2.2.1.2 Subcategory and SubcategoryGUID
This section defines how the Subcategory and SubcategoryGUID values are used by the audit configuration client-side plug-in.
The Subcategory field is for user reference only and is ignored when the advanced audit policy is applied by the audit configuration client-side plug-in.
The syntax for the entries in this category MUST be as follows.
-
Subcategory = StringWithSpaces / QuotedString SubcategoryGUID = GUID
The SubcategoryGUID allows administrators to identify audit subcategories to enable or disable in the client's system or per-user advanced audit policy. For more information about enabling or disabling audit subcategories, see section 2.2.1.3.
The following table provides an explanation for the valid SubcategoryGUID values.
SubcategoryGUID |
Purpose |
---|---|
{0CCE9213-69AE-11D9-BED3-505054503030} |
Identifies the IPsec Driver audit subcategory. This subcategory audits events that are generated by the IPsec filter driver. |
{0CCE9212-69AE-11D9-BED3-505054503030} |
Identifies the System Integrity audit subcategory. This subcategory audits events that violate the integrity of the security subsystem. |
{0CCE9211-69AE-11D9-BED3-505054503030} |
Identifies the Security System Extension audit subcategory. This subcategory audits events related to security system extensions or services. |
{0CCE9210-69AE-11D9-BED3-505054503030} |
Identifies the Security State Change audit subcategory. This subcategory audits events generated by changes in the security state of the computer. |
{0CCE9214-69AE-11D9-BED3-505054503030} |
Identifies the Other System Events audit subcategory. This subcategory SHOULD<2> audit the following event: Cryptography key file and migration operations. |
{0CCE9243-69AE-11D9-BED3-505054503030} |
Identifies the Network Policy Server audit subcategory. This subcategory audits events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. |
{0CCE921C-69AE-11D9-BED3-505054503030} |
Identifies the Other Logon/Logoff Events audit subcategory. This subcategory audits other events related to logon and logoff that are not included in the Logon/Logoff category. |
{0CCE921B-69AE-11D9-BED3-505054503030} |
Identifies the Special Logon audit subcategory. This subcategory audits events generated by special logons. |
{0CCE921A-69AE-11D9-BED3-505054503030} |
Identifies the IPsec Extended Mode audit subcategory. This subcategory audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. |
{0CCE9219-69AE-11D9-BED3-505054503030} |
Identifies the IPsec Quick Mode audit subcategory. This subcategory audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. |
{0CCE9218-69AE-11D9-BED3-505054503030} |
Identifies the IPsec Main Mode audit subcategory. This subcategory audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. |
{0CCE9217-69AE-11D9-BED3-505054503030} |
Identifies the Account Lockout audit subcategory. This subcategory audits events generated by a failed attempt to log on to an account that is locked out. |
{0CCE9216-69AE-11D9-BED3-505054503030} |
Identifies the Logoff audit subcategory. This subcategory audits events generated by closing a logon session. These events occur on the computer that was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. |
{0CCE9215-69AE-11D9-BED3-505054503030} |
Identifies the Logon audit subcategory. This subcategory audits events generated by user account logon attempts on a computer. |
{0CCE9223-69AE-11D9-BED3-505054503030} |
Identifies the Handle Manipulation audit subcategory. This subcategory audits events generated when a handle to an object is opened or closed. Only objects with a matching SACL generate security audit events. Open and close handle events will be audited when both the Handle Manipulation subcategory is enabled along with the corresponding resource manager identified by other Object Access audit subcategory, like File System or Registry. Enabling Handle Manipulation causes implementation-specific security event data to be logged identifying the permissions that were used to grant or deny the access requested by the user; this is also known as "Reason for access". |
{0CCE9244-69AE-11D9-BED3-505054503030} |
Identifies the Detailed File Share audit subcategory. This subcategory audits every attempt to access objects in a shared folder. |
{0CCE9227-69AE-11D9-BED3-505054503030} |
