EVID 6144 : Security Policy In GPO Applied (XML - Security)
Event Details
| Event Type | Audit Other Policy Change Events |
|---|---|
| Event Description | 6144(S) : Generates an event every time settings from the “Security Settings” section in the group policy object are applied successfully to a computer, without any errors. |
| vent IDs | 6144 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 | |
|---|---|---|---|
| Provider | N/A | N/A | |
| EventID | <vmid> | <vmid> | |
| Version | N/A | N/A | |
| Level | <severity> | <severity> | |
| Task | N/A | <vendorinfo> | |
| Opcode | N/A | N/A | |
| Keywords | N/A | <command> | |
| TimeCreated | N/A | N/A | |
| EventRecordID | N/A | N/A | |
| Correlation | N/A | N/A | |
| Execution | N/A | N/A | |
| ProcessID | N/A | N/A | |
| Channel | N/A | N/A | |
| Computer | <dname> | <dname> | |
| EventData | N/A | N/A | |
| ErrorCode | N/A | <command> | |
| SubjectUserSid | N/A | N/A | |
| SubjectUserName | N/A | N/A | |
| SubjectDomainName | N/A | N/A | |
| SubjectLogonId | N/A | N/A | |
| ObjectType | N/A | N/A | |
| IpAddress | N/A | N/A | |
| IpPort | N/A | N/A | |
| gpolist | N/A | <object>, <objectname> | |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1007338 | General Error Messages | Sub Rule | General Error Message | Error |
| General Warning Messages | Sub Rule | General Warning | Warning | |
| General Informational Messages | Sub Rule | General Information | Information | |
| Catch All : Level 2 | Base Rule | General Operations | Other Operations | |
| Account Locked | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
| Logon Failure | Sub Rule | User Logon Failure : Account Locked Out | Authentication Failure | |
| Logon Failure | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| 1011079 | V 2.0 : Catch All | Base Rule | General Audit Message | Other Audit |
| V 2.0 : EVID 4649 : Replay Attack Detected | Sub Rule | Replay Activity | Attack | |
| V 2.0 : EVID 4675 : SIDs Were Filtered | Sub Rule | SIDs Filtered | Other Audit | |
| V 2.0 : EVID 4765 : SID History Added To Account | Sub Rule | User Account Attribute Modified | Account Modified | |
| V 2.0 : EVID 4766 : SID History Add Failed | Sub Rule | Modify Object Attribute Failure | Access Failure | |
| V 2.0 EVID 4780 : ACL Set On Admin Account | Sub Rule | User Account Attribute Modified | Account Modified | |
| V 2.0 : EVID 5378 : Credential Delegation Disallow | Sub Rule | Access Object Failure | Access Failure | |
| V 2.0 : EVID 4709 : IPSEC - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| V 2.0 : EVID 4710 : IPSEC - Service Disabled | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| V 2.0 : EVID 4711 : PAStore - General Event | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 4712 : IPSEC - Fatal Error Encounter | Sub Rule | General IPSec Critical | Critical | |
| V 2.0 : EVID 5040 : IPSEC - Auth. Set Added | Sub Rule | Configuration Loaded : Security | Configuration | |
| V 2.0 : EVID 5041 : IPSEC - Auth. Set Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : EVID 5042 : IPSEC - Auth. Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration | |
| V 2.0 : EVID 5043 : IPSEC - Conn. Sec. Rule Added | Sub Rule | Configuration Loaded : Security | Configuration | |
| V 2.0 : EVID 5044 : IPSEC - Conn Sec Rule Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : EVID 5045 : IPSEC - Conn Sec Rule Deleted | Sub Rule | Configuration Deleted : Security | Configuration | |
| V 2.0 : EVID 5046 : IPSEC - Crypto Set Added | Sub Rule | Configuration Loaded : Security | Configuration | |
| V 2.0 : EVID 5047 : IPSEC - Crypto Set Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : EVID 5048 : IPSEC - Crypto Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration | |
