Event Details
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | N/A | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <tag1> | <result>, <tag2> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Processid | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| SubjectUserName | <login>, <tag2> | N/A |
| SubjectDomainName | <domain> | N/A |
| SubjectLogonId | <session> | N/A |
| ObjectType | <tag3>, <subject> | N/A |
| ObjectName | <object> | N/A |
| HandleId | <objectname> | N/A |
| ProcessId | <processid> | N/A |
| ProcessName | <process> | N/A |
| operationtype | N/A | N/A |
| AccessList | N/A | N/A |
| Accessmask | <status> | N/A |
| EventData | <tag4>, <vendorinfo> | N/A |
| Account Name | <login> | N/A |
| Account Domain | <domain> | N/A |
| LogonId | <session> | N/A |
| Accesses | <command> | N/A |
| properties | <action> | N/A |
| Default Property Set | <objecttype> | N/A |
| Error code | N/A | <responsecode> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1000607 | Object Access | Base Rule | Object Accessed | Access Success |
| | EVID 4656 : Object Opened | Sub Rule | Object Read | Access Success |
| | EVID 4656 : Object Open Failed | Sub Rule | Access Object Failure | Access Failure |
| | EVID 4657 : Registry Value Modified | Sub Rule | Object Modified | Access Success |
| | EVID 4658 : Handle To An Object Closed | Sub Rule | Object Handle Closed | Other Audit Success |
| | EVID 4660 : Object Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| | EVID 4662 : Operation Performed On Object | Sub Rule | Command Executed | Access Success |
| | EVID 4663 : Attempt Made To Access Object | Sub Rule | Object Accessed | Access Success |
| | EVID 4670 : Permissions On Object Changed | Sub Rule | Policy Modified : Object | Policy |
| | EVID 4685 : State Of Transaction Changed | Sub Rule | Transaction State Change | Network Traffic |
| | EVID 4985 : State Of Transaction Changed | Sub Rule | Transaction State Change | Network Traffic |
| | EVID 4661 : Handle To An Object Was Requested | Sub Rule | Object Handle Requested | Other Audit Success |
| | EVID 4690 : Attempt Made To Duplicate Object Handle | Sub Rule | Handle Duplicated | Information |
| | EVID 4691 : Indirect Access To An Object Requested | Sub Rule | Object Accessed | Access Success |
| | EVID 4658 : Handle To An Object Closed | Sub Rule | Object Handle Closed | Other Audit Success |
| | EVID 4662 : Operation Performed On Object Failed | Sub Rule | Access Object Failure | Access Failure |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011079 | V 2.0 : Catch All | Base Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 4649 : Replay Attack Detected | Sub Rule | Replay Activity | Attack |
| | V 2.0 : EVID 4675 : SIDs Were Filtered | Sub Rule | SIDs Filtered | Other Audit |
| | V 2.0 : EVID 4765 : SID History Added To Account | Sub Rule | User Account Attribute Modified | Account Modified |
| | V 2.0 : EVID 4766 : SID History Add Failed | Sub Rule | Modify Object Attribute Failure | Access Failure |
| | V 2.0 : EVID 5378 : Credential Delegation Disallow | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4709 : IPSEC - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 4710 : IPSEC - Service Disabled | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 4711 : PAStore - General Event | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 4712 : IPSEC - Fatal Error Encounter | Sub Rule | General IPSec Critical | Critical |
| | V 2.0 : EVID 5040 : IPSEC - Auth. Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
| | V 2.0 : EVID 5041 : IPSEC - Auth. Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5042 : IPSEC - Auth. Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | V 2.0 : EVID 5043 : IPSEC - Conn. Sec. Rule Added | Sub Rule | Configuration Loaded : Security | Configuration |
| | V 2.0 : EVID 5044 : IPSEC - Conn Sec Rule Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5045 : IPSEC - Conn Sec Rule Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | V 2.0 : EVID 5046 : IPSEC - Crypto Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
