
Active Directory Audit settings

Author: mdecrevoisier
Version: 2022.01.03
Status: stable

Diagram annotation: Provides advanced detection

Logins
    Event log: Security
    Audit policy:
        Audit Logon (S/F)
        Audit Special Logon (S/F)
        Audit Other Logon/Logoff Events (S/F)

Authentication
    Kerberos
        Event log: Security
        Audit policy:
            Audit Kerberos Service Ticket Operations (S/F)
            Audit Kerberos Authentication Service (S/F)
    NTLM
        Event log:
            Security
            Microsoft-Windows-NTLM/Operational
        Audit policy:
            Audit Credential Validation (S/F)
        Optional advanced auditing:
            Restrict NTLM: Audit NTLM authentication in this domain
            Restrict NTLM: Audit Outgoing NTLM Traffic to remote servers
            Restrict NTLM: Audit Incoming NTLM Traffic

Protected users groups
    Event log (disabled event log):
        Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
        Microsoft-Windows-Authentication/ProtectedUser-Client
        Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
        Microsoft-Windows-Authentication/ProtectedUserSuccess-DomainController

Directory Services
    Access
        Event log: Security
        Audit policy: Audit Directory Service Access (S/F)
        SACL: Requires flag on object(s)
    Extended rights
        Event log: Security
        Audit policy: Audit Directory Service Access (S/F)
        SACL: All extended rights on object(s)
    Changes
        Event log: Security
        Audit policy: Audit Directory Service Changes (S/F)
        SACL:
            Write all properties
            Modify owner
            Modify permissions
    Replication
        Event log: Security
        Audit policy:
            Audit Directory Service Replication (S/F)
            Audit Detailed Directory Service Replication (S/F)

Directory users and groups
    Event log: Security
    Audit policy:
        Audit Computer Account Management (S)
        Audit Security Group Management (S)
        Audit Other Account Management Events (S)
        Audit User Account Management (S/F)
