Merge pull request #4488 from martyav/martyav-format-audit-pages

formatted event sections for consistency
Marty Hernandez Avedon 2019-07-18 15:52:16 -04:00 committed by GitHub
commit 6b17dce897
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 200 additions and 213 deletions


@ -20,24 +20,22 @@ ms.date: 04/19/2017
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx). Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx).
Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012. Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. | | Domain Controller | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. | | Member Server | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |
| Workstation | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. | | Workstation | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. |
**Events List:** **Events List:**
## 4665: An attempt was made to create an application client context. - 4665: An attempt was made to create an application client context.
## 4666: An application attempted an operation. - 4666: An application attempted an operation.
## 4667: An application client context was deleted. - 4667: An application client context was deleted.
## 4668: An application was initialized.
- 4668: An application was initialized.
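Review bot: The four `## 4665` to `## 4668` headings become plain list items, which drops the heading anchors that markdown renderers generate for them, so any link elsewhere in the docs that targets one of those anchors will stop resolving. Search the repo for links into this page's event anchors before merging, and either update them or keep the headings.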


@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions. Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions.
[Application groups](https://technet.microsoft.com/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx). [Application groups](https://technet.microsoft.com/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx).
@ -33,23 +32,22 @@ Audit Application Group Management subcategory is out of scope of this document,
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. | | Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. | | Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
## 4783(S): A basic application group was created. - 4783(S): A basic application group was created.
## 4784(S): A basic application group was changed. - 4784(S): A basic application group was changed.
## 4785(S): A member was added to a basic application group. - 4785(S): A member was added to a basic application group.
## 4786(S): A member was removed from a basic application group. - 4786(S): A member was removed from a basic application group.
## 4787(S): A non-member was added to a basic application group. - 4787(S): A non-member was added to a basic application group.
## 4788(S): A non-member was removed from a basic application group. - 4788(S): A non-member was removed from a basic application group.
## 4789(S): A basic application group was deleted. - 4789(S): A basic application group was deleted.
## 4790(S): An LDAP query group was created. - 4790(S): An LDAP query group was created.
## 4791(S): An LDAP query group was changed. - 4791(S): An LDAP query group was changed.
## 4792(S): An LDAP query group was deleted.
- 4792(S): An LDAP query group was deleted.
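Review bot: Missing `**Events List:**` label before `- 4783(S): A basic application group was created.`: the list now starts directly after the Workstation table row, while the Application Generated and Distribution Group Management pages in this same commit introduce their lists with that label. Since the change is about consistency, add the label line, with a blank line on each side, above the first item.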


@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include: Examples of AD CS operations include:
@ -59,65 +58,64 @@ Role-specific subcategories are outside the scope of this document.
| Member Server | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. | | Member Server | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
| Workstation | No | No | No | No | [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS. | | Workstation | No | No | No | No | [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS. |
## 4868: The certificate manager denied a pending certificate request. - 4868: The certificate manager denied a pending certificate request.
## 4869: Certificate Services received a resubmitted certificate request. - 4869: Certificate Services received a resubmitted certificate request.
## 4870: Certificate Services revoked a certificate. - 4870: Certificate Services revoked a certificate.
## 4871: Certificate Services received a request to publish the certificate revocation list (CRL). - 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
## 4872: Certificate Services published the certificate revocation list (CRL). - 4872: Certificate Services published the certificate revocation list (CRL).
## 4873: A certificate request extension changed. - 4873: A certificate request extension changed.
## 4874: One or more certificate request attributes changed. - 4874: One or more certificate request attributes changed.
## 4875: Certificate Services received a request to shut down. - 4875: Certificate Services received a request to shut down.
## 4876: Certificate Services backup started. - 4876: Certificate Services backup started.
## 4877: Certificate Services backup completed. - 4877: Certificate Services backup completed.
## 4878: Certificate Services restore started. - 4878: Certificate Services restore started.
## 4879: Certificate Services restore completed. - 4879: Certificate Services restore completed.
## 4880: Certificate Services started. - 4880: Certificate Services started.
## 4881: Certificate Services stopped. - 4881: Certificate Services stopped.
## 4882: The security permissions for Certificate Services changed. - 4882: The security permissions for Certificate Services changed.
## 4883: Certificate Services retrieved an archived key. - 4883: Certificate Services retrieved an archived key.
## 4884: Certificate Services imported a certificate into its database. - 4884: Certificate Services imported a certificate into its database.
## 4885: The audit filter for Certificate Services changed. - 4885: The audit filter for Certificate Services changed.
## 4886: Certificate Services received a certificate request. - 4886: Certificate Services received a certificate request.
## 4887: Certificate Services approved a certificate request and issued a certificate. - 4887: Certificate Services approved a certificate request and issued a certificate.
## 4888: Certificate Services denied a certificate request. - 4888: Certificate Services denied a certificate request.
## 4889: Certificate Services set the status of a certificate request to pending. - 4889: Certificate Services set the status of a certificate request to pending.
## 4890: The certificate manager settings for Certificate Services changed. - 4890: The certificate manager settings for Certificate Services changed.
## 4891: A configuration entry changed in Certificate Services. - 4891: A configuration entry changed in Certificate Services.
## 4892: A property of Certificate Services changed. - 4892: A property of Certificate Services changed.
## 4893: Certificate Services archived a key. - 4893: Certificate Services archived a key.
## 4894: Certificate Services imported and archived a key. - 4894: Certificate Services imported and archived a key.
## 4895: Certificate Services published the CA certificate to Active Directory Domain Services. - 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
## 4896: One or more rows have been deleted from the certificate database. - 4896: One or more rows have been deleted from the certificate database.
## 4897: Role separation enabled. - 4897: Role separation enabled.
## 4898: Certificate Services loaded a template.
- 4898: Certificate Services loaded a template.
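Review bot: The list items from `- 4868` through `- 4898` carry no `(S)`/`(F)` success or failure marker, unlike the lists in the Application Group Management and Filtering Platform Policy Change pages in this commit (`- 4783(S): ...`, `- 4712(F): ...`). If the goal is a consistent event-list format, either add the markers here or state why this subcategory omits them. The Member Server row recommends both Success and Failure auditing conditionally, so a reader cannot tell from the list which events belong to which.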


@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks. Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.
This subcategory generates events only on domain controllers. This subcategory generates events only on domain controllers.
@ -29,47 +28,46 @@ This subcategory generates events only on domain controllers.
This subcategory allows you to audit events generated by changes to distribution groups such as the following: This subcategory allows you to audit events generated by changes to distribution groups such as the following:
- Distribution group is created, changed, or deleted. - Distribution group is created, changed, or deleted.
- Member is added or removed from a distribution group. - Member is added or removed from a distribution group.
If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A groups type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled. If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A groups type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | No | IF | No | IF - Typically actions related to distribution groups have low security relevance, much more important to monitor Security Group changes. But if you want to monitor for critical distribution groups changes, such as member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Domain Controller | IF | No | IF | No | IF - Typically, actions related to distribution groups have low security relevance. It is much more important to monitor Security Group changes. However, if you want to monitor for critical distribution groups changes, such as if a member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically, volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. | | Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. | | Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
**Events List:** **Events List:**
- [4749](event-4749.md)(S): A security-disabled global group was created. - [4749](event-4749.md)(S): A security-disabled global group was created.
- [4750](event-4750.md)(S): A security-disabled global group was changed. - [4750](event-4750.md)(S): A security-disabled global group was changed.
- [4751](event-4751.md)(S): A member was added to a security-disabled global group. - [4751](event-4751.md)(S): A member was added to a security-disabled global group.
- [4752](event-4752.md)(S): A member was removed from a security-disabled global group. - [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
- [4753](event-4753.md)(S): A security-disabled global group was deleted. - [4753](event-4753.md)(S): A security-disabled global group was deleted.
**4759(S): A security-disabled universal group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4759 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4759(S): A security-disabled universal group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4759 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4760(S): A security-disabled universal group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4760 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4760(S): A security-disabled universal group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4760 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4761(S): A member was added to a security-disabled universal group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4761 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4761(S): A member was added to a security-disabled universal group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4761 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4762(S): A member was removed from a security-disabled universal group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4762 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4762(S): A member was removed from a security-disabled universal group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4762 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4763(S): A security-disabled universal group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4763 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4763(S): A security-disabled universal group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4763 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4744(S): A security-disabled local group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4744 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4744(S): A security-disabled local group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4744 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4745(S): A security-disabled local group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4745 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4745(S): A security-disabled local group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4745 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4746(S): A member was added to a security-disabled local group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4746 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4746(S): A member was added to a security-disabled local group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4746 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4747(S): A member was removed from a security-disabled local group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4747 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4747(S): A member was removed from a security-disabled local group. See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4747 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4748(S): A security-disabled local group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- 4748(S): A security-disabled local group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4748 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
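Review bot: Dropping the bold from the titles in `- 4759(S)` through `- 4748(S)` leaves each event title running straight into its "See event ..." explanation as one undifferentiated paragraph, so the title is harder to pick out than in the linked `- [4749](event-4749.md)(S)` items above. Keep the title bold inside the list item, or move the explanation to an indented line under it. While the Domain Controller comment is being reworded, "critical distribution groups changes" and "added to internal critical distribution group" still read awkwardly; "distribution group changes" and "an internal critical distribution group" would fix both.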


@ -20,16 +20,15 @@ ms.date: 04/19/2017
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following: Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following:
- IPsec services status. - IPsec services status.
- Changes to IPsec policy settings. - Changes to IPsec policy settings.
- Changes to Windows Filtering Platform Base Filtering Engine policy settings. - Changes to Windows Filtering Platform Base Filtering Engine policy settings.
- Changes to WFP providers and engine. - Changes to WFP providers and engine.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
@ -41,83 +40,82 @@ This subcategory is outside the scope of this document.
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. | | Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. | | Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
## 4709(S): IPsec Services was started. - 4709(S): IPsec Services was started.
## 4710(S): IPsec Services was disabled. - 4710(S): IPsec Services was disabled.
## 4711(S): May contain any one of the following: - 4711(S): May contain any one of the following:
## 4712(F): IPsec Services encountered a potentially serious failure. - 4712(F): IPsec Services encountered a potentially serious failure.
## 5040(S): A change has been made to IPsec settings. An Authentication Set was added. - 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
## 5041(S): A change has been made to IPsec settings. An Authentication Set was modified. - 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
## 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted. - 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
## 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added. - 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
## 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified. - 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
## 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted. - 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
## 5046(S): A change has been made to IPsec settings. A Crypto Set was added. - 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
## 5047(S): A change has been made to IPsec settings. A Crypto Set was modified. - 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
## 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted. - 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
## 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started. - 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
## 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started. - 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
## 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started. - 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
## 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. - 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
## 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started. - 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
## 5446(S): A Windows Filtering Platform callout has been changed. - 5446(S): A Windows Filtering Platform callout has been changed.
## 5448(S): A Windows Filtering Platform provider has been changed. - 5448(S): A Windows Filtering Platform provider has been changed.
## 5449(S): A Windows Filtering Platform provider context has been changed. - 5449(S): A Windows Filtering Platform provider context has been changed.
## 5450(S): A Windows Filtering Platform sub-layer has been changed. - 5450(S): A Windows Filtering Platform sub-layer has been changed.
## 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer. - 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
## 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. - 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
## 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. - 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
## 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. - 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
## 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer. - 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
## 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer. - 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
## 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. - 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
## 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes. - 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
## 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. - 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
## 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. - 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
## 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. - 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
## 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. - 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
## 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. - 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
## 5471(S): PAStore Engine loaded local storage IPsec policy on the computer. - 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
## 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer. - 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
## 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer. - 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
## 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer. - 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
## 5477(F): PAStore Engine failed to add quick mode filter.
- 5477(F): PAStore Engine failed to add quick mode filter.
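Review bot: Turning every `## 54xx(...)` heading in this list into a `- ` bullet removes the per-event heading anchors, so any link that targets one of these events by fragment will stop resolving. Before merging, search the docs set for fragment links into this file and repoint them at the page, or keep an explicit anchor on the entries that are linked from elsewhere.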

@ -20,24 +20,20 @@ ms.date: 04/19/2017
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows objects handle duplication and close actions. Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows objects handle duplication and close actions.
**Event volume**: High. **Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. | | Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. | | Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. | | Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
**Events List:** **Events List:**
- [4658](event-4658.md)(S): The handle to an object was closed. - [4658](event-4658.md)(S): The handle to an object was closed.
- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object. - [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
## 4658(S): The handle to an object was closed.
This event doesnt generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “[4658](event-4658.md)(S): The handle to an object was closed” in the Audit File System subcategory.
- 4658(S): The handle to an object was closed. For a description of the event, see _[4658](event-4658.md)(S): The handle to an object was closed._ in the Audit File System subcategory. This event doesnt generate in the Audit Handle Manipulation subcategory, but you can use this subcategory to enable it.
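Review bot: The new `- 4658(S): ...` bullet at the end of this hunk repeats an entry the Events List already has (`- [4658](event-4658.md)(S): The handle to an object was closed.`), so the rendered list will show 4658 twice, once linked and once not. Fold the explanation into the existing linked bullet, or keep it as a short paragraph under the list. In the same line, the closing `_` sits after the period in `... was closed._ in the Audit File System subcategory`, which leaves a full stop in the middle of the sentence; move the period to the end.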

@ -25,23 +25,22 @@ Audit IPsec Extended Mode allows you to audit events generated by Internet Key E
Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting. Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | | Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
## 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. - 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 4979(S): IPsec Main Mode and Extended Mode security associations were established. - 4979(S): IPsec Main Mode and Extended Mode security associations were established.
## 4980(S): IPsec Main Mode and Extended Mode security associations were established. - 4980(S): IPsec Main Mode and Extended Mode security associations were established.
## 4981(S): IPsec Main Mode and Extended Mode security associations were established. - 4981(S): IPsec Main Mode and Extended Mode security associations were established.
## 4982(S): IPsec Main Mode and Extended Mode security associations were established. - 4982(S): IPsec Main Mode and Extended Mode security associations were established.
## 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. - 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
## 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
- 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
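Review bot: As bullets, 4979 through 4982 read as four identical lines (`IPsec Main Mode and Extended Mode security associations were established.`), and 4983 and 4984 are likewise word-for-word the same. In a flat list, a reader triaging by event ID has nothing to tell these entries apart. Add what distinguishes each ID, or state in one sentence above the list that the descriptions are shared.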

@ -20,32 +20,30 @@ ms.date: 10/02/2018
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting. Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | | Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
## 4646(S): Security ID: %1 - 4646(S): Security ID: %1
## 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. - 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
## 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. - 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
## 4652(F): An IPsec Main Mode negotiation failed. - 4652(F): An IPsec Main Mode negotiation failed.
## 4653(F): An IPsec Main Mode negotiation failed. - 4653(F): An IPsec Main Mode negotiation failed.
## 4655(S): An IPsec Main Mode security association ended. - 4655(S): An IPsec Main Mode security association ended.
## 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. - 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 5049(S): An IPsec Security Association was deleted. - 5049(S): An IPsec Security Association was deleted.
## 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
- 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
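Review bot: `- 4646(S): Security ID: %1` carries an unexpanded message-template placeholder into the new list; `%1` is a format parameter, not a description, so this bullet says nothing about what 4646 records. Replace it with the event's description, or drop the entry if none is documented. 4652(F) and 4653(F) also share the text `An IPsec Main Mode negotiation failed.` and would benefit from a distinguishing note.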

@ -20,20 +20,18 @@ ms.date: 10/02/2018
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting. Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | | Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
## 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. - 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 5451(S): An IPsec Quick Mode security association was established. - 5451(S): An IPsec Quick Mode security association was established.
## 5452(S): An IPsec Quick Mode security association ended.
- 5452(S): An IPsec Quick Mode security association ended.
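Review bot: The three bullets (4977, 5451, 5452) follow the recommendations table with no `**Events List:**` label, while the Audit Handle Manipulation and Audit Security Group Management hunks in this same commit introduce their lists with that label. Since the stated goal is consistent event sections, add the label here and on the other IPsec pages, or remove it everywhere.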

@ -20,7 +20,6 @@ ms.date: 04/19/2017
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
If you configure this subcategory, an audit event is generated for each IAS and NAP user access request. If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
@ -33,27 +32,26 @@ NAP events can be used to help understand the overall health of the network.
Role-specific subcategories are outside the scope of this document. Role-specific subcategories are outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. | | Domain Controller | IF | IF | IF | IF | IF if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. | | Member Server | IF | IF | IF | IF | IF if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role cannot be installed on client OS. | | Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role cannot be installed on client OS. |
## 6272: Network Policy Server granted access to a user. - 6272: Network Policy Server granted access to a user.
## 6273: Network Policy Server denied access to a user. - 6273: Network Policy Server denied access to a user.
## 6274: Network Policy Server discarded the request for a user. - 6274: Network Policy Server discarded the request for a user.
## 6275: Network Policy Server discarded the accounting request for a user. - 6275: Network Policy Server discarded the accounting request for a user.
## 6276: Network Policy Server quarantined a user. - 6276: Network Policy Server quarantined a user.
## 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. - 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
## 6278: Network Policy Server granted full access to a user because the host met the defined health policy. - 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
## 6279: Network Policy Server locked the user account due to repeated failed authentication attempts. - 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
## 6280: Network Policy Server unlocked the user account.
- 6280: Network Policy Server unlocked the user account.
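Review bot: The NPS bullets 6272 through 6280 have no (S) or (F) marker, whereas every other event list touched by this commit tags each ID, for example `5451(S)` or `4652(F)`. If the omission is deliberate, say so in a line above the list; otherwise add the markers so a reader can see which entries, such as 6273 (access denied) and 6279 (account locked after repeated failed authentication attempts), appear under Success or Failure auditing.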

@ -20,78 +20,86 @@ ms.date: 02/28/2019
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed. Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.
**Event volume**: Low. **Event volume**: Low.
This subcategory allows you to audit events generated by changes to security groups such as the following: This subcategory allows you to audit events generated by changes to security groups such as the following:
- Security group is created, changed, or deleted. - Security group is created, changed, or deleted.
- Member is added or removed from a security group. - Member is added or removed from a security group.
- Group type is changed. - Group type is changed.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.| | Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.| | Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.| | Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:** **Events List:**
- [4731](event-4731.md)(S): A security-enabled local group was created. - [4731](event-4731.md)(S): A security-enabled local group was created.
- [4732](event-4732.md)(S): A member was added to a security-enabled local group. - [4732](event-4732.md)(S): A member was added to a security-enabled local group.
- [4733](event-4733.md)(S): A member was removed from a security-enabled local group. - [4733](event-4733.md)(S): A member was removed from a security-enabled local group.
- [4734](event-4734.md)(S): A security-enabled local group was deleted. - [4734](event-4734.md)(S): A security-enabled local group was deleted.
- [4735](event-4735.md)(S): A security-enabled local group was changed. - [4735](event-4735.md)(S): A security-enabled local group was changed.
- [4764](event-4764.md)(S): A groups type was changed. - [4764](event-4764.md)(S): A groups type was changed.
- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated. - [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.
**4727(S): A security-enabled global group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.” Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4727(S): A security-enabled global group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply. > [!IMPORTANT]
> Event 4727(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
**4737(S): A security-enabled global group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.” Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4737(S): A security-enabled global group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply. > [!IMPORTANT]
> Event 4737(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
**4728(S): A member was added to a security-enabled global group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.” Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4728(S): A member was added to a security-enabled global group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply. > [!IMPORTANT]
> Event 4728(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
**4729(S): A member was removed from a security-enabled global group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.” Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4729(S): A member was removed from a security-enabled global group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply. > [!IMPORTANT]
> Event 4729(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
**4730(S): A security-enabled global group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.” Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4730(S): A security-enabled global group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply. > [!IMPORTANT]
> Event 4730(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
**4754(S): A security-enabled universal group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.”. Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4754(S): A security-enabled universal group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply. > [!IMPORTANT]
> Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
**4755(S): A security-enabled universal group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.”. Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply. > [!IMPORTANT]
> Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
**4756(S): A member was added to a security-enabled universal group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.”. Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4756(S): A member was added to a security-enabled universal group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply. > [!IMPORTANT]
> Event 4756(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
**4757(S): A member was removed from a security-enabled universal group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.”. Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4757(S): A member was removed from a security-enabled universal group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply. > [!IMPORTANT]
> Event 4757(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
**4758(S): A security-enabled universal group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.”. Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - 4758(S): A security-enabled universal group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
>[!IMPORTANT]
> Event 4758(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
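Review bot: In the 4755(S) entry, the rewritten bullet still reads "Event 4737 is the same", carried over unchanged from the old line. The entry describes event 4755 (a security-enabled universal group was changed), so the sentence should read "Event 4755 is the same"; a formatting pass is a good moment to fix it, because readers following the cross-reference to event 4735 will otherwise map the recommendations to the wrong event ID. Separately, the alert for 4758(S) is written `>[!IMPORTANT]` without the space that every other `> [!IMPORTANT]` block in this hunk uses; make it `> [!IMPORTANT]` so the alerts are consistent.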