| Account Constrained Delegation SPNs changed | Constrained delegation restricts the services to which the specified server can act on behalf of the user. |
| Account Constrained Delegation State changed | Constrained delegation configuration setting has changed for an entity. |
| Account Delegation changed | Changes to the account delegation settings. |
| Account Deleted changed | User account was deleted. |
| Account disabled | An account was disabled, restricting its use. |
| Account Disabled changed | Indicates whether an account is disabled or enabled. |
| Account Display Name changed | User’s display name was changed. |
| Account enabled | A disabled account was re-enabled. |
| Account expired | Date when the account expires. |
| Account Expiry Time changed | Change to the date when the account expires. |
| Account Name changed | User’s name was changed. |
| Account password change failed | Password change attempt failed. |
| Account Password changed | User changed their password. |
| Account Password expired | User’s password expired. |
| Account Password Never Expires changed | User’s password changed to never expire. |
| Account Password Not Required changed | User account was changed to allow logging in with a blank password. |
| Account Path changed | User’s distinguished name was changed from X to Y. |
| Account primary group ID changed | Primary group ID for the account was updated. |
| Account Smart Card Required changed | Account changes to require users to log on to a device using a smart card. |
| Account Supported Encryption Types changed | Kerberos supported encryption types were changed (types: DES, AES 128, AES 256). |
| Account Unlock changed | Changes to the account unlock settings. |
| Account Upn Name changed | User’s principal name was changed. |
| Active Directory security group created | A new security group was created in Active Directory. |
| ADCS certificate issued | A certificate was issued using Active Directory Certificate Services (ADCS). |
| ADFS DKM property read | An account read the Active Directory Federation Services (AD FS) Distributed Key Manager property. |
| ADFS settings changed | Modifications made to the Active Directory Federation Services (ADFS) configuration, potentially impacting authentication and access policies. |
| DES encryption restriction changed | A user account control flag restricting encryption to DES was updated. |
| Device Account Created | A new device account was created. |
| Device dNSHostName changed | The DNS hostname of a device was updated. |
| Device Operating System changed | An operating system attribute was changed. |
| Directory Service replication | User tried to replicate the directory service. |
| Domain trusts enumerated | Trust relationships between domains were queried and listed to identify potential lateral movement paths. |
| Entra Connect password writeback failed | Password writeback attempt using Entra Connect failed. |
| GMSA password read | The Group Managed Service Account (gMSA) password, which can expose service credentials used for automated tasks and services, was read. |
| Group Membership changed | User was added to or removed from a group, by another user or by themselves. |
| Group Policy display name changed | The display name of a Group Policy Object was updated. |
| Group Policy Object created | A new Group Policy Object was created. |
| Group Policy Object deleted | A Group Policy Object was deleted from Active Directory. |
| Group Policy settings changed | Settings in a Group Policy Object were updated. |
| Kerberos preauthentication flag changed | A user account control flag for Kerberos preauthentication was modified. |
| Plaintext password allow status changed | A user account control flag for plaintext passwords was changed. |
| Potential lateral movement path identified | Identified potential lateral movement path to a sensitive user. |
| PowerShell execution | User attempted to remotely execute a PowerShell command. |
| Private Data Retrieval | User attempted to query, or succeeded in querying, private data using the LSARPC protocol. |
| SAM account name changed | The Security Account Manager (SAM) account name was modified. |
| Security Principal created | Account was created (both user and computer). |
| Security Principal deleted changed | Account was deleted/restored (both user and computer). |
| Security Principal Display Name changed | Account display name was changed from X to Y. |
| Security Principal Name changed | Account name attribute was changed. |
| Security Principal Path changed | Account distinguished name was changed from X to Y. |
| Security Principal Sam Name changed | SAM name changed (SAM is the logon name used to support clients and servers running earlier versions of the operating system). |
| Sensitive DACL changed | A change was made to a sensitive Discretionary Access Control List (DACL). |
| Service creation | User attempted to remotely create a specific service on a remote machine. |
| SID-History changed | A modification was made to the account’s SID-History attribute. |
| SMB session | User attempted to enumerate all users with open SMB sessions on the domain controllers. |
| SmbFileCopy | User copied files using SMB. |
| Task scheduling | User tried to remotely schedule task X on a remote machine. |
| User Mail changed | User’s email attribute was changed. |
| User Manager changed | User’s manager attribute was changed. |
| User Phone Number changed | User’s phone number attribute was changed. |
| User Title changed | User’s title attribute was changed. |
| Wmi execution | User attempted to remotely execute a WMI method. |