Windows security log event ID list
You can use the event IDs in this list to search for suspicious activities. Monitor Windows security events and send alerts, protect your Windows domain, and create insights and reports on Active Directory audit events with one single tool. Protect Windows servers and monitor security risks.


Event ID and what it means:

- Successful account log on
- Failed account log on
- An account logged off
- A logon attempt was made with explicit credentials
- System audit policy was changed. This can relate to a potential attack.
- A user account was created
- A user account was enabled
- An attempt was made to change the password of an account
- A user account was disabled
- A user was added to a privileged global group
- A user was added to a privileged local group
- A user was added to a privileged universal group
- A user account was changed
- A user account was locked out
- A user account was unlocked
- A privileged local group was modified
- A privileged global group was modified
- A privileged universal group was modified
- A Kerberos authentication ticket request failed
- The domain controller failed to validate the credentials of an account

- This event is generated every time a user, computer, or group is added to a security group with global scope.
- A security-disabled local group was created. This event is generated every time a user creates a distribution group with domain local scope.
- A security-disabled local group was changed. This event is generated every time a user modifies a distribution group with domain local scope.
- A member was added to a security-disabled local group. This event is generated every time a user, computer, or group is added to a distribution group with domain local scope.
- A member was removed from a security-disabled local group. This event is generated every time a user, computer, or group is removed from a distribution group with domain local scope.
- A security-disabled local group was deleted. This event is generated every time a distribution group with domain local scope is deleted.
- A security-disabled global group was created. This event is generated every time a user creates a distribution group with global scope.
- A security-disabled global group was changed. This event is generated every time a user modifies a distribution group with global scope.
- A member was added to a security-disabled global group. This event is generated every time a user, computer, or group is added to a distribution group with global scope.
- A member was removed from a security-disabled global group. This event is generated every time a user, computer, or group is removed from a distribution group with global scope.
- A security-disabled global group was deleted. This event is generated every time a distribution group with global scope is deleted.
- The screen saver was dismissed. This event is generated every time a user dismisses their screen saver.
- A handle to an object was requested. This event is generated every time specific access is requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
- An object was deleted. This event is generated every time an Active Directory object is deleted.
- An attempt was made to access an object. This event is generated every time an Active Directory object is accessed, and it logs the type of access used.
- Permissions on an object were changed. This event is generated every time a user modifies the access control list of an Active Directory object.
- Auditing settings on an object were changed. This event is generated every time the SACL of an object, such as a file or a registry key, is changed.
- This event is generated every time specific access is requested for an object, such as a file system, kernel, or registry object, or a file system object on a removable storage device.
- An object was opened for deletion. This event is generated every time an object is accessed successfully with the intention of deleting it.
- This event is generated every time an Active Directory object is successfully deleted.
- This event is generated every time a user or program attempts to open an Active Directory object.
- A logon was attempted using explicit credentials. This event is generated every time a process attempts to log on to an account by explicitly specifying that account's credentials.

- This event is generated every time NPS grants access to a user. It is logged only on NPS.
- NPS denied access to a user. This event is generated every time NPS denies access to a user.
- NPS discarded the request for a user.
- NPS discarded the accounting request for a user.
- NPS quarantined a user. This event is generated every time NPS quarantines a user for multiple authentication failures.
- NPS granted access to a user, but put the user on probation because the host did not meet the defined health policy. This event is generated every time NPS puts a user on probation after granting access because the host could not meet the defined health policy.
- NPS granted access to a user because the host met the defined health policy. This event is generated every time NPS grants access to a user since the host has met the defined health policy.
- NPS locked the user account due to repeated failed authentication attempts. This event is generated every time NPS locks a user account due to repeated failed authentication attempts.
- NPS unlocked the user account. This event is generated every time NPS unlocks a user account after the account lockout.
- A client disconnected from the resource. This event is generated every time a user on a client computer is disconnected from the network resource.
- The user met the connection authorization policy and resource authorization policy requirements, but could not connect to the resource. This event is generated every time the user is unable to connect to the network resource even after meeting the connection and resource authorization policies.
- AD FS token issued. This event is generated every time AD FS issues a trusted token for authenticating a user based on a set of claims.
- Issued identity. This event is generated every time a unique identity is issued to identify configuration objects and partner network addresses. It is logged only on a federation server.
- Caller identity. This event is generated every time a token issuance failure occurs for that caller identity.
- Token issued. This event is generated every time a token is issued by AD FS for having the necessary claims to authorize user access to the application.
- Application token success. This event is generated every time an application token is issued successfully by AD FS for an authentication request.
- Application token failure. This event is generated every time an application token issuance by AD FS fails for an authentication request.
- FSMO role not responding.
- An attempt to transfer the operations master role failed. This event is generated every time an attempt to transfer the FSMO role by the user fails.
- This directory partition has not been backed up since at least the following number of days. This event is generated every time a backup hasn't been created since the enabled backup latency threshold.
- This event is generated every time a client initiates an LDAP bind without requesting the verification that the directory server is not configured to reject.