| V 2.0 : EVID 5440 : WFP - Callout Present At Start | Sub Rule | Filtering Platform Startup State | Information | |
| V 2.0 : EVID 5441 : WFP - Filter Present At Start | Sub Rule | Filtering Platform Startup State | Information | |
| V 2.0 : EVID 5442 : WFP - Prov. Present At Start | Sub Rule | Filtering Platform Startup State | Information | |
| V 2.0 : EVID 5443 : WFP - Prov. Cont Pres At Start | Sub Rule | Filtering Platform Startup State | Information | |
| V 2.0 : EVID 5444 : WFP - Sub-Layer Pres At Start | Sub Rule | Filtering Platform Startup State | Information | |
| V 2.0 : EVID 5446 : WFP - Callout Changed | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : EVID 5449 : WFP - Prov. Context Changed | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : EVID 5448 : WFP - Provider Changed | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : EVID 5450 : WFP - Sub-layer Changed | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : EVID 5456 : PAStore - AD IPSEC Policy Appl | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 5457 : PAStore - AD IPSEC Policy Fail | Sub Rule | IPSEC Policy Application Failed | Other Audit Failure | |
| V 2.0 : EVID 5458 : PAStore-Cached AD IPSEC Policy | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 5459 : PAStore-Cached AD IPSEC Policy | Sub Rule | General IPSec Error | Error | |
| V 2.0 : EVID 5460 : PAStore -Registry IPSEC Policy | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 5461 : PAStore -Registry IPSEC Policy | Sub Rule | General IPSec Error | Error | |
| V 2.0 : EVID 5462 : PAStore - Fail To Apply IPSEC | Sub Rule | General IPSec Error | Error | |
| V 2.0 : EVID 5463 : PAStore- Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 5464 : PAStore-Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 5465 : PAStore-IPSEC Policy Forcibly | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 5466 : PAStore-Unabled To Reach AD | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 5467 : PAStore -Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 5468 : PAStore-Poll For IPSEC Policy | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 5471 : PAStore-Local IPSEC Policy Loa | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 4772 : Kerberos TGT Request Failed | Sub Rule | Windows Audit Failure Event | Other Audit Failure | |
| V 2.0 : EVID 4773 : Kerberos TGS Request Failed | Sub Rule | Access Object Failure | Access Failure | |
| V 2.0 : EVID 4774 : Account Successfully Mapped | Sub Rule | Account Mapped For Logon | Other Audit Success | |
| V 2.0 : EVID 4774 : Account Failed To Be Mapped | Sub Rule | Account Logon Mapping Failed | Other Audit Failure | |
| V 2.0 : EVID 4775 : Account Could Not Be Mapped | Sub Rule | Account Logon Mapping Failed | Other Audit Failure | |
| V 2.0 : EVID 4777 : Domain Contrler Faild To Valid | Sub Rule | Windows Audit Failure Event | Other Audit Failure | |
| V 2.0 : EVID 4646 : IPSEC -DoS Prevention Mode Str | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 4650 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Established | Network Traffic | |
| V 2.0 : EVID 4651 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Established | Network Traffic | |
| V 2.0 : EVID 4652 : IPSEC - Main Mode Negotiation | Sub Rule | IPSEC Negotiation Failed | Error | |
| V 2.0 : EVID 4653 : IPSEC - Main Mode Negotiation | Sub Rule | IPSEC Negotiation Failed | Error | |
| V 2.0 : EVID 4655 : IPSEC - Main Mode Security | Sub Rule | IPSEC Security Association Ended | Network Traffic | |
| V 2.0 : EVID 4960 : IPSEC - Inbound Pck Intrgty Fl | Sub Rule | Integrity Check Failed | Error | |
| V 2.0 : EVID 4961 : IPSEC - Inbound Packet Replay | Sub Rule | Integrity Check Failed | Error | |
| V 2.0 : EVID 4962 : IPSEC - Inbound Packet Replay | Sub Rule | Integrity Check Failed | Error | |
