From a76f14eabb67bd23cd01bdfbe039c50d8b5b05ba Mon Sep 17 00:00:00 2001 
From: JanKeller1 Date: Tue, 31 May 2016 11:59:56 -0700 Subject: [PATCH] fixed links that had become broken in process of converting from docx to markdown --- windows/keep-secure/audit-detailed-file-share.md | 2 +- windows/keep-secure/audit-directory-service-access.md | 2 +- windows/keep-secure/audit-directory-service-changes.md | 2 +- windows/keep-secure/audit-file-system.md | 2 +- windows/keep-secure/audit-group-membership.md | 2 +- windows/keep-secure/audit-handle-manipulation.md | 2 +- windows/keep-secure/audit-logoff.md | 6 +++--- windows/keep-secure/audit-non-sensitive-privilege-use.md | 6 +++--- windows/keep-secure/audit-process-termination.md | 6 +++--- windows/keep-secure/audit-sensitive-privilege-use.md | 2 +- windows/keep-secure/audit-user-device-claims.md | 2 +- windows/keep-secure/event-1102.md | 2 +- windows/keep-secure/event-4611.md | 2 +- windows/keep-secure/event-4616.md | 2 +- windows/keep-secure/event-4625.md | 2 +- windows/keep-secure/event-4627.md | 4 ++-- windows/keep-secure/event-4634.md | 2 +- windows/keep-secure/event-4647.md | 2 +- windows/keep-secure/event-4648.md | 2 +- windows/keep-secure/event-4656.md | 2 +- windows/keep-secure/event-4657.md | 2 +- windows/keep-secure/event-4658.md | 4 ++-- windows/keep-secure/event-4661.md | 6 +++--- windows/keep-secure/event-4662.md | 2 +- windows/keep-secure/event-4663.md | 2 +- windows/keep-secure/event-4670.md | 2 +- windows/keep-secure/event-4672.md | 2 +- windows/keep-secure/event-4673.md | 2 +- windows/keep-secure/event-4674.md | 2 +- windows/keep-secure/event-4689.md | 2 +- windows/keep-secure/event-4690.md | 4 ++-- windows/keep-secure/event-4692.md | 2 +- windows/keep-secure/event-4693.md | 2 +- windows/keep-secure/event-4697.md | 2 +- windows/keep-secure/event-4698.md | 2 +- windows/keep-secure/event-4699.md | 2 +- windows/keep-secure/event-4700.md | 2 +- windows/keep-secure/event-4701.md | 2 +- windows/keep-secure/event-4702.md | 2 +- windows/keep-secure/event-4720.md | 2 +- 
windows/keep-secure/event-4722.md | 2 +- windows/keep-secure/event-4723.md | 2 +- windows/keep-secure/event-4724.md | 2 +- windows/keep-secure/event-4725.md | 2 +- windows/keep-secure/event-4726.md | 2 +- windows/keep-secure/event-4731.md | 2 +- windows/keep-secure/event-4734.md | 2 +- windows/keep-secure/event-4735.md | 6 +++--- windows/keep-secure/event-4738.md | 2 +- windows/keep-secure/event-4740.md | 2 +- windows/keep-secure/event-4741.md | 2 +- windows/keep-secure/event-4742.md | 4 ++-- windows/keep-secure/event-4743.md | 2 +- windows/keep-secure/event-4749.md | 2 +- windows/keep-secure/event-4750.md | 6 +++--- windows/keep-secure/event-4753.md | 2 +- windows/keep-secure/event-4764.md | 2 +- windows/keep-secure/event-4767.md | 2 +- windows/keep-secure/event-4781.md | 2 +- windows/keep-secure/event-4793.md | 2 +- windows/keep-secure/event-4798.md | 2 +- windows/keep-secure/event-4799.md | 2 +- windows/keep-secure/event-4800.md | 2 +- windows/keep-secure/event-4801.md | 2 +- windows/keep-secure/event-4802.md | 2 +- windows/keep-secure/event-4803.md | 2 +- windows/keep-secure/event-4818.md | 2 +- windows/keep-secure/event-4819.md | 2 +- windows/keep-secure/event-4826.md | 2 +- windows/keep-secure/event-4904.md | 2 +- windows/keep-secure/event-4905.md | 2 +- windows/keep-secure/event-4907.md | 2 +- windows/keep-secure/event-4911.md | 2 +- windows/keep-secure/event-4913.md | 2 +- windows/keep-secure/event-5058.md | 2 +- windows/keep-secure/event-5059.md | 2 +- windows/keep-secure/event-5061.md | 2 +- windows/keep-secure/event-5136.md | 2 +- windows/keep-secure/event-5137.md | 2 +- windows/keep-secure/event-5138.md | 2 +- windows/keep-secure/event-5139.md | 2 +- windows/keep-secure/event-5140.md | 2 +- windows/keep-secure/event-5141.md | 2 +- windows/keep-secure/event-5142.md | 2 +- windows/keep-secure/event-5143.md | 2 +- windows/keep-secure/event-5144.md | 2 +- windows/keep-secure/event-5145.md | 2 +- windows/keep-secure/event-5168.md | 2 +- 
windows/keep-secure/event-5376.md | 2 +- windows/keep-secure/event-5377.md | 2 +- windows/keep-secure/event-5378.md | 2 +- windows/keep-secure/event-5888.md | 2 +- windows/keep-secure/event-5889.md | 2 +- windows/keep-secure/event-5890.md | 2 +- windows/keep-secure/event-6416.md | 2 +- windows/keep-secure/event-6419.md | 2 +- windows/keep-secure/event-6420.md | 2 +- windows/keep-secure/event-6421.md | 2 +- windows/keep-secure/event-6422.md | 2 +- windows/keep-secure/event-6423.md | 2 +- 100 files changed, 116 insertions(+), 116 deletions(-) diff --git a/windows/keep-secure/audit-detailed-file-share.md b/windows/keep-secure/audit-detailed-file-share.md index e2197034fc..e3bcefa79b 100644 --- a/windows/keep-secure/audit-detailed-file-share.md +++ b/windows/keep-secure/audit-detailed-file-share.md 
@@ -33,7 +33,7 @@ There are no system access control lists (SACLs) for shared folders. If this pol | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share.
We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. | -| Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](#_Audit_File_System) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. | +| Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. | | Workstation | IF | Yes | IF | Yes | IF – If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. | **Events List:** diff --git a/windows/keep-secure/audit-directory-service-access.md b/windows/keep-secure/audit-directory-service-access.md index 3d3e81249c..90f32dc571 100644 --- a/windows/keep-secure/audit-directory-service-access.md +++ b/windows/keep-secure/audit-directory-service-access.md 
@@ -24,7 +24,7 @@ This subcategory allows you to audit when an Active Directory Domain Services (A | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](#_Audit_Directory_Service_1) subcategory. However, [Audit Directory Service Changes](#_Audit_Directory_Service_1) doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. | +| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. | | Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | | Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | diff --git a/windows/keep-secure/audit-directory-service-changes.md b/windows/keep-secure/audit-directory-service-changes.md index 6daf567a59..681d62c3bd 100644 --- a/windows/keep-secure/audit-directory-service-changes.md +++ b/windows/keep-secure/audit-directory-service-changes.md 
@@ -30,7 +30,7 @@ This subcategory triggers events when an Active Directory object was modified, c | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) container or Domain Admins group objects.
This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](#_Audit_Directory_Service) subcategory.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) container or Domain Admins group objects.
This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | | Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | diff --git a/windows/keep-secure/audit-file-system.md b/windows/keep-secure/audit-file-system.md index 105d63686a..c2067f4580 100644 --- a/windows/keep-secure/audit-file-system.md +++ b/windows/keep-secure/audit-file-system.md 
@@ -30,7 +30,7 @@ No audit events are generated for the default file system [SACL](https://msdn.mi This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations and hard link creation actions. -Only one event, “[4658](event-4658.md): The handle to an object was closed,” depends on the [Audit Handle Manipulation](#_Audit_Handle_Manipulation) subcategory (Success auditing must be enabled). All other events generate without any additional configuration. +Only one event, “[4658](event-4658.md): The handle to an object was closed,” depends on the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory (Success auditing must be enabled). All other events generate without any additional configuration. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/windows/keep-secure/audit-group-membership.md b/windows/keep-secure/audit-group-membership.md index f7d1211d44..2fbda5d3b5 100644 
--- a/windows/keep-secure/audit-group-membership.md +++ b/windows/keep-secure/audit-group-membership.md @@ -22,7 +22,7 @@ This policy allows you to audit the group membership information in the user's l For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -You must also enable the [Audit Logon](#_Audit_Logon) subcategory. +You must also enable the [Audit Logon](audit-logon.md) subcategory. Multiple events are generated if the group membership information cannot fit in a single security audit event diff --git a/windows/keep-secure/audit-handle-manipulation.md b/windows/keep-secure/audit-handle-manipulation.md index 97abf5e452..5cff0de163 100644 --- a/windows/keep-secure/audit-handle-manipulation.md +++ b/windows/keep-secure/audit-handle-manipulation.md @@ -16,7 +16,7 @@ author: Mir0sh - Windows Server 2016 -Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](#_Audit_File_System), [Audit Kernel Object](#_Audit_Kernel_Object), [Audit Registry](#_Audit_Registry), [Audit Removable Storage](#_Audit_Removable_Storage) and [Audit SAM](#_Audit_SAM) subcategories, and shows object’s handle duplication and close actions. +Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows object’s handle duplication and close actions. **Event volume**: High. diff --git a/windows/keep-secure/audit-logoff.md b/windows/keep-secure/audit-logoff.md index a4e81b17b2..66730b6282 100644 --- a/windows/keep-secure/audit-logoff.md 
+++ b/windows/keep-secure/audit-logoff.md @@ -30,9 +30,9 @@ This subcategory allows you to audit events generated by the closing of a logon | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](#_Audit_Logon) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](#_Audit_Logon) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](#_Audit_Logon) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](#_Audit_Logon) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](#_Audit_Logon) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](#_Audit_Logon) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** diff --git a/windows/keep-secure/audit-non-sensitive-privilege-use.md b/windows/keep-secure/audit-non-sensitive-privilege-use.md index 567f2d150b..a6052e4d5d 100644 --- a/windows/keep-secure/audit-non-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md @@ -68,9 +68,9 @@ If you configure this policy setting, an audit event is generated when a non-sen | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](#_Audit_Sensitive_Privilege) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | -| Member Server | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](#_Audit_Sensitive_Privilege) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | -| Workstation | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](#_Audit_Sensitive_Privilege) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | +| Domain Controller | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | +| Member Server | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | +| Workstation | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | **Events List:** diff --git a/windows/keep-secure/audit-process-termination.md b/windows/keep-secure/audit-process-termination.md index 2dde0beac1..9c526efce5 100644 --- a/windows/keep-secure/audit-process-termination.md +++ b/windows/keep-secure/audit-process-termination.md @@ -26,9 +26,9 @@ This policy setting can help you track user activity and understand how the comp | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](#_Audit_Process_Creation) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](#_Audit_Process_Creation) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](#_Audit_Process_Creation) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** diff --git a/windows/keep-secure/audit-sensitive-privilege-use.md b/windows/keep-secure/audit-sensitive-privilege-use.md index b016f5876f..051c87dd73 100644 --- a/windows/keep-secure/audit-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-sensitive-privilege-use.md @@ -66,6 +66,6 @@ If you configure this policy setting, an audit event is generated when sensitive - [4985](event-4985.md)(S): The state of a transaction has changed. ->**Note**  For some reason event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](#_Audit_File_System) subcategory generates also in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](#_Audit_File_System) subcategory. +>**Note**  For some reason event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory generates also in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory. diff --git a/windows/keep-secure/audit-user-device-claims.md b/windows/keep-secure/audit-user-device-claims.md index 80103703ec..3624a64b1e 100644 --- a/windows/keep-secure/audit-user-device-claims.md +++ b/windows/keep-secure/audit-user-device-claims.md @@ -20,7 +20,7 @@ Audit User/Device Claims allows you to audit user and device claims information For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -***Important***: [Audit Logon](#_Audit_Logon) subcategory must also be enabled in order to get events from this subcategory. +***Important***: [Audit Logon](audit-logon.md) subcategory must also be enabled in order to get events from this subcategory. **Event volume**: 
diff --git a/windows/keep-secure/event-1102.md b/windows/keep-secure/event-1102.md index f7a20193be..eb7b13ca41 100644 --- a/windows/keep-secure/event-1102.md +++ b/windows/keep-secure/event-1102.md @@ -92,7 +92,7 @@ This event generates every time Windows Security audit log was cleared. For 1102(S): The audit log was cleared. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Typically you should not see this event. There is no need to manually clear the Security event log in most cases. We recommend monitoring this event and investigating why this action was performed. diff --git a/windows/keep-secure/event-4611.md b/windows/keep-secure/event-4611.md index 4d44c1c181..ccb63e2c97 100644 --- a/windows/keep-secure/event-4611.md +++ b/windows/keep-secure/event-4611.md @@ -99,7 +99,7 @@ You typically see these events during operating system startup or user logon and For 4611(S): A trusted logon process has been registered with the Local Security Authority. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. diff --git a/windows/keep-secure/event-4616.md b/windows/keep-secure/event-4616.md index df2061daa7..b2ba578b7c 100644 --- a/windows/keep-secure/event-4616.md +++ b/windows/keep-secure/event-4616.md 
@@ -156,7 +156,7 @@ You will typically see these events with “**Subject\\Security ID**” = “**L For 4616(S): The system time was changed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service. diff --git a/windows/keep-secure/event-4625.md b/windows/keep-secure/event-4625.md index ca7b373bd8..5a700e58fb 100644 --- a/windows/keep-secure/event-4625.md +++ b/windows/keep-secure/event-4625.md @@ -237,7 +237,7 @@ More information: For 4625(F): An account failed to log on. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. diff --git a/windows/keep-secure/event-4627.md b/windows/keep-secure/event-4627.md index bd10bc1fc7..33f1daae58 100644 --- a/windows/keep-secure/event-4627.md +++ b/windows/keep-secure/event-4627.md 
@@ -23,7 +23,7 @@ author: Mir0sh This event generates with “[4624](event-4624.md)(S): An account was successfully logged on” and shows the list of groups that the logged-on account belongs to. -You must also enable the Success audit for [Audit Logon](#_Audit_Logon) subcategory to get this event. +You must also enable the Success audit for [Audit Logon](audit-logon.md) subcategory to get this event. Multiple events are generated if the group membership information cannot fit in a single security audit event. @@ -142,7 +142,7 @@ Multiple events are generated if the group membership information cannot fit in For 4627(S): Group membership information. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”. diff --git a/windows/keep-secure/event-4634.md b/windows/keep-secure/event-4634.md index b718e1e41e..46ecf743dc 100644 --- a/windows/keep-secure/event-4634.md +++ b/windows/keep-secure/event-4634.md 
@@ -111,7 +111,7 @@ It may be positively correlated with a “[4624](event-4624.md): An account was For 4634(S): An account was logged off. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If a particular **Logon Type** should not be used by a particular account (for example if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor this event for such actions. diff --git a/windows/keep-secure/event-4647.md b/windows/keep-secure/event-4647.md index 298fb9dd5b..73b26c7c01 100644 --- a/windows/keep-secure/event-4647.md +++ b/windows/keep-secure/event-4647.md @@ -96,5 +96,5 @@ It may be positively correlated with a “[4624](event-4624.md): An account was For 4647(S): User initiated logoff. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). diff --git a/windows/keep-secure/event-4648.md b/windows/keep-secure/event-4648.md index 47f6b45234..9cb907dcb0 100644 --- a/windows/keep-secure/event-4648.md +++ b/windows/keep-secure/event-4648.md 
@@ -166,7 +166,7 @@ It is also a routine event which periodically occurs during normal operating sys For 4648(S): A logon was attempted using explicit credentials. -The following table is similar to the table in [General recommendations for security auditing and monitoring for Windows 10](#GeneralRecommendations), but also describes ways of monitoring that use “**Account Whose Credentials Were Used\\Security ID.**” +The following table is similar to the table in [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md), but also describes ways of monitoring that use “**Account Whose Credentials Were Used\\Security ID.**” | **Type of monitoring required** | **Recommendation** | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/windows/keep-secure/event-4656.md b/windows/keep-secure/event-4656.md index 0850e450ef..8447c8fd0e 100644 --- a/windows/keep-secure/event-4656.md +++ b/windows/keep-secure/event-4656.md 
@@ -241,7 +241,7 @@ For kernel objects, this event and other auditing events have little to no secur For other types of objects, the following recommendations apply. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. diff --git a/windows/keep-secure/event-4657.md b/windows/keep-secure/event-4657.md index 09981c4f71..f4795e4e3e 100644 --- a/windows/keep-secure/event-4657.md +++ b/windows/keep-secure/event-4657.md @@ -163,7 +163,7 @@ This event generates only if “Set Value" auditing is set in registry key’s [ For 4657(S): A registry value was modified. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. diff --git a/windows/keep-secure/event-4658.md b/windows/keep-secure/event-4658.md index ab95bd98e1..41f3978e7d 100644 --- a/windows/keep-secure/event-4658.md +++ b/windows/keep-secure/event-4658.md 
@@ -23,7 +23,7 @@ author: Mir0sh This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. -This event generates only if Success auditing is enabled for [Audit Handle Manipulation](#_Audit_Handle_Manipulation) subcategory. +This event generates only if Success auditing is enabled for [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory. Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance. @@ -116,7 +116,7 @@ Typically this event is needed if you need to know how long the handle to the ob For 4658(S): The handle to an object was closed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it. diff --git a/windows/keep-secure/event-4661.md b/windows/keep-secure/event-4661.md index 274376f908..9f60b5fbab 100644 --- a/windows/keep-secure/event-4661.md +++ b/windows/keep-secure/event-4661.md 
@@ -25,7 +25,7 @@ This event indicates that a handle was requested for either an Active Directory If access was declined, then Failure event is generated. -This event generates only if Success auditing is enabled for the [Audit Handle Manipulation](#_Audit_Handle_Manipulation) subcategory. +This event generates only if Success auditing is enabled for the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -204,7 +204,7 @@ This event generates only if Success auditing is enabled for the [Audit Handle M | SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | | SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | -- **Properties** \[Type = UnicodeString\]: depends on **Object Type**. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in “[4661](event-4661.md): A handle to an object was requested” from [Audit SAM](#_Audit_SAM) subcategory. +- **Properties** \[Type = UnicodeString\]: depends on **Object Type**. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in “[4661](event-4661.md): A handle to an object was requested” from [Audit SAM](audit-sam.md) subcategory. - **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**. @@ -212,7 +212,7 @@ This event generates only if Success auditing is enabled for the [Audit Handle M For 4661(S, F): A handle to an object was requested. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document. diff --git a/windows/keep-secure/event-4662.md b/windows/keep-secure/event-4662.md index f47df40b75..2137b547fe 100644 --- a/windows/keep-secure/event-4662.md 
+++ b/windows/keep-secure/event-4662.md @@ -222,7 +222,7 @@ Here is an example of decoding of **Properties** field: For 4662(S, F): An operation was performed on an object. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor operations attempts to specific Active Directory classes, monitor for **Object Type** field with specific class name. For example, we recommend that you monitor all operations attempts to **domainDNS** class. diff --git a/windows/keep-secure/event-4663.md b/windows/keep-secure/event-4663.md index e9dfeec5a8..73acf9d590 100644 --- a/windows/keep-secure/event-4663.md +++ b/windows/keep-secure/event-4663.md @@ -183,7 +183,7 @@ For kernel objects, this event and other auditing events have little to no secur For other types of objects, the following recommendations apply. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have critical file system objects for which you need to monitor all access attempts, monitor this event for **Object Name**. diff --git a/windows/keep-secure/event-4670.md b/windows/keep-secure/event-4670.md index 9a4966ac95..5702cf1f4d 100644 --- a/windows/keep-secure/event-4670.md +++ b/windows/keep-secure/event-4670.md 
@@ -258,7 +258,7 @@ For token objects, this is typically an informational event, and at the same tim For file system and registry objects, the following recommendations apply. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. diff --git a/windows/keep-secure/event-4672.md b/windows/keep-secure/event-4672.md index 3713661deb..2d0ec716c2 100644 --- a/windows/keep-secure/event-4672.md +++ b/windows/keep-secure/event-4672.md @@ -137,7 +137,7 @@ You typically will see many of these events in the event log, because every logo For 4672(S): Special privileges assigned to new logon. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. diff --git a/windows/keep-secure/event-4673.md b/windows/keep-secure/event-4673.md index a85717ca1c..2816879567 100644 --- a/windows/keep-secure/event-4673.md +++ b/windows/keep-secure/event-4673.md 
@@ -170,7 +170,7 @@ Failure event generates when service call attempt fails. For 4673(S, F): A privileged service was called. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events. diff --git a/windows/keep-secure/event-4674.md b/windows/keep-secure/event-4674.md index c9014ad06b..3693ca894f 100644 --- a/windows/keep-secure/event-4674.md +++ b/windows/keep-secure/event-4674.md @@ -194,7 +194,7 @@ Failure event generates when operation attempt fails. For 4674(S, F): An operation was attempted on a privileged object. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events. diff --git a/windows/keep-secure/event-4689.md b/windows/keep-secure/event-4689.md index d9b1e14dda..9acfebcd83 100644 --- a/windows/keep-secure/event-4689.md +++ b/windows/keep-secure/event-4689.md 
@@ -107,7 +107,7 @@ This event generates every time a process has exited. For 4689(S): A process has exited. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. diff --git a/windows/keep-secure/event-4690.md b/windows/keep-secure/event-4690.md index 90e88e674a..c96c508880 100644 --- a/windows/keep-secure/event-4690.md +++ b/windows/keep-secure/event-4690.md 
@@ -92,7 +92,7 @@ This event generates if an attempt was made to duplicate a handle to an object. **Source Handle Information:** -- **Source Handle ID** \[Type = Pointer\]: hexadecimal value of a handle which was duplicated. This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](#_Audit_File_System), [Audit Kernel Object](#_Audit_Kernel_Object), [Audit Registry](#_Audit_Registry), [Audit Removable Storage](#_Audit_Removable_Storage) or [Audit SAM](#_Audit_SAM) subcategories. +- **Source Handle ID** \[Type = Pointer\]: hexadecimal value of a handle which was duplicated. This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories. - **Source Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Source Handle ID** before it was duplicated. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): 
@@ -104,7 +104,7 @@ This event generates if an attempt was made to duplicate a handle to an object. **New Handle Information:** -- **Target Handle ID** \[Type = Pointer\]: hexadecimal value of the new handle (the copy of **Source Handle ID**). This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](#_Audit_File_System), [Audit Kernel Object](#_Audit_Kernel_Object), [Audit Registry](#_Audit_Registry), [Audit Removable Storage](#_Audit_Removable_Storage) or [Audit SAM](#_Audit_SAM) subcategories. +- **Target Handle ID** \[Type = Pointer\]: hexadecimal value of the new handle (the copy of **Source Handle ID**). This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories. - **Target Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Target Handle ID**. Process ID (PID) is a number used by the operating system to uniquely identify an active process. You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field. diff --git a/windows/keep-secure/event-4692.md b/windows/keep-secure/event-4692.md index 31a3736999..a298a2a73e 100644 --- a/windows/keep-secure/event-4692.md +++ b/windows/keep-secure/event-4692.md 
@@ -122,5 +122,5 @@ For 4692(S, F): Backup of data protection master key was attempted. - This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). diff --git a/windows/keep-secure/event-4693.md b/windows/keep-secure/event-4693.md index 4b40332642..21b507d0f4 100644 --- a/windows/keep-secure/event-4693.md +++ b/windows/keep-secure/event-4693.md @@ -123,5 +123,5 @@ For 4693(S, F): Recovery of data protection master key was attempted. - For domain joined computers, **Recovery Reason** should typically be a domain controller DNS name. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). diff --git a/windows/keep-secure/event-4697.md b/windows/keep-secure/event-4697.md index 5b5408fe90..b5bd6dc109 100644 --- a/windows/keep-secure/event-4697.md +++ b/windows/keep-secure/event-4697.md 
@@ -138,7 +138,7 @@ Most services installed are configured to **Auto Load**, so that they start auto For 4697(S): A service was installed in the system. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - We recommend monitoring for this event, especially on high value assets or computers, because a new service installation should be planned and expected. Unexpected service installation should trigger an alert. diff --git a/windows/keep-secure/event-4698.md b/windows/keep-secure/event-4698.md index 12e8ffe2ca..c7cb6abd76 100644 --- a/windows/keep-secure/event-4698.md +++ b/windows/keep-secure/event-4698.md @@ -100,7 +100,7 @@ This event generates every time a new scheduled task is created. For 4698(S): A scheduled task was created. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - We recommend monitoring all scheduled task creation events, especially on critical computers or devices. Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions. diff --git a/windows/keep-secure/event-4699.md b/windows/keep-secure/event-4699.md index ee6de2cc6e..243eb7f7b2 100644 --- a/windows/keep-secure/event-4699.md +++ b/windows/keep-secure/event-4699.md 
@@ -100,7 +100,7 @@ This event generates every time a scheduled task was deleted. For 4699(S): A scheduled task was deleted. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - We recommend monitoring all scheduled task deletion events, especially on critical computers or devices. Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions. However, this event does not often happen. diff --git a/windows/keep-secure/event-4700.md b/windows/keep-secure/event-4700.md index 70e2da922d..ea4e2ba1a3 100644 --- a/windows/keep-secure/event-4700.md +++ b/windows/keep-secure/event-4700.md @@ -100,7 +100,7 @@ This event generates every time a scheduled task is enabled. For 4700(S): A scheduled task was enabled. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If a highly critical scheduled task exists on some computers, and for some reason it should never be enabled, monitor for [4700](event-4700.md) events with the corresponding **Task Name**. diff --git a/windows/keep-secure/event-4701.md b/windows/keep-secure/event-4701.md index fe6794fdca..338b498477 100644 --- a/windows/keep-secure/event-4701.md +++ b/windows/keep-secure/event-4701.md 
@@ -100,7 +100,7 @@ This event generates every time a scheduled task is disabled. For 4701(S): A scheduled task was disabled. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If a highly critical scheduled task exists on some computers, and it should never be disabled, monitor for [4701](event-4701.md) events with the corresponding **Task Name**. diff --git a/windows/keep-secure/event-4702.md b/windows/keep-secure/event-4702.md index d5f7aefa93..46d2817337 100644 --- a/windows/keep-secure/event-4702.md +++ b/windows/keep-secure/event-4702.md @@ -100,7 +100,7 @@ This event generates every time scheduled task was updated/changed. For 4702(S): A scheduled task was updated. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Monitor for updated scheduled tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node. diff --git a/windows/keep-secure/event-4720.md b/windows/keep-secure/event-4720.md index 19325e2d8f..7ef1a7b270 100644 --- a/windows/keep-secure/event-4720.md +++ b/windows/keep-secure/event-4720.md 
@@ -256,7 +256,7 @@ For new, manually created, domain or local user accounts typical flags are: For 4720(S): A user account was created. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Some organizations monitor every [4720](event-4720.md) event. diff --git a/windows/keep-secure/event-4722.md b/windows/keep-secure/event-4722.md index dd7d097f34..aaf7fa9ca4 100644 --- a/windows/keep-secure/event-4722.md +++ b/windows/keep-secure/event-4722.md @@ -113,7 +113,7 @@ For computer accounts, this event generates only on domain controllers. For 4722(S): A user account was enabled. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a high-value domain or local account for which you need to monitor every change, monitor all [4722](event-4722.md) events with the **“Target Account\\Security ID”** that corresponds to the account. diff --git a/windows/keep-secure/event-4723.md b/windows/keep-secure/event-4723.md index 0299ea0053..f59314b77b 100644 --- a/windows/keep-secure/event-4723.md +++ b/windows/keep-secure/event-4723.md 
@@ -124,7 +124,7 @@ Typically you will see 4723 events with the same **Subject\\Security ID** and ** For 4723(S, F): An attempt was made to change an account's password. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a high-value domain or local user account for which you need to monitor every password change attempt, monitor all [4723](event-4723.md) events with the **“Target Account\\Security ID”** that corresponds to the account. diff --git a/windows/keep-secure/event-4724.md b/windows/keep-secure/event-4724.md index a6c5ac0241..b71a0364cc 100644 --- a/windows/keep-secure/event-4724.md +++ b/windows/keep-secure/event-4724.md @@ -119,7 +119,7 @@ For local accounts, a Failure event generates if the new password fails to meet For 4724(S, F): An attempt was made to reset an account's password. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a high-value domain or local user account for which you need to monitor every password reset attempt, monitor all [4724](event-4724.md) events with the **“Target Account\\Security ID”** that corresponds to the account. diff --git a/windows/keep-secure/event-4725.md b/windows/keep-secure/event-4725.md index 5425a290e0..e9e4393343 100644 --- a/windows/keep-secure/event-4725.md +++ b/windows/keep-secure/event-4725.md 
@@ -113,7 +113,7 @@ For computer accounts, this event generates only on domain controllers. For 4725(S): A user account was disabled. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a high-value domain or local account for which you need to monitor every change, monitor all [4725](event-4725.md) events with the **“Target Account\\Security ID”** that corresponds to the account. diff --git a/windows/keep-secure/event-4726.md b/windows/keep-secure/event-4726.md index fc8386440d..605e5be4b1 100644 --- a/windows/keep-secure/event-4726.md +++ b/windows/keep-secure/event-4726.md @@ -116,7 +116,7 @@ This event generates on domain controllers, member servers, and workstations. For 4726(S): A user account was deleted. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a high-value domain or local account for which you need to monitor every change (or deletion), monitor all [4726](event-4726.md) events with the **“Target Account\\Security ID”** that corresponds to the account. diff --git a/windows/keep-secure/event-4731.md b/windows/keep-secure/event-4731.md index 04da534e77..3edf72933e 100644 --- a/windows/keep-secure/event-4731.md +++ b/windows/keep-secure/event-4731.md 
@@ -124,7 +124,7 @@ This event generates on domain controllers, member servers, and workstations. For 4731(S): A security-enabled local group was created. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor each time a new security group is created, to see who created the group and when, monitor this event. diff --git a/windows/keep-secure/event-4734.md b/windows/keep-secure/event-4734.md index 475aa0df94..5ee0ad8db7 100644 --- a/windows/keep-secure/event-4734.md +++ b/windows/keep-secure/event-4734.md @@ -118,7 +118,7 @@ This event generates on domain controllers, member servers, and workstations. For 4734(S): A security-enabled local group was deleted. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “**Group\\Group Name”** values that correspond to the critical local or domain security groups. Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on. diff --git a/windows/keep-secure/event-4735.md b/windows/keep-secure/event-4735.md index a4a781b93d..56b28b5e54 100644 --- a/windows/keep-secure/event-4735.md +++ b/windows/keep-secure/event-4735.md 
@@ -27,9 +27,9 @@ This event generates on domain controllers, member servers, and workstations. Some changes do not invoke a 4735 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in group account properties. -If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](#_Audit_User_Account)” subcategory success auditing is enabled. +If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](audit-user-account-management.md)” subcategory success auditing is enabled. -If you change the group type, you get a change event from the new group type auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](#_Audit_Security_Group)” subcategory success auditing must be enabled. +If you change the group type, you get a change event from the new group type auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](audit-security-group-management.md)” subcategory success auditing must be enabled. From 4735 event you can get information about changes of **sAMAccountName** and **sIDHistory** attributes or you will see that something changed, but will not be able to see what exactly changed. 
@@ -142,7 +142,7 @@ You might see a 4735 event without any changes inside, that is, where all Change For 4735(S): A security-enabled local group was changed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for any change, monitor events with the “**Group\\Group Name”** values that correspond to the critical local or domain security groups. diff --git a/windows/keep-secure/event-4738.md b/windows/keep-secure/event-4738.md index e3df4bdd8a..4eeb20f066 100644 --- a/windows/keep-secure/event-4738.md +++ b/windows/keep-secure/event-4738.md @@ -247,7 +247,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT For 4738(S): A user account was changed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Some organizations monitor every [4738](event-4738.md) event. diff --git a/windows/keep-secure/event-4740.md b/windows/keep-secure/event-4740.md index 3e2242fedd..813f534ba7 100644 --- a/windows/keep-secure/event-4740.md +++ b/windows/keep-secure/event-4740.md 
@@ -105,7 +105,7 @@ For user accounts, this event generates on domain controllers, member servers, a For 4740(S): A user account was locked out. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. diff --git a/windows/keep-secure/event-4741.md b/windows/keep-secure/event-4741.md index a991ec66a9..46734b980b 100644 --- a/windows/keep-secure/event-4741.md +++ b/windows/keep-secure/event-4741.md @@ -296,7 +296,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT For 4741(S): A computer account was created. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If your information security monitoring policy requires you to monitor computer account creation, monitor this event. diff --git a/windows/keep-secure/event-4742.md b/windows/keep-secure/event-4742.md index 5c8c1bda82..43b86b8649 100644 --- a/windows/keep-secure/event-4742.md +++ b/windows/keep-secure/event-4742.md 
@@ -33,7 +33,7 @@ Some changes do not invoke a 4742 event, for example, changes made using Active You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“. -***Important*:** If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](#_Audit_User_Account) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects. +***Important*:** If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. 
For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -259,7 +259,7 @@ TERMSRV/Win81.contoso.local For 4742(S): A computer account was changed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have critical domain computer accounts (database servers, domain controllers, administration workstations, and so on) for which you need to monitor each change, monitor this event with the **“Computer Account That Was Changed\\Security ID”** that corresponds to the high-value account or accounts. diff --git a/windows/keep-secure/event-4743.md b/windows/keep-secure/event-4743.md index 5c470716b0..69365e69e6 100644 --- a/windows/keep-secure/event-4743.md +++ b/windows/keep-secure/event-4743.md 
@@ -112,7 +112,7 @@ This event generates only on domain controllers. For 4743(S): A computer account was deleted. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have critical domain computer accounts (database servers, domain controllers, administration workstations, and so on) for which you need to monitor each action (especially deletion), monitor this event with the **“Target Computer\\Security ID”** or “**Target Computer\\Account Name**” that corresponds to the high-value account or accounts. diff --git a/windows/keep-secure/event-4749.md b/windows/keep-secure/event-4749.md index 83dd9994e6..ebf569aae3 100644 --- a/windows/keep-secure/event-4749.md +++ b/windows/keep-secure/event-4749.md @@ -120,7 +120,7 @@ This event generates only on domain controllers. For 4749(S): A security-disabled global group was created. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor each time a new distribution group is created, to see who created the group and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed. diff --git a/windows/keep-secure/event-4750.md b/windows/keep-secure/event-4750.md index 929af144f1..5feebeb1f2 100644 --- a/windows/keep-secure/event-4750.md +++ b/windows/keep-secure/event-4750.md 
@@ -27,9 +27,9 @@ This event generates only on domain controllers. Some changes do not invoke a 4750 event, for example, changes made using the Active Directory Users and Computers management console in **Managed By** tab in group account properties. -If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](#_Audit_User_Account)” subcategory success auditing is enabled. +If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](audit-user-account-management.md)” subcategory success auditing is enabled. -If you change the group type, you get a change event from the new group type auditing subcategory instead of 4750. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](#_Audit_Security_Group)” subcategory success auditing must be enabled. +If you change the group type, you get a change event from the new group type auditing subcategory instead of 4750. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](audit-security-group-management.md)” subcategory success auditing must be enabled. From 4750 event you can get information about changes of **sAMAccountName** and **sIDHistory** attributes or you will see that something changed, but will not be able to see what exactly changed. 
@@ -138,7 +138,7 @@ From 4750 event you can get information about changes of **sAMAccountName** and For 4750(S): A security-disabled global group was changed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a list of critical distribution groups in the organization, and need to specifically monitor these groups for any change, monitor events with the “**Group\\Group Name”** values that correspond to the critical distribution groups. diff --git a/windows/keep-secure/event-4753.md b/windows/keep-secure/event-4753.md index 63126bac5f..4aeb373191 100644 --- a/windows/keep-secure/event-4753.md +++ b/windows/keep-secure/event-4753.md @@ -114,7 +114,7 @@ This event generates only on domain controllers. For 4753(S): A security-disabled global group was deleted. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a list of critical distribution groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “**Group\\Group Name”** values that correspond to the critical distribution groups. diff --git a/windows/keep-secure/event-4764.md b/windows/keep-secure/event-4764.md index bf231465ff..0fc3fa9b1c 100644 --- a/windows/keep-secure/event-4764.md +++ b/windows/keep-secure/event-4764.md 
@@ -134,7 +134,7 @@ This event generates only on domain controllers. For 4764(S): A group’s type was changed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a list of critical local or domain groups in the organization, and need to specifically monitor these groups for any change, especially group type change, monitor events with the “**Group\\Group Name”** values that correspond to the critical distribution groups. Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, critical distribution groups, and so on. diff --git a/windows/keep-secure/event-4767.md b/windows/keep-secure/event-4767.md index 56e48f1693..bad7f26588 100644 --- a/windows/keep-secure/event-4767.md +++ b/windows/keep-secure/event-4767.md @@ -111,7 +111,7 @@ For user accounts, this event generates on domain controllers, member servers, a For 4767(S): A user account was unlocked. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - We recommend monitoring all [4767](event-4767.md) events for local accounts. diff --git a/windows/keep-secure/event-4781.md b/windows/keep-secure/event-4781.md index 5c84fbbc9d..ae172e368c 100644 --- a/windows/keep-secure/event-4781.md +++ b/windows/keep-secure/event-4781.md 
@@ -121,7 +121,7 @@ For computer accounts, this event generates only on domain controllers. For 4781(S): The name of an account was changed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have high-value user or computer accounts (or local user accounts) for which you need to monitor each change to the accounts, monitor this event with the **“Target Account\\Security ID”** that corresponds to the high-value accounts. diff --git a/windows/keep-secure/event-4793.md b/windows/keep-secure/event-4793.md index 6488631eb5..8776180dca 100644 --- a/windows/keep-secure/event-4793.md +++ b/windows/keep-secure/event-4793.md @@ -109,7 +109,7 @@ Note that starting with Microsoft SQL Server 2005, the “SQL Server password po For 4793(S): The Password Policy Checking API was called. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Typically this is an informational event, and can give you information about when Password Policy Checking APIs were invoked, and who invoked them. The **Provided Account Name** does not always have a value—sometimes it’s not really possible to determine for which account the password policy check was performed. diff --git a/windows/keep-secure/event-4798.md b/windows/keep-secure/event-4798.md index 744ecfa494..8468f10240 100644 --- a/windows/keep-secure/event-4798.md +++ b/windows/keep-secure/event-4798.md 
@@ -123,7 +123,7 @@ You can also correlate this process ID with a process ID in other events, for ex For 4798(S): A user's local group membership was enumerated. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have high value domain or local accounts for which you need to monitor each enumeration of their group membership, or any access attempt, monitor events with the **“Subject\\Security ID”** that corresponds to the high value account or accounts. diff --git a/windows/keep-secure/event-4799.md b/windows/keep-secure/event-4799.md index b1d842372f..7673abf0a6 100644 --- a/windows/keep-secure/event-4799.md +++ b/windows/keep-secure/event-4799.md @@ -127,7 +127,7 @@ You can also correlate this process ID with a process ID in other events, for ex For 4799(S): A security-enabled local group membership was enumerated. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a list of critical local security groups in the organization, and need to specifically monitor these groups for any access (in this case, enumeration of group membership), monitor events with the “**Group\\Group Name”** values that correspond to the critical local security groups. Examples of critical local groups are built-in local administrators, built-in backup operators, and so on. diff --git a/windows/keep-secure/event-4800.md b/windows/keep-secure/event-4800.md index 494b426399..bba6681e18 100644 
--- a/windows/keep-secure/event-4800.md +++ b/windows/keep-secure/event-4800.md @@ -95,7 +95,7 @@ This event is generated when a workstation was locked. For 4800(S): The workstation was locked. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Typically this is an informational event, and can give you information about when a machine was locked, and which account was used to lock it. diff --git a/windows/keep-secure/event-4801.md b/windows/keep-secure/event-4801.md index af58881813..28e2f207b6 100644 --- a/windows/keep-secure/event-4801.md +++ b/windows/keep-secure/event-4801.md @@ -95,7 +95,7 @@ This event is generated when workstation was unlocked. For 4801(S): The workstation was unlocked. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Typically this is an informational event, and can give you information about when a machine was unlocked, and which account was used to unlock it. diff --git a/windows/keep-secure/event-4802.md b/windows/keep-secure/event-4802.md index 248252575b..c4b49527e7 100644 --- a/windows/keep-secure/event-4802.md +++ b/windows/keep-secure/event-4802.md 
@@ -95,7 +95,7 @@ This event is generated when screen saver was invoked. For 4802(S): The screen saver was invoked. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Typically this is an informational event, and can give you information about when a screen saver was invoked on a machine, and which account invoked it. diff --git a/windows/keep-secure/event-4803.md b/windows/keep-secure/event-4803.md index 19d5e2053b..118d94f09a 100644 --- a/windows/keep-secure/event-4803.md +++ b/windows/keep-secure/event-4803.md @@ -95,7 +95,7 @@ This event is generated when screen saver was dismissed. For 4803(S): The screen saver was dismissed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Typically this is an informational event, and can give you information about when a screen saver was dismissed on a machine, and which account dismissed it. diff --git a/windows/keep-secure/event-4818.md b/windows/keep-secure/event-4818.md index 18c000ebb0..e274c09dd1 100644 --- a/windows/keep-secure/event-4818.md +++ b/windows/keep-secure/event-4818.md 
@@ -172,7 +172,7 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy - User Right name, for example SeSecurityPrivilege. - - The [Security Descriptor Definition Language](#SDDL) (SDDL) value for the Access Control Entry (ACE) that granted or denied access. + - The [Security Descriptor Definition Language](event-5145.md#sddl-values-for-access-control-entry) (SDDL) value for the Access Control Entry (ACE) that granted or denied access. **Proposed Central Access Policy results that differ from the current Central Access Policy results:** diff --git a/windows/keep-secure/event-4819.md b/windows/keep-secure/event-4819.md index 50d46e6d7e..14613c4b7a 100644 --- a/windows/keep-secure/event-4819.md +++ b/windows/keep-secure/event-4819.md @@ -125,7 +125,7 @@ For example, it generates when a new [Central Access Policy](https://technet.mic For 4819(S): Central Access Policies on the machine have been changed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. diff --git a/windows/keep-secure/event-4826.md b/windows/keep-secure/event-4826.md index 38a0dc8a8d..655602c5d7 100644 --- a/windows/keep-secure/event-4826.md +++ b/windows/keep-secure/event-4826.md 
@@ -126,7 +126,7 @@ This event is always logged regardless of the "Audit Other Policy Change Events" For 4826(S): Boot Configuration Data loaded. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. diff --git a/windows/keep-secure/event-4904.md b/windows/keep-secure/event-4904.md index a83c21c676..5f46d6c131 100644 --- a/windows/keep-secure/event-4904.md +++ b/windows/keep-secure/event-4904.md @@ -116,7 +116,7 @@ You can typically see this event during system startup, if specific roles (Inter For 4904(S): An attempt was made to register a security event source. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. diff --git a/windows/keep-secure/event-4905.md b/windows/keep-secure/event-4905.md index ebf7c5563a..222fd0f263 100644 --- a/windows/keep-secure/event-4905.md +++ b/windows/keep-secure/event-4905.md 
@@ -116,7 +116,7 @@ You typically see this event if specific roles were removed, for example, Intern For 4905(S): An attempt was made to unregister a security event source. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. diff --git a/windows/keep-secure/event-4907.md b/windows/keep-secure/event-4907.md index 488a6f4cbe..b3339c3ace 100644 --- a/windows/keep-secure/event-4907.md +++ b/windows/keep-secure/event-4907.md @@ -271,7 +271,7 @@ For more information about SDDL syntax, see these articles: **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.” diff --git a/windows/keep-secure/event-4911.md b/windows/keep-secure/event-4911.md index f8e32627ec..39d00ba5ee 100644 --- a/windows/keep-secure/event-4911.md +++ b/windows/keep-secure/event-4911.md 
@@ -264,7 +264,7 @@ For more information about SDDL syntax, see these articles: **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.” diff --git a/windows/keep-secure/event-4913.md b/windows/keep-secure/event-4913.md index fc2b131c36..b34355d236 100644 --- a/windows/keep-secure/event-4913.md +++ b/windows/keep-secure/event-4913.md @@ -268,7 +268,7 @@ For more information about SDDL syntax, see these articles: **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.” diff --git a/windows/keep-secure/event-5058.md b/windows/keep-secure/event-5058.md index 0b64aa37c4..b7fb73f686 100644 --- a/windows/keep-secure/event-5058.md +++ b/windows/keep-secure/event-5058.md 
@@ -157,5 +157,5 @@ For 5058(S, F): Key file operation. - Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”**) or a specific **“Operation”**, such as **“Delete key file”**, create monitoring rules and use this event as an information source. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). diff --git a/windows/keep-secure/event-5059.md b/windows/keep-secure/event-5059.md index 4c10c1251a..1e5424b033 100644 --- a/windows/keep-secure/event-5059.md +++ b/windows/keep-secure/event-5059.md @@ -150,7 +150,7 @@ For 5059(S, F): Key migration operation. - Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”)** or a specific **“Operation”**, such as **“Export of persistent cryptographic key”**, create monitoring rules and use this event as an information source. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - diff --git a/windows/keep-secure/event-5061.md b/windows/keep-secure/event-5061.md index 9d06330e57..ecba2fb27f 100644 --- a/windows/keep-secure/event-5061.md +++ b/windows/keep-secure/event-5061.md 
@@ -162,5 +162,5 @@ For 5061(S, F): Cryptographic operation. - Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”)** or a specific **“Operation”**, such as **“Delete Key”**, create monitoring rules and use this event as an information source. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). diff --git a/windows/keep-secure/event-5136.md b/windows/keep-secure/event-5136.md index 317251a26c..1bc1202256 100644 --- a/windows/keep-secure/event-5136.md +++ b/windows/keep-secure/event-5136.md @@ -226,7 +226,7 @@ For a change operation you will typically see two 5136 events for one action, wi For 5136(S): A directory service object was modified. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor modifications to specific Active Directory objects, monitor for **DN** field with specific object name. For example, we recommend that you monitor all modifications to “**CN=AdminSDHolder,CN=System,DC=domain,DC=com”** object. diff --git a/windows/keep-secure/event-5137.md b/windows/keep-secure/event-5137.md index 8e34016259..d164e1fa1a 100644 --- a/windows/keep-secure/event-5137.md +++ b/windows/keep-secure/event-5137.md 
@@ -177,7 +177,7 @@ This event only generates if the parent object has a particular entry in its [SA For 5137(S): A directory service object was created. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor creation of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor all new group policy objects creations: **groupPolicyContainer** class. diff --git a/windows/keep-secure/event-5138.md b/windows/keep-secure/event-5138.md index e99e8b5b20..846ee2eef9 100644 --- a/windows/keep-secure/event-5138.md +++ b/windows/keep-secure/event-5138.md @@ -180,7 +180,7 @@ This event only generates if the container to which the Active Directory object For 5138(S): A directory service object was undeleted. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes, monitor for **Class** field with specific class name. diff --git a/windows/keep-secure/event-5139.md b/windows/keep-secure/event-5139.md index 2391db6ebc..192a1c890f 100644 --- a/windows/keep-secure/event-5139.md +++ b/windows/keep-secure/event-5139.md 
@@ -180,7 +180,7 @@ This event only generates if the destination object has a particular entry in it For 5139(S): A directory service object was moved. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor movement of Active Directory objects with specific classes, monitor for **Class** field with specific class name. diff --git a/windows/keep-secure/event-5140.md b/windows/keep-secure/event-5140.md index 455dbb953f..bb6cf5f7aa 100644 --- a/windows/keep-secure/event-5140.md +++ b/windows/keep-secure/event-5140.md @@ -139,7 +139,7 @@ This event generates once per session, when first access attempt was made. For 5140(S, F): A network share object was accessed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event**.** For example, you could monitor share **C$** on domain controllers. diff --git a/windows/keep-secure/event-5141.md b/windows/keep-secure/event-5141.md index 8c93617b97..994302f871 100644 --- a/windows/keep-secure/event-5141.md +++ b/windows/keep-secure/event-5141.md 
@@ -188,7 +188,7 @@ This event only generates if the deleted object has a particular entry in its [S For 5141(S): A directory service object was deleted. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor deletion of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor for group policy objects deletions: **groupPolicyContainer** class. diff --git a/windows/keep-secure/event-5142.md b/windows/keep-secure/event-5142.md index 4fe36ea85d..291378d2ee 100644 --- a/windows/keep-secure/event-5142.md +++ b/windows/keep-secure/event-5142.md @@ -98,7 +98,7 @@ This event generates every time network share object was added. For 5142(S): A network share object was added. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have high-value computers for which you need to monitor creation of new file shares, monitor this event**.** For example, you could monitor domain controllers. diff --git a/windows/keep-secure/event-5143.md b/windows/keep-secure/event-5143.md index 726649ba3e..3a1fbd38b1 100644 --- a/windows/keep-secure/event-5143.md +++ b/windows/keep-secure/event-5143.md 
@@ -253,7 +253,7 @@ For more information about SDDL syntax, see these articles: **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event**.** For example, you could monitor all changes to the SYSVOL share on domain controllers. diff --git a/windows/keep-secure/event-5144.md b/windows/keep-secure/event-5144.md index b32c889667..18df4dd0df 100644 --- a/windows/keep-secure/event-5144.md +++ b/windows/keep-secure/event-5144.md @@ -98,7 +98,7 @@ This event generates every time a network share object is deleted. For 5144(S): A network share object was deleted. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.** diff --git a/windows/keep-secure/event-5145.md b/windows/keep-secure/event-5145.md index cc96df0ac9..5d0b69b45d 100644 --- a/windows/keep-secure/event-5145.md +++ b/windows/keep-secure/event-5145.md 
@@ -289,7 +289,7 @@ For more information about SDDL syntax, see these articles: **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Monitor this event if the **Network Information\\Source Address** is not from your internal IP range. diff --git a/windows/keep-secure/event-5168.md b/windows/keep-secure/event-5168.md index d7141192db..f9f2941bb6 100644 --- a/windows/keep-secure/event-5168.md +++ b/windows/keep-secure/event-5168.md @@ -113,7 +113,7 @@ It often happens because of NTLMv1 or LM protocols usage from client side when For 5168(F): SPN check for SMB/SMB2 failed. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - We recommend monitoring for any [5168](event-5168.md) event, because it can be a sign of a configuration issue or a malicious authentication attempt. diff --git a/windows/keep-secure/event-5376.md b/windows/keep-secure/event-5376.md index 9a09639402..abf37d856d 100644 --- a/windows/keep-secure/event-5376.md +++ b/windows/keep-secure/event-5376.md 
@@ -94,7 +94,7 @@ This event generates on domain controllers, member servers, and workstations. For 5376(S): Credential Manager credentials were backed up. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Every [5376](event-5376.md) event should be recorded for all local and domain accounts, because this action (back up Credential Manager) is very rarely used by users and can indicate a virus, or other harmful or malicious activity. diff --git a/windows/keep-secure/event-5377.md b/windows/keep-secure/event-5377.md index 94e06f170e..7984897329 100644 --- a/windows/keep-secure/event-5377.md +++ b/windows/keep-secure/event-5377.md @@ -94,7 +94,7 @@ This event generates on domain controllers, member servers, and workstations. For 5377(S): Credential Manager credentials were restored from a backup. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Every [5377](event-5377.md) event should be recorded for all local and domain accounts, because this action (restore Credential Manager credentials from a backup) is very rarely used by users, and can indicate a virus, or other harmful or malicious activity. diff --git a/windows/keep-secure/event-5378.md b/windows/keep-secure/event-5378.md index eee6d5b900..2de862ac9c 100644 --- a/windows/keep-secure/event-5378.md +++ b/windows/keep-secure/event-5378.md 
@@ -114,7 +114,7 @@ It typically occurs when [CredSSP](https://msdn.microsoft.com/en-us/library/cc22 For 5378(F): The requested credentials delegation was disallowed by policy. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have defined CredSSP delegation policy, then this event will show you policy violations. We recommend collecting these events and investigating every policy violation. diff --git a/windows/keep-secure/event-5888.md b/windows/keep-secure/event-5888.md index 7e9db0a2fb..edf33acd92 100644 --- a/windows/keep-secure/event-5888.md +++ b/windows/keep-secure/event-5888.md @@ -151,7 +151,7 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su For 5888(S): An object in the COM+ Catalog was modified. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a specific COM+ object for which you need to monitor all modifications, monitor all [5888](event-5888.md) events with the corresponding **Object Name**. diff --git a/windows/keep-secure/event-5889.md b/windows/keep-secure/event-5889.md index ba979d4cc0..88eacdbca6 100644 --- a/windows/keep-secure/event-5889.md +++ b/windows/keep-secure/event-5889.md 
@@ -151,7 +151,7 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su For 5889(S): An object was deleted from the COM+ Catalog. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you have a specific COM+ object for which you need to monitor all modifications (especially delete operations), monitor all [5889](event-5889.md) events with the corresponding **Object Name**. diff --git a/windows/keep-secure/event-5890.md b/windows/keep-secure/event-5890.md index 77e76500fe..2e41087f62 100644 --- a/windows/keep-secure/event-5890.md +++ b/windows/keep-secure/event-5890.md @@ -151,7 +151,7 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su For 5890(S): An object was added to the COM+ Catalog. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you need to monitor for creation of new COM+ objects within specific COM+ collection, monitor all [5890](event-5890.md) events with the corresponding **COM+ Catalog Collection** field value. diff --git a/windows/keep-secure/event-6416.md b/windows/keep-secure/event-6416.md index 22a376d84d..18237f7cc4 100644 --- a/windows/keep-secure/event-6416.md +++ b/windows/keep-secure/event-6416.md 
@@ -137,7 +137,7 @@ This event generates, for example, when a new external device is connected or en For 6416(S): A new external device was recognized by the System. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. diff --git a/windows/keep-secure/event-6419.md b/windows/keep-secure/event-6419.md index 45508402bc..c34be4a0ec 100644 --- a/windows/keep-secure/event-6419.md +++ b/windows/keep-secure/event-6419.md @@ -127,7 +127,7 @@ This event doesn’t mean that device was disabled. For 6419(S): A request was made to disable a device. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - You can use this event to track the events and event information shown in the following table by using the listed fields: diff --git a/windows/keep-secure/event-6420.md b/windows/keep-secure/event-6420.md index d56ddfab25..cc5ae0a245 100644 --- a/windows/keep-secure/event-6420.md +++ b/windows/keep-secure/event-6420.md 
@@ -125,7 +125,7 @@ This event generates every time specific device was disabled. For 6420(S): A device was disabled. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - You can use this event to track the events and event information shown in the following table by using the listed fields: diff --git a/windows/keep-secure/event-6421.md b/windows/keep-secure/event-6421.md index d28ef25519..ec9290968a 100644 --- a/windows/keep-secure/event-6421.md +++ b/windows/keep-secure/event-6421.md @@ -127,7 +127,7 @@ This event doesn’t mean that device was enabled. For 6421(S): A request was made to enable a device. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - You can use this event to track the events and event information shown in the following table by using the listed fields: diff --git a/windows/keep-secure/event-6422.md b/windows/keep-secure/event-6422.md index 4e093ccb16..c001a3c903 100644 --- a/windows/keep-secure/event-6422.md +++ b/windows/keep-secure/event-6422.md 
@@ -125,7 +125,7 @@ This event generates every time specific device was enabled. For 6422(S): A device was enabled. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. diff --git a/windows/keep-secure/event-6423.md b/windows/keep-secure/event-6423.md index b9461022dd..1145307d13 100644 --- a/windows/keep-secure/event-6423.md +++ b/windows/keep-secure/event-6423.md @@ -127,7 +127,7 @@ Device installation restriction group policies are located here: **\\Computer Co For 6423(S): The installation of this device is forbidden by system policy. -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](#GeneralRecommendations). +> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - If you want to track device installation policy violations then you need to track every event of this type.
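Review bot: the new link `event-5145.md#sddl-values-for-access-control-entry` in the first hunk (the `(#SDDL)` replacement) targets an anchor that this patch never shows; the event-5145.md hunk in this diff only touches the Appendix A line. Please confirm that the heading in event-5145.md actually renders with the slug `sddl-values-for-access-control-entry`, otherwise the docx-era `#SDDL` fragment is simply swapped for another dead fragment.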
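Review bot: in the five "For more information about SDDL syntax, see these articles:" hunks (event-4907.md, event-4911.md, event-4913.md, event-5143.md, event-5145.md) the old `**Important**  ... (#GeneralRecommendations).` line appears without a leading `-` marker, so as rendered here the hunk reads as keeping the old line and adding a second `> **Important**` note. Please check the raw diff for these files: the old `#GeneralRecommendations` line should be the removed line, as it is in every other hunk of this patch, and the result should be a single blockquoted note.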
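Review bot: the trailing context of the event-5059.md hunk shows an empty list item `- ` immediately after the Appendix A note, which renders as a stray bullet. Since the file is being touched anyway, consider dropping that empty `- ` line in the same change.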
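Review bot: the hunk header context for event-5888.md, event-5889.md and event-5890.md reads `[Audit System Integrity](event-5890.md)`, so in all three files the subcategory link points at the 5890 event page (and in event-5890.md at the page itself) rather than at the Audit System Integrity subcategory article. Given the patch's purpose, it would be worth fixing this in the same pass by pointing the link at the subcategory page, presumably an `audit-system-integrity.md` following the `audit-*.md` naming used elsewhere in this diff.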