Hello,
Does anyone have a list of Windows event IDs that you want to audit to be compliant with all of NIST 800-53? A lot of them are obviously in AC, but I think some of the other controls require some event IDs to be audited. This is what I have so far...
- Logon/Logoff:
  - Event ID 4624: Successful account logon.
  - Event ID 4625: Failed account logon.
- User Account Management:
  - Event ID 4720: A user account was created.
  - Event ID 4722: A user account was enabled.
  - Event ID 4723: An attempt was made to change the password of an account.
  - Event ID 4724: An attempt was made to reset an account's password.
  - Event ID 4725: A user account was disabled.
  - Event ID 4738: A user account was changed.
- Group Management:
  - Event ID 4732: A member was added to a security-enabled global group.
  - Event ID 4733: A member was removed from a security-enabled global group.
  - Event ID 4756: A member was added to a security-enabled universal group.
  - Event ID 4757: A member was removed from a security-enabled universal group.
- Account Lockout:
  - Event ID 4740: An account was locked out.
- Kerberos Authentication:
  - Event ID 4771: Kerberos pre-authentication failed.
- Audit Policy Changes:
  - Event ID 4700: A scheduled task was enabled/disabled or its properties were changed.
- Object Access:
  - Event ID 4663: An attempt was made to access an object.
  - Event ID 4656: A handle to an object was requested.
- Registry Key and SAM Changes:
  - Event ID 4662: An operation was performed on an object.
Just trying not to reinvent the wheel if someone already has a list.
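Whatever the final list ends up being, the next question an assessor asks is whether those events are actually being generated. The following PowerShell is an added example (not from the post or any commenter) that takes the categories above as written, queries the Security log for the last few days, and reports which IDs have never appeared; it assumes it is run elevated on a Windows host where the Security log is readable.

```powershell
# Added example: verify that each listed Security event ID has been generated
# recently. Categories and IDs are taken from the post as written; the time
# window ($Days) is an assumption you can adjust.
$Days = 7
$Categories = [ordered]@{
    'Logon/Logoff'                 = 4624, 4625
    'User Account Management'      = 4720, 4722, 4723, 4724, 4725, 4738
    'Group Management'             = 4732, 4733, 4756, 4757
    'Account Lockout'              = 4740
    'Kerberos Authentication'      = 4771
    'Audit Policy Changes'         = 4700
    'Object Access'                = 4663, 4656
    'Registry Key and SAM Changes' = 4662
}

$Start  = (Get-Date).AddDays(-$Days)
$AllIds = $Categories.Values | ForEach-Object { $_ } | Sort-Object -Unique

# One query for every ID of interest; a hashtable filter is far cheaper than
# pulling the whole log and filtering client-side.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $AllIds
    StartTime = $Start
} -ErrorAction SilentlyContinue

# Count occurrences per event ID.
$Counts = @{}
foreach ($e in $Events) { $Counts[$e.Id] = 1 + [int]$Counts[$e.Id] }

# Emit one row per ID so the result can be piped to Format-Table or Export-Csv.
foreach ($cat in $Categories.Keys) {
    foreach ($id in $Categories[$cat]) {
        $n = [int]$Counts[$id]
        [pscustomobject]@{
            Category = $cat
            EventId  = $id
            Count    = $n
            Status   = if ($n -gt 0) { 'OK' } else { 'MISSING' }
        }
    }
}
```

A MISSING row means either that the relevant audit subcategory is not enabled (compare against `auditpol /get /category:*`) or simply that no such activity happened in the window, so check the policy before concluding the control is unmet. The Account Lockout and Kerberos rows are written on domain controllers, so run this there for those categories.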