| V 2.0 : EVID 4963 : IPSEC - Inbound Packet In Clr | Sub Rule | General IPSec Warning | Warning | |
| V 2.0 : EVID 4965 : IPSEC Packet Received Invalid | Sub Rule | IPSEC Received Bad Packet | Error | |
| V 2.0 : EVID 4976 : IPSEC - Main Mode Invld Negt | Sub Rule | IPSEC Received Bad Packet | Error | |
| V 2.0 : EVID 4977 : IPSEC - Quick Mode Invld Negot | Sub Rule | IPSEC Received Bad Packet | Error | |
| V 2.0 : EVID 4978 : IPSEC - Extended Mode Invalid | Sub Rule | IPSEC Received Bad Packet | Error | |
| V 2.0 : EVID 4979 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic | |
| V 2.0 : EVID 4980 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic | |
| V 2.0 : EVID 4981 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic | |
| V 2.0 : EVID 5024 : Firewall - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| V 2.0 : EVID 5025 : Firewall - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| V 2.0 : EVID 5027 : Firewall-ServiceUnableToRetrie | Sub Rule | Firewall Service Failed To Load Local Policy | Warning | |
| V 2.0 : EVID 5028 : Firewall-Service FailedToParse | Sub Rule | Firewall Service Failed To Load Local Policy | Warning | |
| V 2.0 : EVID 5029 : Firewall-ServiceFailedToLoadDr | Sub Rule | Driver Failed To Load | Warning | |
| V 2.0 : EVID 4982 : IPSEC - Main And Extended Mode | Sub Rule | IPSEC Security Association Established | Network Traffic | |
| V 2.0 : EVID 5030 : Firewall-Service FailedToStart | Sub Rule | Firewall Service Failed To Start | Critical | |
| V 2.0 : EVID 4983 : IPSEC - Extended Mode Negotion | Sub Rule | IPSEC Negotiation Failed | Error | |
| V 2.0 : EVID 5032 : Firewall - Unable ToNotifyUser | Sub Rule | Firewall Notification Failed | Warning | |
| V 2.0 : EVID 4984 : IPSEC - Extended Mode NegotFai | Sub Rule | IPSEC Negotiation Failed | Error | |
| V 2.0 : EVID 5049 : IPSEC - Security Assoc Deleted | Sub Rule | Configuration Deleted : Security | Configuration | |
| V 2.0 : EVID 5033 : Firewall - Driver StartedSucs | Sub Rule | Process/Service Started | Startup and Shutdown | |
| V 2.0 : EVID 5451 : IPSEC - Quick Mode Security As | Sub Rule | IPSEC Security Association Established | Network Traffic | |
| V 2.0 : EVID 5034 : Firewall - Driver Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| V 2.0 : EVID 5452 : IPSEC - Quick Mode Security As | Sub Rule | IPSEC Security Association Ended | Network Traffic | |
| V 2.0 : EVID 5035 : Firewall - DriverFailedToStart | Sub Rule | Firewall Driver Startup Failed | Critical | |
| V 2.0 : EVID 5453 : IPSEC - Negotiation Failed Due | Sub Rule | IPSEC Negotiation Failed | Error | |
| V 2.0 : EVID 5478 : IPSEC - Service Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| V 2.0 : EVID 5037 : Firewall-DriverCriticalRuntime | Sub Rule | Firewall Driver Critical Condition | Critical | |
| V 2.0 : EVID 5479 : IPSEC - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| V 2.0 :EVID 5040 : IPSEC - Authentication Set Added | Sub Rule | Configuration Loaded : Security | Configuration | |
| V2.0 :EVID 5041 : IPSEC - Authentication Set Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : EVID 5480 : IPSEC - Failed To Obtain Netw | Sub Rule | IPSEC Network Interface List Failed | Warning | |
| V 2.0 : EVID 5483 : IPSEC - Failed To Intlize RPC | Sub Rule | IPSEC Service Failed To Start | Error | |
| V 2.0 :EVID 5042 : IPSEC - Authentication Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration | |
| V 2.0 : EVID 5484 : IPSEC - Critical Service Failu | Sub Rule | IPSEC Service Error Caused Shutdown | Critical | |
| V2.0 :EVID 5043 : IPSEC - Connection Security Rule Ad | Sub Rule | Configuration Loaded : Security | Configuration | |
| V 2.0 : EVID 5485 : IPSEC - Failed To Prcss Filter | Sub Rule | IPSEC Filter Processing Failed | Error | |
