I found this great table, which lists the AAP GPO settings and corresponding Event IDs: http://girl-germs.com/?p=363 . If you take the Event IDs in the eventtypes.conf of the Splunk App for Windows Infrastructure, you get the following table:
Account
  Account Credential Validation: 4776
  Audit Kerberos Authentication Service: 4768, 4771
Account Management
  Audit Distribution Group Management: 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762
  Audit Computer Account Management: 4741, 4742, 4743
  Audit User Account Management: 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781
  Audit Security Group Management: 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764
DS Access
  Audit Directory Service Access: 4662
Logon/Logoff
  Audit Account Lockout: 4625
  Audit Logon: 4624, 4625
Policy Change
  Audit Audit Policy Change: 4912
System
  Audit Security State Change: 4609
  Audit System Integrity: 4612
Enabling the Success and Failure check boxes for each of them in Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration should do the trick.
[edit 2016/01/19: added some missing event ids and GPO settings]
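To confirm on a host that the GPO actually took effect, the following added example (not part of the original post or of the Splunk app) parses saved output of `auditpol /get /category:*` and reports which of the subcategories listed above are not set to both Success and Failure. It assumes English-locale output and uses auditpol's subcategory names, which omit the "Audit " prefix shown in the GPO editor; the sample text is constructed.

```python
import re

# auditpol subcategory names for the settings listed in the post
# (assumption: English-locale names, without the GPO "Audit " prefix).
REQUIRED = [
    "Credential Validation", "Kerberos Authentication Service",
    "Distribution Group Management", "Computer Account Management",
    "User Account Management", "Security Group Management",
    "Directory Service Access", "Account Lockout", "Logon",
    "Audit Policy Change", "Security State Change", "System Integrity",
]

# Constructed sample of `auditpol /get /category:*` output, not from a real host.
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
System
  Security State Change                   Success and Failure
  System Integrity                        Success
Logon/Logoff
  Logon                                   Success and Failure
  Account Lockout                         No Auditing
Account Logon
  Credential Validation                   Failure
"""

SETTINGS = {"Success and Failure": {"Success", "Failure"},
            "Success": {"Success"}, "Failure": {"Failure"}, "No Auditing": set()}
# Subcategory rows are indented; name and setting are separated by 2+ spaces.
ROW = re.compile(r"^\s+(\S.*?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$")

def parse_auditpol(text):
    """Return {subcategory: set of audited outcomes} from auditpol output."""
    policy = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            policy[m.group(1)] = SETTINGS[m.group(2)]
    return policy

def audit_gaps(text, required=REQUIRED):
    """Return {subcategory: missing outcomes}; absent rows count as unaudited."""
    policy = parse_auditpol(text)
    gaps = {}
    for name in required:
        missing = {"Success", "Failure"} - policy.get(name, set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps
```

Any subcategory reported here will leave the matching Event IDs in the table missing or incomplete in Splunk, regardless of how the app's eventtypes are configured.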