Event Details
|
Event Type |
Multiple |
|---|---|
|
Event Description |
Catch all rule to handle Windows Security Events. |
|
Event ID |
Multiple |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
Provider |
N/A |
N/A |
|
EventID |
<vmid> |
<vmid> |
|
Version |
N/A |
N/A |
|
Level |
<severity> |
<severity> |
|
Task |
N/A |
<vendorinfo> |
|
Opcode |
N/A |
N/A |
|
Keywords |
N/A |
<result>, <tag2> |
|
TimeCreated |
N/A |
N/A |
|
EventRecordID |
N/A |
N/A |
|
Correlation |
N/A |
N/A |
|
Execution |
N/A |
N/A |
|
Channel |
N/A |
N/A |
|
Computer |
<dname> |
<dname> |
|
ErrorCode |
N/A |
<responsecode> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1004634 |
Catch All : Level 1 |
Base Rule |
General Information |
Information |
|
Informational Message |
Sub Rule |
General Information |
Information |
|
|
Warning Message |
Sub Rule |
General Warning |
Warning |
|
|
Error Message |
Sub Rule |
General Error |
Error |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|
1011079 |
V 2.0 : Catch All |
Base Rule |
Other Audit |
General Audit Message |
|
V 2.0 : EVID 4649 : Replay Attack Detected |
Sub Rule |
Attack |
Replay Activity |
|
|
V 2.0 : EVID 4675 : SIDs Were Filtered |
Sub Rule |
Other Audit |
SIDs Filtered |
|
|
V 2.0 : EVID 4765 : SID History Added To Account |
Sub Rule |
Account Modified |
User Account Attribute Modified |
|
|
V 2.0 : EVID 4766 : SID History Add Failed |
Sub Rule |
Access Failure |
Modify Object Attribute Failure |
|
|
V 2.0 : EVID 5378 : Credential Delegation Disallowed |
Sub Rule |
Access Failure |
Access Object Failure |
|
|
V 2.0 : EVID 4709 : IPSEC - Service Started |
Sub Rule |
Startup and Shutdown |
Process/Service Started |
|
|
V 2.0 : EVID 4710 : IPSEC - Service Disabled |
Sub Rule |
Startup and Shutdown |
Process/Service Stopped |
|
|
V 2.0 : EVID 4711 : PAStore - General Event |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 4712 : IPSEC - Fatal Error Encounter |
Sub Rule |
Critical |
General IPSec Critical |
|
|
V 2.0 : EVID 5040 : IPSEC - Auth. Set Added |
Sub Rule |
Configuration |
Configuration Loaded : Security |
|
|
V 2.0 : EVID 5041 : IPSEC - Auth. Set Modified |
Sub Rule |
Configuration |
Configuration Modified : Security |
|
|
V 2.0 : EVID 5042 : IPSEC - Auth. Set Deleted |
Sub Rule |
Configuration |
Configuration Deleted : Security |
|
|
V 2.0 : EVID 5043 : IPSEC - Conn. Sec. Rule Added |
Sub Rule |
Configuration |
Configuration Loaded : Security |
|
|
V 2.0 : EVID 5044 : IPSEC - Conn Sec Rule Modified |
Sub Rule |
Configuration |
Configuration Modified : Security |
|
|
V 2.0 : EVID 5045 : IPSEC - Conn Sec Rule Deleted |
Sub Rule |
Configuration |
Configuration Deleted : Security |
|
|
V 2.0 : EVID 5046 : IPSEC - Crypto Set Added |
Sub Rule |
Configuration |
Configuration Loaded : Security |
|
|
V 2.0 : EVID 5047 : IPSEC - Crypto Set Modified |
Sub Rule |
Configuration |
Configuration Modified : Security |
|
|
V 2.0 : EVID 5048 : IPSEC - Crypto Set Deleted |
Sub Rule |
Configuration |
Configuration Deleted : Security |
|
|
V 2.0 : EVID 5440 : WFP - Callout Present At Start |
Sub Rule |
Information |
Filtering Platform Startup State |
|
|
V 2.0 : EVID 5441 : WFP - Filter Present At Start |
