
EVID 5440-5444 : Windows Filter (Security)

Event Details

Event Type

Audit Filtering Platform Policy Change

Event Description
  • 5440(S) : The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
  • 5441(S) : The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
  • 5442(S) : The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
  • 5443(S) : The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
  • 5444(S) : The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
Event IDs: 5440, 5441, 5442, 5443, 5444

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | N/A | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | N/A | <result>, <tag2> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| ProcessID | <processid> | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| EventData | <vendorinfo> | N/A |
| ErrorCode | N/A | <responsecode> |
| SubjectUserSid | N/A | N/A |
| SubjectUserName | N/A | N/A |
| SubjectDomainName | N/A | N/A |
| SubjectLogonId | N/A | N/A |
| ObjectType | N/A | N/A |
| IpAddress | N/A | N/A |
| IpPort | N/A | N/A |
| ShareName | N/A | N/A |
| ShareLocation | N/A | N/A |
| AccessMask | N/A | N/A |
| AccessList | N/A | N/A |
| RelativeTargetName | N/A | N/A |
| ShareLocationPath | N/A | N/A |
| RelativeTargetName | N/A | N/A |
| Accesses | N/A | N/A |
| FileName | N/A | N/A |
| Provider Name | <objectname> | N/A |
| Sub-layer Name | <object> | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| 1000643 | EVID 5440 : 5444 : Windows Filter | Base Rule | Windows Filtering Events | Information |
|  | EVID 5440 : Filtering Platform Stup State : Block | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5441 : Filtering Platform Stup State : Block | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5442 : Filtering Platform Stup State : Block | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5443 : Filtering Platform Stup State : Permit | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5444 : Filtering Platform Stup State : Permit | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5446 : Filtering Platform Callout Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 5447 : Filtering Platform Filter Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 5448 : Filtering Platform Provider Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 5449 : Filtering Platform Prov Context Change | Sub Rule | Configuration Modified : Security | Configuration |
|  | EVID 5450 : Filtering Platform Sub-Layer Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | EVID 5440 : Filter Platform Stup State : Callout | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5440 : Filtering Platform Stup State : Permit | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5441 : Filtering Platform Stup State : Permit | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5441 : Filter Platform Stup State : Callout | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5442 : Filtering Platform Stup State : Permit | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5442 : Filter Platform Stup State : Callout | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5443 : Filtering Platform Stup State : Block | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5443 : Filter Platform Stup State : Callout | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5444 : Filtering Platform Stup State : Block | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5444 : Filter Platform Stup State : Callout | Sub Rule | Filtering Platform Startup State | Information |
|  | EVID 5444 : Sublayer Present | Sub Rule | Windows Filtering Events | Information |
|  | EVID 5442 : Provider Present | Sub Rule | Windows Filtering Events | Information |
|  | EVID 5440 : Callout Present | Sub Rule | Windows Filtering Events | Information |
|  | EVID 5443 : Provider Context Present | Sub Rule | Windows Filtering Events | Information |
