diff --git a/windows/keep-secure/event-4625.md b/windows/keep-secure/event-4625.md index fd0c6ff848..882c481177 100644 --- a/windows/keep-secure/event-4625.md +++ b/windows/keep-secure/event-4625.md 
@@ -273,33 +273,17 @@ For 4625(F): An account failed to log on. - Monitor for all events with the fields and values in the following table: -| **Field** | Value to monitor for | -|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.” - This is typically not a security issue but it can be an infrastructure or availability issue. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”. - Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts. - Especially watch for a number of such events in a row. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts. - Especially watch for a number of such events in a row. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. 
| -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. - This is typically not a security issue but it can be an infrastructure or availability issue. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | +| **Field** | Value to monitor for | +|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | diff --git a/windows/keep-secure/event-4768.md b/windows/keep-secure/event-4768.md index 57c6aa3340..f8b4558198 100644 --- a/windows/keep-secure/event-4768.md +++ b/windows/keep-secure/event-4768.md @@ -285,11 +285,11 @@ The most common values: **Certificate Information:** -> **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of the Certification Authority that issued the smart card certificate. Populated in **Issued by** field in certificate. -> -> **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. -> -> **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. +- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of the Certification Authority that issued the smart card certificate. Populated in **Issued by** field in certificate. + +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. + +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. ## Security Monitoring Recommendations diff --git a/windows/keep-secure/event-4769.md b/windows/keep-secure/event-4769.md index ca3f5fef7f..20c430fa33 100644 --- a/windows/keep-secure/event-4769.md +++ b/windows/keep-secure/event-4769.md 
@@ -35,8 +35,37 @@ You will typically see many Failure events with **Failure Code** “**0x20**”, ***Event XML:*** ``` -- - 4769 0 0 14337 0 0x8020000000000000 166746 Security DC01.contoso.local - dadmin@CONTOSO.LOCAL CONTOSO.LOCAL WIN2008R2$ S-1-5-21-3457937927-2839227994-823803824-2102 0x40810000 0x12 ::ffff:10.0.0.12 49272 0x0 {F85C455E-C66E-205C-6B39-F6C60A7FE453} - - +- +- + +4769 +0 +0 +14337 +0 +0x8020000000000000 + +166746 + + +Security +DC01.contoso.local + + +- +dadmin@CONTOSO.LOCAL +CONTOSO.LOCAL +WIN2008R2$ +S-1-5-21-3457937927-2839227994-823803824-2102 +0x40810000 +0x12 +::ffff:10.0.0.12 +49272 +0x0 +{F85C455E-C66E-205C-6B39-F6C60A7FE453} +- + + ``` ***Required Server Roles:*** Active Directory domain controller. diff --git a/windows/keep-secure/event-4771.md b/windows/keep-secure/event-4771.md index a7729a39b3..ec327a9f1f 100644 --- a/windows/keep-secure/event-4771.md +++ b/windows/keep-secure/event-4771.md 
@@ -188,11 +188,11 @@ The most common values: **Certificate Information:** -> **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events. -> -> **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. -> -> **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events. +- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events. + +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. + +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events. ## Security Monitoring Recommendations diff --git a/windows/keep-secure/event-4818.md b/windows/keep-secure/event-4818.md index d656ffb3a9..fa2b05b2e4 100644 --- a/windows/keep-secure/event-4818.md +++ b/windows/keep-secure/event-4818.md 
@@ -130,11 +130,12 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy **Current Central Access Policy results:** -- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is: +- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is:

+REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS. -> REQUSTED\_ACCESS: RESULT ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS. +The possible REQUESTED\_ACCESS values are listed in the table below. -- REQUSTED\_ACCESS – the name of requested access. See the possible REQUSTED\_ACCESS values in the table below: +## Table of file access codes | Access | Hexadecimal Value | Description | |-------------------------------------------------------|--------------------|| @@ -176,11 +177,11 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy **Proposed Central Access Policy results that differ from the current Central Access Policy results:** -- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Proposed Central Access Policy. Here you will see only ***denied*** requests. The format of the result is: +- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Proposed Central Access Policy. Here you will see only ***denied*** requests. The format of the result is:

-> REQUSTED\_ACCESS: NOT Granted by RULE\_NAME Rule. +REQUESTED\_ACCESS: NOT Granted by RULE\_NAME Rule. -- REQUSTED\_ACCESS – the name of requested access. See the possible REQUSTED\_ACCESS values in the table below: +The possible REQUESTED\_ACCESS values are listed in the table below: | Access | Hexadecimal Value | Description | |-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/windows/keep-secure/event-5145.md b/windows/keep-secure/event-5145.md index b03081c706..2eb14cec90 100644 --- a/windows/keep-secure/event-5145.md +++ b/windows/keep-secure/event-5145.md 
@@ -137,6 +137,8 @@ This event generates every time network share object (file or folder) was access - **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. +## Table of file access codes + | Access | Hexadecimal Value | Description | |-----------------------------------------------------------|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ReadData (or ListDirectory) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | @@ -157,11 +159,11 @@ This event generates every time network share object (file or folder) was access > Table 13. File access codes. -**Access Check Results** \[Type = UnicodeString\]: the list of access check results. The format of the result is: +**Access Check Results** \[Type = UnicodeString\]: the list of access check results. The format of the result is:

-REQUSTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. +REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. -- REQUSTED\_ACCESS – the name of requested access (see “Table 13. File access codes.”). +- REQUESTED\_ACCESS – the name of requested access. See [Table of file access codes](#table-of-file-access-codes), earlier in this topic. - RESULT:
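Review bot: the reflowed table in event-4625.md (hunk @@ -273,33 +273,17 @@) still carries hard line breaks inside table cells: each row's first cell is split after `**Failure Information\\Status** or`, and several second cells run onto a following line (`This is typically not a security issue but it can be an infrastructure or availability issue. |`). A Markdown table row has to be one physical line, so unless the docs build joins these, everything after the header renders as loose paragraphs rather than rows; since the whole table is being rewritten here, join each row onto one line or use `<br>` for the intended breaks. Nit while touching it: the status-code prefix alternates between `0X` (`0XC000005E`, `0XC000006D`, `0XC000015B`, `0XC0000192`, `0XC0000413`) and `0x` (the remaining six rows); settle on `0x`.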
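Review bot: in event-4768.md (hunk @@ -285,11 +285,11 @@) the three **Certificate Information** fields move from a `>` blockquote to `-` bullets, matching the `- **Field** \[Type = ...\]:` layout the other field descriptions in this patch use, but the text is carried over with its missing articles: `Populated in **Issued by** field in certificate` and `Can be found in **Serial number** field in the certificate`. Since these lines are being rewritten anyway, make them `Populated in the **Issued by** field of the certificate` and `Can be found in the **Serial number** field of the certificate`, and apply the same wording to the **Certificate Thumbprint** bullet.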
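Review bot: the standalone `-` lines in the reformatted **Event XML** sample in event-4769.md (hunk @@ -35,8 +35,37 @@), the `+-` entries before the `4769` block, before `Security` / `DC01.contoso.local`, and around the `dadmin@CONTOSO.LOCAL` data block, look like the collapse glyphs Event Viewer's XML view prepends to `<Event>`, `<System>` and `<EventData>`; they are not part of the event XML and should be dropped now that the sample is one element per line. Also tag the fence with a language (`xml`) instead of leaving it bare so the sample is highlighted; the one-element-per-line layout itself is a good change for readable diffs.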
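Review bot: in event-4771.md (hunk @@ -188,11 +188,11 @@) each of the three bullets ends with `Always empty for [4771](event-4771.md) events.`, a link from the 4771 page to itself. With the lines already being rewritten, replace the self-link with plain text (`Always empty for 4771 events.`). The same bullets read `the name of Certification Authority which issued smart card certificate`, while the parallel bullet in event-4768.md in this patch says `the name of the Certification Authority that issued the smart card certificate`; align the 4771 wording with 4768 so the two pages describe the field identically.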
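Review bot: the corrected format line in the first event-4818.md hunk (@@ -130,11 +130,12 @@), `REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS.`, fixes REQUSTED but leaves PROVEDED, which reads as a misspelling of PROVIDED; fix both tokens in one go. The unchanged separator row of the table that follows, `|-------------------------------------------------------|--------------------||`, has no dashes for the Description column, and several Markdown parsers reject a delimiter cell without at least one dash, so add `---` there while the heading above it is being added. Also reconsider the level of the new `## Table of file access codes` heading: it sits inside the **Current Central Access Policy results** field list, and at H2 it becomes a sibling of the top-level sections these event pages use (`## Security Monitoring Recommendations` in the 4768 and 4771 hunks), so a deeper level would keep the outline intact.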
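Review bot: the replacement sentence in the second event-4818.md hunk (@@ -176,11 +177,11 @@) ends in a colon, `The possible REQUESTED\_ACCESS values are listed in the table below:`, while the identical sentence in the first hunk ends in a period; make the two consistent. The table that follows this line is a second full copy of the access-codes table on the same page; since the first hunk gives the first copy a `## Table of file access codes` heading, this paragraph could point at that heading (as event-5145.md does in this patch with `[Table of file access codes](#table-of-file-access-codes)`) instead of repeating the table.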
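Review bot: the `## Table of file access codes` heading added in event-5145.md (hunk @@ -137,6 +137,8 @@) lands between the `- **Accesses** \[Type = UnicodeString\]` field bullet and its table, so at H2 it ends the enclosing field-description section and promotes the table to a top-level entry in the page outline alongside the `## Security Monitoring Recommendations` headings these pages use; use a lower heading level, or an anchor that does not affect the outline. The table also keeps its old caption `> Table 13. File access codes.` (visible in the next hunk's context) while that hunk removes the only textual reference to "Table 13"; a heading plus a numbered caption for one table is redundant, so drop the caption or carry the number into the heading.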
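Review bot: the corrected format line in the second event-5145.md hunk (@@ -157,11 +159,11 @@), `REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.`, still carries the stray space after `ACE\_WHICH\_` that was in the removed line; remove it so the token reads `ACE\_WHICH\_ALLOWED\_OR\_DENIED\_ACCESS`. The new cross-reference `[Table of file access codes](#table-of-file-access-codes), earlier in this topic` depends on the slug of the heading the first hunk adds, so if that heading's wording or level changes during review, update the anchor in the same commit.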