name="DeviceClaims">-</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2012, Windows 8.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that reported information about claims. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about claims.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field:
| Logon Type | Logon Title | Description |
|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
**New Logon:**
- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Event in sequence** \[Type = UInt32\]**: I**f is there is not enough space in one event to put all claims, you will see “**1 of N**” in this field and additional events will be generated. Typically this field has “**1 of 1**” value.
**User Claims** \[Type = UnicodeString\]**:** list of user claims for new logon session. This field contains user claims if user account was logged in and device claims if computer account was logged in. Here is an example how to parse the entrance of this field:
- ad://ext/cn:88d2b96fdb2b4c49 &lt;String&gt; : “dadmin”
- cn claim display name.
- 88d2b96fdb2b4c49 unique claim ID.
- &lt;String&gt; - claim type.
- “dadmin” claim value.
**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value<b>.</b> For computer accounts this field has device claims listed.
## Security Monitoring Recommendations
For 4626(S): User/Device claims information.
- <span id="Reccomendations_Subject_NULLSID" class="anchor"></span>Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”.
- If you need to monitor account logons with specific claims, you can monitor for [4626](event-4626.md) and check **User Claims**\\**Device Claims** fields.
- If you have specific requirements, such as:
- Users with specific claims should not access specific computers;
- Computer account should not have specific claims;
- User account should not have specific claims;
- Claim should not be empty
- And so on…
You can monitor for [4626](event-4626.md) and check **User Claims**\\**Device Claims** fields.
- If you need to monitor computer/user logon attempts only and you dont need information about claims, then it is better to monitor “[4624](event-4624.md): An account was successfully logged on.”
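Review bot: this hunk removes the only breakdown of the User Claims field format (the `ad://ext/cn:88d2b96fdb2b4c49 <String> : "dadmin"` sample split into display name, claim ID, type and value), and the page links event-4624.md, audit-user-device-claims.md and itself (event-4626.md); confirm that any surviving page linking event-4626.md gets a redirect or an updated target. If the content is moved instead of dropped, carry these fixes with it: the "Event in sequence" line has misplaced bold and a duplicated word ("**: I**f is there is not enough space in one event to put all claims"), "doesnt" and "dont" are missing apostrophes, the anchor id is misspelled ("Reccomendations_Subject_NULLSID"), the Event XML fence carries no language tag while the 4627 page in this same diff uses ```xml, and the note callout uses "> **Note**&nbsp;&nbsp;" where the 4627 page uses the "> [!NOTE]" alert syntax.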


@ -1,158 +0,0 @@
---
title: 4627(S) Group membership information.
description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4627(S): Group membership information.
<img src="images/event-4627.png" alt="Event 4627 illustration" width="554" height="896" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Group Membership](audit-group-membership.md)
***Event Description:***
This event generates with “[4624](event-4624.md)(S): An account was successfully logged on” and shows the list of groups that the logged-on account belongs to.
You must also enable the Success audit for [Audit Logon](audit-logon.md) subcategory to get this event.
Multiple events are generated if the group membership information cannot fit in a single security audit event.
> [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4627</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12554</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T03:51:25.843673000Z" />
<EventRecordID>3081</EventRecordID>
<Correlation ActivityID="{913FBE70-1CE6-0000-67BF-3F91E61CD101}" />
<Execution ProcessID="736" ThreadID="808" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x569860</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="GroupMembership">%{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-1377283216-344919071-3415362939-512} %{S-1-5-21-1377283216-344919071-3415362939-572} %{S-1-5-64-10} %{S-1-16-12288}</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2016, Windows 10.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon or invokes it.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
- **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field:
| Logon Type | Logon Title | Description |
|------------|-------------------|----------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
**New Logon:**
- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
**Event in sequence** \[Type = UInt32\]**: I**f is there is not enough space in one event to put all groups, you will see “**1 of N**” in this field and additional events will be generated. Typically this field has “**1 of 1**” value.
**Group Membership** \[Type = UnicodeString\]**:** the list of group SIDs which logged account belongs to (member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
## Security Monitoring Recommendations
For 4627(S): Group membership information.
> [!IMPORTANT]
> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”.
<!-- -->
- If you need to track that a member of a specific group logged on to a computer, check the “**Group Membership**” field.
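Review bot: the bare `<!-- -->` between the two recommendation bullets is a list-splitting hack that renders them as two separate lists; if this content is relocated, drop it and keep one list. The "Event in sequence" line has the same misplaced bold and duplicated word as the 4626 page ("**: I**f is there is not enough space in one event to put all groups"), and the Group Membership description reads "group SIDs which logged account belongs to"; both should be corrected at the destination. This is the only page in the diff already using the ```xml fence and "> [!NOTE]" alert syntax, while the 4626, 4634, 4647 and 4648 pages use an untagged fence and "> **Note**&nbsp;&nbsp;", so whichever pages survive should settle on one convention.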


@ -1,118 +0,0 @@
---
title: 4634(S) An account was logged off.
description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4634(S): An account was logged off.
<img src="images/event-4634.png" alt="Event 4634 illustration" width="449" height="431" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Logoff](audit-logoff.md)
***Event Description:***
This event shows that logon session was terminated and no longer exists.
The main difference between “[4647](event-4647.md): User initiated logoff.” and 4634 event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.
It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-09T02:27:57.877205900Z" />
<EventRecordID>230019</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="832" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-90-1</Data>
<Data Name="TargetUserName">DWM-1</Data>
<Data Name="TargetDomainName">Window Manager</Data>
<Data Name="TargetLogonId">0x1a0992</Data>
<Data Name="LogonType">2</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that was logged off. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was logged off.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Logon Type** \[Type = UInt32\]**:** the type of logon which was used. The table below contains the list of possible values for this field:
| Logon Type | Logon Title | Description |
|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
## Security Monitoring Recommendations
For 4634(S): An account was logged off.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If a particular **Logon Type** should not be used by a particular account (for example if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor this event for such actions.
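Review bot: the Field Descriptions head the account fields as "Subject", but the Event XML in this same hunk names them TargetUserSid, TargetUserName, TargetDomainName and TargetLogonId; a reader mapping the prose to the XML will look for Subject* data names that do not exist, so if the page is moved rather than dropped, list the XML data name beside each field. This page links event-4647.md and the 4647 page further down links event-4634.md; both files are deleted in this commit, so confirm redirects exist for each. The description's correlation guidance (match on Logon ID against 4624, Logon IDs unique only between reboots) is the detail a responder needs most; keep it with the event wherever it lands.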


@ -1,101 +0,0 @@
---
title: 4647(S) User initiated logoff.
description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4647(S): User initiated logoff.
<img src="images/event-4647.png" alt="Event 4647 illustration" width="449" height="392" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Logoff](audit-logoff.md)
***Event Description:***
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
The main difference with “[4634](event-4634.md)(S): An account was logged off.” event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.
It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4647</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-09T03:08:39.126890800Z" />
<EventRecordID>230200</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3864" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x29b379</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “logoff” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “logoff” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
## Security Monitoring Recommendations
For 4647(S): User initiated logoff.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
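Review bot: the Security Monitoring Recommendations section here contains only the Appendix A pointer and no event-specific recommendation, although the description above already states one: 4647 is expected alongside 4634 for Interactive and RemoteInteractive logoffs, correlated on Logon ID with the 4624 that opened the session. A bullet recommending that pairing check (a 4647 with no matching 4634 for the same Logon ID, or the reverse, with the caveat that Logon IDs are unique only between reboots) would make the page consistent with the 4634 page, which does carry a recommendation bullet. Unlike 4634, the Event XML here has no LogonType data item, so the omission of the Logon Type table on this page is correct and should not be "fixed" if the content is relocated.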


@ -1,195 +0,0 @@
---
title: 4648(S) A logon was attempted using explicit credentials.
description: Describes security event 4648(S) A logon was attempted using explicit credentials.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/07/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4648(S): A logon was attempted using explicit credentials.
<img src="images/event-4648.png" alt="Event 4648 illustration" width="486" height="663" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Logon](audit-logon.md)
***Event Description:***
This event is generated when a process attempts an account logon by explicitly specifying that accounts credentials.
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.
It is also a routine event which periodically occurs during normal operating system activity.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4648</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T02:54:50.771459000Z" />
<EventRecordID>233200</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1116" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x31844</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TargetUserName">ladmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonGuid">{0887F1E4-39EA-D53C-804F-31D568A06274}</Data>
<Data Name="TargetServerName">localhost</Data>
<Data Name="TargetInfo">localhost</Data>
<Data Name="ProcessId">0x368</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="IpAddress">::1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the new logon session with explicit credentials. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the new logon session with explicit credentials.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller.
It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4624](event-4624.md)(S): An account was successfully logged on” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
**Account Whose Credentials Were Used:**
- **Account Name** \[Type = UnicodeString\]**:** the name of the account whose credentials were used.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller.
It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4624](event-4624.md)(S): An account was successfully logged on” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
**Target Server:**
- **Target Server Name** \[Type = UnicodeString\]**:** the name of the server on which the new process was run. Has “**localhost**” value if the process was run locally.
- **Additional Information** \[Type = UnicodeString\]**:** there is no detailed information about this field in this document.
**Process Information:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was run using explicit credentials. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Network Information:**
- **Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
- IPv6 address or ::ffff:IPv4 address of a client.
- ::1 or 127.0.0.1 means localhost.
- **Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
- 0 for interactive logons.
## Security Monitoring Recommendations
For 4648(S): A logon was attempted using explicit credentials.
The following table is similar to the table in [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md), but also describes ways of monitoring that use “**Account Whose Credentials Were Used\\Security ID.**”
| **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.<br>Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. |
| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.<br>For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that dont comply with naming conventions. |
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
- If **Subject\\Security ID** should not know or use credentials for **Account Whose Credentials Were Used\\Account Name**, monitor this event.
- If credentials for **Account Whose Credentials Were Used\\Account Name** should not be used from **Network Information\\Network Address**, monitor this event.
- Check that **Network Information\\Network Address** is from internal IP address list. For example, if you know that a specific account (for example, a service account) should be used only from specific IP addresses, you can monitor for all events where **Network Information\\Network Address** is not one of the allowed IP addresses.
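Review bot: this hunk deletes event-4648.md outright, and nothing in the hunk shows a redirect or a replacement page, while the page itself links its sibling event pages with relative links (`[4624](event-4624.md)`, `[4769](event-4769.md)`, `[4688](event-4688.md)`), so any sibling page that links back to event-4648.md will break after merge. Suggest adding a redirect for event-4648.md to wherever the 4648 reference now lives, and confirming that the monitoring table keyed on "Account Whose Credentials Were Used\\Security ID" together with the Process Name and Network Information\\Network Address checks at the end of the file survive at the destination, since that event-specific detection guidance is what Appendix A does not cover.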
