EVID 4608 : System Starting (Security)
Event Details
Event Type | System Starting |
---|---|
Event Description | 4608(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started. |
Event IDs | 4608 |
Log Fields and Parsing
This section lists the log fields available for this log message type, along with the values parsed for each field under the LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that no value is parsed for that log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
Provider | N/A | N/A |
EventID | <vmid> | <vmid> |
Version | N/A | N/A |
Level | N/A | <severity> |
Task | N/A | <vendorinfo> |
Opcode | N/A | N/A |
Keywords | <tag1> | <result>, <tag2> |
TimeCreated | N/A | N/A |
EventRecordID | N/A | N/A |
Correlation | N/A | N/A |
Execution | N/A | N/A |
ProcessID | N/A | N/A |
Channel | N/A | N/A |
Computer | <dname> | <dname> |
EventData | <vendorinfo>, <tag5> | N/A |
ErrorCode | N/A | <responsecode> |
SubjectUserSid | N/A | N/A |
SubjectUserName | N/A | N/A |
SubjectDomainName | N/A | N/A |
SubjectLogonId | N/A | N/A |
ObjectType | N/A | N/A |
IpAddress | N/A | N/A |
IpPort | N/A | N/A |
ShareName | N/A | N/A |
ShareLocation | N/A | N/A |
AccessMask | N/A | N/A |
AccessList | N/A | N/A |
RelativeTargetName | N/A | N/A |
ShareLocationPath | N/A | N/A |
Accesses | N/A | N/A |
FileName | N/A | N/A |
Provider Name | N/A | N/A |
Sub-layer Name | N/A | N/A |
User Data | <tag5> | N/A |
Log Processing Settings
This section details the log processing changes made between the LogRhythm Default policy and LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules so that log message types are parsed appropriately according to their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1000644 | EVID 4608 : System Starting | Base Rule | System Starting | Startup and Shut Down |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|---|
| 1011079 | V 2.0 : Catch All | Base Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 4649 : Replay Attack Detected | Sub Rule | Attack | Replay Activity |
| | V 2.0 : EVID 4675 : SIDs Were Filtered | Sub Rule | Other Audit | SIDs Filtered |
| | V 2.0 : EVID 4765 : SID History Added To Account | Sub Rule | Account Modified | User Account Attribute Modified |
| | V 2.0 : EVID 4766 : SID History Add Failed | Sub Rule | Access Failure | Modify Object Attribute Failure |
| | V 2.0 : EVID 5378 : Credential Delegation Disallowed | Sub Rule | Access Failure | Access Object Failure |
| | V 2.0 : EVID 4709 : IPSEC - Service Started | Sub Rule | Startup and Shutdown | Process/Service Started |
| | V 2.0 : EVID 4710 : IPSEC - Service Disabled | Sub Rule | Startup and Shutdown | Process/Service Stopped |
| | V 2.0 : EVID 4711 : PAStore - General Event | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 4712 : IPSEC - Fatal Error Encounter | Sub Rule | Critical | General IPSec Critical |
| | V 2.0 : EVID 5040 : IPSEC - Auth. Set Added | Sub Rule | Configuration | Configuration Loaded : Security |
| | V 2.0 : EVID 5041 : IPSEC - Auth. Set Modified | Sub Rule | Configuration | Configuration Modified : Security |
| | V 2.0 : EVID 5042 : IPSEC - Auth. Set Deleted | Sub Rule | Configuration | Configuration Deleted : Security |
| | V 2.0 : EVID 5043 : IPSEC - Conn. Sec. Rule Added | Sub Rule | Configuration | Configuration Loaded : Security |
| | V 2.0 : EVID 5044 : IPSEC - Conn Sec Rule Modified | Sub Rule | Configuration | Configuration Modified : Security |
| | V 2.0 : EVID 5045 : IPSEC - Conn Sec Rule Deleted | Sub Rule | Configuration | Configuration Deleted : Security |
| | V 2.0 : EVID 5046 : IPSEC - Crypto Set Added | Sub Rule | Configuration | Configuration Loaded : Security |