|  | EVID 5441 : Filter Present | Sub Rule | Windows Filtering Events | Information |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| 1011079 | V 2.0 : Catch All | Base Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 4649 : Replay Attack Detected | Sub Rule | Replay Activity | Attack |
|  | V 2.0 : EVID 4675 : SIDs Were Filtered | Sub Rule | SIDs Filtered | Other Audit |
|  | V 2.0 : EVID 4765 : SID History Added To Account | Sub Rule | User Account Attribute Modified | Account Modified |
|  | V 2.0 : EVID 4766 : SID History Add Failed | Sub Rule | Modify Object Attribute Failure | Access Failure |
|  | V 2.0 : EVID 5378 : Credential Delegation Disallow | Sub Rule | Access Object Failure | Access Failure |
|  | V 2.0 : EVID 4709 : IPSEC - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | V 2.0 : EVID 4710 : IPSEC - Service Disabled | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | V 2.0 : EVID 4711 : PAStore - General Event | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 4712 : IPSEC - Fatal Error Encounter | Sub Rule | General IPSec Critical | Critical |
|  | V 2.0 : EVID 5040 : IPSEC - Auth. Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
|  | V 2.0 : EVID 5041 : IPSEC - Auth. Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
|  | V 2.0 : EVID 5042 : IPSEC - Auth. Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
|  | V 2.0 : EVID 5043 : IPSEC - Conn. Sec. Rule Added | Sub Rule | Configuration Loaded : Security | Configuration |
|  | V 2.0 : EVID 5044 : IPSEC - Conn Sec Rule Modified | Sub Rule | Configuration Modified : Security | Configuration |
|  | V 2.0 : EVID 5045 : IPSEC - Conn Sec Rule Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
|  | V 2.0 : EVID 5046 : IPSEC - Crypto Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
|  | V 2.0 : EVID 5047 : IPSEC - Crypto Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
|  | V 2.0 : EVID 5048 : IPSEC - Crypto Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
|  | V 2.0 : EVID 5440 : WFP - Callout Present At Start | Sub Rule | Filtering Platform Startup State | Information |
|  | V 2.0 : EVID 5441 : WFP - Filter Present At Start | Sub Rule | Filtering Platform Startup State | Information |
|  | V 2.0 : EVID 5442 : WFP - Prov. Present At Start | Sub Rule | Filtering Platform Startup State | Information |
|  | V 2.0 : EVID 5443 : WFP - Prov. Cont Pres At Start | Sub Rule | Filtering Platform Startup State | Information |
|  | V 2.0 : EVID 5444 : WFP - Sub-Layer Pres At Start | Sub Rule | Filtering Platform Startup State | Information |
|  | V 2.0 : EVID 5446 : WFP - Callout Changed | Sub Rule | Configuration Modified : Security | Configuration |
|  | V 2.0 : EVID 5449 : WFP - Prov. Context Changed | Sub Rule | Configuration Modified : Security | Configuration |
|  | V 2.0 : EVID 5448 : WFP - Provider Changed | Sub Rule | Configuration Modified : Security | Configuration |
|  | V 2.0 : EVID 5450 : WFP - Sub-layer Changed | Sub Rule | Configuration Modified : Security | Configuration |
|  | V 2.0 : EVID 5456 : PAStore - AD IPSEC Policy Appl | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 5457 : PAStore - AD IPSEC Policy Fail | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
|  | V 2.0 : EVID 5458 : PAStore-Cached AD IPSEC Policy | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 5459 : PAStore-Cached AD IPSEC Policy | Sub Rule | General IPSec Error | Error |
|  | V 2.0 : EVID 5460 : PAStore -Registry IPSEC Policy | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 5461 : PAStore -Registry IPSEC Policy | Sub Rule | General IPSec Error | Error |
|  | V 2.0 : EVID 5462 : PAStore - Fail To Apply IPSEC | Sub Rule | General IPSec Error | Error |