- A Kerberos service ticket was requested.
- Special privileges assigned to new logon. This event is generated every time sensitive privileges are assigned to a new logon session.
- The special groups logon table was modified. This event is generated every time a security identifier (SID) is added to a special group for auditing purposes.
- A user's local group membership was enumerated. This event is generated every time a process enumerates the list of security groups that a user belongs to. It is logged on member servers and workstations.
- A member was removed from a security-enabled global group. This event is generated when a user, group, or computer is removed from a security-enabled global group.
- A security-enabled global group was deleted. This event is generated when a security-enabled global group is deleted.
- A security-enabled local group was created. This event is generated when a security-enabled local group is created. It is logged on domain controllers for domain local groups, or on member computers for local SAM groups.
- A member was added to a security-enabled local group. This event is generated when users, groups, or computers are added to a security-enabled local group.
- A member was removed from a security-enabled local group. This event is generated when users, groups, or computers are removed from a security-enabled local group.
- A security-enabled local group was deleted. This event is generated when a security-enabled local group is deleted.
- A security-enabled local group was changed. This event is generated when a security-enabled local group is modified.
- A security-enabled global group was changed. This event is generated when a security-enabled global group is changed.
- A user account was changed. This event is generated when the attributes of a user object are modified. It is logged on domain controllers for domain accounts, and on member computers for local accounts.
- Domain Policy was changed. This event is generated when an Active Directory Domain Policy is changed. It is logged on domain controllers and member computers.
- Certificate Services denied a certificate request.
- Certificate Services set the status of a certificate request to pending.
- The certificate manager settings for Certificate Services changed.
- A configuration entry changed in Certificate Services.
- A property of Certificate Services changed.
- Certificate Services archived a key.