| | V 2.0 : EVID 5047 : IPSEC - Crypto Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5048 : IPSEC - Crypto Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | V 2.0 : EVID 5440 : WFP - Callout Present At Start | Sub Rule | Filtering Platform Startup State | Information |
| | V 2.0 : EVID 5441 : WFP - Filter Present At Start | Sub Rule | Filtering Platform Startup State | Information |
| | V 2.0 : EVID 5442 : WFP - Prov. Present At Start | Sub Rule | Filtering Platform Startup State | Information |
| | V 2.0 : EVID 5443 : WFP - Prov. Cont Pres At Start | Sub Rule | Filtering Platform Startup State | Information |
| | V 2.0 : EVID 5444 : WFP - Sub-Layer Pres At Start | Sub Rule | Filtering Platform Startup State | Information |
| | V 2.0 : EVID 5446 : WFP - Callout Changed | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5449 : WFP - Prov. Context Changed | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5448 : WFP - Provider Changed | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5450 : WFP - Sub-layer Changed | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5456 : PAStore - AD IPSEC Policy Appl | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5457 : PAStore - AD IPSEC Policy Fail | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
| | V 2.0 : EVID 5458 : PAStore-Cached AD IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5459 : PAStore-Cached AD IPSEC Policy | Sub Rule | General IPSec Error | Error |
| | V 2.0 : EVID 5460 : PAStore -Registry IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5461 : PAStore -Registry IPSEC Policy | Sub Rule | General IPSec Error | Error |
| | V 2.0 : EVID 5462 : PAStore - Fail To Apply IPSEC | Sub Rule | General IPSec Error | Error |
| | V 2.0 : EVID 5463 : PAStore- Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5464 : PAStore-Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5465 : PAStore-IPSEC Policy Forcibly | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5466 : PAStore-Unabled To Reach AD | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5467 : PAStore -Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5468 : PAStore-Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5471 : PAStore-Local IPSEC Policy Loa | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 4772 : Kerberos TGT Request Failed | Sub Rule | Windows Audit Failure Event | Other Audit Failure |
| | V 2.0 : EVID 4773 : Kerberos TGS Request Failed | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4774 : Account Successfully Mapped | Sub Rule | Account Mapped For Logon | Other Audit Success |
| | V 2.0 : EVID 4774 : Account Failed To Be Mapped | Sub Rule | Account Logon Mapping Failed | Other Audit Failure |
| | V 2.0 : EVID 4775 : Account Could Not Be Mapped | Sub Rule | Account Logon Mapping Failed | Other Audit Failure |
| | V 2.0 : EVID 4777 : Domain Contrler Faild To Valid | Sub Rule | Windows Audit Failure Event | Other Audit Failure |
| | V 2.0 : EVID 4646 : IPSEC -DoS Prevention Mode Str | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 4650 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 4651 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 4652 : IPSEC - Main Mode Negotiation | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 4653 : IPSEC - Main Mode Negotiation | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 4655 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Ended | Network Traffic |
| | V 2.0 : EVID 4960 : IPSEC - Inbound Pck Intrgty Fl | Sub Rule | Integrity Check Failed | Error |
| | V 2.0 : EVID 4961 : IPSEC - Inbound Packet Replay | Sub Rule | Integrity Check Failed | Error |
| | V 2.0 : EVID 4962 : IPSEC - Inbound Packet Replay | Sub Rule | Integrity Check Failed | Error |
| | V 2.0 : EVID 4963 : IPSEC - Inbound Packet In Clr | Sub Rule | General IPSec Warning | Warning |
| | V 2.0 : EVID 4965 : IPSEC Packet Received Invalid | Sub Rule | IPSEC Received Bad Packet | Error |
| | V 2.0 : EVID 4976 : IPSEC - Main Mode Invld Negt | Sub Rule | IPSEC Received Bad Packet | Error |