|  | V 2.0 : EVID 5463 : PAStore- Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 5464 : PAStore-Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 5465 : PAStore-IPSEC Policy Forcibly | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 5466 : PAStore-Unabled To Reach AD | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 5467 : PAStore -Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 5468 : PAStore-Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 5471 : PAStore-Local IPSEC Policy Loa | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 4772 : Kerberos TGT Request Failed | Sub Rule | Windows Audit Failure Event | Other Audit Failure |
|  | V 2.0 : EVID 4773 : Kerberos TGS Request Failed | Sub Rule | Access Object Failure | Access Failure |
|  | V 2.0 : EVID 4774 : Account Successfully Mapped | Sub Rule | Account Mapped For Logon | Other Audit Success |
|  | V 2.0 : EVID 4774 : Account Failed To Be Mapped | Sub Rule | Account Logon Mapping Failed | Other Audit Failure |
|  | V 2.0 : EVID 4775 : Account Could Not Be Mapped | Sub Rule | Account Logon Mapping Failed | Other Audit Failure |
|  | V 2.0 : EVID 4777 : Domain Contrler Faild To Valid | Sub Rule | Windows Audit Failure Event | Other Audit Failure |
|  | V 2.0 : EVID 4646 : IPSEC -DoS Prevention Mode Str | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 4650 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Established | Network Traffic |
|  | V 2.0 : EVID 4651 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Established | Network Traffic |
|  | V 2.0 : EVID 4652 : IPSEC - Main Mode Negotiation | Sub Rule | IPSEC Negotiation Failed | Error |
|  | V 2.0 : EVID 4653 : IPSEC - Main Mode Negotiation | Sub Rule | IPSEC Negotiation Failed | Error |
|  | V 2.0 : EVID 4655 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Ended | Network Traffic |
|  | V 2.0 : EVID 4960 : IPSEC - Inbound Pck Intrgty Fl | Sub Rule | Integrity Check Failed | Error |
|  | V 2.0 : EVID 4961 : IPSEC - Inbound Packet Replay | Sub Rule | Integrity Check Failed | Error |
|  | V 2.0 : EVID 4962 : IPSEC - Inbound Packet Replay | Sub Rule | Integrity Check Failed | Error |
|  | V 2.0 : EVID 4963 : IPSEC - Inbound Packet In Clr | Sub Rule | General IPSec Warning | Warning |
|  | V 2.0 : EVID 4965 : IPSEC  Packet Received Invalid | Sub Rule | IPSEC Received Bad Packet | Error |
|  | V 2.0 : EVID 4976 : IPSEC - Main Mode Invld Negt | Sub Rule | IPSEC Received Bad Packet | Error |
|  | V 2.0 : EVID 4977 : IPSEC - Quick Mode Invld Negot | Sub Rule | IPSEC Received Bad Packet | Error |
|  | V 2.0 : EVID 4978 : IPSEC - Extended Mode Invalid | Sub Rule | IPSEC Received Bad Packet | Error |
|  | V 2.0 : EVID 4979 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
|  | V 2.0 : EVID 4980 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
|  | V 2.0 : EVID 4981 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
|  | V 2.0 : EVID 5024 : Firewall - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | V 2.0 : EVID 5025 : Firewall - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | V 2.0 : EVID 5027 : Firewall-ServiceUnableToRetrie | Sub Rule | Firewall Service Failed To Load Local Policy | Warning |
|  | V 2.0 : EVID 5028 : Firewall-Service FailedToParse | Sub Rule | Firewall Service Failed To Load Local Policy | Warning |
|  | V 2.0 : EVID 5029 : Firewall-ServiceFailedToLoadDr | Sub Rule | Driver Failed To Load | Warning |
|  | V 2.0 : EVID 4982 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
|  | V 2.0 : EVID 5030 : Firewall-Service FailedToStart | Sub Rule | Firewall Service Failed To Start | Critical |
|  | V 2.0 : EVID 4983 : IPSEC - Extended Mode Negotion | Sub Rule | IPSEC Negotiation Failed | Error |
|  | V 2.0 : EVID 5032 : Firewall - Unable ToNotifyUser | Sub Rule | Firewall Notification Failed | Warning |
|  | V 2.0 : EVID 4984 : IPSEC - Extended Mode NegotFai | Sub Rule | IPSEC Negotiation Failed | Error |
|  | V 2.0 : EVID 5049 : IPSEC - Security Assoc Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