| | V 2.0 : EVID 5047 : IPSEC - Crypto Set Modified | Sub Rule | Configuration | Configuration Modified : Security |
| | V 2.0 : EVID 5048 : IPSEC - Crypto Set Deleted | Sub Rule | Configuration | Configuration Deleted : Security |
| | V 2.0 : EVID 5440 : WFP - Callout Present At Start | Sub Rule | Information | Filtering Platform Startup State |
| | V 2.0 : EVID 5441 : WFP - Filter Present At Start | Sub Rule | Information | Filtering Platform Startup State |
| | V 2.0 : EVID 5442 : WFP - Prov. Present At Start | Sub Rule | Information | Filtering Platform Startup State |
| | V 2.0 : EVID 5443 : WFP - Prov. Cont Pres At Start | Sub Rule | Information | Filtering Platform Startup State |
| | V 2.0 : EVID 5444 : WFP - Sub-Layer Pres At Start | Sub Rule | Information | Filtering Platform Startup State |
| | V 2.0 : EVID 5446 : WFP - Callout Changed | Sub Rule | Configuration | Configuration Modified : Security |
| | V 2.0 : EVID 5449 : WFP - Prov. Context Changed | Sub Rule | Configuration | Configuration Modified : Security |
| | V 2.0 : EVID 5448 : WFP - Provider Changed | Sub Rule | Configuration | Configuration Modified : Security |
| | V 2.0 : EVID 5450 : WFP - Sub-layer Changed | Sub Rule | Configuration | Configuration Modified : Security |
| | V 2.0 : EVID 5456 : PAStore - AD IPSEC Policy Appl | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 5457 : PAStore - AD IPSEC Policy Fail | Sub Rule | Other Audit Failure | IPSEC Policy Application Failed |
| | V 2.0 : EVID 5458 : PAStore - Cached AD IPSEC Policy | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 5459 : PAStore - Cached AD IPSEC Policy | Sub Rule | Error | General IPSec Error |
| | V 2.0 : EVID 5460 : PAStore - Registry IPSEC Policy | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 5461 : PAStore - Registry IPSEC Policy | Sub Rule | Error | General IPSec Error |
| | V 2.0 : EVID 5462 : PAStore - Fail To Apply IPSEC | Sub Rule | Error | General IPSec Error |
| | V 2.0 : EVID 5463 : PAStore - Poll For IPSEC Policy | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 5464 : PAStore - Poll For IPSEC Policy | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 5465 : PAStore - IPSEC Policy Forcibly | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 5466 : PAStore - Unable To Reach AD | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 5467 : PAStore - Poll For IPSEC Policy | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 5468 : PAStore - Poll For IPSEC Policy | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 5471 : PAStore - Local IPSEC Policy Loa | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 4772 : Kerberos TGT Request Failed | Sub Rule | Other Audit Failure | Windows Audit Failure Event |
| | V 2.0 : EVID 4773 : Kerberos TGS Request Failed | Sub Rule | Access Failure | Access Object Failure |
| | V 2.0 : EVID 4774 : Account Successfully Mapped | Sub Rule | Other Audit Success | Account Mapped For Logon |
| | V 2.0 : EVID 4774 : Account Failed To Be Mapped | Sub Rule | Other Audit Failure | Account Logon Mapping Failed |
| | V 2.0 : EVID 4775 : Account Could Not Be Mapped | Sub Rule | Other Audit Failure | Account Logon Mapping Failed |
| | V 2.0 : EVID 4777 : Domain Controller Failed To Valid | Sub Rule | Other Audit Failure | Windows Audit Failure Event |
| | V 2.0 : EVID 4646 : IPSEC - DoS Prevention Mode Strt | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 4650 : IPSEC - Main Mode Security | Sub Rule | Network Traffic | IPSEC Security Association Established |
| | V 2.0 : EVID 4651 : IPSEC - Main Mode Security | Sub Rule | Network Traffic | IPSEC Security Association Established |
| | V 2.0 : EVID 4652 : IPSEC - Main Mode Negotiation | Sub Rule | Error | IPSEC Negotiation Failed |