Sub Rule |
Information |
Filtering Platform Startup State |
|
|
V 2.0 : EVID 5442 : WFP - Prov. Present At Start |
Sub Rule |
Information |
Filtering Platform Startup State |
|
|
V 2.0 : EVID 5443 : WFP - Prov. Cont Pres At Start |
Sub Rule |
Information |
Filtering Platform Startup State |
|
|
V 2.0 : EVID 5444 : WFP - Sub-Layer Pres At Start |
Sub Rule |
Information |
Filtering Platform Startup State |
|
|
V 2.0 : EVID 5446 : WFP - Callout Changed |
Sub Rule |
Configuration |
Configuration Modified : Security |
|
|
V 2.0 : EVID 5449 : WFP - Prov. Context Changed |
Sub Rule |
Configuration |
Configuration Modified : Security |
|
|
V 2.0 : EVID 5448 : WFP - Provider Changed |
Sub Rule |
Configuration |
Configuration Modified : Security |
|
|
V 2.0 : EVID 5450 : WFP - Sub-layer Changed |
Sub Rule |
Configuration |
Configuration Modified : Security |
|
|
V 2.0 : EVID 5456 : PAStore - AD IPSEC Policy Appl |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 5457 : PAStore - AD IPSEC Policy Fail |
Sub Rule |
Other Audit Failure |
IPSEC Policy Application Failed |
|
|
V 2.0 : EVID 5458 : PAStore - Cached AD IPSEC Policy |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 5459 : PAStore - Cached AD IPSEC Policy |
Sub Rule |
Error |
General IPSec Error |
|
|
V 2.0 : EVID 5460 : PAStore - Registry IPSEC Policy |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 5461 : PAStore - Registry IPSEC Policy |
Sub Rule |
Error |
General IPSec Error |
|
|
V 2.0 : EVID 5462 : PAStore - Fail To Apply IPSEC |
Sub Rule |
Error |
General IPSec Error |
|
|
V 2.0 : EVID 5463 : PAStore - Poll For IPSEC Policy |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 5464 : PAStore - Poll For IPSEC Policy |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 5465 : PAStore - IPSEC Policy Forcibly |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 5466 : PAStore - Unable To Reach AD |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 5467 : PAStore - Poll For IPSEC Policy |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 5468 : PAStore - Poll For IPSEC Policy |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 5471 : PAStore - Local IPSEC Policy Loa |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 4772 : Kerberos TGT Request Failed |
Sub Rule |
Other Audit Failure |
Windows Audit Failure Event |
|
|
V 2.0 : EVID 4773 : Kerberos TGS Request Failed |
Sub Rule |
Access Failure |
Access Object Failure |
|
|
V 2.0 : EVID 4774 : Account Successfully Mapped |
Sub Rule |
Other Audit Success |
Account Mapped For Logon |
|
|
V 2.0 : EVID 4774 : Account Failed To Be Mapped |
Sub Rule |
Other Audit Failure |
Account Logon Mapping Failed |
|
|
V 2.0 : EVID 4775 : Account Could Not Be Mapped |
Sub Rule |
Other Audit Failure |
Account Logon Mapping Failed |
|
|
V 2.0 : EVID 4777 : Domain Controller Failed To Valid |
Sub Rule |
Other Audit Failure |
Windows Audit Failure Event |
|
|
V 2.0 : EVID 4646 : IPSEC - DoS Prevention Mode Strt |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 4650 : IPSEC - Main Mode Security |
Sub Rule |
Network Traffic |
IPSEC Security Association Established |
|
|
V 2.0 : EVID 4651 : IPSEC - Main Mode Security |
Sub Rule |
Network Traffic |
