diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md index 51db21d..95b67d1 100644 --- a/Forensics/Windows Event Logs.md +++ b/Forensics/Windows Event Logs.md 
@@ -55,34 +55,46 @@ The `subject` is the account doing an action on an `object`. their password * **4724**: Attempt to reset the account password. The user attempts to reset the password of another account -* **4725**: Account disable +* **4725**: Account disabled * **4726**: Account removed from systemved from system -* **4728**: Attempt to add an account to a global security group +* **4728**: Attempt to add an account to a global security group (logged domain wide) * **4729**: Attempt to remove an account from a global security group -* **4732**: User was added to a security group (like Administrators) +* **4732**: User was added to a security group (like Administrators, logged on local or DC) * **4733**: User was removed from a security group (like Administrators) * **4738**: User account properties were changed * **4740**: User account was locked after repeated attempt of access -* **4756**: Attempt to add an account to a universal security group +* **4756**: Attempt to add an account to a universal security group (logged on entire ad forest) * **4757**: Attempt to remove an account from a universal security group * **4768**: Kerberos TGT request * **4769**: Kerberos TGS request * **4771**: Kerberos pre-auth failure +* **4776**: Validate NTLM credentials at DC. This happens when the resource is + accessed via IP address, for legacy applications without Kerberos support or + auth between untrusted DC domains ### Account Logon These can be found via `Event Viewer` under `Windows Logs` -> `Security`. The `Logon ID` is the session identifier. -* **4624**: Successful logon/login +* **4624**: Successful logon/login, Session created on target resource * **4625**: Failed logon/login * **4634** and **4647**: Logoff * **4779**: Session disconnect +### Active Directory Objects + +* **5136**: Attribute-level modification on AD object (e.g. 
Group Policy Objects) +* **5140**: Object Access + ### Logon Types -* **10**: RDP +* **2**: Interactive * **3**: Network +* **4**: Batch +* **5**: Service +* **7**: Unlock +* **10**: RDP ### Scheduled Tasks
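Review bot: Under the new `### Active Directory Objects` heading, `5140: Object Access` is mislabelled: 5140 is the "network share object was accessed" event (File Share auditing), not an AD object event, so it belongs in a file share section, and the AD-side counterpart for object access is the Directory Service Access event 4662 (a known event ID, not taken from this patch). Also, since this hunk already touches the 4725/4726 area, the context line `* **4726**: Account removed from systemved from system` carries a duplicated-tail typo that this change could fix in the same pass.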