Mapping Windows Event IDs, Policies, and Monitoring Recommendations
I attempted to map Windows Security Event IDs to their audit policies, Microsoft recommendations, and other third-party forwarding guidance. MITRE ATT&CK techniques, event volume, and event criticality are not included at this time. This sheet was prompted by Christophe's question on Twitter, quoted below.
I was able to map about 409 events, but I am not sure about the last 40 rows. Columns G through J come from the specific web page for each audit policy. Those per-policy recommendations often differ from the Microsoft Audit Policy Recommendations page; I would be interested to learn why. Blanks in columns O through R can be read as "no". Some of how I filled out the sheet made sense in the moment, but I can see how it could be confusing. Let me know if you have any questions. The second tab includes some relevant links.
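One practical use of an Event ID to audit policy mapping is to check whether a host's current audit policy will actually produce the events you expect to forward. The script below is an added example, not code from the author or the spreadsheet: it takes a small constructed sample of the sheet's core columns (event ID, subcategory, category, recommended setting, using well-known pairings such as 4688 to Process Creation), parses a constructed `auditpol /get /category:* /r` CSV export, and reports which recommended outcomes (Success, Failure, or both) are missing per event. The column names in the sample mapping, the `WS01` host name and the function names are assumptions for the example.

```python
import csv
from io import StringIO

# Constructed sample of the sheet's core columns (event ID -> audit subcategory -> category,
# plus the Microsoft-recommended setting). These rows are well-known pairings chosen for
# illustration; they are NOT copied from the author's spreadsheet.
EVENT_MAP_CSV = """event_id,description,subcategory,category,recommended_setting
4624,An account was successfully logged on,Logon,Logon/Logoff,Success and Failure
4625,An account failed to log on,Logon,Logon/Logoff,Success and Failure
4672,Special privileges assigned to new logon,Special Logon,Logon/Logoff,Success
4688,A new process has been created,Process Creation,Detailed Tracking,Success
4698,A scheduled task was created,Other Object Access Events,Object Access,Success and Failure
4720,A user account was created,User Account Management,Account Management,Success and Failure
4769,A Kerberos service ticket was requested,Kerberos Service Ticket Operations,Account Logon,Success and Failure
4776,The computer attempted to validate the credentials for an account,Credential Validation,Account Logon,Success and Failure
"""

# Constructed sample of `auditpol /get /category:* /r` output (CSV) from a single host.
# The Subcategory GUID column is left blank here; a real export carries the GUID.
AUDITPOL_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Logon,,Success and Failure,
WS01,System,Special Logon,,Success,
WS01,System,Process Creation,,No Auditing,
WS01,System,Other Object Access Events,,No Auditing,
WS01,System,User Account Management,,Success,
WS01,System,Kerberos Service Ticket Operations,,Success,
WS01,System,Credential Validation,,Failure,
"""


def setting_to_outcomes(setting: str) -> frozenset:
    """Translate an auditpol-style setting string into the set of audited outcomes."""
    s = setting.strip().lower()
    if s == "success and failure":
        return frozenset({"Success", "Failure"})
    if s == "success":
        return frozenset({"Success"})
    if s == "failure":
        return frozenset({"Failure"})
    return frozenset()  # "No Auditing" or anything unrecognised: nothing audited


def parse_event_map(text: str) -> dict:
    """Event ID -> {description, subcategory, category, required outcomes}."""
    rows = {}
    for r in csv.DictReader(StringIO(text)):
        rows[int(r["event_id"])] = {
            "description": r["description"],
            "subcategory": r["subcategory"],
            "category": r["category"],
            "required": setting_to_outcomes(r["recommended_setting"]),
        }
    return rows


def parse_auditpol(text: str) -> dict:
    """Subcategory name -> outcomes actually enabled on the host."""
    return {
        r["Subcategory"].strip(): setting_to_outcomes(r["Inclusion Setting"])
        for r in csv.DictReader(StringIO(text))
    }


def coverage_gaps(event_map: dict, enabled: dict) -> list:
    """Events whose recommended outcomes are not all enabled on the host.

    Returns (event_id, subcategory, missing_outcomes) tuples sorted by event ID.
    A subcategory absent from the auditpol export is treated as not audited.
    """
    gaps = []
    for eid, info in sorted(event_map.items()):
        missing = info["required"] - enabled.get(info["subcategory"], frozenset())
        if missing:
            gaps.append((eid, info["subcategory"], missing))
    return gaps


if __name__ == "__main__":
    gaps = coverage_gaps(parse_event_map(EVENT_MAP_CSV), parse_auditpol(AUDITPOL_CSV))
    for eid, sub, missing in gaps:
        print(f"{eid}: enable {'/'.join(sorted(missing))} auditing for '{sub}'")
```

Two caveats when running this against real exports: matching is by subcategory name, so it assumes English-language auditpol output (the GUID column is the locale-independent key if you need one), and a subcategory being enabled is necessary but not always sufficient. For instance, 4688 will be generated once Process Creation auditing is on, but the command line only appears in the event if the separate "Include command line in process creation events" policy is also enabled.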
"Anyone know if a mapping 'ATT&CK Techniques <-> Windows Event IDs' and 'Windows Event IDs <-> Windows Audit Policies to enable' exists?" -@christophetd