|  | V 2.0 : EVID 5033 : Firewall - Driver StartedSucs | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | V 2.0 : EVID 5451 : IPSEC - Quick Mode Security As | Sub Rule | IPSEC Security Association Established | Network Traffic |
|  | V 2.0 : EVID 5034 : Firewall - Driver Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | V 2.0 : EVID 5452 : IPSEC - Quick Mode Security As | Sub Rule | IPSEC Security Association Ended | Network Traffic |
|  | V 2.0 : EVID 5035 : Firewall - DriverFailedToStart | Sub Rule | Firewall Driver Startup Failed | Critical |
|  | V 2.0 : EVID 5453 : IPSEC - Negotiation Failed Due | Sub Rule | IPSEC Negotiation Failed | Error |
|  | V 2.0 : EVID 5478 : IPSEC - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | V 2.0 : EVID 5037 : Firewall-DriverCriticalRuntime | Sub Rule | Firewall Driver Critical Condition | Critical |
|  | V 2.0 : EVID 5479 : IPSEC - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | V 2.0 : EVID 5480 : IPSEC - Failed To Obtain Netw | Sub Rule | IPSEC Network Interface List Failed | Warning |
|  | V 2.0 : EVID 5483 : IPSEC - Failed To Intlize RPC | Sub Rule | IPSEC Service Failed To Start | Error |
|  | V 2.0 : EVID 5484 : IPSEC - Critical Service Failu | Sub Rule | IPSEC Service Error Caused Shutdown | Critical |
|  | V 2.0 : EVID 5485 : IPSEC - Failed To Prcss Filter | Sub Rule | IPSEC Filter Processing Failed | Error |
|  | V 2.0 : EVID 6400 : BranchCache-IncorrectlyFrmated | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 6401 : BranchCache-InvalidPeerDataRec | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 6402 : BranchCache - IncorectlyFrmatd | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 6403 : BranchCache - IncorectlyFrmatd | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 6404 : BranchCache - UnablToAuth | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 6405 : BranchCache - Mult EventsRecv | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 6406 : BranchCache - Registration | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 6407 : BranchCache - General Event | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 6408 : BranchCache - Regt Wind Firewa | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 6409 : BranchCache - Service Conn | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 6145 : Sec Policy GPOs Fail To Apply | Sub Rule | Policy Failed | Error |
|  | V 2.0 : EVID 6144 : Security Policy GPOs Applied | Sub Rule | Policy Enabled : System | Policy |
|  | V 2.0 : EVID 5447 : WFP - Filter Changed | Sub Rule | Configuration Modified : Security | Configuration |
|  | V 2.0 : EVID 4906 : CrashOnAuditFail Value Changed | Sub Rule | Configuration Modified : System | Configuration |
|  | V 2.0 : EVID 4908 : Special Groups Logon Table Mod | Sub Rule | Configuration Modified : System | Configuration |
|  | V 2.0 : EVID 4909 : Local TBS Policy Settings Mod. | Sub Rule | Policy Modified : System | Policy |
|  | V 2.0 : EVID 4910 : Group TBS Policy Settings Modi | Sub Rule | Policy Modified : System | Policy |
|  | V 2.0 : EVID 4902 : Per-User Policy Table Created | Sub Rule | Policy Created : System | Policy |
|  | V 2.0 : EVID 4826 : Boot Configuration Data Loaded | Sub Rule | Configuration Loaded : System | Configuration |
|  | V 2.0 : EVID 4864 : Namespace Collision Detected | Sub Rule | Namespace Collision | Error |
|  | V 2.0 : EVID 4714 : Encrypted Data Rec Policy Mod | Sub Rule | Policy Modified : System | Policy |
|  | V 2.0 : EVID 4671 : Application Attempted Access | Sub Rule | Access Object Failure | Access Failure |
|  | V 2.0 : EVID 5148 : WFP - DoS Attack Detected | Sub Rule | Failed Network Denial Of Service | Failed Denial of Service |
|  | V 2.0 : EVID 5149 : WFP - DoS Attack Ended | Sub Rule | General Security | Other Security |
|  | V 2.0 : EVID 4608 : Windows Starting Up | Sub Rule | System Started | Startup and Shutdown |
|  | V 2.0 : EVID 4612 : Audit Queuing Resources Exhaus | Sub Rule | Audit Queuing Resources Exhausted | Warning |