| | V 2.0 : EVID 4653 : IPSEC - Main Mode Negotiation | Sub Rule | Error | IPSEC Negotiation Failed |
| | V 2.0 : EVID 4655 : IPSEC - Main Mode Security | Sub Rule | Network Traffic | IPSEC Security Association Ended |
| | V 2.0 : EVID 4960 : IPSEC - Inbound Pck Intrgty Flr | Sub Rule | Error | Integrity Check Failed |
| | V 2.0 : EVID 4961 : IPSEC - Inbound Packet Replay | Sub Rule | Error | Integrity Check Failed |
| | V 2.0 : EVID 4962 : IPSEC - Inbound Packet Replay | Sub Rule | Error | Integrity Check Failed |
| | V 2.0 : EVID 4963 : IPSEC - Inbound Packet In Clear | Sub Rule | Warning | General IPSec Warning |
| | V 2.0 : EVID 4965 : IPSEC - Packet Received Invalid | Sub Rule | Error | IPSEC Received Bad Packet |
| | V 2.0 : EVID 4976 : IPSEC - Main Mode Invld Negt | Sub Rule | Error | IPSEC Received Bad Packet |
| | V 2.0 : EVID 4977 : IPSEC - Quick Mode Invld Negot | Sub Rule | Error | IPSEC Received Bad Packet |
| | V 2.0 : EVID 4978 : IPSEC - Extended Mode Invalid | Sub Rule | Error | IPSEC Received Bad Packet |
| | V 2.0 : EVID 4979 : IPSEC - Main And Extended Mode | Sub Rule | Network Traffic | IPSEC Security Association Established |
| | V 2.0 : EVID 4980 : IPSEC - Main And Extended Mode | Sub Rule | Network Traffic | IPSEC Security Association Established |
| | V 2.0 : EVID 4981 : IPSEC - Main And Extended Mode | Sub Rule | Network Traffic | IPSEC Security Association Established |
| | V 2.0 : EVID 5024 : Firewall - Service Started | Sub Rule | Startup and Shutdown | Process/Service Started |
| | V 2.0 : EVID 5025 : Firewall - Service Stopped | Sub Rule | Startup and Shutdown | Process/Service Stopped |
| | V 2.0 : EVID 5027 : Firewall - ServiceUnableToRetrie | Sub Rule | Warning | Firewall Service Failed To Load Local Policy |
| | V 2.0 : EVID 5028 : Firewall - Service FailedToParse | Sub Rule | Warning | Firewall Service Failed To Load Local Policy |
| | V 2.0 : EVID 5029 : Firewall - ServiceFailedToLoadDr | Sub Rule | Warning | Driver Failed To Load |
| | V 2.0 : EVID 4982 : IPSEC - Main And Extended Mode | Sub Rule | Network Traffic | IPSEC Security Association Established |
| | V 2.0 : EVID 5030 : Firewall - Service FailedToStart | Sub Rule | Critical | Firewall Service Failed To Start |
| | V 2.0 : EVID 4983 : IPSEC - Extended Mode Negotion Fail | Sub Rule | Error | IPSEC Negotiation Failed |
| | V 2.0 : EVID 5032 : Firewall - Unable ToNotifyUser | Sub Rule | Warning | Firewall Notification Failed |
| | V 2.0 : EVID 4984 : IPSEC - Extended Mode NegotFail | Sub Rule | Error | IPSEC Negotiation Failed |
| | V 2.0 : EVID 5049 : IPSEC - Security Assoc Deleted | Sub Rule | Configuration | Configuration Deleted : Security |
| | V 2.0 : EVID 5033 : Firewall - Driver StartedSucs | Sub Rule | Startup and Shutdown | Process/Service Started |
| | V 2.0 : EVID 5451 : IPSEC - Quick Mode Security Ass | Sub Rule | Network Traffic | IPSEC Security Association Established |
| | V 2.0 : EVID 5034 : Firewall - Driver Stopped | Sub Rule | Startup and Shutdown | Process/Service Stopped |
| | V 2.0 : EVID 5452 : IPSEC - Quick Mode Security Ass | Sub Rule | Network Traffic | IPSEC Security Association Ended |
| | V 2.0 : EVID 5035 : Firewall - DriverFailedToStart | Sub Rule | Critical | Firewall Driver Startup Failed |
| | V 2.0 : EVID 5453 : IPSEC - Negotiation Failed Due | Sub Rule | Error | IPSEC Negotiation Failed |
| | V 2.0 : EVID 5478 : IPSEC - Service Started | Sub Rule | Startup and Shutdown | Process/Service Started |
| | V 2.0 : EVID 5037 : Firewall - DriverCriticalRuntime | Sub Rule | Critical | Firewall Driver Critical Condition |
| | V 2.0 : EVID 5479 : IPSEC - Service Stopped | Sub Rule | Startup and Shutdown | Process/Service Stopped |
