diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md index a2b5041..426f661 100644 --- a/Forensics/Windows Event Logs.md +++ b/Forensics/Windows Event Logs.md @@ -84,6 +84,13 @@ The `Logon ID` is the session identifier. `net use /user:`) * **4779**: Session disconnect +### AD & Entra ID + +* **50126**: Invalide username or password +* **50053**: Account locked, because too many attempts were failed +* **50074**: MFA required but not provided +* **50055**: Password expired + ### Active Directory Objects * **5136**: Attribute-level modification on AD object (e.g. Group Policy Objects) @@ -91,6 +98,14 @@ The `Logon ID` is the session identifier. * **5140**: Object Access * **5145**: Shared Access +#### Network Policy Server + +RADIUS connection via VPN. + +* **6272**: Network Policy Server granted access (e.g. VPN login) +* **6273**: Network Policy Server denied access (e.g. VPN login failed) +* **6274**: Network Policy Server discarded the request (e.g. incorrect request) + ### Logon Types * **2**: Interactive
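Review bot: In the first hunk (`@@ -84,6 +84,13 @@`), the new "AD & Entra ID" list does not say which log these four codes come from. Every neighbouring entry in this file (4779, 5136, 5140, 5145) is a Windows Security event ID, while 50126, 50053, 50074 and 50055 look like Entra ID sign-in error codes, which would not turn up in a Windows event log search. Add a one-line intro under the heading naming the log source and the field that holds the code, and consider whether "AD" belongs in the heading if on-premises AD does not emit them. Wording on the added lines: "Invalide" should be "Invalid", and "because too many attempts were failed" reads better as "after too many failed attempts".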
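Review bot: In the second hunk (`@@ -91,6 +98,14 @@`), `#### Network Policy Server` is added at heading level 4 directly after the 5140/5145 entries, which nests it under `### Active Directory Objects`. NPS access decisions are not AD object events, and the sibling sections (`### Active Directory Objects`, `### Logon Types`) use level 3, so `### Network Policy Server` would fit the existing structure. The intro line "RADIUS connection via VPN." is a fragment; a full sentence saying these events are logged on the NPS server handling RADIUS authentication (VPN being one example) would be clearer. For 6274, "incorrect request" is vague, so say what kind of request gets discarded if that is known.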