Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Catch All : Level 3 | Base Rule | General Information | Information |
| General Warning Message | Sub Rule | General Warning | Warning |
| General Critical Message | Sub Rule | General Critical | Critical |
| General Error Message | Sub Rule | General Error | Error |
| General Informational Message | Sub Rule | General Information | Information |
| EVID 0: Agent Isn't Reconnecting | Sub Rule | General .NET Runtime Error | Error |
| EVID 0: Component Not Installed Or Corrupted | Sub Rule | General Software Installation Error | Error |
| Evid 0 : General Warning | Sub Rule | General Warning | Warning |
| EVID 3 : WebHost Failed To Process Request | Sub Rule | Process Request Failed | Error |
| EVID 6: Citrix Service Cannot Be Started | Sub Rule | Service Start Failure | Error |
| EVID 10: Events Cannot Be Delivered | Sub Rule | General FILTER Error | Error |
| EVID 11 : VSS Writer Error Notification | Sub Rule | General VSS Error | Error |
| EVID 20 : Oracle Instance Notification | Sub Rule | General Error Information | Error |
| EVID 33: Activation Context Generation Failed | Sub Rule | Activation Failed | Error |
| EVID 33 : Port Connection Error | Sub Rule | Port Not Listening | Error |
| EVID 63 : WMI Privileged Provider Registered | Sub Rule | General Wmi Warning | Warning |
| EVID 64 : Certificate Expired Or About To Expire | Sub Rule | Certificate Expired | Warning |
| EVID 64 : Certificate Enrollment Failed | Sub Rule | Client Rejected Certificate | Warning |
| EVID 65 : Could Not Publish AD CS Revocation List | Sub Rule | Certificate Revocation List Adding Failure | Error |
| EVID 257: Volume Not Defragmented | Sub Rule | General O&O Defrag Error | Error |
| EVID 258 : Windows Defrag Activity | Sub Rule | General O&O Defrag Information | Information |
| EVID 400 : Terminal Services Gateway Message | Sub Rule | Content Services Gateway Notification | Warning |
| EVID 510 : Folder Redirection Policy Notification | Sub Rule | General Folder Redirection Warning | Warning |
| EVID 510 : ESENT Performance Notification | Sub Rule | Windows Warning Event | Warning |
| EVID 781 : COM+ Activity | Sub Rule | General COM+ Information | Information |
| EVID 900 : Office SPPS Starting | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 900 : SPP Service Starting | Sub Rule | Software Protection Service Started | Information |
| EVID 902 : SPP Service Has Started | Sub Rule | Software Protection Service Started | Information |
| EVID 902 : Office SPPS Started | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 903 : Software Protection Platform Service | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 903 : Office SPPS Stopped | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 1000 : Application Error Message | Sub Rule | General Application Error | Error |
| EVID 1000 : Auto Upgrade Not Supported | Sub Rule | Upgrade Canceled | Warning |
| EVID 1000 : Windows Performance Monitor | Sub Rule | General Perfmon Information | Information |
| EVID 1000 : Windows Interactive Services | Sub Rule | MS Windows Interactive Login | Other Audit |
| EVID 1001: Security Policy Cannot Be Propagated | Sub Rule | General POLICY Error | Error |
| EVID 1001 : Windows Performance Monitor | Sub Rule | General Perfmon Information | Information |
| EVID 1001 : Windows Error Reporting | Sub Rule | General Application Error Information | Information |
| EVID 1003 : Office SPPS Completed Licensing Check | Sub Rule | License Valid | Information |
| EVID 1003 : SPP Completed Licensing Check | Sub Rule | License Valid | Information |
| EVID 1008 : Performance Data Access Denied | Sub Rule | Access Object Failure | Access Failure |