| | V 2.0 : EVID 5480 : IPSEC - Failed To Obtain Netw | Sub Rule | Warning | IPSEC Network Interface List Failed |
| | V 2.0 : EVID 5483 : IPSEC - Failed To Initialize RPC | Sub Rule | Error | IPSEC Service Failed To Start |
| | V 2.0 : EVID 5484 : IPSEC - Critical Service Failure | Sub Rule | Critical | IPSEC Service Error Caused Shutdown |
| | V 2.0 : EVID 5485 : IPSEC - Failed To Press Filter | Sub Rule | Error | IPSEC Filter Processing Failed |
| | V 2.0 : EVID 6400 : BranchCache-IncorrectlyFrmated | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 6401 : BranchCache-InvalidPeerDataRec | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 6402 : BranchCache - IncorectlyFrmatd | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 6403 : BranchCache - IncorectlyFrmatd | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 6404 : BranchCache - UnablToAuth | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 6405 : BranchCache - Mult EventsRecv | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 6406 : BranchCache - Registration | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 6407 : BranchCache - General Event | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 6408 : BranchCache - Regt Wind Firewal | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 6409 : BranchCache - Service Conn | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 6145 : Sec Policy GPOs Fail To Apply | Sub Rule | Error | Policy Failed |
| | V 2.0 : EVID 6144 : Security Policy GPOs Applied | Sub Rule | Policy | Policy Enabled : System |
| | V 2.0 : EVID 5447 : WFP - Filter Changed | Sub Rule | Configuration | Configuration Modified : Security |
| | V 2.0 : EVID 4906 : CrashOnAuditFail Value Changed | Sub Rule | Configuration | Configuration Modified : System |
| | V 2.0 : EVID 4908 : Special Groups Logon Table Mod | Sub Rule | Configuration | Configuration Modified : System |
| | V 2.0 : EVID 4909 : Local TBS Policy Settings Mod. | Sub Rule | Policy | Policy Modified : System |
| | V 2.0 : EVID 4910 : Group TBS Policy Settings Modi | Sub Rule | Policy | Policy Modified : System |
| | V 2.0 : EVID 4902 : Per-User Policy Table Created | Sub Rule | Policy | Policy Created : System |
| | V 2.0 : EVID 4826 : Boot Configuration Data Loaded | Sub Rule | Configuration | Configuration Loaded : System |
| | V 2.0 : EVID 4864 : Namespace Collision Detected | Sub Rule | Error | Namespace Collision |
| | V 2.0 : EVID 4714 : Encrypted Data Rec Policy Mod | Sub Rule | Policy | Policy Modified : System |
| | V 2.0 : EVID 4671 : Application Attempted Access | Sub Rule | Access Failure | Access Object Failure |
| | V 2.0 : EVID 5148 : WFP - DoS Attack Detected | Sub Rule | Failed Denial of Service | Failed Network Denial Of Service |
| | V 2.0 : EVID 5149 : WFP - DoS Attack Ended | Sub Rule | Other Security | General Security |
| | V 2.0 : EVID 4608 : Windows Starting Up | Sub Rule | Startup and Shutdown | System Started |
| | V 2.0 : EVID 4612 : Audit Queuing Resources Exhaus | Sub Rule | Warning | Audit Queuing Resources Exhausted |
| | V 2.0 : EVID 4615 : Invalid LPC Port Use | Sub Rule | Misuse | Unauthorized Activity |
| | V 2.0 : EVID 4618 : User-Defined Security Event | Sub Rule | Information | General Event Log Information |
| | V 2.0 : EVID 4621 : Admin Recovrd Frm CrashOnAudi | Sub Rule | Information | Crash On Audit Fail Recovered |
| | V 2.0 : EVID 4816 : RPC Message Integrity Violation | Sub Rule | Error | RPC Integrity Violation |
| | V 2.0 : EVID 5038 : Invalid Image Hash | Sub Rule | Error | Integrity Check Failed |
| | V 2.0 : EVID 5056 : CNG - Crypto Self-Check Perf | Sub Rule | Information | Cryptographic Self Test Performed |
| | V 2.0 : EVID 5062 : CNG - Kernel Crypto Self-Check | Sub Rule | Information | Cryptographic Self Test Performed |
