EVID 4690 : Object Access (Part 2) (Français - Security)

Event Details

Event Type	Audit Handle Manipulation
Event Description	4690(S) : An attempt was made to duplicate a handle to an object.
Event ID	4690

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field	LogRhythm Default	LogRhythm Default v2.0
Provider	N/A	N/A
EventID	<vmid>	<vmid>
Version	N/A	N/A
Level	<severity>	<severity>
Task	N/A	<vendorinfo>
Opcode	N/A	N/A
Keywords	<tag1>	<result>, <tag2>
TimeCreated	N/A	N/A
EventRecordID	N/A	N/A
Correlation	N/A	N/A
Execution	N/A	N/A
Channel	N/A	N/A
Computer	<dname>	<dname>
SubjectUserName	<login>	N/A
SubjectDomainName	<domain>	N/A
SubjectLogonId	<session>	N/A
ObjectType	<subject>	N/A
ObjectName	<objectname>	N/A
HandleId	N/A	N/A
ProcessId	<processid>	N/A
ProcessName	<process>	N/A
operationtype	N/A	N/A
AccessList	N/A	N/A
Accessmask	N/A	N/A
EventData	<vendorinfo>	N/A
Account Name	N/A	N/A
Account Domain	N/A	N/A
LogonId	N/A	N/A
Accesses	<command>	N/A
properties	N/A	N/A
Default Property Set	N/A	N/A
ErrorCode	N/A	<responsecode>

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID	Rule Name	Rule Type	Common Event	Classification
1005092	Object Accessed	Base Rule	Object Accessed	Access Success
	EVID 4662 : Operation Performed On Object Failed	Sub Rule	Access Object Failure	Access Failure
	EVID 4658 : Handle To An Object Closed	Sub Rule	Object Handle Closed	Other Audit Success
	EVID 4691 : Indirect Access To An Object Requested	Sub Rule	Object Accessed	Access Success
	EVID 4690 : Attempt Made To Duplicate Object Handle	Sub Rule	Handle Duplicated	Information
	EVID 4661 : Handle To An Object Was Requested	Sub Rule	Object Handle Requested	Other Audit Success
	EVID 4985 : State Of Transaction Changed	Sub Rule	Transaction State Change	Network Traffic
	EVID 4685 : State Of Transaction Changed	Sub Rule	Transaction State Change	Network Traffic
	EVID 4670 : Permissions On Object Changed	Sub Rule	Policy Modified : Object	Policy
	EVID 4663 : Attempt Made To Access Object	Sub Rule	Object Accessed	Access Success
	EVID 4662 : Operation Performed On Object	Sub Rule	Command Executed	Access Success
	EVID 4660 : Object Deleted	Sub Rule	Object Deleted/Removed	Access Success
	EVID 4658 : Handle To An Object Closed	Sub Rule	Object Handle Closed	Other Audit Success
	EVID 4657 : Registry Value Modified	Sub Rule	Object Modified	Access Success
	EVID 4656 : Object Open Failed	Sub Rule	Access Object Failure	Access Failure
	EVID 4656 : Object Opened	Sub Rule	Object Read	Access Success

LogRhythm Default v2.0

Regex ID	Rule Name	Rule Type	Common Event	Classification
1011079	V 2.0 : Catch All	Base Rule	Other Audit	General Audit Message
	V 2.0 : EVID 4649 : Replay Attack Detected	Sub Rule	Attack	Replay Activity
	V 2.0 : EVID 4675 : SIDs Were Filtered	Sub Rule	Other Audit	SIDs Filtered
	V 2.0 : EVID 4765 : SID History Added To Account	Sub Rule	Account Modified	User Account Attribute Modified
	V 2.0 : EVID 4766 : SID History Add Failed	Sub Rule	Access Failure	Modify Object Attribute Failure
	V 2.0 : EVID 5378 : Credential Delegation Disallowed	Sub Rule	Access Failure	Access Object Failure
	V 2.0 : EVID 4709 : IPSEC - Service Started	Sub Rule	Startup and Shutdown	Process/Service Started
	V 2.0 : EVID 4710 : IPSEC - Service Disabled	Sub Rule	Startup and Shutdown	Process/Service Stopped
	V 2.0 : EVID 4711 : PAStore - General Event	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 4712 : IPSEC - Fatal Error Encounter	Sub Rule	Critical	General IPSec Critical
