Active Directory Domain Services

Log Name	Event ID	Severity	Description
Security	4624	Info	Successful logon
Security	4625	Warning	Failed logon attempt
Security	4672	High	Special privileges assigned (Admin logon)
Security	4740	High	Account locked out
Security	4720	High	User account created
Security	4726	High	User account deleted
Security	4723 / 4724	Medium	Password changed / reset
Security	4728 / 4729	High	User added/removed from security group
Security	4732 / 4733	Medium	Member added/removed from local group
Security	4768 / 4771	Medium	Kerberos ticket request/failure
Security	4648	Medium	Logon attempt with explicit credentials
Directory Service	2887	High	LDAP signing not enforced
Directory Service	2889	High	LDAP simple bind without SSL detected
Security	4740	Medium	User account locked out
Security	4768–4771	Medium	Kerberos ticket requests/failures
Security	4625	High	Failed logon attempt
Security	1102	Critical	Audit logs cleared
System	5719	High	No domain controller available
Security	5722	High	Secure channel setup failed
Security	5805	Medium	Trust relationship failed
Security	4731 / 4735 / 4737	Medium	GPO created / modified / deleted
Security	4719	High	Audit policy changed
Security	5136	High	Directory object modified
Security	5137	High	Directory object created
Security	5138	High	Directory object undeleted (from recycle bin)
Security	5139	Medium	Directory object moved
Security	5141	High	Directory object deleted
Windows PowerShell	4103	Medium	PowerShell command pipeline execution
Windows PowerShell	4104	High	PowerShell script block execution
Security	4688	Medium	New process created
Security	4697	High	Service installed on system
Microsoft-Windows-Sysmon/Operational	1	High	Process creation
Microsoft-Windows-Sysmon/Operational	3	Medium	Network connection established
Microsoft-Windows-Sysmon/Operational	7	Medium	Image loaded
Microsoft-Windows-Sysmon/Operational	10	Medium	Process access
Microsoft-Windows-Sysmon/Operational	13	Medium	Registry modification
Security	4769	High	Kerberos service ticket request failure
Security	4771	High	Kerberos pre-authentication failed
Security	2889	High	LDAP simple bind without SSL detected
Security	4739	High	Domain policy changed
Security	4741	Medium	User account created
Security	4742	Medium	Computer account changed
Security	4743	Medium	Computer account deleted
Directory Service	1864	High	Domain controller not replicating
Directory Service	2042	Critical	Replication disabled due to stale DC
Directory Service	1566	High	KCC topology error
Directory Service	2103	Critical	NTDS database recovery mode
System	1311	High	Replication connectivity failure