| | V 2.0 : EVID 4977 : IPSEC - Quick Mode Invld Negot | Sub Rule | IPSEC Received Bad Packet | Error |
| | V 2.0 : EVID 4978 : IPSEC - Extended Mode Invalid | Sub Rule | IPSEC Received Bad Packet | Error |
| | V 2.0 : EVID 4979 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 4980 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 4981 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 5024 : Firewall - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 5025 : Firewall - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 5027 : Firewall-ServiceUnableToRetrie | Sub Rule | Firewall Service Failed To Load Local Policy | Warning |
| | V 2.0 : EVID 5028 : Firewall-Service FailedToParse | Sub Rule | Firewall Service Failed To Load Local Policy | Warning |
| | V 2.0 : EVID 5029 : Firewall-ServiceFailedToLoadDr | Sub Rule | Driver Failed To Load | Warning |
| | V 2.0 : EVID 4982 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 5030 : Firewall-Service FailedToStart | Sub Rule | Firewall Service Failed To Start | Critical |
| | V 2.0 : EVID 4983 : IPSEC - Extended Mode Negotion | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 5032 : Firewall - Unable ToNotifyUser | Sub Rule | Firewall Notification Failed | Warning |
| | V 2.0 : EVID 4984 : IPSEC - Extended Mode NegotFai | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 5049 : IPSEC - Security Assoc Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | V 2.0 : EVID 5033 : Firewall - Driver StartedSucs | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 5451 : IPSEC - Quick Mode Security As | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 5034 : Firewall - Driver Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 5452 : IPSEC - Quick Mode Security As | Sub Rule | IPSEC Security Association Ended | Network Traffic |
| | V 2.0 : EVID 5035 : Firewall - DriverFailedToStart | Sub Rule | Firewall Driver Startup Failed | Critical |
| | V 2.0 : EVID 5453 : IPSEC - Negotiation Failed Due | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 5478 : IPSEC - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 5037 : Firewall-DriverCriticalRuntime | Sub Rule | Firewall Driver Critical Condition | Critical |
| | V 2.0 : EVID 5479 : IPSEC - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 5480 : IPSEC - Failed To Obtain Netw | Sub Rule | IPSEC Network Interface List Failed | Warning |
| | V 2.0 : EVID 5483 : IPSEC - Failed To Intlize RPC | Sub Rule | IPSEC Service Failed To Start | Error |
| | V 2.0 : EVID 5484 : IPSEC - Critical Service Failu | Sub Rule | IPSEC Service Error Caused Shutdown | Critical |
| | V 2.0 : EVID 5485 : IPSEC - Failed To Prcss Filter | Sub Rule | IPSEC Filter Processing Failed | Error |
| | V 2.0 : EVID 6400 : BranchCache-IncorrectlyFrmated | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6401 : BranchCache-InvalidPeerDataRec | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6402 : BranchCache - IncorectlyFrmatd | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6403 : BranchCache - IncorectlyFrmatd | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6404 : BranchCache - UnablToAuth | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6405 : BranchCache - Mult EventsRecv | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6406 : BranchCache - Registration | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6407 : BranchCache - General Event | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6408 : BranchCache - Regt Wind Firewa | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6409 : BranchCache - Service Conn | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6145 : Sec Policy GPOs Fail To Apply | Sub Rule | Policy Failed | Error |
| | V 2.0 : EVID 6144 : Security Policy GPOs Applied | Sub Rule | Policy Enabled : System | Policy |
| | V 2.0 : EVID 5447 : WFP - Filter Changed | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 4906 : CrashOnAuditFail Value Changed | Sub Rule | Configuration Modified : System | Configuration |
| | V 2.0 : EVID 4908 : Special Groups Logon Table Mod | Sub Rule | Configuration Modified : System | Configuration |
