Event Details

| Event Type | Audit Filtering Platform Policy Change |
|---|---|
| Event Description | |
| Event IDs | 5446, 5447, 5448, 5449, 5450 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default 2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default 2.0 |
|---|---|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | N/A | <severity> |
| Task | N/A | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <tag1> | <result>, <tag2> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| ProcessID | <processid> | N/A |
| EventData | N/A | N/A |
| ErrorCode | N/A | <responsecode> |
| SubjectUserSid | N/A | N/A |
| SubjectUserName | N/A | N/A |
| SubjectDomainName | N/A | N/A |
| SubjectLogonId | N/A | N/A |
| ObjectType | N/A | N/A |
| IpAddress | N/A | N/A |
| IpPort | N/A | N/A |
| ShareName | N/A | N/A |
| ShareLocation | N/A | N/A |
| AccessMask | N/A | N/A |
| AccessList | N/A | N/A |
| RelativeTargetName | N/A | N/A |
| ShareLocationPath | N/A | N/A |
| RelativeTargetName | N/A | N/A |
| Accesses | N/A | N/A |
| Change Type | <tag3> | N/A |
| Provider Name | <tag2> | N/A |
| Process ID | <processid> | N/A |
| Provider ID | <session> | N/A |
| Provider Name | <process> | N/A |
| Change Type | <tag3> | N/A |
| Filter Name | <object> | N/A |
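As an added illustration (not LogRhythm's own parser or rule engine), the Python below applies the non-N/A rows of the table above to a constructed 5447 event, shows the metadata each policy yields, and selects the LogRhythm Default Add/Del sub-rule using the rule names from the Log Processing Settings section. The simplified XML shape, the element names and every value in the sample are assumptions made for this example.

```python
# Added example (not LogRhythm's parser or rule engine): apply the non-N/A rows of
# the table above to a WFP policy-change event and pick the LogRhythm Default rule.
import xml.etree.ElementTree as ET

# Constructed sample 5447 (Filtering Platform Filter Change) event in a simplified
# XML shape. Element and Data names follow the Log Field column; values are made up.
SAMPLE_5447 = """<Event>
  <System>
    <EventID>5447</EventID>
    <Level>0</Level>
    <Task>13571</Task>
    <Keywords>Audit Success</Keywords>
    <Computer>host01.example.test</Computer>
    <ProcessID>4</ProcessID>
  </System>
  <EventData>
    <Data Name="Process ID">4</Data>
    <Data Name="Provider ID">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="Provider Name">Example Firewall Provider</Data>
    <Data Name="Change Type">Add</Data>
    <Data Name="Filter Name">Block inbound TCP 445</Data>
  </EventData>
</Event>"""

# Log field -> LogRhythm metadata field(s), one dict per policy. "Provider Name"
# appears twice in the Default column of the table (<tag2> and <process>).
DEFAULT_MAP = {
    "EventID": ["vmid"], "Keywords": ["tag1"], "Computer": ["dname"],
    "ProcessID": ["processid"], "Process ID": ["processid"],
    "Change Type": ["tag3"], "Provider Name": ["tag2", "process"],
    "Provider ID": ["session"], "Filter Name": ["object"],
}
DEFAULT_2_MAP = {
    "EventID": ["vmid"], "Level": ["severity"], "Task": ["vendorinfo"],
    "Keywords": ["result", "tag2"], "Computer": ["dname"],
    "ErrorCode": ["responsecode"],
}
# Object named in each Default sub-rule, keyed by event ID.
WFP_OBJECT = {5446: "Callout", 5447: "Filter", 5448: "Provider",
              5449: "Context", 5450: "SubLayer"}


def extract_fields(event_xml):
    """Flatten <System> children and <EventData><Data Name=...> into one dict."""
    root = ET.fromstring(event_xml)
    fields = {}
    system = root.find("System")
    if system is not None:
        for child in system:
            fields[child.tag] = (child.text or "").strip()
    for data in root.iterfind("./EventData/Data"):
        if data.get("Name"):
            fields[data.get("Name")] = (data.text or "").strip()
    return fields


def apply_policy(fields, mapping):
    """Return {metadata field: value} for each mapped log field present in the event."""
    meta = {}
    for log_field, targets in mapping.items():
        if log_field in fields:
            for target in targets:
                meta[target] = fields[log_field]
    return meta


def default_rule(fields):
    """Return (rule name, common event) under the LogRhythm Default policy.
    Add/Del sub-rules come from Change Type; other values stay on the base rule.
    """
    evid = int(fields["EventID"])
    if evid not in WFP_OBJECT:
        raise ValueError("EVID %d is not a Filtering Platform policy change" % evid)
    change = fields.get("Change Type", "").lower()
    if change.startswith("add"):
        tail, common = "Add", "Configuration Loaded : Security"
    elif change.startswith("del"):
        tail, common = "Del", "Configuration Deleted : Security"
    else:
        return ("EVID 5446 : 5450 : Windows Filter Platform Change",
                "Configuration Modified : Security")
    return ("EVID %d : Filtering Platform %s Change : %s"
            % (evid, WFP_OBJECT[evid], tail), common)


if __name__ == "__main__":
    f = extract_fields(SAMPLE_5447)
    print(apply_policy(f, DEFAULT_MAP), default_rule(f), apply_policy(f, DEFAULT_2_MAP))
```

Under Default 2.0 the Change Type, Provider Name and Filter Name columns are N/A and the single v2.0 rule for EVID 5447 classifies every filter change as Configuration Modified : Security, so an Add/Del distinction is only available from the Default policy's sub-rules or from the raw message text.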
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default 2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1000643 | EVID 5446 : 5450 : Windows Filter Platform Change | Base Rule | Configuration Modified : Security | Configuration |
| | EVID 5446 : Filtering Platform Callout Change : Add | Sub Rule | Configuration Loaded : Security | Configuration |
| | EVID 5447 : Filtering Platform Filter Change : Add | Sub Rule | Configuration Loaded : Security | Configuration |
| | EVID 5448 : Filtering Platform Provider Change : Add | Sub Rule | Configuration Loaded : Security | Configuration |
| | EVID 5449 : Filtering Platform Context Change : Add | Sub Rule | Configuration Loaded : Security | Configuration |
| | EVID 5450 : Filtering Platform SubLayer Change : Add | Sub Rule | Configuration Loaded : Security | Configuration |
| | EVID 5446 : Filtering Platform Callout Change : Del | Sub Rule | Configuration Deleted : Security | Configuration |
| | EVID 5447 : Filtering Platform Filter Change : Del | Sub Rule | Configuration Deleted : Security | Configuration |
| | EVID 5448 : Filtering Platform Provider Change : Del | Sub Rule | Configuration Deleted : Security | Configuration |
| | EVID 5449 : Filtering Platform Context Change : Del | Sub Rule | Configuration Deleted : Security | Configuration |
| | EVID 5450 : Filtering Platform SubLayer Change : Del | Sub Rule | Configuration Deleted : Security | Configuration |
LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011079 | V 2.0 : Catch All | Base Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 4649 : Replay Attack Detected | Sub Rule | Replay Activity | Attack |
| | V 2.0 : EVID 4675 : SIDs Were Filtered | Sub Rule | SIDs Filtered | Other Audit |
| | V 2.0 : EVID 4765 : SID History Added To Account | Sub Rule | User Account Attribute Modified | Account Modified |
| | V 2.0 : EVID 4766 : SID History Add Failed | Sub Rule | Modify Object Attribute Failure | Access Failure |
| | V 2.0 : EVID 5378 : Credential Delegation Disallow | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4709 : IPSEC - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 4710 : IPSEC - Service Disabled | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 4711 : PAStore - General Event | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 4712 : IPSEC - Fatal Error Encounter | Sub Rule | General IPSec Critical | Critical |
| | V 2.0 : EVID 5040 : IPSEC - Auth. Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
| | V 2.0 : EVID 5041 : IPSEC - Auth. Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5042 : IPSEC - Auth. Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | V 2.0 : EVID 5043 : IPSEC - Conn. Sec. Rule Added | Sub Rule | Configuration Loaded : Security | Configuration |
| | V 2.0 : EVID 5044 : IPSEC - Conn Sec Rule Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5045 : IPSEC - Conn Sec Rule Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | V 2.0 : EVID 5046 : IPSEC - Crypto Set Added | Sub Rule | Configuration Loaded : Security | Configuration |
| | V 2.0 : EVID 5047 : IPSEC - Crypto Set Modified | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5048 : IPSEC - Crypto Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | V 2.0 : EVID 5440 : WFP - Callout Present At Start | Sub Rule | Filtering Platform Startup State | Information |
| | V 2.0 : EVID 5441 : WFP - Filter Present At Start | Sub Rule | Filtering Platform Startup State | Information |
| | V 2.0 : EVID 5442 : WFP - Prov. Present At Start | Sub Rule | Filtering Platform Startup State | Information |
| | V 2.0 : EVID 5443 : WFP - Prov. Cont Pres At Start | Sub Rule | Filtering Platform Startup State | Information |
| | V 2.0 : EVID 5444 : WFP - Sub-Layer Pres At Start | Sub Rule | Filtering Platform Startup State | Information |
| | V 2.0 : EVID 5446 : WFP - Callout Changed | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5449 : WFP - Prov. Context Changed | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5448 : WFP - Provider Changed | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5450 : WFP - Sub-layer Changed | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 5456 : PAStore - AD IPSEC Policy Appl | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5457 : PAStore - AD IPSEC Policy Fail | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure |
| | V 2.0 : EVID 5458 : PAStore-Cached AD IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5459 : PAStore-Cached AD IPSEC Policy | Sub Rule | General IPSec Error | Error |
| | V 2.0 : EVID 5460 : PAStore -Registry IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5461 : PAStore -Registry IPSEC Policy | Sub Rule | General IPSec Error | Error |
| | V 2.0 : EVID 5462 : PAStore - Fail To Apply IPSEC | Sub Rule | General IPSec Error | Error |
| | V 2.0 : EVID 5463 : PAStore- Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5464 : PAStore-Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5465 : PAStore-IPSEC Policy Forcibly | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5466 : PAStore-Unabled To Reach AD | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5467 : PAStore -Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5468 : PAStore-Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5471 : PAStore-Local IPSEC Policy Loa | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 4772 : Kerberos TGT Request Failed | Sub Rule | Windows Audit Failure Event | Other Audit Failure |
| | V 2.0 : EVID 4773 : Kerberos TGS Request Failed | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4774 : Account Successfully Mapped | Sub Rule | Account Mapped For Logon | Other Audit Success |
| | V 2.0 : EVID 4774 : Account Failed To Be Mapped | Sub Rule | Account Logon Mapping Failed | Other Audit Failure |
| | V 2.0 : EVID 4775 : Account Could Not Be Mapped | Sub Rule | Account Logon Mapping Failed | Other Audit Failure |
| | V 2.0 : EVID 4777 : Domain Contrler Faild To Valid | Sub Rule | Windows Audit Failure Event | Other Audit Failure |
| | V 2.0 : EVID 4646 : IPSEC -DoS Prevention Mode Str | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 4650 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 4651 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 4652 : IPSEC - Main Mode Negotiation | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 4653 : IPSEC - Main Mode Negotiation | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 4655 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Ended | Network Traffic |
| | V 2.0 : EVID 4960 : IPSEC - Inbound Pck Intrgty Fl | Sub Rule | Integrity Check Failed | Error |
| | V 2.0 : EVID 4961 : IPSEC - Inbound Packet Replay | Sub Rule | Integrity Check Failed | Error |
| | V 2.0 : EVID 4962 : IPSEC - Inbound Packet Replay | Sub Rule | Integrity Check Failed | Error |
| | V 2.0 : EVID 4963 : IPSEC - Inbound Packet In Clr | Sub Rule | General IPSec Warning | Warning |
| | V 2.0 : EVID 4965 : IPSEC Packet Received Invalid | Sub Rule | IPSEC Received Bad Packet | Error |
| | V 2.0 : EVID 4976 : IPSEC - Main Mode Invld Negt | Sub Rule | IPSEC Received Bad Packet | Error |
| | V 2.0 : EVID 4977 : IPSEC - Quick Mode Invld Negot | Sub Rule | IPSEC Received Bad Packet | Error |
| | V 2.0 : EVID 4978 : IPSEC - Extended Mode Invalid | Sub Rule | IPSEC Received Bad Packet | Error |
| | V 2.0 : EVID 4979 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 4980 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 4981 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 5024 : Firewall - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 5025 : Firewall - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 5027 : Firewall-ServiceUnableToRetrie | Sub Rule | Firewall Service Failed To Load Local Policy | Warning |
| | V 2.0 : EVID 5028 : Firewall-Service FailedToParse | Sub Rule | Firewall Service Failed To Load Local Policy | Warning |
| | V 2.0 : EVID 5029 : Firewall-ServiceFailedToLoadDr | Sub Rule | Driver Failed To Load | Warning |
| | V 2.0 : EVID 4982 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 5030 : Firewall-Service FailedToStart | Sub Rule | Firewall Service Failed To Start | Critical |
| | V 2.0 : EVID 4983 : IPSEC - Extended Mode Negotion | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 5032 : Firewall - Unable ToNotifyUser | Sub Rule | Firewall Notification Failed | Warning |
| | V 2.0 : EVID 4984 : IPSEC - Extended Mode NegotFai | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 5049 : IPSEC - Security Assoc Deleted | Sub Rule | Configuration Deleted : Security | Configuration |
| | V 2.0 : EVID 5033 : Firewall - Driver StartedSucs | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 5451 : IPSEC - Quick Mode Security As | Sub Rule | IPSEC Security Association Established | Network Traffic |
| | V 2.0 : EVID 5034 : Firewall - Driver Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 5452 : IPSEC - Quick Mode Security As | Sub Rule | IPSEC Security Association Ended | Network Traffic |
| | V 2.0 : EVID 5035 : Firewall - DriverFailedToStart | Sub Rule | Firewall Driver Startup Failed | Critical |
| | V 2.0 : EVID 5453 : IPSEC - Negotiation Failed Due | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 5478 : IPSEC - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 5037 : Firewall-DriverCriticalRuntime | Sub Rule | Firewall Driver Critical Condition | Critical |
| | V 2.0 : EVID 5479 : IPSEC - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 5480 : IPSEC - Failed To Obtain Netw | Sub Rule | IPSEC Network Interface List Failed | Warning |
| | V 2.0 : EVID 5483 : IPSEC - Failed To Intlize RPC | Sub Rule | IPSEC Service Failed To Start | Error |
| | V 2.0 : EVID 5484 : IPSEC - Critical Service Failu | Sub Rule | IPSEC Service Error Caused Shutdown | Critical |
| | V 2.0 : EVID 5485 : IPSEC - Failed To Prcss Filter | Sub Rule | IPSEC Filter Processing Failed | Error |
| | V 2.0 : EVID 6400 : BranchCache-IncorrectlyFrmated | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6401 : BranchCache-InvalidPeerDataRec | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6402 : BranchCache - IncorectlyFrmatd | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6403 : BranchCache - IncorectlyFrmatd | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6404 : BranchCache - UnablToAuth | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6405 : BranchCache - Mult EventsRecv | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6406 : BranchCache - Registration | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6407 : BranchCache - General Event | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6408 : BranchCache - Regt Wind Firewa | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6409 : BranchCache - Service Conn | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 6145 : Sec Policy GPOs Fail To Apply | Sub Rule | Policy Failed | Error |
| | V 2.0 : EVID 6144 : Security Policy GPOs Applied | Sub Rule | Policy Enabled : System | Policy |
| | V 2.0 : EVID 5447 : WFP - Filter Changed | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 4906 : CrashOnAuditFail Value Changed | Sub Rule | Configuration Modified : System | Configuration |
| | V 2.0 : EVID 4908 : Special Groups Logon Table Mod | Sub Rule | Configuration Modified : System | Configuration |
| | V 2.0 : EVID 4909 : Local TBS Policy Settings Mod. | Sub Rule | Policy Modified : System | Policy |
| | V 2.0 : EVID 4910 : Group TBS Policy Settings Modi | Sub Rule | Policy Modified : System | Policy |
| | V 2.0 : EVID 4902 : Per-User Policy Table Created | Sub Rule | Policy Created : System | Policy |
| | V 2.0 : EVID 4826 : Boot Configuration Data Loaded | Sub Rule | Configuration Loaded : System | Configuration |
| | V 2.0 : EVID 4864 : Namespace Collision Detected | Sub Rule | Namespace Collision | Error |
| | V 2.0 : EVID 4714 : Encrypted Data Rec Policy Mod | Sub Rule | Policy Modified : System | Policy |
| | V 2.0 : EVID 4671 : Application Attempted Access | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 5148 : WFP - DoS Attack Detected | Sub Rule | Failed Network Denial Of Service | Failed Denial of Service |
| | V 2.0 : EVID 5149 : WFP - DoS Attack Ended | Sub Rule | General Security | Other Security |
| | V 2.0 : EVID 4608 : Windows Starting Up | Sub Rule | System Started | Startup and Shutdown |
| | V 2.0 : EVID 4612 : Audit Queuing Resources Exhaus | Sub Rule | Audit Queuing Resources Exhausted | Warning |
| | V 2.0 : EVID 4615 : Invalid LPC Port Use | Sub Rule | Unauthorized Activity | Misuse |
| | V 2.0 : EVID 4618 : User-Defined Security Event | Sub Rule | General Event Log Information | Information |
| | V 2.0 : EVID 4621 : Admin Recovrd Frm CrashOnAudi | Sub Rule | Crash On Audit Fail Recovered | Information |
| | V 2.0 : EVID 4816 : RPC Message Integrity Violatio | Sub Rule | RPC Integrity Violation | Error |
| | V 2.0 : EVID 5038 : Invalid Image Hash | Sub Rule | Integrity Check Failed | Error |
| | V 2.0 : EVID 5056 : CNG - Crypto Self-Check Perf | Sub Rule | Cryptographic Self Test Performed | Information |
| | V 2.0 : EVID 5062 : CNG - Kernel Crypto Self-Check | Sub Rule | Cryptographic Self Test Performed | Information |
| | V 2.0 : EVID 5057 : CNG - Primitive Crypto Op Fail | Sub Rule | Cryptographic Failure | Error |
| | V 2.0 : EVID 5060 : CNG - Crypto Verification Fail | Sub Rule | Cryptographic Failure | Error |
| | V 2.0 : EVID 6281 : Invalid Page Hash In Image Fil | Sub Rule | Integrity Check Failed | Error |
| | V 2.0 : EVID 6410 : File Failed Security Check | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| | V 2.0 : EVID 5712 : RPC Attempted | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 4944 : WFP - Policy Active And Window | Sub Rule | Active Firewall Policy On Start | Information |
| | V 2.0 : EVID 4949 : WFP Settings Restored Default | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 4954 : WFP - Group Policy Settings | Sub Rule | Configuration Modified : Security | Configuration |
| | V 2.0 : EVID 4783 : Basic Application Group Create | Sub Rule | Group Created | Account Created |
| | V 2.0 : EVID 4784 : Basic Application Group Change | Sub Rule | Group Attribute Modified | Account Modified |
| | V 2.0 : EVID 4785 : Member Add To Basic App Group | Sub Rule | Account Added To Group | Access Granted |
| | V 2.0 : EVID 4786 : Member Remove From Basic App | Sub Rule | Account Removed From Group | Access Revoked |
| | V 2.0 : EVID 4787 : Non-Member Add To Basic App | Sub Rule | Account Added To Group | Access Granted |
| | V 2.0 : EVID 4788 : Non-Memb Remove From Basic App | Sub Rule | Account Removed From Group | Access Revoked |
| | V 2.0 : EVID 4789 : Basic Application Group Delete | Sub Rule | Group Deleted | Account Deleted |
| | V 2.0 : EVID 4790 : LDAP Query Group Created | Sub Rule | Group Created | Account Created |
| | V 2.0 : EVID 4791 : LDAP Query Group Changed | Sub Rule | Group Attribute Modified | Account Modified |
| | V 2.0 : EVID 4934 : AD Object Attributes Replicate | Sub Rule | AD Object Attributes Replicated | Information |
| | V 2.0 : EVID 4935 : Replication Failure Begins | Sub Rule | AD Replication Failure Begins | Error |
| | V 2.0 : EVID 4936 : Replication Failure Ends | Sub Rule | AD Replication Failure Ends | Error |
| | V 2.0 : EVID 4937 : Lingering Obj Removed Frm ADRe | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0 : EVID 4792 : LDAP Query Group Deleted | Sub Rule | Group Deleted | Account Deleted |
| | V 2.0 : EVID 4664 : File Hard Link Created | Sub Rule | Object Created | Access Success |
| | V 2.0 : EVID 4690 : Object Handle Duplicated | Sub Rule | Object Created | Access Success |
| | V 2.0 : EVID 5039 : Registry Key Virtualized | Sub Rule | Registry Key Virtualized | Other Audit Success |
| | V 2.0 : EVID 5051 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success |
| | V 2.0 : EVID 5168 : SPN Check For SMB Failed | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 6275 : NPS - Accounting Request Disca | Sub Rule | Bad Request | Warning |
| | V 2.0 : EVID 6276 : NPS - User Quarantined | Sub Rule | Network Policy Server Quarantined User | Other Audit |
| | V 2.0 : EVID 6277 : NPS - Access Granted User | Sub Rule | Access Granted Activity | Access Granted |
| | V 2.0 : EVID 6279 : NPS - User Account Locked | Sub Rule | Account Locked | Access Revoked |
| | V 2.0 : EVID 6280 : NPS - User Account Unlocked | Sub Rule | Account Unlocked | Access Granted |
| | V 2.0 : EVID 4626 : User/Device Claims Information | Sub Rule | User Information | Information |
| | V 2.0 : EVID 4666 : AM - App Attempted Operation | Sub Rule | General Application Information | Information |
| | V 2.0 : EVID 4665 : AM - App Client Context Create | Sub Rule | General Application Information | Information |
| | V 2.0 : EVID 4667 : AM - App Client Context Delete | Sub Rule | General Application Information | Information |
| | V 2.0 : EVID 4668 : AM - Application Initialized | Sub Rule | General Application Information | Information |
| | V 2.0 : EVID 4985 : Transaction State Change | Sub Rule | General Transaction Information | Information |
| | V 2.0 : EVID 1101 : Audit Events Dropped | Sub Rule | Message Dropped | Error |
| | V 2.0 : EVID 4609 : Windows Shutting Down | Sub Rule | System Shutting Down | Startup and Shutdown |
| | V 2.0 : EVID 4654 : Quick Mode Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error |
| | V 2.0 : EVID 4797 : Blank Passwords Queried | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 4820 : TGT Denied - ACL | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4821 : TGS Denied - ACL | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4822 : NTLM Auth Denied | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4823 : NTLM Auth Denied | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4824 : Kerberos Pre-Auth Failed | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4825 : RDP Access Denied | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4830 : SID History Removed From Accou | Sub Rule | User Account Attribute Modified | Account Modified |
| | V 2.0 : EVID 4899 : Certificate Template Updated | Sub Rule | Object Modified | Access Success |
| | V 2.0 : EVID 4900 : Certificate Template Sec Updat | Sub Rule | Object Attribute Modified | Access Success |
| | V 2.0 : EVID 5150 : Firewall - Disable Attempt | Sub Rule | Suspicious Activity | Suspicious |
| | V 2.0 : EVID 5071 : Key Access Denied | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 5146 : WFP - Packed Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | V 2.0 : EVID 5147 : WFP - Packed Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| | V 2.0 : EVID 5151 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success |
| | V 2.0 : EVID 5170 : AD Object Modified | Sub Rule | Object Modified | Access Success |
| | V 2.0 : EVID 5472 : PAStore - Local IPSEC Policy F | Sub Rule | General IPSec Error | Error |
| | V 2.0 : EVID 5473 : PAStore - Directory Storage IP | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 5477 : PAStore - Failed To Add Quick | Sub Rule | General IPSEC Message | Information |
| | V 2.0 : EVID 6278 : NPS - Full Access Granted To U | Sub Rule | Access Granted Activity | Access Granted |
| | V 2.0 : EVID 6417 : FIPS Selftest Passed | Sub Rule | Cryptographic Self Test Performed | Information |
| | V 2.0 : EVID 6418 : FIPS Selftest Failed | Sub Rule | Cryptographic Failure | Error |
| | V 2.0 : EVID 4868 : CS - Certificate Manager Denie | Sub Rule | Certificate Manager Denied Pending Cert Request | Warning |
| | V 2.0 : EVID 4869 : CS - Received Resubmitted Cert | Sub Rule | Certificate Services Rcvd Resubmitted Cert Request | Other Audit |
| | V 2.0 : EVID 4870 : CS - Certificate Revoked | Sub Rule | Certificate Services Rcvd Resubmitted Cert Request | Other Audit |
| | V 2.0 : EVID 4871 : CS - CRL Publication Request R | Sub Rule | Certificate Svcs Received Request To Publish CRL | Information |
| | V 2.0 : EVID 4872 : CS - CRL Published | Sub Rule | Certificate Services Published CRL | Information |
| | V 2.0 : EVID 4873 : CS - Certificate Request Extn | Sub Rule | Certificate Request Extension Changed | Information |
| | V 2.0 : EVID 4874 : CS - Certificate Request Chang | Sub Rule | Certificate Request Attributes Changed | Information |
| | V 2.0 : EVID 4875 : CS - Shutdown Request Received | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |
| | V 2.0 : EVID 4876 : CS - Backup Started | Sub Rule | Backup Active | Information |
| | V 2.0 : EVID 4877 : CS - Backup Complete | Sub Rule | Backup Completed | Information |
| | V 2.0 : EVID 4878 : CS - Restore Started | Sub Rule | Backup Restored | Information |
| | V 2.0 : EVID 4879 : CS - Restore Completed | Sub Rule | Backup Restored | Information |
| | V 2.0 : EVID 4880 : CS - Services Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 4881 : CS - Services Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 4882 : CS -Security Permissions Modif | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4883 : CS - Archived Key Retrieved | Sub Rule | Certificate Services Retrieved Archived Key | Information |
| | V 2.0 : EVID 4884 : CS - Certificate Imported | Sub Rule | Certificate Services Imported Certificate | Information |
| | V 2.0 : EVID 4885 : CS - Audit Filter Modified | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4886 : CS - Certificate Request Rcvd | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success |
| | V 2.0 : EVID 4887 : CS - Certificate Issued | Sub Rule | Certificate Services Issued Certificate | Information |
| | V 2.0 : EVID 4888 : CS - Certificate Request Denie | Sub Rule | Certificate Services Denied Certificate Request | Warning |
| | V 2.0 : EVID 4889 : CS - Certificate Request Statu | Sub Rule | Certificate Services Set Cert Status To Pending | Information |
| | V 2.0 : EVID 4890 : CS - Certificate Manager Setti | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4891 : CS - Configuration Entry Modif | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4892 : CS - Property Modified | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4893 : CS - Key Archived | Sub Rule | Certificate Services Archived A Key | Information |
| | V 2.0 : EVID 4894 : CS - Key Imported And Archived | Sub Rule | Certificate Services Imported And Archived Key | Information |
| | V 2.0 : EVID 4895 : CS -ADDS CA Certificate Publis | Sub Rule | Certificate Services Published CA Certificate | Information |
| | V 2.0 : EVID 4896 : CS - Rows Deleted From Databas | Sub Rule | Certificate Services Database Rows Deleted | Information |
| | V 2.0 : EVID 4897 : CS - Role Separation Enabled | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4898 : CS - Template Loaded | Sub Rule | Certificate Services Loaded Template | Information |
| | V 2.0 : EVID 5120 : CS - OCSP Responder Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 : EVID 5121 : CS - OCSP Responder Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 : EVID 5122 : CS - OCSP Config Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 4649 : Replay Attack Detected | Sub Rule | Replay Activity | Attack |
| | V 2.0 : EVID 5123 : CS - OCSP Config Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 5124 : CS - OCSP Security Changed | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 5125 : CS - OCSP Request | Sub Rule | Request Received | Other Audit Success |
| | V 2.0 : EVID 5126 : CS - OCSP Signer Updated | Sub Rule | Configuration Modified : Application | Configuration |
| | V 2.0 : EVID 5127 : CS - OCSP Provider Updated | Sub Rule | Configuration Modified : Application | Configuration |