I found this great table, which lists the AAP GPO settings and corresponding Event IDs: http://girl-germs.com/?p=363 . If you take the Event IDs in the eventtypes.conf of the Splunk App for Windows Infrastructure, you get the folllowing table: Account Account Credential Validation 4776 Audit Kerberos Authentication Service 4768,4771 Account Management Audit Distribution Group Management 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762 Audit Computer Account Management 4741, 4742, 4743 Audit User Account Management 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781 Audit Security Group Management 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764 DS Access Audit Directory Service Access 4662 Logon/Logoff Audit Account Lockout 4625 Audit Logon 4624, 4625 Policy Change Audit Audit Policy Change 4912 System Audit Security State Change 4609 Audit System Integrity 4612 Enabling the Success and Failure check boxes for each of them in Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration should to the trick. [edit 2016/01/19: added some missing event ids and GPO settings] ... View more