	V 2.0 : EVID 5040 : IPSEC - Auth. Set Added	Sub Rule	Configuration	Configuration Loaded : Security
	V 2.0 : EVID 5041 : IPSEC - Auth. Set Modified	Sub Rule	Configuration	Configuration Modified : Security
	V 2.0 : EVID 5042 : IPSEC - Auth. Set Deleted	Sub Rule	Configuration	Configuration Deleted : Security
	V 2.0 : EVID 5043 : IPSEC - Conn. Sec. Rule Added	Sub Rule	Configuration	Configuration Loaded : Security
	V 2.0 : EVID 5044 : IPSEC - Conn Sec Rule Modified	Sub Rule	Configuration	Configuration Modified : Security
	V 2.0 : EVID 5045 : IPSEC - Conn Sec Rule Deleted	Sub Rule	Configuration	Configuration Deleted : Security
	V 2.0 : EVID 5046 : IPSEC - Crypto Set Added	Sub Rule	Configuration	Configuration Loaded : Security
	V 2.0 : EVID 5047 : IPSEC - Crypto Set Modified	Sub Rule	Configuration	Configuration Modified : Security
	V 2.0 : EVID 5048 : IPSEC - Crypto Set Deleted	Sub Rule	Configuration	Configuration Deleted : Security
	V 2.0 : EVID 5440 : WFP - Callout Present At Start	Sub Rule	Information	Filtering Platform Startup State
	V 2.0 : EVID 5441 : WFP - Filter Present At Start	Sub Rule	Information	Filtering Platform Startup State
	V 2.0 : EVID 5442 : WFP - Prov. Present At Start	Sub Rule	Information	Filtering Platform Startup State
	V 2.0 : EVID 5443 : WFP - Prov. Cont Pres At Start	Sub Rule	Information	Filtering Platform Startup State
	V 2.0 : EVID 5444 : WFP - Sub-Layer Pres At Start	Sub Rule	Information	Filtering Platform Startup State
	V 2.0 : EVID 5446 : WFP - Callout Changed	Sub Rule	Configuration	Configuration Modified : Security
	V 2.0 : EVID 5449 : WFP - Prov. Context Changed	Sub Rule	Configuration	Configuration Modified : Security
	V 2.0 : EVID 5448 : WFP - Provider Changed	Sub Rule	Configuration	Configuration Modified : Security
	V 2.0 : EVID 5450 : WFP - Sub-layer Changed	Sub Rule	Configuration	Configuration Modified : Security
	V 2.0 : EVID 5456 : PAStore - AD IPSEC Policy Appl	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 5457 : PAStore - AD IPSEC Policy Fail	Sub Rule	Other Audit Failure	IPSEC Policy Application Failed
	V 2.0 : EVID 5458 : PAStore - Cached AD IPSEC Policy	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 5459 : PAStore - Cached AD IPSEC Policy	Sub Rule	Error	General IPSec Error
	V 2.0 : EVID 5460 : PAStore - Registry IPSEC Policy	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 5461 : PAStore - Registry IPSEC Policy	Sub Rule	Error	General IPSec Error
	V 2.0 : EVID 5462 : PAStore - Fail To Apply IPSEC	Sub Rule	Error	General IPSec Error
	V 2.0 : EVID 5463 : PAStore - Poll For IPSEC Policy	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 5464 : PAStore - Poll For IPSEC Policy	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 5465 : PAStore - IPSEC Policy Forcibly	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 5466 : PAStore - Unable To Reach AD	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 5467 : PAStore - Poll For IPSEC Policy	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 5468 : PAStore - Poll For IPSEC Policy	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 5471 : PAStore - Local IPSEC Policy Loa	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 4772 : Kerberos TGT Request Failed	Sub Rule	Other Audit Failure	Windows Audit Failure Event
	V 2.0 : EVID 4773 : Kerberos TGS Request Failed	Sub Rule	Access Failure	Access Object Failure
	V 2.0 : EVID 4774 : Account Successfully Mapped	Sub Rule	Other Audit Success	Account Mapped For Logon
	V 2.0 : EVID 4774 : Account Failed To Be Mapped	Sub Rule	Other Audit Failure	Account Logon Mapping Failed