| | V 2.0 : EVID 4909 : Local TBS Policy Settings Mod. | Sub Rule | Policy Modified : System | Policy |
| | V 2.0 : EVID 4910 : Group TBS Policy Settings Modi | Sub Rule | Policy Modified : System | Policy |
| | V 2.0 : EVID 4902 : Per-User Policy Table Created | Sub Rule | Policy Created : System | Policy |
| | V 2.0 : EVID 4826 : Boot Configuration Data Loaded | Sub Rule | Configuration Loaded : System | Configuration |
| | V 2.0 : EVID 4864 : Namespace Collision Detected | Sub Rule | Namespace Collision | Error |
| | V 2.0 : EVID 4714 : Encrypted Data Rec Policy Mod | Sub Rule | Policy Modified : System | Policy |
| | V 2.0 : EVID 4671 : Application Attempted Access | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 5148 : WFP - DoS Attack Detected | Sub Rule | Failed Network Denial Of Service | Failed Denial of Service |
| | V 2.0 : EVID 5149 : WFP - DoS Attack Ended | Sub Rule | General Security | Other Security |
| | V 2.0 : EVID 4608 : Windows Starting Up | Sub Rule | System Started | Startup and Shutdown |
| | V 2.0 : EVID 4612 : Audit Queuing Resources Exhaus | Sub Rule | Audit Queuing Resources Exhausted | Warning |
| | V 2.0 : EVID 4615 : Invalid LPC Port Use | Sub Rule | Unauthorized Activity | Misuse |
| | V 2.0 : EVID 4618 : User-Defined Security Event | Sub Rule | General Event Log Information | Information |
| | V 2.0 : EVID 4621 : Admin Recovrd Frm CrashOnAudi | Sub Rule | Crash On Audit Fail Recovered | Information |
| | V 2.0 : EVID 4816 : RPC Message Integrity Violatio | Sub Rule | RPC Integrity Violation | Error |
| | V 2.0 : EVID 5038 : Invalid Image Hash | Sub Rule | Integrity Check Failed | Error |
| | V 2.0 : EVID 5056 : CNG - Crypto Self-Check Perf | Sub Rule | Cryptographic Self Test Performed | Information |
| | V 2.0 : EVID 5062 : CNG - Kernel Crypto Self-Check | Sub Rule | Cryptographic Self Test Performed | Information |
| | V 2.0 : EVID 5057 : CNG - Primitive Crypto Op Fail | Sub Rule | Cryptographic Failure | Error |
| | V 2.0 : EVID 5060 : CNG - Crypto Verification Fail | Sub Rule | Cryptographic Failure | Error |
| | V 2.0 : EVID 6281 : Invalid Page Hash In Image Fil | Sub Rule | Integrity Check Failed | Error |
| | V 2.0 : EVID 6410 : File Failed Security Check | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| | V 2.0 : EVID 5712 : RPC Attempted | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 4944 : WFP - Policy Active And Window | Sub Rule | Active Firewall Policy On Start | Information |
| | V 2.0 : EVID 4949 : WFP Settings Restored Default | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 4954 : WFP - Group Policy Settings | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 4783 : Basic Application Group Create | Sub Rule | Group Created | Account Created |
| | V 2.0 : EVID 4784 : Basic Application Group Change | Sub Rule | Group Attribute Modified | Account Modified |
| | V 2.0 : EVID 4785 : Member Add To Basic App Group | Sub Rule | Account Added To Group | Access Granted |
| | V 2.0 : EVID 4786 : Member Remove From Basic App | Sub Rule | Account Removed From Group | Access Revoked |
| | V 2.0 : EVID 4787 : Non-Member Add To Basic App | Sub Rule | Account Added To Group | Access Granted |
| | V 2.0 : EVID 4788 : Non-Memb Remove From Basic App | Sub Rule | Account Removed From Group | Access Revoked |
| | V 2.0 : EVID 4789 : Basic Application Group Delete | Sub Rule | Group Deleted | Account Deleted |
| | V 2.0 : EVID 4790 : LDAP Query Group Created | Sub Rule | Group Created | Account Created |
| | V 2.0 : EVID 4791 : LDAP Query Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | V 2.0 : EVID 4934 : AD Object Attributes Replicate | Sub Rule | AD Object Attributes Replicated | Information |
| | V 2.0 : EVID 4935 : Replication Failure Begins | Sub Rule | AD Replication Failure Begins | Error |
| | V 2.0 : EVID 4936 : Replication Failure Ends | Sub Rule | AD Replication Failure Ends | Error |
| | V 2.0 : EVID 4937 : Lingering Obj Removed Frm ADRe | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0 : EVID 4792 : LDAP Query Group Deleted | Sub Rule | Group Deleted | Account Deleted |