- Certificate Services imported and archived a key.
- One or more rows have been deleted from the certificate database.
- Role separation enabled.
- Certificate Services loaded a template.
- A Certificate Services template was updated.
- Certificate Services template security was updated.
- The per-user audit policy table was created.
- An attempt was made to register a security event source.
- An attempt was made to unregister a security event source.
- The CrashOnAuditFail value has changed.
- Special Groups Logon table modified.
- The local policy settings for the TBS were changed.
- The group policy settings for the TBS were changed.
- Resource attributes of the object were changed.
- Per-user audit policy was changed.
- Central Access Policy on the object was changed.
- An Active Directory replica source naming context was established.
- An Active Directory replica source naming context was removed.
- An Active Directory replica source naming context was modified.
- An Active Directory replica destination naming context was modified.
- Synchronization of a replica of an Active Directory naming context has begun.
- Synchronization of a replica of an Active Directory naming context has ended.
- Attributes of an Active Directory object were replicated.
- Replication failure begins.
- Replication failure ends.
- A lingering object was removed from a replica.
- The following policy was active when the Windows Firewall started.
- A rule was listed when the Windows Firewall started.
- A change has been made to the Windows Firewall exception list.
- A rule was added.
- A rule was modified.
- A rule was deleted.
- Windows Firewall settings were restored to the default values.
- A Windows Firewall setting has changed.
- A rule has been ignored because its major version number was not recognized by Windows Firewall.
- Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.
- A rule has been ignored by Windows Firewall because it could not parse the rule.
- Windows Firewall Group Policy settings have changed. The new settings have been applied.
- Windows Firewall has changed the active profile.
- Windows Firewall did not apply the following rule.
- Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
- IPsec dropped an inbound packet that failed an integrity check.
- IPsec dropped an inbound packet that failed a replay check.
- IPsec dropped an inbound clear text packet that should have been secured.
- Special groups have been assigned to a new logon.
- During Main Mode negotiation, IPsec received an invalid negotiation packet.
- During Quick Mode negotiation, IPsec received an invalid negotiation packet.
- During Extended Mode negotiation, IPsec received an invalid negotiation packet.
- An IPsec Extended Mode negotiation failed.
- The state of a transaction has changed.
- The Windows Firewall Service has started successfully.
- The Windows Firewall Service has been stopped.
- The Windows Firewall Service was unable to retrieve the security policy from the local storage.
- The Windows Firewall Service was unable to parse the new security policy.
- The Windows Firewall Service failed to initialize the driver.
- The Windows Firewall Service failed to start.
- The Windows Firewall Service blocked an application from accepting incoming connections on the network.
- Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
- The Windows Firewall Driver has started successfully.
- The Windows Firewall Driver has been stopped.
- The Windows Firewall Driver failed to start.
- The Windows Firewall Driver detected a critical runtime error.
- Code integrity determined that the image hash of a file is not valid.

- A registry key was virtualized.
- A change has been made to IPsec settings.
- An Authentication Set was modified.
- An Authentication Set was deleted.
- A Connection Security Rule was added.
- A Connection Security Rule was modified.
- A Connection Security Rule was deleted.
- A Crypto Set was added.
- A Crypto Set was modified.
- A Crypto Set was deleted.
- An IPsec Security Association was deleted.
- A file was virtualized.
- A cryptographic self test was performed.
- A cryptographic primitive operation failed.
- Key file operation.
- Key migration operation.
- Verification operation failed.
- Cryptographic operation.
- A kernel-mode cryptographic self test was performed.
- A cryptographic provider operation was attempted.
- A cryptographic context operation was attempted.
- A cryptographic context modification was attempted.
- A cryptographic function operation was attempted.
- A cryptographic function modification was attempted.
- A cryptographic function provider operation was attempted.
- A cryptographic function property operation was attempted.
- Key access denied by Microsoft key distribution service.
- A directory service object was modified.
- A directory service object was created.
- A directory service object was undeleted.
- A directory service object was moved.
- A network share object was accessed.
- A directory service object was deleted.
- A network share object was added.
- A network share object was modified.
- A network share object was deleted.
- A network share object was checked to see whether the client can be granted the desired access.
- The Windows Filtering Platform has blocked a packet.
- A more restrictive Windows Filtering Platform filter has blocked a packet.
- The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
- The DoS attack has subsided and normal processing is being resumed.
- The Windows Filtering Platform blocked a packet.
- The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
- The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
- The Windows Filtering Platform has allowed a connection.
- The Windows Filtering Platform has blocked a connection.
- The Windows Filtering Platform has permitted a bind to a local port.
- The Windows Filtering Platform has blocked a bind to a local port.
- A directory service object was modified during a background cleanup task.
- Credential Manager credentials were backed up.
- Credential Manager credentials were restored from a backup.
- The requested credentials delegation was disallowed by policy.
- Credential Manager credentials were read.
- Vault Find Credential.
- Vault credentials were read.
- A Windows Filtering Platform callout has been changed.
- A Windows Filtering Platform filter has been changed.
- A Windows Filtering Platform provider has been changed.
- A Windows Filtering Platform provider context has been changed.
- A Windows Filtering Platform sub-layer has been changed.
- An IPsec Quick Mode security association was established.
- An IPsec Quick Mode security association ended.
- PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