| V 2.0 :EVID 5044 : IPSEC - Connection Security Rule Mo | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 :EVID 5045 : IPSEC - Connection Security Rule De | Sub Rule | Configuration Deleted : Security | Configuration | |
| V 2.0 :EVID 5046 : IPSEC - Crypto Set Added | Sub Rule | Configuration Loaded : Security | Configuration | |
| V 2.0 :EVID 5047 : IPSEC - Crypto Set Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 :EVID 5048 : IPSEC - Crypto Set Deleted | Sub Rule | Configuration Deleted : Security | Configuration | |
| V 2.0: EVID 5049 : IPSEC - Security Association Delete | Sub Rule | Configuration Deleted : Security | Configuration | |
| V 2.0 : EVID 6400 : BranchCache-IncorrectlyFrmated | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 6401 : BranchCache-InvalidPeerDataRec | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 6402 : BranchCache - IncorectlyFrmatd | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 6403 : BranchCache - IncorectlyFrmatd | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 6404 : BranchCache - UnablToAuth | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 6405 : BranchCache - Mult EventsRecv | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 6406 : BranchCache - Registration | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 6407 : BranchCache - General Event | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 6408 : BranchCache - Regt Wind Firewa | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 6409 : BranchCache - Service Conn | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 6145 : Sec Policy GPOs Fail To Apply | Sub Rule | Policy Failed | Error | |
| V 2.0 : EVID 6144 : Security Policy GPOs Applied | Sub Rule | Policy Enabled : System | Policy | |
| V 2.0 : EVID 5447 : WFP - Filter Changed | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : EVID 4906 : CrashOnAuditFail Value Changed | Sub Rule | Configuration Modified : System | Configuration | |
| V 2.0 : EVID 4908 : Special Groups Logon Table Mod | Sub Rule | Configuration Modified : System | Configuration | |
| V 2.0 : EVID 4909 : Local TBS Policy Settings Mod. | Sub Rule | Policy Modified : System | Policy | |
| V 2.0 : EVID 4910 : Group TBS Policy Settings Modi | Sub Rule | Policy Modified : System | Policy | |
| V 2.0 : EVID 4902 : Per-User Policy Table Created | Sub Rule | Policy Created : System | Policy | |
| V 2.0 : EVID 4826 : Boot Configuration Data Loaded | Sub Rule | Configuration Loaded : System | Configuration | |
| V 2.0 : EVID 4864 : Namespace Collision Detected | Sub Rule | Namespace Collision | Error | |
| V 2.0 : EVID 4714 : Encrypted Data Rec Policy Mod | Sub Rule | Policy Modified : System | Policy | |
| V 2.0 : EVID 4671 : Application Attempted Access | Sub Rule | Access Object Failure | Access Failure | |
| V 2.0 : EVID 5148 : WFP - DoS Attack Detected | Sub Rule | Failed Network Denial Of Service | Failed Denial of Service | |
| V 2.0 : EVID 5149 : WFP - DoS Attack Ended | Sub Rule | General Security | Other Security | |
| V 2.0 : EVID 4608 : Windows Starting Up | Sub Rule | System Started | Startup and Shutdown | |
| V 2.0 : EVID 4612 : Audit Queuing Resources Exhaus | Sub Rule | Audit Queuing Resources Exhausted | Warning | |
| V 2.0 : EVID 4615 : Invalid LPC Port Use | Sub Rule | Unauthorized Activity | Misuse | |
| V 2.0 : EVID 4618 : User-Defined Security Event | Sub Rule | General Event Log Information | Information | |
| V 2.0 : EVID 4621 : Admin Recovrd Frm CrashOnAudi | Sub Rule | Crash On Audit Fail Recovered | Information | |
| V 2.0 : EVID 4816 : RPC Message Integrity Violatio | Sub Rule | RPC Integrity Violation | Error | |
| V 2.0 : EVID 5038 : Invalid Image Hash | Sub Rule | Integrity Check Failed | Error | |
| V 2.0 : EVID 5056 : CNG - Crypto Self-Check Perf | Sub Rule | Cryptographic Self Test Performed | Information | |