|  | V 2.0 : EVID 4615 : Invalid LPC Port Use | Sub Rule | Unauthorized Activity | Misuse |
|  | V 2.0 : EVID 4618 : User-Defined Security Event | Sub Rule | General Event Log Information | Information |
|  | V 2.0 : EVID 4621 : Admin Recovrd Frm CrashOnAudi | Sub Rule | Crash On Audit Fail Recovered | Information |
|  | V 2.0 : EVID 4816 : RPC Message Integrity Violatio | Sub Rule | RPC Integrity Violation | Error |
|  | V 2.0 : EVID 5038 : Invalid Image Hash | Sub Rule | Integrity Check Failed | Error |
|  | V 2.0 : EVID 5056 : CNG - Crypto Self-Check Perf | Sub Rule | Cryptographic Self Test Performed | Information |
|  | V 2.0 : EVID 5062 : CNG - Kernel Crypto Self-Check | Sub Rule | Cryptographic Self Test Performed | Information |
|  | V 2.0 : EVID 5057 : CNG - Primitive Crypto Op Fail | Sub Rule | Cryptographic Failure | Error |
|  | V 2.0 : EVID 5060 : CNG - Crypto Verification Fail | Sub Rule | Cryptographic Failure | Error |
|  | V 2.0 : EVID 6281 : Invalid Page Hash In Image Fil | Sub Rule | Integrity Check Failed | Error |
|  | V 2.0 : EVID 6410 : File Failed Security Check | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
|  | V 2.0 : EVID 5712 : RPC Attempted | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 4944 : WFP - Policy Active And Window | Sub Rule | Active Firewall Policy On Start | Information |
|  | V 2.0 : EVID 4949 : WFP Settings Restored Default | Sub Rule | Configuration Modified : Security | Configuration |
|  | V 2.0 : EVID 4954 : WFP - Group Policy Settings | Sub Rule | Configuration Modified : Security | Configuration |
|  | V 2.0 : EVID 4783 : Basic Application Group Create | Sub Rule | Group Created | Account Created |
|  | V 2.0 : EVID 4784 : Basic Application Group Change | Sub Rule | Group Attribute Modified | Account Modified |
|  | V 2.0 : EVID 4785 : Member Add To Basic App Group | Sub Rule | Account Added To Group | Access Granted |
|  | V 2.0 : EVID 4786 : Member Remove From Basic App | Sub Rule | Account Removed From Group | Access Revoked |
|  | V 2.0 : EVID 4787 : Non-Member Add To Basic App | Sub Rule | Account Added To Group | Access Granted |
|  | V 2.0 : EVID 4788 : Non-Memb Remove From Basic App | Sub Rule | Account Removed From Group | Access Revoked |
|  | V 2.0 : EVID 4789 : Basic Application Group Delete | Sub Rule | Group Deleted | Account Deleted |
|  | V 2.0 : EVID 4790 : LDAP Query Group Created | Sub Rule | Group Created | Account Created |
|  | V 2.0 : EVID 4791 : LDAP Query Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
|  | V 2.0 : EVID 4934 : AD Object Attributes Replicate | Sub Rule | AD Object Attributes Replicated | Information |
|  | V 2.0 : EVID 4935 : Replication Failure Begins | Sub Rule | AD Replication Failure Begins | Error |
|  | V 2.0 : EVID 4936 : Replication Failure Ends | Sub Rule | AD Replication Failure Ends | Error |
|  | V 2.0 : EVID 4937 : Lingering Obj Removed Frm ADRe | Sub Rule | Object Deleted/Removed | Access Success |
|  | V 2.0 : EVID 4792 : LDAP Query Group Deleted | Sub Rule | Group Deleted | Account Deleted |
|  | V 2.0 : EVID 4664 : File Hard Link Created | Sub Rule | Object Created | Access Success |
|  | V 2.0 : EVID 4690 : Object Handle Duplicated | Sub Rule | Object Created | Access Success |
|  | V 2.0 : EVID 5039 : Registry Key Virtualized | Sub Rule | Registry Key Virtualized | Other Audit Success |
|  | V 2.0 : EVID 5051 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success |
|  | V 2.0 : EVID 5168 :  SPN Check For SMB Failed | Sub Rule | Access Object Failure | Access Failure |
|  | V 2.0 : EVID 6275 : NPS - Accounting Request Disca | Sub Rule | Bad Request | Warning |
|  | V 2.0 : EVID 6276 : NPS - User Quarantined | Sub Rule | Network Policy Server Quarantined User | Other Audit |
|  | V 2.0 : EVID 6277 : NPS - Access Granted User | Sub Rule | Access Granted Activity | Access Granted |
|  | V 2.0 : EVID 6279 : NPS - User Account Locked | Sub Rule | Account Locked | Access Revoked |