| | V 2.0 : EVID 4664 : File Hard Link Created | Sub Rule | Object Created | Access Success |
| | V 2.0 : EVID 4690 : Object Handle Duplicated | Sub Rule | Object Created | Access Success |
| | V 2.0 : EVID 5039 : Registry Key Virtualized | Sub Rule | Registry Key Virtualized | Other Audit Success |
| | V 2.0 : EVID 5051 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success |
| | V 2.0 : EVID 5168 : SPN Check For SMB Failed | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 6275 : NPS - Accounting Request Disca | Sub Rule | Bad Request | Warning |
| | V 2.0 : EVID 6276 : NPS - User Quarantined | Sub Rule | Network Policy Server Quarantined User | Other Audit |
| | V 2.0 : EVID 6277 : NPS - Access Granted User | Sub Rule | Access Granted Activity | Access Granted |
| | V 2.0 : EVID 6279 : NPS - User Account Locked | Sub Rule | Account Locked | Access Revoked |
| | V 2.0 : EVID 6280 : NPS - User Account Unlocked | Sub Rule | Account Unlocked | Access Granted |
| | V 2.0 : EVID 4626 : User/Device Claims Information | Sub Rule | User Information | Information |
| | V 2.0 : EVID 4666 : AM - App Attempted Operation | Sub Rule | General Application Information | Information |
| | V 2.0 : EVID 4665 : AM - App Client Context Create | Sub Rule | General Application Information | Information |
| | V 2.0 : EVID 4667 : AM - App Client Context Delete | Sub Rule | General Application Information | Information |
| | V 2.0 : EVID 4668 : AM - Application Initialized | Sub Rule | General Application Information | Information |
| | V 2.0 : EVID 4985 : Transaction State Change | Sub Rule | General Transaction Information | Information |
| | V 2.0 : EVID 1101 : Audit Events Dropped | Sub Rule | Message Dropped | Error |
| | V 2.0 : EVID 4609 : Windows Shutting Down | Sub Rule | System Shutting Down | Startup and Shutdown |
| | V 2.0 : EVID 4654 : Quick Mode Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 4797 : Blank Passwords Queried | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 4820 : TGT Denied - ACL | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4821 : TGS Denied - ACL | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4822 : NTLM Auth Denied | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4823 : NTLM Auth Denied | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4824 : Kerberos Pre-Auth Failed | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4825 : RDP Access Denied | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4830 : SID History Removed From Accou | Sub Rule | User Account Attribute Modified | Account Modified |
| | V 2.0 : EVID 4899 : Certificate Template Updated | Sub Rule | Object Modified | Access Success |
| | V 2.0 : EVID 4900 : Certificate Template Sec Updat | Sub Rule | Object Attribute Modified | Access Success |
| | V 2.0 : EVID 5150 : Firewall - Disable Attempt | Sub Rule | Suspicious Activity | Suspicious |
| | V 2.0 : EVID 5071 : Key Access Denied | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 5146 : WFP - Packed Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | V 2.0 : EVID 5147 : WFP - Packed Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | V 2.0 : EVID 5151 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success |
| | V 2.0 : EVID 5170 : AD Object Modified | Sub Rule | Object Modified | Access Success |
| | V 2.0 : EVID 5472 : PAStore - Local IPSEC Policy F | Sub Rule | General IPSec Error | Error |
| | V 2.0 : EVID 5473 : PAStore - Directory Storage IP | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5477 : PAStore - Failed To Add Quick | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 6278 : NPS - Full Access Granted To U | Sub Rule | Access Granted Activity | Access Granted |
| | V 2.0 : EVID 6417 : FIPS Selftest Passed | Sub Rule | Cryptographic Self Test Performed | Information |
| | V 2.0 : EVID 6418 : FIPS Selftest Failed | Sub Rule | Cryptographic Failure | Error |
| | V 2.0 : EVID 4868 : CS - Certificate Manager Denie | Sub Rule | Certificate Manager Denied Pending Cert Request | Warning |