| V 2.0 : EVID 5062 : CNG - Kernel Crypto Self-Check | Sub Rule | Cryptographic Self Test Performed | Information | |
| V 2.0 : EVID 5057 : CNG - Primitive Crypto Op Fail | Sub Rule | Cryptographic Failure | Error | |
| V 2.0 : EVID 5060 : CNG - Crypto Verification Fail | Sub Rule | Cryptographic Failure | Error | |
| V 2.0 : EVID 6281 : Invalid Page Hash In Image Fil | Sub Rule | Integrity Check Failed | Error | |
| V 2.0 : EVID 6410 : File Failed Security Check | Sub Rule | Failed Suspicious Activity | Failed Suspicious | |
| V 2.0 : EVID 5712 : RPC Attempted | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 4944 : WFP - Policy Active And Window | Sub Rule | Active Firewall Policy On Start | Information | |
| V 2.0 : EVID 4949 : WFP Settings Restored Default | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : EVID 4954 : WFP - Group Policy Settings | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : EVID 4783 : Basic Application Group Create | Sub Rule | Group Created | Account Created | |
| V 2.0 : EVID 4784 : Basic Application Group Change | Sub Rule | Group Attribute Modified | Account Modified | |
| V 2.0 : EVID 4785 : Member Add To Basic App Group | Sub Rule | Account Added To Group | Access Granted | |
| V 2.0 : EVID 4786 : Member Remove From Basic App | Sub Rule | Account Removed From Group | Access Revoked | |
| V 2.0 : EVID 4787 : Non-Member Add To Basic App | Sub Rule | Account Added To Group | Access Granted | |
| V 2.0 : EVID 4788 : Non-Memb Remove From Basic App | Sub Rule | Account Removed From Group | Access Revoked | |
| V 2.0 : EVID 4789 : Basic Application Group Delete | Sub Rule | Group Deleted | Account Deleted | |
| V 2.0 : EVID 4790 : LDAP Query Group Created | Sub Rule | Group Created | Account Created | |
| V 2.0 : EVID 4791 : LDAP Query Group Changed | Sub Rule | Group Attribute Modified | Account Modified | |
| V 2.0 : EVID 4934 : AD Object Attributes Replicate | Sub Rule | AD Object Attributes Replicated | Information | |
| V 2.0 : EVID 4935 : Replication Failure Begins | Sub Rule | AD Replication Failure Begins | Error | |
| V 2.0 : EVID 4936 : Replication Failure Ends | Sub Rule | AD Replication Failure Ends | Error | |
| V 2.0 : EVID 4937 : Lingering Obj Removed Frm ADRe | Sub Rule | Object Deleted/Removed | Access Success | |
| V 2.0 : EVID 4792 : LDAP Query Group Deleted | Sub Rule | Group Deleted | Account Deleted | |
| V 2.0 : EVID 4664 : File Hard Link Created | Sub Rule | Object Created | Access Success | |
| V 2.0 : EVID 4690 : Object Handle Duplicated | Sub Rule | Object Created | Access Success | |
| V 2.0 : EVID 5039 : Registry Key Virtualized | Sub Rule | Registry Key Virtualized | Other Audit Success | |
| V 2.0 : EVID 5051 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success | |
| V 2.0 : EVID 5168 : SPN Check For SMB Failed | Sub Rule | Access Object Failure | Access Failure | |
| V 2.0 EVID 6272 : NPS - Access Granted To User | Sub Rule | User Logon | Authentication Success | |
| V 2.0 EVID 6273 : NPS - Access Denied To User | Sub Rule | User Logon Failure | Authentication Failure | |
| V 2.0 EVID 6274 : NPS - Access Request Discarded | Sub Rule | Bad Request | Warning | |
| V 2.0 : EVID 6275 : NPS - Accounting Request Disca | Sub Rule | Bad Request | Warning | |
| V 2.0 : EVID 6276 : NPS - User Quarantined | Sub Rule | Network Policy Server Quarantined User | Other Audit | |
| V 2.0 : EVID 6277 : NPS - Access Granted User | Sub Rule | Access Granted Activity | Access Granted | |
| V 2.0 EVID 6278 : NPS - Full Access Granted To Use | Sub Rule | Access Granted Activity | Access Granted | |
| V 2.0 : EVID 6279 : NPS - User Account Locked | Sub Rule | Account Locked | Access Revoked | |
| V 2.0 : EVID 6280 : NPS - User Account Unlocked | Sub Rule | Account Unlocked | Access Granted | |