	V 2.0 : EVID 4775 : Account Could Not Be Mapped	Sub Rule	Other Audit Failure	Account Logon Mapping Failed
	V 2.0 : EVID 4777 : Domain Controller Failed To Valid	Sub Rule	Other Audit Failure	Windows Audit Failure Event
	V 2.0 : EVID 4646 : IPSEC - DoS Prevention Mode Strt	Sub Rule	Information	General IPSEC Message
	V 2.0 : EVID 4650 : IPSEC - Main Mode Security	Sub Rule	Network Traffic	IPSEC Security Association Established
	V 2.0 : EVID 4651 : IPSEC - Main Mode Security	Sub Rule	Network Traffic	IPSEC Security Association Established
	V 2.0 : EVID 4652 : IPSEC - Main Mode Negotiation	Sub Rule	Error	IPSEC Negotiation Failed
	V 2.0 : EVID 4653 : IPSEC - Main Mode Negotiation	Sub Rule	Error	IPSEC Negotiation Failed
	V 2.0 : EVID 4655 : IPSEC - Main Mode Security	Sub Rule	Network Traffic	IPSEC Security Association Ended
	V 2.0 : EVID 4960 : IPSEC - Inbound Pck Integrity Flr	Sub Rule	Error	Integrity Check Failed
	V 2.0 : EVID 4961 : IPSEC - Inbound Packet Replay	Sub Rule	Error	Integrity Check Failed
	V 2.0 : EVID 4962 : IPSEC - Inbound Packet Replay	Sub Rule	Error	Integrity Check Failed
	V 2.0 : EVID 4963 : IPSEC - Inbound Packet In Clear	Sub Rule	Warning	General IPSec Warning
	V 2.0 : EVID 4965 : IPSEC - Packet Received Invalid	Sub Rule	Error	IPSEC Received Bad Packet
	V 2.0 : EVID 4976 : IPSEC - Main Mode Invalid Negot	Sub Rule	Error	IPSEC Received Bad Packet
	V 2.0 : EVID 4977 : IPSEC - Quick Mode Invalid Negot	Sub Rule	Error	IPSEC Received Bad Packet
	V 2.0 : EVID 4978 : IPSEC - Extended Mode Invalid	Sub Rule	Error	IPSEC Received Bad Packet
	V 2.0 : EVID 4979 : IPSEC - Main And Extended Mode	Sub Rule	Network Traffic	IPSEC Security Association Established
	V 2.0 : EVID 4980 : IPSEC - Main And Extended Mode	Sub Rule	Network Traffic	IPSEC Security Association Established
V 2.0 : EVID 4981 : IPSEC - Main And Extended Mode	Sub Rule	Network Traffic	IPSEC Security Association Established
V 2.0 : EVID 5024 : Firewall - Service Started	Sub Rule	Startup and Shutdown	Process/Service Started
V 2.0 : EVID 5025 : Firewall - Service Stopped	Sub Rule	Startup and Shutdown	Process/Service Stopped
V 2.0 : EVID 5027 : Firewall - ServiceUnableToRetrie	Sub Rule	Warning	Firewall Service Failed To Load Local Policy
V 2.0 : EVID 5028 : Firewall - Service FailedToParse	Sub Rule	Warning	Firewall Service Failed To Load Local Policy
V 2.0 : EVID 5029 : Firewall - ServiceFailedToLoadDr	Sub Rule	Warning	Driver Failed To Load
V 2.0 : EVID 4982 : IPSEC - Main And Extended Mode	Sub Rule	Network Traffic	IPSEC Security Association Established
V 2.0 : EVID 5030 : Firewall - Service FailedToStart	Sub Rule	Critical	Firewall Service Failed To Start
V 2.0 : EVID 4983 : IPSEC - Extended Mode Negotiation Fail	Sub Rule	Error	IPSEC Negotiation Failed
V 2.0 : EVID 5032 : Firewall - Unable ToNotifyUser	Sub Rule	Warning	Firewall Notification Failed
V 2.0 : EVID 4984 : IPSEC - Extended Mode NegotFail	Sub Rule	Error	IPSEC Negotiation Failed
V 2.0 : EVID 5049 : IPSEC - Security Assoc Deleted	Sub Rule	Configuration	Configuration Deleted : Security
V 2.0 : EVID 5033 : Firewall - Driver StartedSucs	Sub Rule	Startup and Shutdown	Process/Service Started
V 2.0 : EVID 5451 : IPSEC - Quick Mode Security Ass	Sub Rule	Network Traffic	IPSEC Security Association Established
V 2.0 : EVID 5034 : Firewall - Driver Stopped	Sub Rule	Startup and Shutdown	Process/Service Stopped
V 2.0 : EVID 5452 : IPSEC - Quick Mode Security Ass	Sub Rule	Network Traffic	IPSEC Security Association Ended