Identifies the Other Object Access Events audit subcategory. This subcategory audits events generated by the management of Task Scheduler jobs or COM+ objects. |
{0CCE9226-69AE-11D9-BED3-505054503030} |
Identifies the Filtering Platform Connection audit subcategory. This subcategory audits connections that are allowed or blocked by WFP. |
{0CCE9225-69AE-11D9-BED3-505054503030} |
Identifies the Filtering Platform Packet Drop audit subcategory. This subcategory audits packets that are dropped by Windows Filtering Platform (WFP). |
{0CCE9224-69AE-11D9-BED3-505054503030} |
Identifies the File Share audit subcategory. This subcategory audits attempts to access a shared folder. |
{0CCE9222-69AE-11D9-BED3-505054503030} |
Identifies the Application Generated audit subcategory. This subcategory audits applications that generate events by using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. |
{0CCE9221-69AE-11D9-BED3-505054503030} |
Identifies the Certification Services audit subcategory. This subcategory audits Active Directory Certificate Services (AD CS) operations. |
{0CCE9220-69AE-11D9-BED3-505054503030} |
Identifies the SAM audit subcategory. This subcategory audits events generated by attempts to access Security Accounts Manager (SAM) objects. |
{0CCE921F-69AE-11D9-BED3-505054503030} |
Identifies the Kernel Object audit subcategory. This subcategory audits attempts to access the system kernel, which include mutexes and semaphores. Only kernel objects with a matching SACL generate security audit events. Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. |
{0CCE921E-69AE-11D9-BED3-505054503030} |
Identifies the Registry audit subcategory. This subcategory audits attempts to access registry objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. |
{0CCE921D-69AE-11D9-BED3-505054503030} |
Identifies the File System audit subcategory. This subcategory audits user attempts to access file system objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Write, Read, or Modify, and the account making the request match the settings in the SACL. |
{0CCE9229-69AE-11D9-BED3-505054503030} |
Identifies the Non Sensitive Privilege Use audit subcategory. This subcategory audits events generated by the use of nonsensitive privileges (user rights), such as logging on locally or with a Remote Desktop connection, changing the system time, or removing a computer from a docking station. |
{0CCE922A-69AE-11D9-BED3-505054503030} |
Identifies the Other Privilege Use Events audit subcategory. |
{0CCE9228-69AE-11D9-BED3-505054503030} |
Identifies the Sensitive Privilege Use audit subcategory. This subcategory audits events generated by the use of sensitive privileges (user rights), such as acting as part of the operating system, backing up files and directories, impersonating a client computer, or generating security audits. |
{0CCE922D-69AE-11D9-BED3-505054503030} |
Identifies the DPAPI Activity audit subcategory. This subcategory audits events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. |
{0CCE922C-69AE-11D9-BED3-505054503030} |
Identifies the Process Termination audit subcategory. This subcategory audits events generated when a process ends. |
{0CCE922B-69AE-11D9-BED3-505054503030} |
Identifies the Process Creation audit subcategory. This subcategory audits events generated when a process is created or starts. The name of the application or user that created the process is also audited. |
{0CCE922E-69AE-11D9-BED3-505054503030} |
Identifies the RPC Events audit subcategory. This subcategory audits inbound remote procedure call (RPC) connections. |
{0CCE9232-69AE-11D9-BED3-505054503030} |
Identifies the MPSSVC Rule-Level Policy Change audit subcategory. This subcategory audits events generated by changes in policy rules used by Windows Firewall. |
{0CCE9234-69AE-11D9-BED3-505054503030} |
Identifies the Other Policy Change Events audit subcategory. This subcategory audits events generated by other security policy changes that are not audited in the Policy Change category. |
{0CCE9233-69AE-11D9-BED3-505054503030} |
Identifies the Filtering Platform Policy Change audit subcategory. This subcategory audits events generated by changes to Windows Filtering Platform (WFP). |
{0CCE922F-69AE-11D9-BED3-505054503030} |
Identifies the Audit Policy Change audit subcategory. This subcategory audits changes in security audit policy settings. |