| EVID 1013 : MsiInstaller Information | Sub Rule | General MsiInstaller Information | Information |
| EVID 1013 : MsiInstaller Error Notification | Sub Rule | General MsiInstaller Error | Error |
| EVID 1015 : Failed To Connect Server | Sub Rule | Windows Installer Failed to Connect to Server | Warning |
| EVID 1015 : MsiInstaller Information | Sub Rule | General MsiInstaller Warning | Warning |
| EVID 1020: Error Processing Registry Parameters | Sub Rule | Invalid Registry Value | Error |
| EVID 1023 : Cannot Load Extensible Counter DLL | Sub Rule | Failed To Load Module | Error |
| EVID 1026 : Process Error - Unhandled Exception | Sub Rule | Unhandled Exception | Error |
| EVID 1033 : Office SPPS Startup Or Shutdown | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 1033 : SPP Policies Excluded | Sub Rule | Policy Disabled : System | Policy |
| EVID 1034 : SPP Duplicate Policy Found | Sub Rule | General Policy | Other Audit |
| EVID 1066 : SPPS Startup Or Shutdown | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 1101 : Service Failed - No VDA Available | Sub Rule | Service Broker Message Undeliverable | Warning |
| EVID 1101: Failed To Compile Service | Sub Rule | General .NET Runtime Optimization Svc Error | Error |
| EVID 1103 : Printer Access Failure | Sub Rule | Printer Stalled | Warning |
| EVID 1104 : Printer Auto-creation Failed | Sub Rule | Printer Not Ready | Warning |
| EVID 1106 : Printer Auto-creation Failed | Sub Rule | Printer Not Ready | Warning |
| EVID 1110: Service Stopped | Sub Rule | General .NET Runtime Optimization Svc Error | Error |
| EVID 1116: Error During Printer Autocreation | Sub Rule | Printer Not Ready | Warning |
| EVID 1202 : User Account Not Resolvable To SID | Sub Rule | Computer Logon Failure | Authentication Failure |
| EVID 1309 : ASP.NET Request Timed Out | Sub Rule | Operation Timed Out | Warning |
| EVID 1505 : Cannot Load User Profile | Sub Rule | Authorization Profiles Not Found | Error |
| EVID 1511 : User Logged On Using Temporary Profile | Sub Rule | Authorization Profiles Not Found | Error |
| EVID 1515 : User Logged On Using Temporary Profile | Sub Rule | Authorization Profiles Not Found | Error |
| EVID 1530 : Registry File Still In Use - Unloading | Sub Rule | Registry File Currently In Use By Another App | Warning |
| EVID 1542 : Cannot Load Classes Registry File | Sub Rule | File Not Found | Error |
| EVID 1704 : GPO Information | Sub Rule | Group Policy Retrieved | Other Audit Success |
| EVID 2004 : Cannot Open Server Service Perf Object | Sub Rule | Access Object Failure | Access Failure |
| EVID 2017 : PerfOS Event Notification | Sub Rule | General PerfOS Warning | Warning |
| EVID 2019: SNMP Agent Initialized Incorrectly | Sub Rule | SNMP Initialization Failed | Error |
| EVID 3001 : Windows Performance Monitor | Sub Rule | General Perfmon Information | Information |
| EVID 3005: Seek To End Of Log Failed | Sub Rule | Error Detecting End Of Line | Error |
| EVID 4005: Windows Logon Process Terminated | Sub Rule | General Winlogon Error | Error |
| EVID 4018 : DX Spooling | Sub Rule | General SpoolerCtrs Warning | Warning |
| EVID 4098 : Service Does Not Exist | Sub Rule | Process Does Not Exist | Information |
| EVID 4101 : WinLogon - Windows License Validated | Sub Rule | General Winlogon Information | Information |
| EVID 4103 : Object Access Failure | Sub Rule | Access Object Failure | Access Failure |
| EVID 4156 : MSDTC Information | Sub Rule | General MSDTC Information | Information |
| EVID 4404:Tracing System Initialization Failed | Sub Rule | The Trace Was Unable To Initialize | Error |
| EVID 4407:Tracing System Initialization Failed | Sub Rule | The Trace Was Unable To Initialize | Error |