V 2.0 : EVID 5035 : Firewall - DriverFailedToStart	Sub Rule	Critical	Firewall Driver Startup Failed
V 2.0 : EVID 5453 : IPSEC - Negotiation Failed Due	Sub Rule	Error	IPSEC Negotiation Failed
V 2.0 : EVID 5478 : IPSEC - Service Started	Sub Rule	Startup and Shutdown	Process/Service Started
V 2.0 : EVID 5037 : Firewall - DriverCriticalRuntime	Sub Rule	Critical	Firewall Driver Critical Condition
V 2.0 : EVID 5479 : IPSEC - Service Stopped	Sub Rule	Startup and Shutdown	Process/Service Stopped
V 2.0 : EVID 5480 : IPSEC - Failed To Obtain Netw	Sub Rule	Warning	IPSEC Network Interface List Failed
V 2.0 : EVID 5483 : IPSEC - Failed To Initialize RPC	Sub Rule	Error	IPSEC Service Failed To Start
V 2.0 : EVID 5484 : IPSEC - Critical Service Failure	Sub Rule	Critical	IPSEC Service Error Caused Shutdown
V 2.0 : EVID 5485 : IPSEC - Failed To Process Filter	Sub Rule	Error	IPSEC Filter Processing Failed
V 2.0 : EVID 6400 : Branch Cache - IncorrectlyFrmated	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 6401 : Branch Cache - InvalidPeerDataRec	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 6402 : Branch Cache - IncorectlyFrmatd	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 6403 : Branch Cache - IncorectlyFrmatd	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 6404 : Branch Cache - UnablToAuth	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 6405 : Branch Cache - Mult EventsRecv	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 6406 : Branch Cache - Registration	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 6407 : Branch Cache - General Event	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 6408: Branch Cache - Regt Wind Firewall	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 6409 : Branch Cache - Service Conn	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 6145 : Sec Policy GPOs Fail To Apply	Sub Rule	Error	Policy Failed
V 2.0 : EVID 6144 : Security Policy GPOs Applied	Sub Rule	Policy	Policy Enabled : System
V 2.0 : EVID 5447 : WFP - Filter Changed	Sub Rule	Configuration	Configuration Modified : Security
V 2.0 : EVID 4906 : CrashOnAuditFail Value Changed	Sub Rule	Configuration	Configuration Modified : System
V 2.0 : EVID 4908 : Special Groups Logon Table Mod	Sub Rule	Configuration	Configuration Modified : System
V 2.0 : EVID 4909 : Local TBS Policy Settings Mod.	Sub Rule	Policy	Policy Modified : System
V 2.0 : EVID 4910 : Group TBS Policy Settings Modi	Sub Rule	Policy	Policy Modified : System
V 2.0 : EVID 4902 : Per-User Policy Table Created	Sub Rule	Policy	Policy Created : System
V 2.0 : EVID 4826 : Boot Configuration Data Loaded	Sub Rule	Configuration	Configuration Loaded : System
V 2.0 : EVID 4864 : Namespace Collision Detected	Sub Rule	Error	Namespace Collision
V 2.0 : EVID 4714 : Encrypted Data Rec Policy Mod	Sub Rule	Policy	Policy Modified : System
V 2.0 : EVID 4671 : Application Attempted Access	Sub Rule	Access Failure	Access Object Failure
V 2.0 : EVID 5148 : WFP - DoS Attack Detected	Sub Rule	Failed Denial of Service	Failed Network Denial Of Service
V 2.0 : EVID 5149 : WFP - DoS Attack Ended	Sub Rule	Other Security	General Security
V 2.0 : EVID 4608 : Windows Starting Up	Sub Rule	Startup and Shutdown	System Started
V 2.0 : EVID 4612 : Audit Queuing Resources Exhaus	Sub Rule	Warning	Audit Queuing Resources Exhausted
V 2.0 : EVID 4615 : Invalid LPC Port Use	Sub Rule	Misuse	Unauthorized Activity
V 2.0 : EVID 4618 : User-Defined Security Event	Sub Rule	Information	General Event Log Information