| | V 2.0 : EVID 5057 : CNG - Primitive Crypto Op Fail | Sub Rule | Error | Cryptographic Failure |
| | V 2.0 : EVID 5060 : CNG - Crypto Verification Fail | Sub Rule | Error | Cryptographic Failure |
| | V 2.0 : EVID 6281 : Invalid Page Hash In Image Fil | Sub Rule | Error | Integrity Check Failed |
| | V 2.0 : EVID 6410 : File Failed Security Check | Sub Rule | Failed Suspicious | Failed Suspicious Activity |
| | V 2.0 : EVID 5712 : RPC Attempted | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 4944 : WFP - Policy Active And Windows | Sub Rule | Information | Active Firewall Policy On Start |
| | V 2.0 : EVID 4949 : WFP Settings Restored To Default | Sub Rule | Configuration | Configuration Modified : Security |
| | V 2.0 : EVID 4954 : WFP - Group Policy Settings | Sub Rule | Configuration | Configuration Modified : Security |
| | V 2.0 : EVID 4783 : Basic Application Group Create | Sub Rule | Account Created | Group Created |
| | V 2.0 : EVID 4784 : Basic Application Group Change | Sub Rule | Account Modified | Group Attribute Modified |
| | V 2.0 : EVID 4785 : Member Add To Basic App Group | Sub Rule | Access Granted | Account Added To Group |
| | V 2.0 : EVID 4786 : Member Remove From Basic App | Sub Rule | Access Revoked | Account Removed From Group |
| | V 2.0 : EVID 4787 : Non-Member Add To Basic App | Sub Rule | Access Granted | Account Added To Group |
| | V 2.0 : EVID 4788 : Non-Memb Remove From Basic App | Sub Rule | Access Revoked | Account Removed From Group |
| | V 2.0 : EVID 4789 : Basic Application Group Delete | Sub Rule | Account Deleted | Group Deleted |
| | V 2.0 : EVID 4790 : LDAP Query Group Created | Sub Rule | Account Created | Group Created |
| | V 2.0 : EVID 4791 : LDAP Query Group Changed | Sub Rule | Account Modified | Group Attribute Modified |
| | V 2.0 : EVID 4934 : AD Object Attributes Replicate | Sub Rule | Information | AD Object Attributes Replicated |
| | V 2.0 : EVID 4935 : Replication Failure Begins | Sub Rule | Error | AD Replication Failure Begins |
| | V 2.0 : EVID 4936 : Replication Failure Ends | Sub Rule | Error | AD Replication Failure Ends |
| | V 2.0 : EVID 4937 : Lingering Obj Removed Frm ADRe | Sub Rule | Access Success | Object Deleted/Removed |
| | V 2.0 : EVID 4792 : LDAP Query Group Deleted | Sub Rule | Account Deleted | Group Deleted |
| | V 2.0 : EVID 4664 : File Hard Link Created | Sub Rule | Access Success | Object Created |
| | V 2.0 : EVID 4690 : Object Handle Duplicated | Sub Rule | Access Success | Object Created |
| | V 2.0 : EVID 5039 : Registry Key Virtualized | Sub Rule | Other Audit Success | Registry Key Virtualized |
| | V 2.0 : EVID 5051 : File Virtualized | Sub Rule | Other Audit Success | File Virtualized |
| | V 2.0 : EVID 5168 : SPN Check For SMB Failed | Sub Rule | Access Failure | Access Object Failure |
| | V 2.0 : EVID 6275 : NPS - Accounting Request Discard | Sub Rule | Warning | Bad Request |
| | V 2.0 : EVID 6276 : NPS - User Quarantined | Sub Rule | Other Audit | Network Policy Server Quarantined User |
| | V 2.0 : EVID 6277 : NPS - Access Granted User | Sub Rule | Access Granted | Access Granted Activity |
| | V 2.0 : EVID 6279 : NPS - User Account Locked | Sub Rule | Access Revoked | Account Locked |
| | V 2.0 : EVID 6280 : NPS - User Account Unlocked | Sub Rule | Access Granted | Account Unlocked |
| | V 2.0 : EVID 4626 : User/Device Claims Information | Sub Rule | Information | User Information |
| | V 2.0 : EVID 4666 : AM - App Attempted Operation | Sub Rule | Information | General Application Information |
| | V 2.0 : EVID 4665 : AM - App Client Context Create | Sub Rule | Information | General Application Information |