{0CCE9231-69AE-11D9-BED3-505054503030} |
Identifies the Authorization Policy Change audit subcategory. This subcategory audits events generated by changes to the authorization policy. |
{0CCE9230-69AE-11D9-BED3-505054503030} |
Identifies the Authentication Policy Change audit subcategory. This subcategory audits events generated by changes to the authentication policy. |
{0CCE923A-69AE-11D9-BED3-505054503030} |
Identifies the Other Account Management Events audit subcategory. This subcategory audits events generated by other user account changes that are not covered in this category. |
{0CCE9239-69AE-11D9-BED3-505054503030} |
Identifies the Application Group Management audit subcategory. This subcategory audits events generated by changes to application groups. |
{0CCE9238-69AE-11D9-BED3-505054503030} |
Identifies the Distribution Group Management audit subcategory. This subcategory audits events generated by changes to distribution groups. |
{0CCE9237-69AE-11D9-BED3-505054503030} |
Identifies the Security Group Management audit subcategory. This subcategory audits events generated by changes to security groups. |
{0CCE9236-69AE-11D9-BED3-505054503030} |
Identifies the Computer Account Management audit subcategory. This subcategory audits events generated by changes to computer accounts, such as when a computer account is created, changed, or deleted. |
{0CCE9235-69AE-11D9-BED3-505054503030} |
Identifies the User Account Management audit subcategory. This subcategory audits changes to user accounts. |
{0CCE923E-69AE-11D9-BED3-505054503030} |
Identifies the Detailed Directory Service Replication audit subcategory. This subcategory audits events generated by detailed AD DS replication between domain controllers (DCs). |
{0CCE923B-69AE-11D9-BED3-505054503030} |
Identifies the Directory Service Access audit subcategory. This subcategory audits events generated when an AD DS object is accessed. Only AD DS objects with a matching SACL are logged. |
{0CCE923D-69AE-11D9-BED3-505054503030} |
Identifies the Directory Service Replication audit subcategory. This subcategory audits replication between two AD DS DCs. |
{0CCE923C-69AE-11D9-BED3-505054503030} |
Identifies the Directory Service Changes audit subcategory. This subcategory audits events generated by changes to AD DS objects. Events are logged when an object is created, deleted, modified, moved, or undeleted. |
{0CCE9241-69AE-11D9-BED3-505054503030} |
Identifies the Other Account Logon Events audit subcategory. This subcategory audits events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. |
{0CCE9240-69AE-11D9-BED3-505054503030} |
Identifies the Kerberos Service Ticket Operations audit subcategory. This subcategory audits events generated by Kerberos service ticket requests. |
{0CCE923F-69AE-11D9-BED3-505054503030} |
Identifies the Credential Validation audit subcategory. This subcategory audits events generated by validation tests on user account logon credentials. |
{0CCE9242-69AE-11D9-BED3-505054503030} |
Identifies the Kerberos Authentication Service audit subcategory. This subcategory audits events generated by Kerberos authentication ticket-granting ticket (TGT) requests. |
{0CCE9245-69AE-11D9-BED3-505054503030} |
Identifies the Removable Storage audit subcategory. This subcategory audits user attempts to access file system objects on any Removable Storage device. A security audit event is generated for every read or write access to a file object on any Removable Storage device attached to the user's machine. |
{0CCE9246-69AE-11D9-BED3-505054503030} |
Identifies the Central Access Policy Staging audit subcategory. This subcategory audits access requests where the permission granted or denied by a proposed policy differs from that granted or denied by the current central access policy on an object. |
{0cce9247-69ae-11d9-bed3-505054503030} |
Identifies the User/Device Claims audit subcategory. This subcategory SHOULD<3> audit the user and device claims that are present in the token of an associated logon. |
{0cce9248-69ae-11d9-bed3-505054503030} |
Identifies the PNP Activity audit subcategory. This subcategory SHOULD<4> audit events generated by plug and play (PNP). |
{0cce9249-69ae-11d9-bed3-505054503030} |
Identifies the Group Membership audit subcategory. This subcategory SHOULD<5> audit the group membership of a token for an associated logon. |