
Appendix L: Events to Monitor

Bill Mathers | Last Updated: 2/10/2017 | 5 Contributors

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The following table lists events that you should monitor in your environment, according to the recommendations provided in Monitoring Active Directory for Signs of Compromise. In the following table, the "Current Windows Event ID" column lists the event ID as it is implemented in versions of Windows and Windows Server that are currently in mainstream support.

The "Legacy Windows Event ID" column lists the corresponding event ID in legacy versions of Windows such as client computers running Windows XP or earlier and servers running Windows Server 2003 or earlier. The "Potential Criticality" column identifies whether the event should be considered of low, medium, or high criticality in detecting attacks, and the "Event Summary" column provides a brief description of the event.

A potential criticality of High means that one occurrence of the event should be investigated. Potential criticality of Medium or Low means that these events should only be investigated if they occur unexpectedly or in numbers that significantly exceed the expected baseline in a measured period of time. All organizations should test these recommendations in their environments before creating alerts that require mandatory investigative responses. Every environment is different, and some of the events ranked with a potential criticality of High may occur due to other harmless events.
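As an added example (not code from the Microsoft page), the following Python script applies the criticality rules just described to a constructed export of Security events: IDs rated High are reported on a single occurrence, while IDs rated Medium or Low are reported only when their count per computer in a one-hour window exceeds a baseline, or when no baseline exists for that ID at all. The event IDs and their ratings are taken from the table in this appendix; the sample log lines, the per-hour baselines, the 2x threshold, the treatment of "Medium to High" as High and the alert layout are assumptions made for the demonstration.

```python
"""Triage Windows Security events with the Appendix L criticality rules.

Added example, not code from the Microsoft page. Event IDs and ratings
below are copied from the Appendix L table; the sample export, the
per-hour baselines, the 2x threshold and the alert layout are
constructed assumptions for the demonstration.
"""
from collections import Counter
from datetime import datetime, timedelta

# Subset of the Appendix L table: event ID -> potential criticality.
CRITICALITY = {
    4719: "High",            # System audit policy was changed.
    4765: "High",            # SID History was added to an account.
    1102: "Medium to High",  # The audit log was cleared.
    4706: "Medium",          # A new trust was created to a domain.
    4724: "Medium",          # An attempt was made to reset an account's password.
    4740: "Low",             # A user account was locked out.
    4625: "Low",             # An account failed to log on.
    4688: "Low",             # A new process has been created.
}

# Constructed baselines: expected count per computer per one-hour window,
# as you would measure them in a quiet period of your own environment
# (assumption, not values from the page).
BASELINE_PER_HOUR = {4724: 5, 4740: 10, 4625: 3, 4688: 2000}

# Constructed sample export, one event per line:
# "<ISO 8601 UTC time> <EventID> <Computer>". 9999 is not in the table.
SAMPLE_LOG = """\
2017-02-10T09:00:00Z 4688 WS01
2017-02-10T09:05:00Z 4625 DC01
2017-02-10T09:06:00Z 4625 DC01
2017-02-10T09:06:30Z 4625 DC01
2017-02-10T09:07:00Z 4625 DC01
2017-02-10T09:07:30Z 4625 DC01
2017-02-10T09:08:00Z 4625 DC01
2017-02-10T09:08:30Z 4625 DC01
2017-02-10T09:12:00Z 4719 DC01
2017-02-10T09:20:00Z 1102 DC01
2017-02-10T09:30:00Z 4724 DC01
2017-02-10T09:40:00Z 4706 DC01
2017-02-10T09:45:00Z 9999 DC01
2017-02-10T10:00:00Z 4740 DC01
2017-02-10T10:01:00Z 4740 DC01
"""

EPOCH = datetime(1970, 1, 1)


def parse_event_line(line):
    """Parse one export line into (timestamp, event_id, computer)."""
    stamp, event_id, computer = line.split()
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), int(event_id), computer


def window_start(ts, window):
    """Align a timestamp to the start of its fixed-size counting window."""
    return EPOCH + ((ts - EPOCH) // window) * window


def triage(lines, baselines=BASELINE_PER_HOUR, window=timedelta(hours=1),
           multiplier=2.0):
    """Return alerts from a list of export lines, following Appendix L.

    High: every occurrence is investigated. "Medium to High" is treated
    as High here (assumption; the page leaves that choice to the reader).
    Medium/Low: alert when the count per computer in one window exceeds
    multiplier * baseline, or when no baseline exists for the event ID
    (assumption: an ID absent from the baseline period is "unexpected").
    IDs not in the Appendix L subset are ignored.
    """
    alerts = []
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, computer = parse_event_line(line)
        rating = CRITICALITY.get(event_id)
        if rating is None:
            continue
        if rating in ("High", "Medium to High"):
            alerts.append({"event_id": event_id, "computer": computer,
                           "when": ts, "rating": rating,
                           "reason": "single occurrence of a High-rated event"})
            continue
        counts[(event_id, computer, window_start(ts, window))] += 1

    for (event_id, computer, bucket), n in sorted(counts.items()):
        baseline = baselines.get(event_id)
        if baseline is None:
            reason = f"{n} occurrence(s) of an event with no baseline"
        elif n > multiplier * baseline:
            reason = f"{n} in one window exceeds {multiplier}x baseline of {baseline}"
        else:
            continue  # within the expected band: no investigation required
        alerts.append({"event_id": event_id, "computer": computer,
                       "when": bucket, "rating": CRITICALITY[event_id],
                       "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(f"{alert['when']:%Y-%m-%d %H:%M} {alert['computer']:5} "
              f"{alert['event_id']:5} {alert['rating']:<14} {alert['reason']}")
```

On the constructed sample the script reports four alerts: the single 4719 and 1102 events, the seven 4625 failures on DC01 in the 09:00 hour (above twice the baseline of 3), and the 4706 trust creation for which no baseline exists; the lone 4724 and the two 4740 lockouts stay below their baselines and are not reported. Counting is per computer and per window so that a burst on one host is not diluted by quiet hosts; the baseline table is the part you would replace with values measured in your own environment before turning any of this into a mandatory investigative response.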

| Current Windows Event ID | Legacy Windows Event ID | Potential Criticality | Event Summary |
|---|---|---|---|
| 4618 | N/A | High | A monitored security event pattern has occurred. |
| 4649 | N/A | High | A replay attack was detected. May be a harmless false positive due to misconfiguration error. |
| 4719 | 612 | High | System audit policy was changed. |
| 4765 | N/A | High | SID History was added to an account. |
| 4766 | N/A | High | An attempt to add SID History to an account failed. |
| 4794 | N/A | High | An attempt was made to set the Directory Services Restore Mode. |
| 4897 | 801 | High | Role separation enabled: |
| 4964 | N/A | High | Special groups have been assigned to a new logon. |
| 5124 | N/A | High | A security setting was updated on the OCSP Responder Service |
| N/A | 550 | Medium to High | Possible denial-of-service (DoS) attack |
| 1102 | 517 | Medium to High | The audit log was cleared |
| 4621 | N/A | Medium | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. |
| 4675 | N/A | Medium | SIDs were filtered. |
| 4692 | N/A | Medium | Backup of data protection master key was attempted. |
| 4693 | N/A | Medium | Recovery of data protection master key was attempted. |
| 4706 | 610 | Medium | A new trust was created to a domain. |
| 4713 | 617 | Medium | Kerberos policy was changed. |
| 4714 | 618 | Medium | Encrypted data recovery policy was changed. |
| 4715 | N/A | Medium | The audit policy (SACL) on an object was changed. |
| 4716 | 620 | Medium | Trusted domain information was modified. |
| 4724 | 628 | Medium | An attempt was made to reset an account's password. |
| 4727 | 631 | Medium | A security-enabled global group was created. |
| 4735 | 639 | Medium | A security-enabled local group was changed. |
| 4737 | 641 | Medium | A security-enabled global group was changed. |
| 4739 | 643 | Medium | Domain Policy was changed. |
| 4754 | 658 | Medium | A security-enabled universal group was created. |
| 4755 | 659 | Medium | A security-enabled universal group was changed. |
| 4764 | 667 | Medium | A security-disabled group was deleted |
| 4764 | 668 | Medium | A group's type was changed. |
| 4780 | 684 | Medium | The ACL was set on accounts which are members of administrators groups. |
| 4816 | N/A | Medium | RPC detected an integrity violation while decrypting an incoming message. |
| 4865 | N/A | Medium | A trusted forest information entry was added. |
| 4866 | N/A | Medium | A trusted forest information entry was removed. |
| 4867 | N/A | Medium | A trusted forest information entry was modified. |
| 4868 | 772 | Medium | The certificate manager denied a pending certificate request. |
| 4870 | 774 | Medium | Certificate Services revoked a certificate. |
| 4882 | 786 | Medium | The security permissions for Certificate Services changed. |
| 4885 | 789 | Medium | The audit filter for Certificate Services changed. |
| 4890 | 794 | Medium | The certificate manager settings for Certificate Services changed. |
| 4892 | 796 | Medium | A property of Certificate Services changed. |
| 4896 | 800 | Medium | One or more rows have been deleted from the certificate database. |
| 4906 | N/A | Medium | The CrashOnAuditFail value has changed. |
| 4907 | N/A | Medium | Auditing settings on object were changed. |
| 4908 | N/A | Medium | Special Groups Logon table modified. |
| 4912 | 807 | Medium | Per User Audit Policy was changed. |
| 4960 | N/A | Medium | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. |
| 4961 | N/A | Medium | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. |
| 4962 | N/A | Medium | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. |
| 4963 | N/A | Medium | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. |
| 4965 | N/A | Medium | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. |
| 4976 | N/A | Medium | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4977 | N/A | Medium | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4978 | N/A | Medium | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4983 | N/A | Medium | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. |
| 4984 | N/A | Medium | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. |
| 5027 | N/A | Medium | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. |
| 5028 | N/A | Medium | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. |
| 5029 | N/A | Medium | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. |
| 5030 | N/A | Medium | The Windows Firewall Service failed to start. |
| 5035 | N/A | Medium | The Windows Firewall Driver failed to start. |
| 5037 | N/A | Medium | The Windows Firewall Driver detected critical runtime error. Terminating. |
| 5038 | N/A | Medium | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. |
| 5120 | N/A | Medium | OCSP Responder Service Started |
| 5121 | N/A | Medium | OCSP Responder Service Stopped |
| 5122 | N/A | Medium | A configuration entry changed in OCSP Responder Service |
| 5123 | N/A | Medium | A configuration entry changed in OCSP Responder Service |
| 5376 | N/A | Medium | Credential Manager credentials were backed up. |
| 5377 | N/A | Medium | Credential Manager credentials were restored from a backup. |
| 5453 | N/A | Medium | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. |
| 5480 | N/A | Medium | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 5483 | N/A | Medium | IPsec Services failed to initialize RPC server. IPsec Services could not be started. |
| 5484 | N/A | Medium | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
| 5485 | N/A | Medium | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 6145 | N/A | Medium | One or more errors occurred while processing security policy in the Group Policy objects. |
| 6273 | N/A | Medium | Network Policy Server denied access to a user. |
| 6274 | N/A | Medium | Network Policy Server discarded the request for a user. |
| 6275 | N/A | Medium | Network Policy Server discarded the accounting request for a user. |
| 6276 | N/A | Medium | Network Policy Server quarantined a user. |
| 6277 | N/A | Medium | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. |
| 6278 | N/A | Medium | Network Policy Server granted full access to a user because the host met the defined health policy. |
| 6279 | N/A | Medium | Network Policy Server locked the user account due to repeated failed authentication attempts. |
| 6280 | N/A | Medium | Network Policy Server unlocked the user account. |
| - | 640 | Medium | General account database changed |
| - | 619 | Medium | Quality of Service Policy changed |
| 24586 | N/A | Medium | An error was encountered converting volume |
| 24592 | N/A | Medium | An attempt to automatically restart conversion on volume %2 failed. |
| 24593 | N/A | Medium | Metadata write: Volume %2 returning errors while trying to modify metadata. If failures continue, decrypt volume |
| 24594 | N/A | Medium | Metadata rebuild: An attempt to write a copy of metadata on volume %2 failed and may appear as disk corruption. If failures continue, decrypt volume. |
| 4608 | 512 | Low | Windows is starting up. |
| 4609 | 513 | Low | Windows is shutting down. |
| 4610 | 514 | Low | An authentication package has been loaded by the Local Security Authority. |
| 4611 | 515 | Low | A trusted logon process has been registered with the Local Security Authority. |
| 4612 | 516 | Low | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
| 4614 | 518 | Low | A notification package has been loaded by the Security Account Manager. |
| 4615 | 519 | Low | Invalid use of LPC port. |
| 4616 | 520 | Low | The system time was changed. |
| 4622 | N/A | Low | A security package has been loaded by the Local Security Authority. |
| 4624 | 528,540 | Low | An account was successfully logged on. |
| 4625 | 529-537,539 | Low | An account failed to log on. |
| 4634 | 538 | Low | An account was logged off. |
| 4646 | N/A | Low | IKE DoS-prevention mode started. |
| 4647 | 551 | Low | User initiated logoff. |
| 4648 | 552 | Low | A logon was attempted using explicit credentials. |
| 4650 | N/A | Low | An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. |
| 4651 | N/A | Low | An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. |
| 4652 | N/A | Low | An IPsec Main Mode negotiation failed. |
| 4653 | N/A | Low | An IPsec Main Mode negotiation failed. |
| 4654 | N/A | Low | An IPsec Quick Mode negotiation failed. |
| 4655 | N/A | Low | An IPsec Main Mode security association ended. |
| 4656 | 560 | Low | A handle to an object was requested. |
| 4657 | 567 | Low | A registry value was modified. |
| 4658 | 562 | Low | The handle to an object was closed. |
| 4659 | N/A | Low | A handle to an object was requested with intent to delete. |
| 4660 | 564 | Low | An object was deleted. |
| 4661 | 565 | Low | A handle to an object was requested. |
| 4662 | 566 | Low | An operation was performed on an object. |
| 4663 | 567 | Low | An attempt was made to access an object. |
| 4664 | N/A | Low | An attempt was made to create a hard link. |
| 4665 | N/A | Low | An attempt was made to create an application client context. |
| 4666 | N/A | Low | An application attempted an operation: |
| 4667 | N/A | Low | An application client context was deleted. |
| 4668 | N/A | Low | An application was initialized. |
| 4670 | N/A | Low | Permissions on an object were changed. |
| 4671 | N/A | Low | An application attempted to access a blocked ordinal through the TBS. |
| 4672 | 576 | Low | Special privileges assigned to new logon. |
| 4673 | 577 | Low | A privileged service was called. |
| 4674 | 578 | Low | An operation was attempted on a privileged object. |
| 4688 | 592 | Low | A new process has been created. |
| 4689 | 593 | Low | A process has exited. |
| 4690 | 594 | Low | An attempt was made to duplicate a handle to an object. |
| 4691 | 595 | Low | Indirect access to an object was requested. |
| 4694 | N/A | Low | Protection of auditable protected data was attempted. |
| 4695 | N/A | Low | Unprotection of auditable protected data was attempted. |
| 4696 | 600 | Low | A primary token was assigned to process. |
| 4697 | 601 | Low | Attempt to install a service |
| 4698 | 602 | Low | A scheduled task was created. |
| 4699 | 602 | Low | A scheduled task was deleted. |
| 4700 | 602 | Low | A scheduled task was enabled. |
| 4701 | 602 | Low | A scheduled task was disabled. |
| 4702 | 602 | Low | A scheduled task was updated. |
| 4704 | 608 | Low | A user right was assigned. |
| 4705 | 609 | Low | A user right was removed. |
| 4707 | 611 | Low | A trust to a domain was removed. |
| 4709 | N/A | Low | IPsec Services was started. |
| 4710 | N/A | Low | IPsec Services was disabled. |
| 4711 | N/A | Low | May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. PAStore Engine applied Active Directory storage IPsec policy on the computer. PAStore Engine applied local registry storage IPsec policy on the computer. PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. PAStore Engine failed to apply local registry storage IPsec policy on the computer. PAStore Engine failed to apply some rules of the active IPsec policy on the computer. PAStore Engine failed to load directory storage IPsec policy on the computer. PAStore Engine loaded directory storage IPsec policy on the computer. PAStore Engine failed to load local storage IPsec policy on the computer. PAStore Engine loaded local storage IPsec policy on the computer. PAStore Engine polled for changes to the active IPsec policy and detected no changes. |
| 4712 | N/A | Low | IPsec Services encountered a potentially serious failure. |
| 4717 | 621 | Low | System security access was granted to an account. |
| 4718 | 622 | Low | System security access was removed from an account. |
| 4720 | 624 | Low | A user account was created. |
| 4722 | 626 | Low | A user account was enabled. |
| 4723 | 627 | Low | An attempt was made to change an account's password. |
| 4725 | 629 | Low | A user account was disabled. |
| 4726 | 630 | Low | A user account was deleted. |
| 4728 | 632 | Low | A member was added to a security-enabled global group. |
| 4729 | 633 | Low | A member was removed from a security-enabled global group. |
| 4730 | 634 | Low | A security-enabled global group was deleted. |
| 4731 | 635 | Low | A security-enabled local group was created. |
| 4732 | 636 | Low | A member was added to a security-enabled local group. |
| 4733 | 637 | Low | A member was removed from a security-enabled local group. |
| 4734 | 638 | Low | A security-enabled local group was deleted. |
| 4738 | 642 | Low | A user account was changed. |
| 4740 | 644 | Low | A user account was locked out. |
| 4741 | 645 | Low | A computer account was changed. |
| 4742 | 646 | Low | A computer account was changed. |
| 4743 | 647 | Low | A computer account was deleted. |
| 4744 | 648 | Low | A security-disabled local group was created. |
| 4745 | 649 | Low | A security-disabled local group was changed. |
| 4746 | 650 | Low | A member was added to a security-disabled local group. |
| 4747 | 651 | Low | A member was removed from a security-disabled local group. |
| 4748 | 652 | Low | A security-disabled local group was deleted. |
| 4749 | 653 | Low | A security-disabled global group was created. |
| 4750 | 654 | Low | A security-disabled global group was changed. |
| 4751 | 655 | Low | A member was added to a security-disabled global group. |
| 4752 | 656 | Low | A member was removed from a security-disabled global group. |
| 4753 | 657 | Low | A security-disabled global group was deleted. |
| 4756 | 660 | Low | A member was added to a security-enabled universal group. |
| 4757 | 661 | Low | A member was removed from a security-enabled universal group. |
| 4758 | 662 | Low | A security-enabled universal group was deleted. |
| 4759 | 663 | Low | A security-disabled universal group was created. |
| 4760 | 664 | Low | A security-disabled universal group was changed. |
| 4761 | 665 | Low | A member was added to a security-disabled universal group. |
| 4762 | 666 | Low | A member was removed from a security-disabled universal group. |
| 4767 | 671 | Low | A user account was unlocked. |
| 4768 | 672,676 | Low | A Kerberos authentication ticket (TGT) was requested. |
| 4769 | 673 | Low | A Kerberos service ticket was requested. |
| 4770 | 674 | Low | A Kerberos service ticket was renewed. |
| 4771 | 675 | Low | Kerberos pre-authentication failed. |
| 4772 | 672 | Low | A Kerberos authentication ticket request failed. |
| 4774 | 678 | Low | An account was mapped for logon. |
| 4775 | 679 | Low | An account could not be mapped for logon. |
| 4776 | 680,681 | Low | The domain controller attempted to validate the credentials for an account. |
| 4777 | N/A | Low | The domain controller failed to validate the credentials for an account. |
| 4778 | 682 | Low | A session was reconnected to a Window Station. |
| 4779 | 683 | Low | A session was disconnected from a Window Station. |
| 4781 | 685 | Low | The name of an account was changed: |
| 4782 | N/A | Low | The password hash of an account was accessed. |
| 4783 | 667 | Low | A basic application group was created. |
| 4784 | N/A | Low | A basic application group was changed. |
| 4785 | 689 | Low | A member was added to a basic application group. |
| 4786 | 690 | Low | A member was removed from a basic application group. |
| 4787 | 691 | Low | A nonmember was added to a basic application group. |
| 4788 | 692 | Low | A nonmember was removed from a basic application group. |
| 4789 | 693 | Low | A basic application group was deleted. |
| 4790 | 694 | Low | An LDAP query group was created. |
| 4793 | N/A | Low | The Password Policy Checking API was called. |
| 4800 | N/A | Low | The workstation was locked. |
| 4801 | N/A | Low | The workstation was unlocked. |
| 4802 | N/A | Low | The screen saver was invoked. |
| 4803 | N/A | Low | The screen saver was dismissed. |
| 4864 | N/A | Low | A namespace collision was detected. |
| 4869 | 773 | Low | Certificate Services received a resubmitted certificate request. |
| 4871 | 775 | Low | Certificate Services received a request to publish the certificate revocation list (CRL). |
| 4872 | 776 | Low | Certificate Services published the certificate revocation list (CRL). |
| 4873 | 777 | Low | A certificate request extension changed. |
| 4874 | 778 | Low | One or more certificate request attributes changed. |
| 4875 | 779 | Low | Certificate Services received a request to shut down. |
| 4876 | 780 | Low | Certificate Services backup started. |
| 4877 | 781 | Low | Certificate Services backup completed. |
| 4878 | 782 | Low | Certificate Services restore started. |
| 4879 | 783 | Low | Certificate Services restore completed. |
| 4880 | 784 | Low | Certificate Services started. |
| 4881 | 785 | Low | Certificate Services stopped. |
| 4883 | 787 | Low | Certificate Services retrieved an archived key. |
| 4884 | 788 | Low | Certificate Services imported a certificate into its database. |
| 4886 | 790 | Low | Certificate Services received a certificate request. |
| 4887 | 791 | Low | Certificate Services approved a certificate request and issued a certificate. |
| 4888 | 792 | Low | Certificate Services denied a certificate request. |
| 4889 | 793 | Low | Certificate Services set the status of a certificate request to pending. |
| 4891 | 795 | Low | A configuration entry changed in Certificate Services. |
| 4893 | 797 | Low | Certificate Services archived a key. |
| 4894 | 798 | Low | Certificate Services imported and archived a key. |
| 4895 | 799 | Low | Certificate Services published the CA certificate to Active Directory Domain Services. |
| 4898 | 802 | Low | Certificate Services loaded a template. |
| 4902 | N/A | Low | The Per-user audit policy table was created. |
| 4904 | N/A | Low | An attempt was made to register a security event source. |
| 4905 | N/A | Low | An attempt was made to unregister a security event source. |
| 4909 | N/A | Low | The local policy settings for the TBS were changed. |
| 4910 | N/A | Low | The Group Policy settings for the TBS were changed. |
| 4928 | N/A | Low | An Active Directory replica source naming context was established. |
| 4929 | N/A | Low | An Active Directory replica source naming context was removed. |
| 4930 | N/A | Low | An Active Directory replica source naming context was modified. |
| 4931 | N/A | Low | An Active Directory replica destination naming context was modified. |
| 4932 | N/A | Low | Synchronization of a replica of an Active Directory naming context has begun. |
| 4933 | N/A | Low | Synchronization of a replica of an Active Directory naming context has ended. |
| 4934 | N/A | Low | Attributes of an Active Directory object were replicated. |
| 4935 | N/A | Low | Replication failure begins. |
| 4936 | N/A | Low | Replication failure ends. |
| 4937 | N/A | Low | A lingering object was removed from a replica. |
| 4944 | N/A | Low | The following policy was active when the Windows Firewall started. |
| 4945 | N/A | Low | A rule was listed when the Windows Firewall started. |
| 4946 | N/A | Low | A change has been made to Windows Firewall exception list. A rule was added. |
| 4947 | N/A | Low | A change has been made to Windows Firewall exception list. A rule was modified. |
| 4948 | N/A | Low | A change has been made to Windows Firewall exception list. A rule was deleted. |
| 4949 | N/A | Low | Windows Firewall settings were restored to the default values. |
| 4950 | N/A | Low | A Windows Firewall setting has changed. |
| 4951 | N/A | Low | A rule has been ignored because its major version number was not recognized by Windows Firewall. |
| 4952 | N/A | Low | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. |
| 4953 | N/A | Low | A rule has been ignored by Windows Firewall because it could not parse the rule. |
| 4954 | N/A | Low | Windows Firewall Group Policy settings have changed. The new settings have been applied. |
| 4956 | N/A | Low | Windows Firewall has changed the active profile. |
| 4957 | N/A | Low | Windows Firewall did not apply the following rule: |
| 4958 | N/A | Low | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: |
| 4979 | N/A | Low | IPsec Main Mode and Extended Mode security associations were established. |
| 4980 | N/A | Low | IPsec Main Mode and Extended Mode security associations were established. |
| 4981 | N/A | Low | IPsec Main Mode and Extended Mode security associations were established. |
| 4982 | N/A | Low | IPsec Main Mode and Extended Mode security associations were established. |
| 4985 | N/A | Low | The state of a transaction has changed. |
| 5024 | N/A | Low | The Windows Firewall Service has started successfully. |
| 5025 | N/A | Low | The Windows Firewall Service has been stopped. |
| 5031 | N/A | Low | The Windows Firewall Service blocked an application from accepting incoming connections on the network. |
| 5032 | N/A | Low | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. |
| 5033 | N/A | Low | The Windows Firewall Driver has started successfully. |
| 5034 | N/A | Low | The Windows Firewall Driver has been stopped. |
| 5039 | N/A | Low | A registry key was virtualized. |
| 5040 | N/A | Low | A change has been made to IPsec settings. An Authentication Set was added. |
| 5041 | N/A | Low | A change has been made to IPsec settings. An Authentication Set was modified. |
| 5042 | N/A | Low | A change has been made to IPsec settings. An Authentication Set was deleted. |
| 5043 | N/A | Low | A change has been made to IPsec settings. A Connection Security Rule was added. |
| 5044 | N/A | Low | A change has been made to IPsec settings. A Connection Security Rule was modified. |
| 5045 | N/A | Low | A change has been made to IPsec settings. A Connection Security Rule was deleted. |
| 5046 | N/A | Low | A change has been made to IPsec settings. A Crypto Set was added. |
| 5047 | N/A | Low | A change has been made to IPsec settings. A Crypto Set was modified. |
| 5048 | N/A | Low | A change has been made to IPsec settings. A Crypto Set was deleted. |
| 5050 | N/A | Low | An attempt to programmatically disable the Windows Firewall using a call to InetFwProfile.FirewallEnabled(False) |
| 5051 | N/A | Low | A file was virtualized. |
| 5056 | N/A | Low | A cryptographic self test was performed. |
| 5057 | N/A | Low | A cryptographic primitive operation failed. |
| 5058 | N/A | Low | Key file operation. |
| 5059 | N/A | Low | Key migration operation. |
| 5060 | N/A | Low | Verification operation failed. |
| 5061 | N/A | Low | Cryptographic operation. |
| 5062 | N/A | Low | A kernel-mode cryptographic self test was performed. |
| 5063 | N/A | Low | A cryptographic provider operation was attempted. |
| 5064 | N/A | Low | A cryptographic context operation was attempted. |
| 5065 | N/A | Low | A cryptographic context modification was attempted. |
| 5066 | N/A | Low | A cryptographic function operation was attempted. |
| 5067 | N/A | Low | A cryptographic function modification was attempted. |
| 5068 | N/A | Low | A cryptographic function provider operation was attempted. |
| 5069 | N/A | Low | A cryptographic function property operation was attempted. |
| 5070 | N/A | Low | A cryptographic function property modification was attempted. |
| 5125 | N/A | Low | A request was submitted to the OCSP Responder Service |
| 5126 | N/A | Low | Signing Certificate was automatically updated by the OCSP Responder Service |
| 5127 | N/A | Low | The OCSP Revocation Provider successfully updated the revocation information |
| 5136 | 566 | Low | A directory service object was modified. |
| 5137 | 566 | Low | A directory service object was created. |
| 5138 | N/A | Low | A directory service object was undeleted. |
| 5139 | N/A | Low | A directory service object was moved. |
| 5140 | N/A | Low | A network share object was accessed. |
| 5141 | N/A | Low | A directory service object was deleted. |
| 5152 | N/A | Low | The Windows Filtering Platform blocked a packet. |
| 5153 | N/A | Low | A more restrictive Windows Filtering Platform filter has blocked a packet. |
| 5154 | N/A | Low | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. |
| 5155 | N/A | Low | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. |
| 5156 | N/A | Low | The Windows Filtering Platform has allowed a connection. |
| 5157 | N/A | Low | The Windows Filtering Platform has blocked a connection. |
| 5158 | N/A | Low | The Windows Filtering Platform has permitted a bind to a local port. |
| 5159 | N/A | Low | The Windows Filtering Platform has blocked a bind to a local port. |
| 5378 | N/A | Low | The requested credentials delegation was disallowed by policy. |
| 5440 | N/A | Low | The following callout was present when the Windows Filtering Platform Base Filtering Engine started. |
| 5441 | N/A | Low | The following filter was present when the Windows Filtering Platform Base Filtering Engine started. |
| 5442 | N/A | Low | The following provider was present when the Windows Filtering Platform Base Filtering Engine started. |
| 5443 | N/A | Low | The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. |
| 5444 | N/A | Low | The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started. |
| 5446 | N/A | Low | A Windows Filtering Platform callout has been changed. |
| 5447 | N/A | Low | A Windows Filtering Platform filter has been changed. |
| 5448 | N/A | Low | A Windows Filtering Platform provider has been changed. |
| 5449 | N/A | Low | A Windows Filtering Platform provider context has been changed. |
| 5450 | N/A | Low | A Windows Filtering Platform sublayer has been changed. |
| 5451 | N/A | Low | An IPsec Quick Mode security association was established. |
| 5452 | N/A | Low | An IPsec Quick Mode security association ended. |
| 5456 | N/A | Low | PAStore Engine applied Active Directory storage IPsec policy on the computer. |
| 5457 | N/A | Low | PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. |
| 5458 | N/A | Low | PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. |
| 5459 | N/A | Low | PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. |
| 5460 | N/A | Low | PAStore Engine applied local registry storage IPsec policy on the computer. |
| 5461 | N/A | Low | PAStore Engine failed to apply local registry storage IPsec policy on the computer. |
| 5462 | N/A | Low | PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. |
| 5463 | N/A | Low | PAStore Engine polled for changes to the active IPsec policy and detected no changes. |
| 5464 | N/A | Low | PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. |
| 5465 | N/A | Low | PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. |
| 5466 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. |
| 5467 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. |
| 5468 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. |
| 5471 | N/A | Low | PAStore Engine loaded local storage IPsec policy on the computer. |
| 5472 | N/A | Low | PAStore Engine failed to load local storage IPsec policy on the computer. |
| 5473 | N/A | Low | PAStore Engine loaded directory storage IPsec policy on the computer. |
| 5474 | N/A | Low | PAStore Engine failed to load directory storage IPsec policy on the computer. |
| 5477 | N/A | Low | PAStore Engine failed to add quick mode filter. |
| 5479 | N/A | Low | IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
| 5632 | N/A | Low | A request was made to authenticate to a wireless network. |
| 5633 | N/A | Low | A request was made to authenticate to a wired network. |
| 5712 | N/A | Low | A Remote Procedure Call (RPC) was attempted. |
| 5888 | N/A | Low | An object in the COM+ Catalog was modified. |
| 5889 | N/A | Low | An object was deleted from the COM+ Catalog. |
| 5890 | N/A | Low | An object was added to the COM+ Catalog. |
| 6008 | N/A | Low | The previous system shutdown was unexpected |
| 6144 | N/A | Low | Security policy in the Group Policy objects has been applied successfully. |
| 6272 | N/A | Low | Network Policy Server granted access to a user. |
| N/A | 561 | Low | A handle to an object was requested. |
| N/A | 563 | Low | Object open for delete |
| N/A | 625 | Low | User Account Type Changed |
| N/A | 613 | Low | IPsec policy agent started |
| N/A | 614 | Low | IPsec policy agent disabled |
| N/A | 615 | Low | IPsec policy agent |
| N/A | 616 | Low | IPsec policy agent encountered a potential serious failure |
| 24577 | N/A | Low | Encryption of volume started |
| 24578 | N/A | Low | Encryption of volume stopped |
| 24579 | N/A | Low | Encryption of volume completed |
| 24580 | N/A | Low | Decryption of volume started |
| 24581 | N/A | Low | Decryption of volume stopped |
| 24582 | N/A | Low | Decryption of volume completed |
| 24583 | N/A | Low | Conversion worker thread for volume started |
| 24584 | N/A | Low | Conversion worker thread for volume temporarily stopped |
| 24588 | N/A | Low | The conversion operation on volume %2 encountered a bad sector error. Please validate the data on this volume |
| 24595 | N/A | Low | Volume %2 contains bad clusters. These clusters will be skipped during conversion. |
| 24621 | N/A | Low | Initial state check: Rolling volume conversion transaction on %2. |
| 5049 | N/A | Low | An IPsec Security Association was deleted. |
| 5478 | N/A | Low | IPsec Services has started successfully. |

Note

Refer to Microsoft Support article 947226 for lists of many security event IDs and their meanings.

Run wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true to get a very detailed listing of all security event IDs.

For more information about Windows security event IDs and their meanings, see the Microsoft Support articles Description of security events in Windows Vista and in Windows Server 2008 and Description of security events in Windows 7 and in Windows Server 2008 R2. You can also download Security Audit Events for Windows 7 and Windows Server 2008 R2 and Windows 8 and Windows Server 2012 Security Event Details, which provide detailed event information for the referenced operating systems in spreadsheet format.

© 2017 Microsoft