diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index ee6728c7e9..24b3237fcd 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -368,368 +368,369 @@ ### [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md) ### [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) + ### [Security auditing](auditing/security-auditing-overview.md) -### [Basic security audit policies](auditing/basic-security-audit-policies.md) -#### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md) -#### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md) -#### [View the security event log](auditing/view-the-security-event-log.md) +#### [Basic security audit policies](auditing/basic-security-audit-policies.md) +##### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md) +##### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md) +##### [View the security event log](auditing/view-the-security-event-log.md) -#### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md) -##### [Audit account logon events](auditing/basic-audit-account-logon-events.md) -##### [Audit account management](auditing/basic-audit-account-management.md) -##### [Audit directory service access](auditing/basic-audit-directory-service-access.md) -##### [Audit logon events](auditing/basic-audit-logon-events.md) -##### [Audit object access](auditing/basic-audit-object-access.md) -##### [Audit policy change](auditing/basic-audit-policy-change.md) -##### [Audit privilege use](auditing/basic-audit-privilege-use.md) -##### [Audit process tracking](auditing/basic-audit-process-tracking.md) -##### [Audit system events](auditing/basic-audit-system-events.md) +##### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md) +###### [Audit account logon 
events](auditing/basic-audit-account-logon-events.md) +###### [Audit account management](auditing/basic-audit-account-management.md) +###### [Audit directory service access](auditing/basic-audit-directory-service-access.md) +###### [Audit logon events](auditing/basic-audit-logon-events.md) +###### [Audit object access](auditing/basic-audit-object-access.md) +###### [Audit policy change](auditing/basic-audit-policy-change.md) +###### [Audit privilege use](auditing/basic-audit-privilege-use.md) +###### [Audit process tracking](auditing/basic-audit-process-tracking.md) +###### [Audit system events](auditing/basic-audit-system-events.md) + +##### [Advanced security audit policies](auditing/advanced-security-auditing.md) +###### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md) +###### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md) +####### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md) + +###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) +####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md) +####### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md) +####### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md) +####### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md) +####### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md) +####### [Monitor the resource attributes on files and 
folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md) +####### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md) +####### [Monitor claim types](auditing/monitor-claim-types.md) + +###### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md) +####### [Audit Credential Validation](auditing/audit-credential-validation.md) +####### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md) +####### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md) +####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md) +####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md) +###### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md) +####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md) +####### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md) +####### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md) +###### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md) +####### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md) +####### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md) +####### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md) +###### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md) +###### [Audit Application Group Management](auditing/audit-application-group-management.md) +###### [Audit Computer Account Management](auditing/audit-computer-account-management.md) +####### [Event 4741 S: A computer account was 
created.](auditing/event-4741.md) +####### [Event 4742 S: A computer account was changed.](auditing/event-4742.md) +####### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md) +###### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md) +####### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md) +####### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md) +####### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md) +####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md) +####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md) +###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md) +####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md) +####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md) +###### [Audit Security Group Management](auditing/audit-security-group-management.md) +####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md) +####### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md) +####### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md) +####### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md) +####### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md) +####### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md) +####### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md) +###### [Audit User Account Management](auditing/audit-user-account-management.md) +####### [Event 4720 S: A user account was created.](auditing/event-4720.md) 
+####### [Event 4722 S: A user account was enabled.](auditing/event-4722.md) +####### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md) +####### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md) +####### [Event 4725 S: A user account was disabled.](auditing/event-4725.md) +####### [Event 4726 S: A user account was deleted.](auditing/event-4726.md) +####### [Event 4738 S: A user account was changed.](auditing/event-4738.md) +####### [Event 4740 S: A user account was locked out.](auditing/event-4740.md) +####### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md) +####### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md) +####### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md) +####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md) +####### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md) +####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md) +####### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md) +####### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md) +####### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md) +###### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md) +####### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md) +####### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md) +####### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md) +####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md) 
+###### [Audit PNP Activity](auditing/audit-pnp-activity.md) +####### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md) +####### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md) +####### [Event 6420 S: A device was disabled.](auditing/event-6420.md) +####### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md) +####### [Event 6422 S: A device was enabled.](auditing/event-6422.md) +####### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md) +####### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md) +###### [Audit Process Creation](auditing/audit-process-creation.md) +####### [Event 4688 S: A new process has been created.](auditing/event-4688.md) +####### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md) +###### [Audit Process Termination](auditing/audit-process-termination.md) +####### [Event 4689 S: A process has exited.](auditing/event-4689.md) +###### [Audit RPC Events](auditing/audit-rpc-events.md) +####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md) +###### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md) +####### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md) +####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md) +####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md) +####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md) +####### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md) +####### [Event 4935 F: 
Replication failure begins.](auditing/event-4935.md) +####### [Event 4936 S: Replication failure ends.](auditing/event-4936.md) +####### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md) +###### [Audit Directory Service Access](auditing/audit-directory-service-access.md) +####### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md) +####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) +###### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md) +####### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md) +####### [Event 5137 S: A directory service object was created.](auditing/event-5137.md) +####### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md) +####### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md) +####### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md) +###### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md) +####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md) +####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md) +###### [Audit Account Lockout](auditing/audit-account-lockout.md) +####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md) +###### [Audit User/Device Claims](auditing/audit-user-device-claims.md) +####### [Event 4626 S: User/Device claims information.](auditing/event-4626.md) +###### [Audit Group Membership](auditing/audit-group-membership.md) +####### [Event 4627 S: Group membership information.](auditing/event-4627.md) +###### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md) +###### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md) +###### [Audit IPsec Quick 
Mode](auditing/audit-ipsec-quick-mode.md) +###### [Audit Logoff](auditing/audit-logoff.md) +####### [Event 4634 S: An account was logged off.](auditing/event-4634.md) +####### [Event 4647 S: User initiated logoff.](auditing/event-4647.md) +###### [Audit Logon](auditing/audit-logon.md) +####### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md) +####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md) +####### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md) +####### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md) +###### [Audit Network Policy Server](auditing/audit-network-policy-server.md) +###### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md) +####### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md) +####### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md) +####### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md) +####### [Event 4800 S: The workstation was locked.](auditing/event-4800.md) +####### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md) +####### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md) +####### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md) +####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md) +####### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md) +####### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md) +###### [Audit Special Logon](auditing/audit-special-logon.md) +####### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md) +####### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md) +###### [Audit Application 
Generated](auditing/audit-application-generated.md) +###### [Audit Certification Services](auditing/audit-certification-services.md) +###### [Audit Detailed File Share](auditing/audit-detailed-file-share.md) +####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md) +###### [Audit File Share](auditing/audit-file-share.md) +####### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md) +####### [Event 5142 S: A network share object was added.](auditing/event-5142.md) +####### [Event 5143 S: A network share object was modified.](auditing/event-5143.md) +####### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md) +####### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md) +###### [Audit File System](auditing/audit-file-system.md) +####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) +####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) +####### [Event 4660 S: An object was deleted.](auditing/event-4660.md) +####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) +####### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md) +####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) +####### [Event 5051: A file was virtualized.](auditing/event-5051.md) +####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) +###### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md) +####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md) +####### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md) +####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a 
packet.](auditing/event-5151.md) +####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md) +####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md) +####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md) +####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md) +####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md) +####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md) +###### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md) +####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md) +####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md) +###### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md) +####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md) +###### [Audit Kernel Object](auditing/audit-kernel-object.md) +####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) +####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) +####### [Event 4660 S: An object was deleted.](auditing/event-4660.md) +####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) +###### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md) +####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md) +####### [Event 4691 S: Indirect access to an object was 
requested.](auditing/event-4691.md) +####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md) +####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md) +####### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md) +####### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md) +####### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md) +####### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md) +####### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md) +####### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md) +####### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md) +####### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md) +###### [Audit Registry](auditing/audit-registry.md) +####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) +####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) +####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) +####### [Event 4660 S: An object was deleted.](auditing/event-4660.md) +####### [Event 4657 S: A registry value was modified.](auditing/event-4657.md) +####### [Event 5039: A registry key was virtualized.](auditing/event-5039.md) +####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) +###### [Audit Removable Storage](auditing/audit-removable-storage.md) +###### [Audit SAM](auditing/audit-sam.md) +####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) +###### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md) +####### [Event 4818 S: Proposed Central Access 
Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md) +###### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md) +####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) +####### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md) +####### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md) +####### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md) +####### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md) +####### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md) +####### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md) +####### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md) +####### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md) +####### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md) +####### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md) +###### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md) +####### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md) +####### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md) +####### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md) +####### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md) +####### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md) +####### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md) +####### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md) +####### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md) 
+####### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md) +####### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md) +####### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md) +###### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md) +####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md) +####### [Event 4704 S: A user right was assigned.](auditing/event-4704.md) +####### [Event 4705 S: A user right was removed.](auditing/event-4705.md) +####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) +####### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md) +####### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md) +###### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md) +###### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md) +####### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md) +####### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md) +####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md) +####### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md) +####### [Event 4948 S: A change has been made to Windows Firewall exception list. 
A rule was deleted.](auditing/event-4948.md) +####### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md) +####### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md) +####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md) +####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md) +####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md) +####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md) +####### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md) +####### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md) +####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md) +###### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md) +####### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md) +####### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md) +####### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md) +####### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md) +####### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md) +####### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md) +####### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md) +####### [Event 
5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md) +####### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md) +####### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md) +####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md) +####### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md) +####### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md) +####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md) +####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md) +####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md) +###### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md) +####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) +####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) +####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) +###### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md) +####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) +####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) +####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) +###### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md) +####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) +###### [Audit IPsec Driver](auditing/audit-ipsec-driver.md) +###### [Audit Other System 
Events](auditing/audit-other-system-events.md) +####### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md) +####### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md) +####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md) +####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md) +####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md) +####### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md) +####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md) +####### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md) +####### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md) +####### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md) +####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md) +####### [Event 5058 S, F: Key file operation.](auditing/event-5058.md) +####### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md) +####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md) +####### [Event 6401: BranchCache: Received invalid data from a peer. 
Data discarded.](auditing/event-6401.md) +####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md) +####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md) +####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md) +####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md) +####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md) +####### [Event 6407: 1%.](auditing/event-6407.md) +####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md) +####### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md) +###### [Audit Security State Change](auditing/audit-security-state-change.md) +####### [Event 4608 S: Windows is starting up.](auditing/event-4608.md) +####### [Event 4616 S: The system time was changed.](auditing/event-4616.md) +####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md) +###### [Audit Security System Extension](auditing/audit-security-system-extension.md) +####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md) +####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md) +####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md) +####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md) +####### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md) +###### [Audit System 
Integrity](auditing/audit-system-integrity.md) +####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md) +####### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md) +####### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md) +####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md) +####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md) +####### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md) +####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md) +####### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md) +####### [Event 5060 F: Verification operation failed.](auditing/event-5060.md) +####### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md) +####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md) +####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md) +###### [Other Events](auditing/other-events.md) +####### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md) +####### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md) +####### [Event 1104 S: The security log is now full.](auditing/event-1104.md) +####### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md) +####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md) +###### [Appendix A: Security monitoring recommendations for many audit 
events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md) +###### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md) +###### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md) + -### [Advanced security audit policies](auditing/advanced-security-auditing.md) -#### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md) -#### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md) -##### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md) - - -#### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -##### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md) -##### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md) -##### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md) -##### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md) -##### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md) -##### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md) -##### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md) -##### [Monitor claim types](auditing/monitor-claim-types.md) - -#### [Advanced security audit policy 
settings](auditing/advanced-security-audit-policy-settings.md) -##### [Audit Credential Validation](auditing/audit-credential-validation.md) -###### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md) -###### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md) -###### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md) -###### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md) -##### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md) -###### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md) -###### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md) -###### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md) -##### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md) -###### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md) -###### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md) -###### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md) -##### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md) -##### [Audit Application Group Management](auditing/audit-application-group-management.md) -##### [Audit Computer Account Management](auditing/audit-computer-account-management.md) -###### [Event 4741 S: A computer account was created.](auditing/event-4741.md) -###### [Event 4742 S: A computer account was changed.](auditing/event-4742.md) -###### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md) -##### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md) -###### [Event 4749 S: A security-disabled global group was 
created.](auditing/event-4749.md) -###### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md) -###### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md) -###### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md) -###### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md) -##### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md) -###### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md) -###### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md) -##### [Audit Security Group Management](auditing/audit-security-group-management.md) -###### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md) -###### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md) -###### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md) -###### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md) -###### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md) -###### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md) -###### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md) -##### [Audit User Account Management](auditing/audit-user-account-management.md) -###### [Event 4720 S: A user account was created.](auditing/event-4720.md) -###### [Event 4722 S: A user account was enabled.](auditing/event-4722.md) -###### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md) -###### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md) -###### [Event 4725 S: A user account was disabled.](auditing/event-4725.md) -###### 
[Event 4726 S: A user account was deleted.](auditing/event-4726.md) -###### [Event 4738 S: A user account was changed.](auditing/event-4738.md) -###### [Event 4740 S: A user account was locked out.](auditing/event-4740.md) -###### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md) -###### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md) -###### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md) -###### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md) -###### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md) -###### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md) -###### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md) -###### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md) -###### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md) -##### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md) -###### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md) -###### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md) -###### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md) -###### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md) -##### [Audit PNP Activity](auditing/audit-pnp-activity.md) -###### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md) -###### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md) -###### [Event 6420 S: A device was disabled.](auditing/event-6420.md) -###### [Event 6421 S: A request was made to enable a 
device.](auditing/event-6421.md) -###### [Event 6422 S: A device was enabled.](auditing/event-6422.md) -###### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md) -###### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md) -##### [Audit Process Creation](auditing/audit-process-creation.md) -###### [Event 4688 S: A new process has been created.](auditing/event-4688.md) -###### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md) -##### [Audit Process Termination](auditing/audit-process-termination.md) -###### [Event 4689 S: A process has exited.](auditing/event-4689.md) -##### [Audit RPC Events](auditing/audit-rpc-events.md) -###### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md) -##### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md) -###### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md) -###### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md) -###### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md) -###### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md) -###### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md) -###### [Event 4935 F: Replication failure begins.](auditing/event-4935.md) -###### [Event 4936 S: Replication failure ends.](auditing/event-4936.md) -###### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md) -##### [Audit Directory Service Access](auditing/audit-directory-service-access.md) -###### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md) 
-###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) -##### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md) -###### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md) -###### [Event 5137 S: A directory service object was created.](auditing/event-5137.md) -###### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md) -###### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md) -###### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md) -##### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md) -###### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md) -###### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md) -##### [Audit Account Lockout](auditing/audit-account-lockout.md) -###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md) -##### [Audit User/Device Claims](auditing/audit-user-device-claims.md) -###### [Event 4626 S: User/Device claims information.](auditing/event-4626.md) -##### [Audit Group Membership](auditing/audit-group-membership.md) -###### [Event 4627 S: Group membership information.](auditing/event-4627.md) -##### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md) -##### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md) -##### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md) -##### [Audit Logoff](auditing/audit-logoff.md) -###### [Event 4634 S: An account was logged off.](auditing/event-4634.md) -###### [Event 4647 S: User initiated logoff.](auditing/event-4647.md) -##### [Audit Logon](auditing/audit-logon.md) -###### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md) -###### [Event 4625 F: An account failed to log 
on.](auditing/event-4625.md) -###### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md) -###### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md) -##### [Audit Network Policy Server](auditing/audit-network-policy-server.md) -##### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md) -###### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md) -###### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md) -###### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md) -###### [Event 4800 S: The workstation was locked.](auditing/event-4800.md) -###### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md) -###### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md) -###### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md) -###### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md) -###### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md) -###### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md) -##### [Audit Special Logon](auditing/audit-special-logon.md) -###### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md) -###### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md) -##### [Audit Application Generated](auditing/audit-application-generated.md) -##### [Audit Certification Services](auditing/audit-certification-services.md) -##### [Audit Detailed File Share](auditing/audit-detailed-file-share.md) -###### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md) -##### [Audit File Share](auditing/audit-file-share.md) -###### [Event 5140 S, F: A network share object was 
accessed.](auditing/event-5140.md) -###### [Event 5142 S: A network share object was added.](auditing/event-5142.md) -###### [Event 5143 S: A network share object was modified.](auditing/event-5143.md) -###### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md) -###### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md) -##### [Audit File System](auditing/audit-file-system.md) -###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) -###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) -###### [Event 4660 S: An object was deleted.](auditing/event-4660.md) -###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) -###### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md) -###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) -###### [Event 5051: A file was virtualized.](auditing/event-5051.md) -###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) -##### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md) -###### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md) -###### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md) -###### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md) -###### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md) -###### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md) -###### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md) 
-###### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md) -###### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md) -###### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md) -##### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md) -###### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md) -###### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md) -##### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md) -###### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md) -##### [Audit Kernel Object](auditing/audit-kernel-object.md) -###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) -###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) -###### [Event 4660 S: An object was deleted.](auditing/event-4660.md) -###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) -##### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md) -###### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md) -###### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md) -###### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md) -###### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md) -###### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md) -###### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md) -###### [Event 
4700 S: A scheduled task was enabled.](auditing/event-4700.md) -###### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md) -###### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md) -###### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md) -###### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md) -###### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md) -##### [Audit Registry](auditing/audit-registry.md) -###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) -###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) -###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) -###### [Event 4660 S: An object was deleted.](auditing/event-4660.md) -###### [Event 4657 S: A registry value was modified.](auditing/event-4657.md) -###### [Event 5039: A registry key was virtualized.](auditing/event-5039.md) -###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) -##### [Audit Removable Storage](auditing/audit-removable-storage.md) -##### [Audit SAM](auditing/audit-sam.md) -###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) -##### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md) -###### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md) -##### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md) -###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) -###### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md) -###### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md) -###### [Event 4817 S: Auditing settings on object were 
changed.](auditing/event-4817.md) -###### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md) -###### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md) -###### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md) -###### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md) -###### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md) -###### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md) -###### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md) -##### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md) -###### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md) -###### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md) -###### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md) -###### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md) -###### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md) -###### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md) -###### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md) -###### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md) -###### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md) -###### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md) -###### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md) -##### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md) -###### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md) -###### [Event 4704 S: A user right was assigned.](auditing/event-4704.md) 
-###### [Event 4705 S: A user right was removed.](auditing/event-4705.md) -###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) -###### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md) -###### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md) -##### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md) -##### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md) -###### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md) -###### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md) -###### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md) -###### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md) -###### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md) -###### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md) -###### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md) -###### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md) -###### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md) -###### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md) -###### [Event 4954 S: Windows Firewall Group Policy settings have changed. 
The new settings have been applied.](auditing/event-4954.md) -###### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md) -###### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md) -###### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md) -##### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md) -###### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md) -###### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md) -###### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md) -###### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md) -###### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md) -###### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md) -###### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md) -###### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md) -###### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md) -###### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md) -###### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md) -###### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md) -###### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md) -###### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md) -###### [Event 6144 S: Security policy in the group policy objects has 
been applied successfully.](auditing/event-6144.md) -###### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md) -##### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md) -###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) -###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) -###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) -##### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md) -###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) -###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) -###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) -##### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md) -###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) -##### [Audit IPsec Driver](auditing/audit-ipsec-driver.md) -##### [Audit Other System Events](auditing/audit-other-system-events.md) -###### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md) -###### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md) -###### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md) -###### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md) -###### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. 
The service will continue to enforce the current policy.](auditing/event-5029.md) -###### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md) -###### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md) -###### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md) -###### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md) -###### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md) -###### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md) -###### [Event 5058 S, F: Key file operation.](auditing/event-5058.md) -###### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md) -###### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md) -###### [Event 6401: BranchCache: Received invalid data from a peer. 
Data discarded.](auditing/event-6401.md) -###### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md) -###### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md) -###### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md) -###### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md) -###### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md) -###### [Event 6407: 1%.](auditing/event-6407.md) -###### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md) -###### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md) -##### [Audit Security State Change](auditing/audit-security-state-change.md) -###### [Event 4608 S: Windows is starting up.](auditing/event-4608.md) -###### [Event 4616 S: The system time was changed.](auditing/event-4616.md) -###### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md) -##### [Audit Security System Extension](auditing/audit-security-system-extension.md) -###### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md) -###### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md) -###### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md) -###### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md) -###### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md) -##### [Audit System 
Integrity](auditing/audit-system-integrity.md) -###### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md) -###### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md) -###### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md) -###### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md) -###### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md) -###### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md) -###### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md) -###### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md) -###### [Event 5060 F: Verification operation failed.](auditing/event-5060.md) -###### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md) -###### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md) -###### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md) -##### [Other Events](auditing/other-events.md) -###### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md) -###### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md) -###### [Event 1104 S: The security log is now full.](auditing/event-1104.md) -###### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md) -###### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md) -##### [Appendix A: Security monitoring recommendations for many audit 
events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md) -##### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md) -##### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md) - ### [Security policy settings](security-policy-settings/security-policy-settings.md) ### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md) #### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md)
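Review bot: the `-######` event entries removed in the last part of this hunk (the Audit Other System Events, Security State Change, Security System Extension, System Integrity and Other Events groups) already use six `#` characters, which is the deepest ATX heading level standard Markdown defines. If these entries are re-added one level deeper, they need seven. Please confirm that the TOC build still treats a seven-`#` line as a node rather than as plain text, or flatten one level of the hierarchy instead. Two details in these lines are also worth fixing while they are being rewritten: the title `Event 6407: 1%.` looks like a transposed `%1` placeholder and should be checked against event-6407.md, and the link text of the Registry and File System "(Global Object Access Auditing) " entries has a trailing space before the `]`. The blank line that separated this block from `### [Security policy settings]` is also removed at the end of the hunk; keep a blank line there if the new block does not end with one.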