| V 2.0 : EVID 4626 : User/Device Claims Information | Sub Rule | User Information | Information | |
| V 2.0 : EVID 4666 : AM - App Attempted Operation | Sub Rule | General Application Information | Information | |
| V 2.0 : EVID 4665 : AM - App Client Context Create | Sub Rule | General Application Information | Information | |
| V 2.0 : EVID 4667 : AM - App Client Context Delete | Sub Rule | General Application Information | Information | |
| V 2.0 : EVID 4668 : AM - Application Initialized | Sub Rule | General Application Information | Information | |
| V 2.0 : EVID 4985 : Transaction State Change | Sub Rule | General Transaction Information | Information | |
| V 2.0 : EVID 1101 : Audit Events Dropped | Sub Rule | Message Dropped | Error | |
| V 2.0 : EVID 4609 : Windows Shutting Down | Sub Rule | System Shutting Down | Startup and Shutdown | |
| V 2.0 : EVID 4654 : Quick Mode Negotiation Failed | Sub Rule | IPSEC Negotiation Failed | Error | |
| V 2.0 : EVID 4797 : Blank Passwords Queried | Sub Rule | General Audit Message | Other Audit | |
| V 2.0 : EVID 4820 : TGT Denied - ACL | Sub Rule | User Logon Failure | Authentication Failure | |
| V 2.0 : EVID 4821 : TGS Denied - ACL | Sub Rule | Access Object Failure | Access Failure | |
| V 2.0 : EVID 4822 : NTLM Auth Denied | Sub Rule | User Logon Failure | Authentication Failure | |
| V 2.0 : EVID 4823 : NTLM Auth Denied | Sub Rule | User Logon Failure | Authentication Failure | |
| V 2.0 : EVID 4824 : Kerberos Pre-Auth Failed | Sub Rule | User Logon Failure | Authentication Failure | |
| V 2.0 : EVID 4825 : RDP Access Denied | Sub Rule | User Logon Failure | Authentication Failure | |
| V 2.0 : EVID 4830 : SID History Removed From Accou | Sub Rule | User Account Attribute Modified | Account Modified | |
| V 2.0 : EVID 4899 : Certificate Template Updated | Sub Rule | Object Modified | Access Success | |
| V 2.0 : EVID 4900 : Certificate Template Sec Updat | Sub Rule | Object Attribute Modified | Access Success | |
| V 2.0 : EVID 5150 : Firewall - Disable Attempt | Sub Rule | Suspicious Activity | Suspicious | |
| V 2.0 : EVID 5071 : Key Access Denied | Sub Rule | Access Object Failure | Access Failure | |
| V 2.0 : EVID 5146 : WFP - Packed Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| V 2.0 : EVID 5147 : WFP - Packed Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny | |
| V 2.0 : EVID 5151 : File Virtualized | Sub Rule | File Virtualized | Other Audit Success | |
| V 2.0 : EVID 5170 : AD Object Modified | Sub Rule | Object Modified | Access Success | |
| V 2.0 : EVID 5472 : PAStore - Local IPSEC Policy F | Sub Rule | General IPSec Error | Error | |
| V 2.0 : EVID 5473 : PAStore - Directory Storage IP | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 5477 : PAStore - Failed To Add Quick | Sub Rule | General IPSEC Message | Information | |
| V 2.0 : EVID 6278 : NPS - Full Access Granted To U | Sub Rule | Access Granted Activity | Access Granted | |
| V 2.0 : EVID 6417 : FIPS Selftest Passed | Sub Rule | Cryptographic Self Test Performed | Information | |
| V 2.0 : EVID 6418 : FIPS Selftest Failed | Sub Rule | Cryptographic Failure | Error | |
| V 2.0 : EVID 4868 : CS - Certificate Manager Denie | Sub Rule | Certificate Manager Denied Pending Cert Request | Warning | |
| V 2.0 : EVID 4869 : CS - Received Resubmitted Cert | Sub Rule | Certificate Services Rcvd Resubmitted Cert Request | Other Audit | |
| V 2.0 : EVID 4870 : CS - Certificate Revoked | Sub Rule | Certificate Services Rcvd Resubmitted Cert Request | Other Audit | |
| V 2.0 : EVID 4871 : CS - CRL Publication Request R | Sub Rule | Certificate Svcs Received Request To Publish CRL | Information | |
| V 2.0 : EVID 4872 : CS - CRL Published | Sub Rule | Certificate Services Published CRL | Information | |