IPSEC Security Association Established |
|
|
V 2.0 : EVID 4652 : IPSEC - Main Mode Negotiation |
Sub Rule |
Error |
IPSEC Negotiation Failed |
|
|
V 2.0 : EVID 4653 : IPSEC - Main Mode Negotiation |
Sub Rule |
Error |
IPSEC Negotiation Failed |
|
|
V 2.0 : EVID 4655 : IPSEC - Main Mode Security |
Sub Rule |
Network Traffic |
IPSEC Security Association Ended |
|
|
V 2.0 : EVID 4960 : IPSEC - Inbound Pck Integrity Flr |
Sub Rule |
Error |
Integrity Check Failed |
|
|
V 2.0 : EVID 4961 : IPSEC - Inbound Packet Replay |
Sub Rule |
Error |
Integrity Check Failed |
|
|
V 2.0 : EVID 4962 : IPSEC - Inbound Packet Replay |
Sub Rule |
Error |
Integrity Check Failed |
|
|
V 2.0 : EVID 4963 : IPSEC - Inbound Packet In Clear |
Sub Rule |
Warning |
General IPSec Warning |
|
|
V 2.0 : EVID 4965 : IPSEC - Packet Received Invalid |
Sub Rule |
Error |
IPSEC Received Bad Packet |
|
|
V 2.0 : EVID 4976 : IPSEC - Main Mode Invld Negot |
Sub Rule |
Error |
IPSEC Received Bad Packet |
|
|
V 2.0 : EVID 4977 : IPSEC - Quick Mode Invld Negot |
Sub Rule |
Error |
IPSEC Received Bad Packet |
|
|
V 2.0 : EVID 4978 : IPSEC - Extended Mode Invalid |
Sub Rule |
Error |
IPSEC Received Bad Packet |
|
|
V 2.0 : EVID 4979 : IPSEC - Main And Extended Mode |
Sub Rule |
Network Traffic |
IPSEC Security Association Established |
|
|
V 2.0 : EVID 4980 : IPSEC - Main And Extended Mode |
Sub Rule |
Network Traffic |
IPSEC Security Association Established |
|
|
V 2.0 : EVID 4981 : IPSEC - Main And Extended Mode |
Sub Rule |
Network Traffic |
IPSEC Security Association Established |
|
|
V 2.0 : EVID 5024 : Firewall - Service Started |
Sub Rule |
Startup and Shutdown |
Process/Service Started |
|
|
V 2.0 : EVID 5025 : Firewall - Service Stopped |
Sub Rule |
Startup and Shutdown |
Process/Service Stopped |
|
|
V 2.0 : EVID 5027 : Firewall - ServiceUnableToRetrie |
Sub Rule |
Warning |
Firewall Service Failed To Load Local Policy |
|
|
V 2.0 : EVID 5028 : Firewall - Service FailedToParse |
Sub Rule |
Warning |
Firewall Service Failed To Load Local Policy |
|
|
V 2.0 : EVID 5029 : Firewall - ServiceFailedToLoadDr |
Sub Rule |
Warning |
Driver Failed To Load |
|
|
V 2.0 : EVID 4982 : IPSEC - Main And Extended Mode |
Sub Rule |
Network Traffic |
IPSEC Security Association Established |
|
|
V 2.0 : EVID 5030 : Firewall - Service FailedToStart |
Sub Rule |
Critical |
Firewall Service Failed To Start |
|
|
V 2.0 : EVID 4983 : IPSEC - Extended Mode Negotiation Fail |
Sub Rule |
Error |
IPSEC Negotiation Failed |
|
|
V 2.0 : EVID 5032 : Firewall - Unable ToNotifyUser |
Sub Rule |
Warning |
Firewall Notification Failed |
|
|
V 2.0 : EVID 4984 : IPSEC - Extended Mode NegotFail |
Sub Rule |
Error |
IPSEC Negotiation Failed |
|
|
V 2.0 : EVID 5049 : IPSEC - Security Assoc Deleted |
Sub Rule |
Configuration |
Configuration Deleted : Security |
|
|
V 2.0 : EVID 5033 : Firewall - Driver StartedSucs |
Sub Rule |
Startup and Shutdown |
Process/Service Started |
|
|
V 2.0 : EVID 5451 : IPSEC - Quick Mode Security Ass |
Sub Rule |
Network Traffic |
IPSEC Security Association Established |
|
|
V 2.0 : EVID 5034 : Firewall - Driver Stopped |
Sub Rule |
Startup and Shutdown |
Process/Service Stopped |
|