V 2.0 : EVID 4621 : Admin Recovered From CrashOnAudi	Sub Rule	Information	Crash On Audit Fail Recovered
V 2.0 : EVID 4816 : RPC Message Integrity Violation	Sub Rule	Error	RPC Integrity Violation
V 2.0 : EVID 5038 : Invalid Image Hash	Sub Rule	Error	Integrity Check Failed
V 2.0 : EVID 5056 : CNG - Crypto Self-Check Perf	Sub Rule	Information	Cryptographic Self Test Performed
V 2.0 : EVID 5062 : CNG - Kernel Crypto Self-Check	Sub Rule	Information	Cryptographic Self Test Performed
V 2.0 : EVID 5057 : CNG - Primitive Crypto Op Fail	Sub Rule	Error	Cryptographic Failure
V 2.0 : EVID 5060 : CNG - Crypto Verification Fail	Sub Rule	Error	Cryptographic Failure
V 2.0 : EVID 6281 : Invalid Page Hash In Image Fil	Sub Rule	Error	Integrity Check Failed
V 2.0 : EVID 6410 : File Failed Security Check	Sub Rule	Failed Suspicious	Failed Suspicious Activity
V 2.0 : EVID 5712 : RPC Attempted	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 4944 : WFP - Policy Active And Windows	Sub Rule	Information	Active Firewall Policy On Start
V 2.0 : EVID 4949 : WFP Settings Restored To Default	Sub Rule	Configuration	Configuration Modified : Security
V 2.0 : EVID 4954 : WFP - Group Policy Settings	Sub Rule	Configuration	Configuration Modified : Security
V 2.0 : EVID 4783 : Basic Application Group Create	Sub Rule	Account Created	Group Created
V 2.0 : EVID 4784 : Basic Application Group Change	Sub Rule	Account Modified	Group Attribute Modified
V 2.0 : EVID 4785 : Member Add To Basic App Group	Sub Rule	Access Granted	Account Added To Group
V 2.0 : EVID 4786 : Member Remove From Basic App	Sub Rule	Access Revoked	Account Removed From Group
V 2.0 : EVID 4787 : Non-Member Add To Basic App	Sub Rule	Access Granted	Account Added To Group
V 2.0 : EVID 4788 : Non-Memb Remove From Basic App	Sub Rule	Access Revoked	Account Removed From Group
V 2.0 : EVID 4789 : Basic Application Group Delete	Sub Rule	Account Deleted	Group Deleted
V 2.0 : EVID 4790 : LDAP Query Group Created	Sub Rule	Account Created	Group Created
V 2.0 : EVID 4791 : LDAP Query Group Changed	Sub Rule	Account Modified	Group Attribute Modified
V 2.0 : EVID 4934 : AD Object Attributes Replicate	Sub Rule	Information	AD Object Attributes Replicated
V 2.0 : EVID 4935 : Replication Failure Begins	Sub Rule	Error	AD Replication Failure Begins
V 2.0 : EVID 4936 : Replication Failure Ends	Sub Rule	Error	AD Replication Failure Ends
V 2.0 : EVID 4937 : Lingering Object Removed From ADRe	Sub Rule	Access Success	Object Deleted/Removed
V 2.0 : EVID 4792 : LDAP Query Group Deleted	Sub Rule	Account Deleted	Group Deleted
V 2.0 : EVID 4664 : File Hard Link Created	Sub Rule	Access Success	Object Created
V 2.0 : EVID 4690 : Object Handle Duplicated	Sub Rule	Access Success	Object Created
V 2.0 : EVID 5039 : Registry Key Virtualized	Sub Rule	Other Audit Success	Registry Key Virtualized
V 2.0 : EVID 5051 : File Virtualized	Sub Rule	Other Audit Success	File Virtualized
V 2.0 : EVID 5168 : SPN Check For SMB Failed	Sub Rule	Access Failure	Access Object Failure
V 2.0 : EVID 6275 : NPS - Accounting Request Discard	Sub Rule	Warning	Bad Request
V 2.0 : EVID 6276 : NPS - User Quarantined	Sub Rule	Other Audit	Network Policy Server Quarantined User
V 2.0 : EVID 6277 : NPS - Access Granted User	Sub Rule	Access Granted	Access Granted Activity
V 2.0 : EVID 6279 : NPS - User Account Locked	Sub Rule	Access Revoked	Account Locked
V 2.0 : EVID 6280 : NPS - User Account Unlocked	Sub Rule	Access Granted	Account Unlocked
V 2.0 : EVID 4626 : User/Device Claims Information	Sub Rule	Information	User Information
