TestimoX

API Reference

Enum

AuditSubcategory

Namespace: TestimoX.Baselines.Crosswalk
Assembly: TestimoX
Base: Enum
Implements: IComparable, ISpanFormattable, IFormattable, IConvertible
Modifiers: sealed

Advanced Audit Policy subcategories. Names and descriptions mirror Windows labels/intent.

Inheritance

  • Enum
  • AuditSubcategory

Values

public const AuditSubcategory KerberosAuthenticationService

Kerberos AS requests (TGT acquisition).

Value: 0

public const AuditSubcategory KerberosServiceTicketOperations

Kerberos TGS requests (service tickets).

Value: 1

public const AuditSubcategory CredentialValidation

NTLM and other credential validation events.

Value: 2

public const AuditSubcategory OtherAccountLogonEvents

Other Account Logon events.

Value: 3

public const AuditSubcategory UserAccountManagement

User account lifecycle (create/modify/delete).

Value: 4

public const AuditSubcategory ComputerAccountManagement

Computer account lifecycle events.

Value: 5

public const AuditSubcategory SecurityGroupManagement

Security group changes and membership.

Value: 6

public const AuditSubcategory DistributionGroupManagement

Distribution group changes and membership.

Value: 7

public const AuditSubcategory ApplicationGroupManagement

Application group management.

Value: 8

public const AuditSubcategory OtherAccountManagementEvents

Other Account Management events.

Value: 9

public const AuditSubcategory ProcessCreation

Process creation (4688). Often paired with command line logging.

Value: 10

public const AuditSubcategory ProcessTermination

Process termination (4689).

Value: 11

public const AuditSubcategory DPAPIActivity

DPAPI events (backup/restore master keys).

Value: 12

public const AuditSubcategory RPCEvents

RPC events.

Value: 13

public const AuditSubcategory PNPActivity

Plug and Play device activity.

Value: 14

public const AuditSubcategory DirectoryServiceAccess

DS access reads/writes.

Value: 15

public const AuditSubcategory DirectoryServiceChanges

DS object changes (audit directory service changes).

Value: 16

public const AuditSubcategory DirectoryServiceReplication

DS replication operations.

Value: 17

public const AuditSubcategory DetailedDirectoryServiceReplication

Detailed replication operations.

Value: 18

public const AuditSubcategory Logon

Logon attempts and types.

Value: 19

public const AuditSubcategory Logoff

Logoff events.

Value: 20

public const AuditSubcategory AccountLockout

Account lockout events.

Value: 21

public const AuditSubcategory SpecialLogon

Special logon (e.g., administrators).

Value: 22

public const AuditSubcategory OtherLogonLogoffEvents

Other Logon/Logoff events.

Value: 23

public const AuditSubcategory NetworkPolicyServer

NPS (RADIUS) server events.

Value: 24

public const AuditSubcategory UserDeviceClaims

Claims-based access: user/device claims.

Value: 25

public const AuditSubcategory FileSystem

File system object access.

Value: 26

public const AuditSubcategory Registry

Registry object access.

Value: 27

public const AuditSubcategory SAM

SAM access.

Value: 28

public const AuditSubcategory CertificationServices

Certificate services events.

Value: 29

public const AuditSubcategory KernelObject

Kernel object access.

Value: 30

public const AuditSubcategory RemovableStorage

Removable storage events.

Value: 31

public const AuditSubcategory WMI

Windows Management Instrumentation events.

Value: 32

public const AuditSubcategory CentralPolicyStaging

Central Access Policy (staging).

Value: 33

public const AuditSubcategory FilteringPlatformPacketDrop

WFP packet drop.

Value: 34

public const AuditSubcategory FilteringPlatformConnection

WFP connection events.

Value: 35

public const AuditSubcategory OtherObjectAccessEvents

Other Object Access events.

Value: 36

public const AuditSubcategory HandleManipulation

Handle manipulation.

Value: 37

public const AuditSubcategory AuditPolicyChange

Audit policy changed.

Value: 38

public const AuditSubcategory AuthenticationPolicyChange

Authentication policy changed.

Value: 39

public const AuditSubcategory AuthorizationPolicyChange

Authorization policy changed.

Value: 40

public const AuditSubcategory MPSSVCRuleLevelPolicyChange

Windows Defender Firewall policy change.

Value: 41

public const AuditSubcategory FilteringPlatformPolicyChange

WFP policy change.

Value: 42

public const AuditSubcategory OtherPolicyChangeEvents

Other Policy Change events.

Value: 43

public const AuditSubcategory SensitivePrivilegeUse

Sensitive privilege use (e.g., SeDebug, SeTcb).

Value: 44

public const AuditSubcategory NonSensitivePrivilegeUse

Non-sensitive privilege use.

Value: 45

public const AuditSubcategory OtherPrivilegeUseEvents

Other Privilege Use events.

Value: 46

public const AuditSubcategory SecurityStateChange

Security state change (startup/shutdown).

Value: 47

public const AuditSubcategory SecuritySystemExtension

Security system extension.

Value: 48

public const AuditSubcategory SystemIntegrity

System integrity (code integrity).

Value: 49

public const AuditSubcategory IPsecDriver

IPsec driver events.

Value: 50

public const AuditSubcategory OtherSystemEvents

Other System events.

Value: 51