|
V 2.0 : EVID 5452 : IPSEC - Quick Mode Security Ass |
Sub Rule |
Network Traffic |
IPSEC Security Association Ended |
|
|
V 2.0 : EVID 5035 : Firewall - DriverFailedToStart |
Sub Rule |
Critical |
Firewall Driver Startup Failed |
|
|
V 2.0 : EVID 5453 : IPSEC - Negotiation Failed Due |
Sub Rule |
Error |
IPSEC Negotiation Failed |
|
|
V 2.0 : EVID 5478 : IPSEC - Service Started |
Sub Rule |
Startup and Shutdown |
Process/Service Started |
|
|
V 2.0 : EVID 5037 : Firewall - DriverCriticalRuntime |
Sub Rule |
Critical |
Firewall Driver Critical Condition |
|
|
V 2.0 : EVID 5479 : IPSEC - Service Stopped |
Sub Rule |
Startup and Shutdown |
Process/Service Stopped |
|
|
V 2.0 : EVID 5480 : IPSEC - Failed To Obtain Netw |
Sub Rule |
Warning |
IPSEC Network Interface List Failed |
|
|
V 2.0 : EVID 5483 : IPSEC - Failed To Initialize RPC |
Sub Rule |
Error |
IPSEC Service Failed To Start |
|
|
V 2.0 : EVID 5484 : IPSEC - Critical Service Failure |
Sub Rule |
Critical |
IPSEC Service Error Caused Shutdown |
|
|
V 2.0 : EVID 5485 : IPSEC - Failed To Process Filter |
Sub Rule |
Error |
IPSEC Filter Processing Failed |
|
|
V 2.0 : EVID 6400 : Branch Cache - IncorrectlyFrmated |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 6401 : Branch Cache - InvalidPeerDataRec |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 6402 : Branch Cache - IncorectlyFrmatd |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 6403 : Branch Cache - IncorectlyFrmatd |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 6404 : Branch Cache - UnablToAuth |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 6405 : Branch Cache - Mult EventsRecv |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 6406 : Branch Cache - Registration |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 6407 : Branch Cache - General Event |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 6408: Branch Cache - Regt Wind Firewall |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 6409 : Branch Cache - Service Conn |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 6145 : Sec Policy GPOs Fail To Apply |
Sub Rule |
Error |
Policy Failed |
|
|
V 2.0 : EVID 6144 : Security Policy GPOs Applied |
Sub Rule |
Policy |
Policy Enabled : System |
|
|
V 2.0 : EVID 5447 : WFP - Filter Changed |
Sub Rule |
Configuration |
Configuration Modified : Security |
|
|
V 2.0 : EVID 4906 : CrashOnAuditFail Value Changed |
Sub Rule |
Configuration |
Configuration Modified : System |
|
|
V 2.0 : EVID 4908 : Special Groups Logon Table Mod |
Sub Rule |
Configuration |
Configuration Modified : System |
|
|
V 2.0 : EVID 4909 : Local TBS Policy Settings Mod. |
Sub Rule |
Policy |
Policy Modified : System |
|
|
V 2.0 : EVID 4910 : Group TBS Policy Settings Modi |
Sub Rule |
Policy |
Policy Modified : System |
|
|
V 2.0 : EVID 4902 : Per-User Policy Table Created |
Sub Rule |
Policy |
Policy Created : System |
|
|
V 2.0 : EVID 4826 : Boot Configuration Data Loaded |
Sub Rule |
Configuration |
Configuration Loaded : System |
|
|
V 2.0 : EVID 4864 : Namespace Collision Detected |
Sub Rule |
Error |
Namespace Collision |
|
|
V 2.0 : EVID 4714 : Encrypted Data Rec Policy Mod |
Sub Rule |
Policy |