V 2.0 : EVID 4666 : AM - App Attempted Operation	Sub Rule	Information	General Application Information
V 2.0 : EVID 4665 : AM - App Client Context Create	Sub Rule	Information	General Application Information
V 2.0 : EVID 4667 : AM - App Client Context Delete	Sub Rule	Information	General Application Information
V 2.0 : EVID 4668 : AM - Application Initialized	Sub Rule	Information	General Application Information
V 2.0 : EVID 4985 : Transaction State Change	Sub Rule	Information	General Transaction Information
V 2.0 : EVID 1101 : Audit Events Dropped	Sub Rule	Error	Message Dropped
V 2.0 : EVID 4609 : Windows Shutting Down	Sub Rule	Startup and Shutdown	System Shutting Down
V 2.0 : EVID 4654 : Quick Mode Negotiation Failed	Sub Rule	Error	IPSEC Negotiation Failed
V 2.0 : EVID 4797 : Blank Passwords Queried	Sub Rule	Other Audit	General Audit Message
V 2.0 : EVID 4820 : TGT Denied - ACL	Sub Rule	Authentication Failure	User Logon Failure
V 2.0 : EVID 4821 : TGS Denied - ACL	Sub Rule	Access Failure	Access Object Failure
V 2.0 : EVID 4822 : NTLM Auth Denied	Sub Rule	Authentication Failure	User Logon Failure
V 2.0 : EVID 4823 : NTLM Auth Denied	Sub Rule	Authentication Failure	User Logon Failure
V 2.0 : EVID 4824 : Kerberos Pre-Auth Failed	Sub Rule	Authentication Failure	User Logon Failure
V 2.0 : EVID 4825 : RDP Access Denied	Sub Rule	Authentication Failure	User Logon Failure
V 2.0 : EVID 4830 : SID History Removed From Account	Sub Rule	Account Modified	User Account Attribute Modified
V 2.0 : EVID 4899 : Certificate Template Updated	Sub Rule	Access Success	Object Modified
V 2.0 : EVID 4900 : Certificate Template Sec Update	Sub Rule	Access Success	Object Attribute Modified
V 2.0 : EVID 5150 : Firewall - Disable Attempt	Sub Rule	Suspicious	Suspicious Activity
V 2.0 : EVID 5071 : Key Access Denied	Sub Rule	Access Failure	Access Object Failure
V 2.0 : EVID 5146 : WFP - Packed Blocked	Sub Rule	Network Deny	Traffic Denied by Host Firewall
V 2.0 : EVID 5147 : WFP - Packed Blocked	Sub Rule	Network Deny	Traffic Denied by Host Firewall
V 2.0 : EVID 5151 : File Virtualized	Sub Rule	Other Audit Success	File Virtualized
V 2.0 : EVID 5170 : AD Object Modified	Sub Rule	Access Success	Object Modified
V 2.0 : EVID 5472 : PAStore - Local IPSEC Policy Fail	Sub Rule	Error	General IPSec Error
V 2.0 : EVID 5473 : PAStore - Directory Storage IPSEC	Sub Rule	Information	General IPSEC Message
V 2.0 : EVID 5477 : PAStore - Failed To Add Quick Mod	Sub Rule	Information	General IPSEC Message
V 2.0 : EVID 6278 : NPS - Full Access Granted To User	Sub Rule	Access Granted	Access Granted Activity
V 2.0 : EVID 6417 : FIPS Selftest Passed	Sub Rule	Information	Cryptographic Self Test Performed
V 2.0 : EVID 6418 : FIPS Selftest Failed	Sub Rule	Error	Cryptographic Failure
V 2.0 : EVID 4868 : CS - Certificate Manager Denied	Sub Rule	Warning	Certificate Manager Denied Pending Cert Request
V 2.0 : EVID 4869 : CS - Received Resubmitted Cert	Sub Rule	Other Audit	Certificate Services Rcvd Resubmitted Cert Request
V 2.0 : EVID 4870 : CS - Certificate Revoked	Sub Rule	Other Audit	Certificate Services Rcvd Resubmitted Cert Request
V 2.0 : EVID 4871 : CS - CRL Publication Request Rcvd	Sub Rule	Information	Certificate Svcs Received Request To Publish CRL
V 2.0 : EVID 4872 : CS - CRL Published	Sub Rule	Information	Certificate Services Published CRL
V 2.0 : EVID 4873 : CS - Certificate Request Extn	Sub Rule	Information	Certificate Request Extension Changed