| | V 2.0 : EVID 4667 : AM - App Client Context Delete | Sub Rule | Information | General Application Information |
| | V 2.0 : EVID 4668 : AM - Application Initialized | Sub Rule | Information | General Application Information |
| | V 2.0 : EVID 4985 : Transaction State Change | Sub Rule | Information | General Transaction Information |
| | V 2.0 : EVID 1101 : Audit Events Dropped | Sub Rule | Error | Message Dropped |
| | V 2.0 : EVID 4609 : Windows Shutting Down | Sub Rule | Startup and Shutdown | System Shutting Down |
| | V 2.0 : EVID 4654 : Quick Mode Negotiation Failed | Sub Rule | Error | IPSEC Negotiation Failed |
| | V 2.0 : EVID 4797 : Blank Passwords Queried | Sub Rule | Other Audit | General Audit Message |
| | V 2.0 : EVID 4820 : TGT Denied - ACL | Sub Rule | Authentication Failure | User Logon Failure |
| | V 2.0 : EVID 4821 : TGS Denied - ACL | Sub Rule | Access Failure | Access Object Failure |
| | V 2.0 : EVID 4822 : NTLM Auth Denied | Sub Rule | Authentication Failure | User Logon Failure |
| | V 2.0 : EVID 4823 : NTLM Auth Denied | Sub Rule | Authentication Failure | User Logon Failure |
| | V 2.0 : EVID 4824 : Kerberos Pre-Auth Failed | Sub Rule | Authentication Failure | User Logon Failure |
| | V 2.0 : EVID 4825 : RDP Access Denied | Sub Rule | Authentication Failure | User Logon Failure |
| | V 2.0 : EVID 4830 : SID History Removed From Account | Sub Rule | Account Modified | User Account Attribute Modified |
| | V 2.0 : EVID 4899 : Certificate Template Updated | Sub Rule | Access Success | Object Modified |
| | V 2.0 : EVID 4900 : Certificate Template Sec Update | Sub Rule | Access Success | Object Attribute Modified |
| | V 2.0 : EVID 5150 : Firewall - Disable Attempt | Sub Rule | Suspicious | Suspicious Activity |
| | V 2.0 : EVID 5071 : Key Access Denied | Sub Rule | Access Failure | Access Object Failure |
| | V 2.0 : EVID 5146 : WFP - Packed Blocked | Sub Rule | Network Deny | Traffic Denied by Host Firewall |
| | V 2.0 : EVID 5147 : WFP - Packed Blocked | Sub Rule | Network Deny | Traffic Denied by Host Firewall |
| | V 2.0 : EVID 5151 : File Virtualized | Sub Rule | Other Audit Success | File Virtualized |
| | V 2.0 : EVID 5170 : AD Object Modified | Sub Rule | Access Success | Object Modified |
| | V 2.0 : EVID 5472 : PAStore - Local IPSEC Policy Fail | Sub Rule | Error | General IPSec Error |
| | V 2.0 : EVID 5473 : PAStore - Directory Storage IPSEC | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 5477 : PAStore - Failed To Add Quick Mod | Sub Rule | Information | General IPSEC Message |
| | V 2.0 : EVID 6278 : NPS - Full Access Granted To User | Sub Rule | Access Granted | Access Granted Activity |
| | V 2.0 : EVID 6417 : FIPS Selftest Passed | Sub Rule | Information | Cryptographic Self Test Performed |
| | V 2.0 : EVID 6418 : FIPS Selftest Failed | Sub Rule | Error | Cryptographic Failure |
| | V 2.0 : EVID 4868 : CS - Certificate Manager Denied | Sub Rule | Warning | Certificate Manager Denied Pending Cert Request |
| | V 2.0 : EVID 4869 : CS - Received Resubmitted Cert | Sub Rule | Other Audit | Certificate Services Rcvd Resubmitted Cert Request |
| | V 2.0 : EVID 4870 : CS - Certificate Revoked | Sub Rule | Other Audit | Certificate Services Rcvd Resubmitted Cert Request |
| | V 2.0 : EVID 4871 : CS - CRL Publication Request Rcvd | Sub Rule | Information | Certificate Svcs Received Request To Publish CRL |
| | V 2.0 : EVID 4872 : CS - CRL Published | Sub Rule | Information | Certificate Services Published CRL |
| | V 2.0 : EVID 4873 : CS - Certificate Request Extn | Sub Rule | Information | Certificate Request Extension Changed |
| | V 2.0 : EVID 4874 : CS - Certificate Request Change | Sub Rule | Information | Certificate Request Attributes Changed |
