From d29087941e78ec690a71d11fac277e54a6144aeb Mon Sep 17 00:00:00 2001 From: Sriraman M S <45987684+msbemba@users.noreply.github.com> Date: Fri, 17 Feb 2023 20:42:35 +0530 Subject: [PATCH] Update event-5136.md Added decription for %%14674 and %%14675 under operation type fixes#https://github.com/MicrosoftDocs/windows-itpro-docs/issues/11308 --- windows/security/threat-protection/auditing/event-5136.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index 97c0977a60..e935d656d9 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -212,9 +212,9 @@ For a change operation, you'll typically see two 5136 events for one action, wit - **Type** \[Type = UnicodeString\]**:** type of performed operation. - - **Value Added** – new value added. + - **Value Added** – new value added ('%%14674') - - **Value Deleted** – value deleted (typically “Value Deleted” is a part of change operation). + - **Value Deleted** – value deleted ('%%14675', typically “Value Deleted” is a part of change operation). @@ -236,4 +236,5 @@ For 5136(S): A directory service object was modified. - If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name. -- It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. \ No newline at end of file +- It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. +