| EVID 4609 : COM+ Bad Return Code | Sub Rule | General COM+ Error | Error |
| EVID 5017 : LR Agent Connection Forcibly Closed | Sub Rule | Connection Closed | Network Traffic |
| EVID 5121 : OCSP Responder Service Stopped | Sub Rule | OCSP Response Error | Error |
| EVID 5605 : Wmi Notification | Sub Rule | General Wmi Warning | Warning |
| EVID 6000 : Winlogon Unavailable | Sub Rule | General Winlogon Warning | Warning |
| EVID 6003 : Winlogon Unavailable - Critical Event | Sub Rule | General Winlogon Error | Error |
| EVID 6004 : Subscriber Failure Notification | Sub Rule | General Winlogon Warning | Warning |
| EVID 6005 : Subscriber Notification | Sub Rule | General Winlogon Warning | Warning |
| EVID 6006 : Subscriber Notification | Sub Rule | General Winlogon Warning | Warning |
| EVID 8001: LR Agent Unable To Resolve Virtual Host | Sub Rule | Unable To Resolve Dynamic Address Object | Information |
| EVID 8194: User Policy Cannot Be Removed | Sub Rule | Policy Cannot Be Removed | Error |
| EVID 8194: Policy Cannot Be Removed | Sub Rule | Policy Cannot Be Removed | Error |
| EVID 8197 : SLUI.exe Launched With Parameters | Sub Rule | Process/Service Started | Startup and Shutdown |
| EVID 8200: License Acquisition Failure Details | Sub Rule | License Error | Error |
| EVID 8208: Acquisition Of Ticket Failed | Sub Rule | Failed To Acquire Credentials | Error |
| EVID 8211: Windows License Update Failed | Sub Rule | License Update Failed | Error |
| EVID 8230 : VSS Warning Message | Sub Rule | General VSS Warning | Warning |
| EVID 8230 : SPP Schedule Information | Sub Rule | General Schedule Information | Information |
| EVID 9002 : DWM Unable To Start | Sub Rule | Desktop Window Manager Unable To Start | Error |
| EVID 9003 : DWM Unable To Start | Sub Rule | Desktop Window Manager Unable To Start | Error |
| EVID 9009 : DWM Has Exited | Sub Rule | Desktop Manager Exited | Information |
| EVID 10000 : WSUS Information | Sub Rule | General WSUSService Information | Information |
| EVID 10000 : Windows Restart Manager | Sub Rule | Session State Changed | Other Audit |
| EVID 10001 : Windows Restart Manager | Sub Rule | Session State Changed | Other Audit |
| EVID 10109: LR Agent Acceptance Error Received | Sub Rule | Connection Rejected | Information |
| EVID 12288 : Windows Activation VKM Information | Sub Rule | General Windows Product Activation Information | Information |
| EVID 12288 : Volume Shadow Copy Error | Sub Rule | General VSS Error | Error |
| EVID 12289 : VSS Error Notification | Sub Rule | General VSS Error | Error |
| EVID 12289 : Windows Activation VKM Warning | Sub Rule | License Approaching Limit | Error |
| EVID 12289 : Office Activation Response | Sub Rule | General Windows Product Activation Information | Information |
| EVID 12293: DNS Signature Failed To Verify | Sub Rule | General DNS Error | Error |
| EVID 12294 : SPP Information | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 16384 : Office Licensing Status Check | Sub Rule | General Windows Product Activation Information | Information |
| EVID 16384 : SPP Scheduled For Restart | Sub Rule | Scheduled Task Created | Information |
| EVID 16385: Failed To Schedule SPP Service | Sub Rule | General Schedule Error | Error |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| N/A | `<process>` | Text/String |
| Provider name | `<vendorinfo>` | Text/String |
| Eventid | `<vmid>` | Number |
| Level | `<severity>` | Text/String |
| Computer | `<dname>` | Text/String |
| processid | `<processid>` | Number |
| threadid | `<session>` | Number |
| userid | `<domain>` | Text/String |
| N/A | `<login>` | Text/String |
| IP | `<sip>` | Number |
| N/A | `<object>` | Text/String |