|  | V 2.0 : EVID 6280 : NPS - User Account Unlocked | Sub Rule | Account Unlocked | Access Granted |
|  | V 2.0 : EVID 4626 : User/Device Claims Information | Sub Rule | User Information | Information |
|  | V 2.0 : EVID 4666 : AM - App Attempted Operation | Sub Rule | General Application Information | Information |
|  | V 2.0 : EVID 4665 : AM - App Client Context Create | Sub Rule | General Application Information | Information |
|  | V 2.0 : EVID 4667 : AM - App Client Context Delete | Sub Rule | General Application Information | Information |
|  | V 2.0 : EVID 4668 : AM - Application Initialized | Sub Rule | General Application Information | Information |
|  | V 2.0 : EVID 4985 : Transaction State Change | Sub Rule | General Transaction Information | Information |
|  | V 2.0 : EVID 1101 : Audit Events Dropped | Sub Rule | Message Dropped | Error |
|  | V 2.0 : EVID 4609 : Windows Shutting Down | Sub Rule | System Shutting Down | Startup and Shutdown |
|  | V 2.0 : EVID 4654 : Quick Mode Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
|  | V 2.0 : EVID 4797 : Blank Passwords Queried | Sub Rule | General Audit Message | Other Audit |
|  | V 2.0 : EVID 4820 : TGT Denied - ACL | Sub Rule | User Logon Failure | Authentication Failure |
|  | V 2.0 : EVID 4821 : TGS Denied - ACL | Sub Rule | Access Object Failure | Access Failure |
|  | V 2.0 : EVID 4822 : NTLM Auth Denied | Sub Rule | User Logon Failure | Authentication Failure |
|  | V 2.0 : EVID 4823 : NTLM Auth Denied | Sub Rule | User Logon Failure | Authentication Failure |
|  | V 2.0 : EVID 4824 : Kerberos Pre-Auth Failed | Sub Rule | User Logon Failure | Authentication Failure |
|  | V 2.0 : EVID 4825 : RDP Access Denied | Sub Rule | User Logon Failure | Authentication Failure |
|  | V 2.0 : EVID 4830 : SID History Removed From Accou | Sub Rule | User Account Attribute Modified | Account Modified |
|  | V 2.0 : EVID 4899 : Certificate Template Updated | Sub Rule | Object Modified | Access Success |
|  | V 2.0 : EVID 4900 : Certificate Template Sec Updat | Sub Rule | Object Attribute Modified | Access Success |
|  | V 2.0 : EVID 5150 : Firewall - Disable Attempt | Sub Rule | Suspicious Activity | Suspicious |
|  | V 2.0 : EVID 5071 : Key Access Denied | Sub Rule | Access Object Failure | Access Failure |
|  | V 2.0 : EVID 5146 : WFP - Packed Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | V 2.0 : EVID 5147 : WFP - Packed Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
|  | V 2.0 : EVID 5151 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success |
|  | V 2.0 : EVID 5170 : AD Object Modified | Sub Rule | Object Modified | Access Success |
|  | V 2.0 : EVID 5472 : PAStore - Local IPSEC Policy F | Sub Rule | General IPSec Error | Error |
|  | V 2.0 : EVID 5473 : PAStore - Directory Storage IP | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 5477 : PAStore - Failed To Add Quick | Sub Rule | General IPSEC Message | Information |
|  | V 2.0 : EVID 6278 : NPS - Full Access Granted To U | Sub Rule | Access Granted Activity | Access Granted |
|  | V 2.0 : EVID 6417 : FIPS Selftest Passed | Sub Rule | Cryptographic Self Test Performed | Information |
|  | V 2.0 : EVID 6418 : FIPS Selftest Failed | Sub Rule | Cryptographic Failure | Error |
|  | V 2.0 : EVID 4868 : CS - Certificate Manager Denie | Sub Rule | Certificate Manager Denied Pending Cert Request | Warning |
|  | V 2.0 : EVID 4869 : CS - Received Resubmitted Cert | Sub Rule | Certificate Services Rcvd Resubmitted Cert Request | Other Audit |
|  | V 2.0 : EVID 4870 : CS - Certificate Revoked | Sub Rule | Certificate Services Rcvd Resubmitted Cert Request | Other Audit |
|  | V 2.0 : EVID 4871 : CS - CRL Publication Request R | Sub Rule | Certificate Svcs Received Request To Publish CRL | Information |
|  | V 2.0 : EVID 4872 : CS - CRL Published | Sub Rule | Certificate Services Published CRL | Information |