| | V 2.0 : EVID 4869 : CS - Received Resubmitted Cert | Sub Rule | Certificate Services Rcvd Resubmitted Cert Request | Other Audit |
| | V 2.0 : EVID 4870 : CS - Certificate Revoked | Sub Rule | Certificate Services Rcvd Resubmitted Cert Request | Other Audit |
| | V 2.0 : EVID 4871 : CS - CRL Publication Request R | Sub Rule | Certificate Svcs Received Request To Publish CRL | Information |
| | V 2.0 : EVID 4872 : CS - CRL Published | Sub Rule | Certificate Services Published CRL | Information |
| | V 2.0 : EVID 4873 : CS - Certificate Request Extn | Sub Rule | Certificate Request Extension Changed | Information |
| | V 2.0 : EVID 4874 : CS - Certificate Request Chang | Sub Rule | Certificate Request Attributes Changed | Information |
| | V 2.0 : EVID 4875 : CS - Shutdown Request Received | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |
| | V 2.0 : EVID 4876 : CS - Backup Started | Sub Rule | Backup Active | Information |
| | V 2.0 : EVID 4877 : CS - Backup Complete | Sub Rule | Backup Completed | Information |
| | V 2.0 : EVID 4878 : CS - Restore Started | Sub Rule | Backup Restored | Information |
| | V 2.0 : EVID 4879 : CS - Restore Completed | Sub Rule | Backup Restored | Information |
| | V 2.0 : EVID 4880 : CS - Services Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 4881 : CS - Services Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 4882 : CS -Security Permissions Modif | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4883 : CS - Archived Key Retrieved | Sub Rule | Certificate Services Retrieved Archived Key | Information |
| | V 2.0 : EVID 4884 : CS - Certificate Imported | Sub Rule | Certificate Services Imported Certificate | Information |
| | V 2.0 : EVID 4885 : CS - Audit Filter Modified | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4886 : CS - Certificate Request Rcvd | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success |
| | V 2.0 : EVID 4887 : CS - Certificate Issued | Sub Rule | Certificate Services Issued Certificate | Information |
| | V 2.0 : EVID 4888 : CS - Certificate Request Denie | Sub Rule | Certificate Services Denied Certificate Request | Warning |
| | V 2.0 : EVID 4889 : CS - Certificate Request Statu | Sub Rule | Certificate Services Set Cert Status To Pending | Information |
| | V 2.0 : EVID 4890 : CS - Certificate Manager Setti | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4891 : CS - Configuration Entry Modif | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4892 : CS - Property Modified | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4893 : CS - Key Archived | Sub Rule | Certificate Services Archived A Key | Information |
| | V 2.0 : EVID 4894 : CS - Key Imported And Archived | Sub Rule | Certificate Services Imported And Archived Key | Information |
| | V 2.0 : EVID 4895 : CS -ADDS CA Certificate Publis | Sub Rule | Certificate Services Published CA Certificate | Information |
| | V 2.0 : EVID 4896 : CS - Rows Deleted From Databas | Sub Rule | Certificate Services Database Rows Deleted | Information |
| | V 2.0 : EVID 4897 : CS - Role Separation Enabled | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4898 : CS - Template Loaded | Sub Rule | Certificate Services Loaded Template | Information |
| | V 2.0 : EVID 5120 : CS - OCSP Responder Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 5121 : CS - OCSP Responder Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 5122 : CS - OCSP Config Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4649 : Replay Attack Detected | Sub Rule | Replay Activity | Attack |
| | V 2.0 : EVID 5123 : CS - OCSP Config Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 5124 : CS - OCSP Security Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 5125 : CS - OCSP Request | Sub Rule | Request Received | Other Audit Success |
| | V 2.0 : EVID 5126 : CS - OCSP Signer Updated | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 5127 : CS - OCSP Provider Updated | Sub Rule | Configuration Modified : Application | Configuration |