Common entries
Some common entries (grouped by category) are:
Logon
| Audit Success | 4624 | An account was successfully logged on |
| Audit Failure | 4625 | An account failed to log on |
| Audit Success | 4648 | A logon was attempted using explicit credentials |
Logoff
| Audit Success | 4634 | An account was logged off |
User Account Management
| Audit Success | 4722 | A user account was enabled |
| Audit Success | 4723 | An attempt was made to change an account’s password |
| Audit Success | 4725 | A user account was disabled |
| Audit Success | 4738 | A user account was changed |
| Audit Success | 4740 | A user account was locked out |
Useful custom query
A useful custom query that can’t be achieved simply through a filter is:
Get logon and logoff events for a specific user (replace {:Username:} with the account name):
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[
        EventData[Data[@Name='TargetUserName']='{:Username:}']
        and
        System[ (EventID &gt;= 4620 and EventID &lt;= 4639) ]
      ]
    </Select>
  </Query>
</QueryList>
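
The same query run from PowerShell, as an added example that is not part of the original page: it fills in the {:Username:} placeholder, reads the Security log with Get-WinEvent -FilterXml, and pairs each 4624 logon with its 4634 logoff by TargetLogonId. The function name Get-UserLogonSession and the output property names are assumptions made for this example.

```powershell
# Added example, not from the original page. Reading the Security log needs an elevated session.
function Get-UserLogonSession {
    param([Parameter(Mandatory)][string]$UserName)
    # The name lands inside a quoted XPath literal in an XML document, so
    # reject quotes and XML metacharacters instead of trying to escape them.
    if ($UserName -match '[''"<>&]') { throw 'Unsupported character in user name.' }
    # The page's query with the {:Username:} placeholder filled in.
    [xml]$filter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='TargetUserName']='$UserName']
        and System[ (EventID &gt;= 4620 and EventID &lt;= 4639) ]]
    </Select>
  </Query>
</QueryList>
"@

    $open = @{}   # TargetLogonId -> session record still waiting for its 4634
    # -Oldest returns events oldest first, so a logon is seen before its logoff.
    Get-WinEvent -FilterXml $filter -Oldest | ForEach-Object {
        $evt  = $_
        $data = @{}   # flatten <EventData><Data Name="...">value</Data> into a lookup
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $record = [pscustomobject]@{
            User       = $data.TargetUserName
            LogonType  = $data.LogonType
            Source     = $data.IpAddress
            LogonId    = $data.TargetLogonId
            Result     = 'Success'
            LogonTime  = $evt.TimeCreated   # for 4625 this is the time of the failed attempt
            LogoffTime = $null
        }
        switch ($evt.Id) {
            4624 { $open[$record.LogonId] = $record }          # hold until the logoff arrives
            4625 { $record.Result = 'Failure'; $record }       # failed logons are emitted as-is
            4634 {
                $session = $open[$record.LogonId]
                if ($session) { $session.LogoffTime = $evt.TimeCreated; $open.Remove($record.LogonId); $session }
            }
        }
    }
    $open.Values   # logons with no matching 4634 in the log
}
```

The range 4620 to 4639 in the query does not include 4648 from the list above, so logon attempts with explicit credentials are not returned.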