|  | V 2.0 : EVID 4873 : CS - Certificate Request Extn | Sub Rule | Certificate Request Extension Changed | Information |
|  | V 2.0 : EVID 4874 : CS - Certificate Request Chang | Sub Rule | Certificate Request Attributes Changed | Information |
|  | V 2.0 : EVID 4875 : CS - Shutdown Request Received | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |
|  | V 2.0 : EVID 4876 : CS - Backup Started | Sub Rule | Backup Active | Information |
|  | V 2.0 : EVID 4877 : CS - Backup Complete | Sub Rule | Backup Completed | Information |
|  | V 2.0 : EVID 4878 : CS - Restore Started | Sub Rule | Backup Restored | Information |
|  | V 2.0 : EVID 4879 : CS - Restore Completed | Sub Rule | Backup Restored | Information |
|  | V 2.0 : EVID 4880 : CS - Services Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | V 2.0 : EVID 4881 : CS - Services Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | V 2.0 : EVID 4882 : CS -Security Permissions Modif | Sub Rule | Configuration Modified : Application | Configuration |
|  | V 2.0 : EVID 4883 : CS - Archived Key Retrieved | Sub Rule | Certificate Services Retrieved Archived Key | Information |
|  | V 2.0 : EVID 4884 : CS - Certificate Imported | Sub Rule | Certificate Services Imported Certificate | Information |
|  | V 2.0 : EVID 4885 : CS - Audit Filter Modified | Sub Rule | Configuration Modified : Application | Configuration |
|  | V 2.0 : EVID 4886 : CS - Certificate Request Rcvd | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success |
|  | V 2.0 : EVID 4887 : CS - Certificate Issued | Sub Rule | Certificate Services Issued Certificate | Information |
|  | V 2.0 : EVID 4888 : CS - Certificate Request Denie | Sub Rule | Certificate Services Denied Certificate Request | Warning |
|  | V 2.0 : EVID 4889 : CS - Certificate Request Statu | Sub Rule | Certificate Services Set Cert Status To Pending | Information |
|  | V 2.0 : EVID 4890 : CS - Certificate Manager Setti | Sub Rule | Configuration Modified : Application | Configuration |
|  | V 2.0 : EVID 4891 : CS - Configuration Entry Modif | Sub Rule | Configuration Modified : Application | Configuration |
|  | V 2.0 : EVID 4892 : CS - Property Modified | Sub Rule | Configuration Modified : Application | Configuration |
|  | V 2.0 : EVID 4893 : CS - Key Archived | Sub Rule | Certificate Services Archived A Key | Information |
|  | V 2.0 : EVID 4894 : CS - Key Imported And Archived | Sub Rule | Certificate Services Imported And Archived Key | Information |
|  | V 2.0 : EVID 4895 : CS -ADDS CA Certificate Publis | Sub Rule | Certificate Services Published CA Certificate | Information |
|  | V 2.0 : EVID 4896 : CS - Rows Deleted From Databas | Sub Rule | Certificate Services Database Rows Deleted | Information |
|  | V 2.0 : EVID 4897 : CS - Role Separation Enabled | Sub Rule | Configuration Modified : Application | Configuration |
|  | V 2.0 : EVID 4898 : CS - Template Loaded | Sub Rule | Certificate Services Loaded Template | Information |
|  | V 2.0 : EVID 5120 : CS - OCSP Responder Started | Sub Rule | Process/Service Started | Startup and Shutdown |
|  | V 2.0 : EVID 5121 : CS - OCSP Responder Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
|  | V 2.0 : EVID 5122 : CS - OCSP Config Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | V 2.0 : EVID 4649 : Replay Attack Detected | Sub Rule | Replay Activity | Attack |
|  | V 2.0 : EVID 5123 : CS - OCSP Config Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | V 2.0 : EVID 5124 : CS - OCSP Security Changed | Sub Rule | Configuration Modified : Application | Configuration |
|  | V 2.0 : EVID 5125 : CS - OCSP Request | Sub Rule | Request Received | Other Audit Success |
|  | V 2.0 : EVID 5126 : CS - OCSP Signer Updated | Sub Rule | Configuration Modified : Application | Configuration |
|  | V 2.0 : EVID 5127 : CS - OCSP Provider Updated | Sub Rule | Configuration Modified : Application | Configuration |