| V 2.0 : EVID 4873 : CS - Certificate Request Extn | Sub Rule | Certificate Request Extension Changed | Information | |
| V 2.0 : EVID 4874 : CS - Certificate Request Chang | Sub Rule | Certificate Request Attributes Changed | Information | |
| V 2.0 : EVID 4875 : CS - Shutdown Request Received | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown | |
| V 2.0 : EVID 4876 : CS - Backup Started | Sub Rule | Backup Active | Information | |
| V 2.0 : EVID 4877 : CS - Backup Complete | Sub Rule | Backup Completed | Information | |
| V 2.0 : EVID 4878 : CS - Restore Started | Sub Rule | Backup Restored | Information | |
| V 2.0 : EVID 4879 : CS - Restore Completed | Sub Rule | Backup Restored | Information | |
| V 2.0 : EVID 4880 : CS - Services Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| V 2.0 : EVID 4881 : CS - Services Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| V 2.0 : EVID 4882 : CS -Security Permissions Modif | Sub Rule | Configuration Modified : Application | Configuration | |
| V 2.0 : EVID 4883 : CS - Archived Key Retrieved | Sub Rule | Certificate Services Retrieved Archived Key | Information | |
| V 2.0 : EVID 4884 : CS - Certificate Imported | Sub Rule | Certificate Services Imported Certificate | Information | |
| V 2.0 : EVID 4885 : CS - Audit Filter Modified | Sub Rule | Configuration Modified : Application | Configuration | |
| V 2.0 : EVID 4886 : CS - Certificate Request Rcvd | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success | |
| V 2.0 : EVID 4887 : CS - Certificate Issued | Sub Rule | Certificate Services Issued Certificate | Information | |
| V 2.0 : EVID 4888 : CS - Certificate Request Denie | Sub Rule | Certificate Services Denied Certificate Request | Warning | |
| V 2.0 : EVID 4889 : CS - Certificate Request Statu | Sub Rule | Certificate Services Set Cert Status To Pending | Information | |
| V 2.0 : EVID 4890 : CS - Certificate Manager Setti | Sub Rule | Configuration Modified : Application | Configuration | |
| V 2.0 : EVID 4891 : CS - Configuration Entry Modif | Sub Rule | Configuration Modified : Application | Configuration | |
| V 2.0 : EVID 4892 : CS - Property Modified | Sub Rule | Configuration Modified : Application | Configuration | |
| V 2.0 : EVID 4893 : CS - Key Archived | Sub Rule | Certificate Services Archived A Key | Information | |
| V 2.0 : EVID 4894 : CS - Key Imported And Archived | Sub Rule | Certificate Services Imported And Archived Key | Information | |
| V 2.0 : EVID 4895 : CS -ADDS CA Certificate Publis | Sub Rule | Certificate Services Published CA Certificate | Information | |
| V 2.0 : EVID 4896 : CS - Rows Deleted From Databas | Sub Rule | Certificate Services Database Rows Deleted | Information | |
| V 2.0 : EVID 4897 : CS - Role Separation Enabled | Sub Rule | Configuration Modified : Application | Configuration | |
| V 2.0 : EVID 4898 : CS - Template Loaded | Sub Rule | Certificate Services Loaded Template | Information | |
| V 2.0 : EVID 5120 : CS - OCSP Responder Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| V 2.0 : EVID 5121 : CS - OCSP Responder Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| V 2.0 : EVID 5122 : CS - OCSP Config Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| V 2.0 : EVID 4649 : Replay Attack Detected | Sub Rule | Replay Activity | Attack | |
| V 2.0 : EVID 5123 : CS - OCSP Config Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| V 2.0 : EVID 5124 : CS - OCSP Security Changed | Sub Rule | Configuration Modified : Application | Configuration | |
| V 2.0 : EVID 5125 : CS - OCSP Request | Sub Rule | Request Received | Other Audit Success | |
| V 2.0 : EVID 5126 : CS - OCSP Signer Updated | Sub Rule | Configuration Modified : Application | Configuration | |
| V 2.0 : EVID 5127 : CS - OCSP Provider Updated | Sub Rule | Configuration Modified : Application | Configuration |