Event severity

Why event severity matters

Not all Active Directory events are equally important.

Some changes represent routine administrative activity. Others may indicate a security breach in progress.

Event severity helps you:

  • Focus on what actually matters

  • Reduce noise in high-volume environments

  • Identify risky or suspicious activity quickly

  • Prioritize investigation and response

Without severity, an audit stream becomes overwhelming - especially with high-volume events like authentication logs.

How severity works

Each audit event is assigned a severity level based on its potential security impact.

At a high level:

  • Critical: High-risk activity or potential compromise

  • Unclassified (or Informational): Routine or lower-risk activity

The goal is not to classify everything—it’s to highlight what needs attention.

This is intentional. Over-classification (low/medium/high everywhere) adds noise instead of clarity.

What makes an event "critical"

Critical events follow a simple principle:

Events that increase privilege, weaken security controls, enable persistence, or indicate active attack activity are considered critical.

Examples of critical events

Privilege escalation

  • User added to Domain Admins or other privileged groups

  • adminCount changes from 0 to 1

  • Privileged account re-enabled

Persistence and delegation

  • Unconstrained delegation enabled

  • msDS-AllowedToDelegateTo modified

  • Service Principal Names (SPNs) added

Security boundary changes

  • Changes to Domain or Kerberos policy

  • GPO security descriptor modifications

  • AdminSDHolder changes

Suspicious authentication activity

  • Repeated logon failures

  • Kerberos anomalies (for example, unusual ticket behavior)

  • Privileged logon events

These events are high-signal and should be investigated immediately.
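The principle above, as an added example of how a classifier could apply it to a stream of audit events; this is not the product's own code, and the event dictionary layout, the privileged-group list and the logon-failure threshold are assumptions:

```python
# Added example: minimal severity classifier for Active Directory audit events.
# The event dict layout, group list and failure threshold are assumptions.
from collections import Counter

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
UF_ACCOUNTDISABLE = 0x0002            # standard userAccountControl flag
UF_TRUSTED_FOR_DELEGATION = 0x80000   # standard flag: unconstrained delegation
DELEGATION_ATTRS = {"msDS-AllowedToDelegateTo", "servicePrincipalName"}
LOGON_FAILURE_THRESHOLD = 5           # assumed value; tune per environment


def classify(event: dict) -> str:
    """Return 'Critical' or 'Unclassified' for a single event."""
    kind, obj = event["type"], event.get("object", "")
    if kind == "group_member_added" and event["group"] in PRIVILEGED_GROUPS:
        return "Critical"                              # privilege escalation
    if kind == "attribute_modified":
        attr, old, new = event["attribute"], event.get("old"), event.get("new")
        if attr == "adminCount" and not old and new == 1:
            return "Critical"                          # adminCount 0 -> 1
        if attr == "userAccountControl":
            old, new = old or 0, new or 0
            if new & UF_TRUSTED_FOR_DELEGATION and not old & UF_TRUSTED_FOR_DELEGATION:
                return "Critical"                      # unconstrained delegation enabled
            if old & UF_ACCOUNTDISABLE and not new & UF_ACCOUNTDISABLE and event.get("adminCount") == 1:
                return "Critical"                      # privileged account re-enabled
        if attr in DELEGATION_ATTRS and old != new:
            return "Critical"                          # delegation target or SPN changed
        if "CN=AdminSDHolder,CN=System" in obj:
            return "Critical"                          # any AdminSDHolder change
        if "CN=Policies,CN=System" in obj and attr == "nTSecurityDescriptor":
            return "Critical"                          # GPO security descriptor change
    return "Unclassified"


def classify_stream(events: list) -> list:
    """Classify in order; repeated logon failures for one account become critical."""
    failures, out = Counter(), []
    for ev in events:
        sev = classify(ev)
        if ev["type"] == "logon_failure":
            failures[ev["account"]] += 1
            if failures[ev["account"]] >= LOGON_FAILURE_THRESHOLD:
                sev = "Critical"
        out.append(sev)
    return out


# Constructed sample events (not real audit data)
SAMPLE = [
    {"type": "attribute_modified", "object": "CN=jdoe,OU=Users,DC=corp,DC=example", "attribute": "department", "old": "Sales", "new": "Finance"},
    {"type": "group_member_added", "group": "Domain Admins", "member": "jdoe"},
    {"type": "attribute_modified", "object": "CN=svc-web,OU=Svc,DC=corp,DC=example", "attribute": "userAccountControl", "old": 0x200, "new": 0x80200},
    {"type": "attribute_modified", "object": "CN=AdminSDHolder,CN=System,DC=corp,DC=example", "attribute": "nTSecurityDescriptor", "old": "sd-before", "new": "sd-after"},
] + [{"type": "logon_failure", "account": "jdoe"}] * 5
```

Running `classify_stream(SAMPLE)` flags the group addition, the delegation flag, the AdminSDHolder change and the fifth logon failure, while the department change and the first four failures stay unclassified.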

What is not marked as critical

Many events are useful for context, but not inherently risky.

Examples include:

  • Routine user attribute changes

  • Standard account lifecycle operations

  • Normal authentication activity (logon/logoff)

  • Replication metadata updates

These events are still captured and searchable but not highlighted.

Severity in the user interface

In the audit view:

  • Critical events are clearly highlighted

  • Non-critical events appear as standard entries

  • Filters allow you to:

      • Show only critical events

      • Include/exclude authentication activity

      • Focus on specific users, objects, or time ranges

This allows both:

  • Quick triage (what needs attention now)

  • Deep investigation (what exactly happened)