V 2.0 : EVID 4874 : CS - Certificate Request Change	Sub Rule	Information	Certificate Request Attributes Changed
V 2.0 : EVID 4875 : CS - Shutdown Request Received	Sub Rule	Startup and Shutdown	Process/Service Startup Or Shutdown Activity
V 2.0 : EVID 4876 : CS - Backup Started	Sub Rule	Information	Backup Active
V 2.0 : EVID 4877 : CS - Backup Complete	Sub Rule	Information	Backup Completed
V 2.0 : EVID 4878 : CS - Restore Started	Sub Rule	Information	Backup Restored
V 2.0 : EVID 4879 : CS - Restore Completed	Sub Rule	Information	Backup Restored
V 2.0 : EVID 4880 : CS - Services Started	Sub Rule	Startup and Shutdown	Process/Service Started
V 2.0 : EVID 4881 : CS - Services Stopped	Sub Rule	Startup and Shutdown	Process/Service Stopped
V 2.0 : EVID 4882 : CS -Security Permissions Modified	Sub Rule	Configuration	Configuration Modified : Application
V 2.0 : EVID 4883 : CS - Archived Key Retrieved	Sub Rule	Information	Certificate Services Retrieved Archived Key
V 2.0 : EVID 4884 : CS - Certificate Imported	Sub Rule	Information	Certificate Services Imported Certificate
V 2.0 : EVID 4885 : CS - Audit Filter Modified	Sub Rule	Configuration	Configuration Modified : Application
V 2.0 : EVID 4886 : CS - Certificate Request Received	Sub Rule	Other Audit Success	Certificate Services Received Certificate Request
V 2.0 : EVID 4887 : CS - Certificate Issued	Sub Rule	Information	Certificate Services Issued Certificate
V 2.0 : EVID 4888 : CS - Certificate Request Denied	Sub Rule	Warning	Certificate Services Denied Certificate Request
V 2.0 : EVID 4889 : CS - Certificate Request Status	Sub Rule	Information	Certificate Services Set Cert Status To Pending
V 2.0 : EVID 4890 : CS - Certificate Manager Settings	Sub Rule	Configuration	Configuration Modified : Application
V 2.0 : EVID 4891 : CS - Configuration Entry Modified	Sub Rule	Configuration	Configuration Modified : Application
V 2.0 : EVID 4892 : CS - Property Modified	Sub Rule	Configuration	Configuration Modified : Application
V 2.0 : EVID 4893 : CS - Key Archived	Sub Rule	Information	Certificate Services Archived A Key
V 2.0 : EVID 4894 : CS - Key Imported And Archived	Sub Rule	Information	Certificate Services Imported And Archived Key
V 2.0 : EVID 4895 : CS -ADDS CA Certificate Published	Sub Rule	Information	Certificate Services Published CA Certificate
V 2.0 : EVID 4896 : CS - Rows Deleted From Database	Sub Rule	Information	Certificate Services Database Rows Deleted
V 2.0 : EVID 4897 : CS - Role Separation Enabled	Sub Rule	Configuration	Configuration Modified : Application
V 2.0 : EVID 4898 : CS - Template Loaded	Sub Rule	Information	Certificate Services Loaded Template
V 2.0 : EVID 5120 : CS - OCSP Responder Started	Sub Rule	Startup and Shutdown	Process/Service Started
V 2.0 : EVID 5121 : CS - OCSP Responder Stopped	Sub Rule	Startup and Shutdown	Process/Service Stopped
V 2.0 : EVID 5122 : CS - OCSP Config Changed	Sub Rule	Configuration	Configuration Modified : Application
V 2.0 : EVID 4649 : Replay Attack Detected	Sub Rule	Attack	Replay Activity
V 2.0 : EVID 5123 : CS - OCSP Config Changed	Sub Rule	Configuration	Configuration Modified : Application
V 2.0 : EVID 5124 : CS - OCSP Security Changed	Sub Rule	Configuration	Configuration Modified : Application
V 2.0 : EVID 5125 : CS - OCSP Request	Sub Rule	Other Audit Success	Request Received
V 2.0 : EVID 5126 : CS - OCSP Signer Updated	Sub Rule	Configuration	Configuration Modified : Application
V 2.0 : EVID 5127 : CS - OCSP Provider Updated	Sub Rule	Configuration	Configuration Modified : Application