| | V 2.0 : EVID 4875 : CS - Shutdown Request Received | Sub Rule | Startup and Shutdown | Process/Service Startup Or Shutdown Activity |
| | V 2.0 : EVID 4876 : CS - Backup Started | Sub Rule | Information | Backup Active |
| | V 2.0 : EVID 4877 : CS - Backup Complete | Sub Rule | Information | Backup Completed |
| | V 2.0 : EVID 4878 : CS - Restore Started | Sub Rule | Information | Backup Restored |
| | V 2.0 : EVID 4879 : CS - Restore Completed | Sub Rule | Information | Backup Restored |
| | V 2.0 : EVID 4880 : CS - Services Started | Sub Rule | Startup and Shutdown | Process/Service Started |
| | V 2.0 : EVID 4881 : CS - Services Stopped | Sub Rule | Startup and Shutdown | Process/Service Stopped |
| | V 2.0 : EVID 4882 : CS - Security Permissions Modified | Sub Rule | Configuration | Configuration Modified : Application |
| | V 2.0 : EVID 4883 : CS - Archived Key Retrieved | Sub Rule | Information | Certificate Services Retrieved Archived Key |
| | V 2.0 : EVID 4884 : CS - Certificate Imported | Sub Rule | Information | Certificate Services Imported Certificate |
| | V 2.0 : EVID 4885 : CS - Audit Filter Modified | Sub Rule | Configuration | Configuration Modified : Application |
| | V 2.0 : EVID 4886 : CS - Certificate Request Received | Sub Rule | Other Audit Success | Certificate Services Received Certificate Request |
| | V 2.0 : EVID 4887 : CS - Certificate Issued | Sub Rule | Information | Certificate Services Issued Certificate |
| | V 2.0 : EVID 4888 : CS - Certificate Request Denied | Sub Rule | Warning | Certificate Services Denied Certificate Request |
| | V 2.0 : EVID 4889 : CS - Certificate Request Status | Sub Rule | Information | Certificate Services Set Cert Status To Pending |
| | V 2.0 : EVID 4890 : CS - Certificate Manager Settings | Sub Rule | Configuration | Configuration Modified : Application |
| | V 2.0 : EVID 4891 : CS - Configuration Entry Modified | Sub Rule | Configuration | Configuration Modified : Application |
| | V 2.0 : EVID 4892 : CS - Property Modified | Sub Rule | Configuration | Configuration Modified : Application |
| | V 2.0 : EVID 4893 : CS - Key Archived | Sub Rule | Information | Certificate Services Archived A Key |
| | V 2.0 : EVID 4894 : CS - Key Imported And Archived | Sub Rule | Information | Certificate Services Imported And Archived Key |
| | V 2.0 : EVID 4895 : CS - ADDS CA Certificate Published | Sub Rule | Information | Certificate Services Published CA Certificate |
| | V 2.0 : EVID 4896 : CS - Rows Deleted From Database | Sub Rule | Information | Certificate Services Database Rows Deleted |
| | V 2.0 : EVID 4897 : CS - Role Separation Enabled | Sub Rule | Configuration | Configuration Modified : Application |
| | V 2.0 : EVID 4898 : CS - Template Loaded | Sub Rule | Information | Certificate Services Loaded Template |
| | V 2.0 : EVID 5120 : CS - OCSP Responder Started | Sub Rule | Startup and Shutdown | Process/Service Started |
| | V 2.0 : EVID 5121 : CS - OCSP Responder Stopped | Sub Rule | Startup and Shutdown | Process/Service Stopped |
| | V 2.0 : EVID 5122 : CS - OCSP Config Changed | Sub Rule | Configuration | Configuration Modified : Application |
| | V 2.0 : EVID 5123 : CS - OCSP Config Changed | Sub Rule | Configuration | Configuration Modified : Application |
| | V 2.0 : EVID 5124 : CS - OCSP Security Changed | Sub Rule | Configuration | Configuration Modified : Application |
| | V 2.0 : EVID 5125 : CS - OCSP Request | Sub Rule | Other Audit Success | Request Received |
| | V 2.0 : EVID 5126 : CS - OCSP Signer Updated | Sub Rule | Configuration | Configuration Modified : Application |
| | V 2.0 : EVID 5127 : CS - OCSP Provider Updated | Sub Rule | Configuration | Configuration Modified : Application |