Policy Modified : System |
|
|
V 2.0 : EVID 4671 : Application Attempted Access |
Sub Rule |
Access Failure |
Access Object Failure |
|
|
V 2.0 : EVID 5148 : WFP - DoS Attack Detected |
Sub Rule |
Failed Denial of Service |
Failed Network Denial Of Service |
|
|
V 2.0 : EVID 5149 : WFP - DoS Attack Ended |
Sub Rule |
Other Security |
General Security |
|
|
V 2.0 : EVID 4608 : Windows Starting Up |
Sub Rule |
Startup and Shutdown |
System Started |
|
|
V 2.0 : EVID 4612 : Audit Queuing Resources Exhaus |
Sub Rule |
Warning |
Audit Queuing Resources Exhausted |
|
|
V 2.0 : EVID 4615 : Invalid LPC Port Use |
Sub Rule |
Misuse |
Unauthorized Activity |
|
|
V 2.0 : EVID 4618 : User-Defined Security Event |
Sub Rule |
Information |
General Event Log Information |
|
|
V 2.0 : EVID 4621 : Admin Recovered Frm CrashOnAudi |
Sub Rule |
Information |
Crash On Audit Fail Recovered |
|
|
V 2.0 : EVID 4816 : RPC Message Integrity Violation |
Sub Rule |
Error |
RPC Integrity Violation |
|
|
V 2.0 : EVID 5038 : Invalid Image Hash |
Sub Rule |
Error |
Integrity Check Failed |
|
|
V 2.0 : EVID 5056 : CNG - Crypto Self-Check Perf |
Sub Rule |
Information |
Cryptographic Self Test Performed |
|
|
V 2.0 : EVID 5062 : CNG - Kernel Crypto Self-Check |
Sub Rule |
Information |
Cryptographic Self Test Performed |
|
|
V 2.0 : EVID 5057 : CNG - Primitive Crypto Op Fail |
Sub Rule |
Error |
Cryptographic Failure |
|
|
V 2.0 : EVID 5060 : CNG - Crypto Verification Fail |
Sub Rule |
Error |
Cryptographic Failure |
|
|
V 2.0 : EVID 6281 : Invalid Page Hash In Image Fil |
Sub Rule |
Error |
Integrity Check Failed |
|
|
V 2.0 : EVID 6410 : File Failed Security Check |
Sub Rule |
Failed Suspicious |
Failed Suspicious Activity |
|
|
V 2.0 : EVID 5712 : RPC Attempted |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 4944 : WFP - Policy Active And Windows |
Sub Rule |
Information |
Active Firewall Policy On Start |
|
|
V 2.0 : EVID 4949 : WFP Settings Restored To Default |
Sub Rule |
Configuration |
Configuration Modified : Security |
|
|
V 2.0 : EVID 4954 : WFP - Group Policy Settings |
Sub Rule |
Configuration |
Configuration Modified : Security |
|
|
V 2.0 : EVID 4783 : Basic Application Group Create |
Sub Rule |
Account Created |
Group Created |
|
|
V 2.0 : EVID 4784 : Basic Application Group Change |
Sub Rule |
Account Modified |
Group Attribute Modified |
|
|
V 2.0 : EVID 4785 : Member Add To Basic App Group |
Sub Rule |
Access Granted |
Account Added To Group |
|
|
V 2.0 : EVID 4786 : Member Remove From Basic App |
Sub Rule |
Access Revoked |
Account Removed From Group |
|
|
V 2.0 : EVID 4787 : Non-Member Add To Basic App |
Sub Rule |
Access Granted |
Account Added To Group |
|
|
V 2.0 : EVID 4788 : Non-Memb Remove From Basic App |
Sub Rule |
Access Revoked |
Account Removed From Group |
|
|
V 2.0 : EVID 4789 : Basic Application Group Delete |
Sub Rule |
Account Deleted |
Group Deleted |
|
|
V 2.0 : EVID 4790 : LDAP Query Group Created |
Sub Rule |
Account Created |
Group Created |
|
|
V 2.0 : EVID 4791 : LDAP Query Group Changed |
Sub Rule |
Account Modified |
Group Attribute Modified |
|
|
V 2.0 : EVID 4934 : AD Object Attributes Replicate |
Sub Rule |
Information |
AD Object Attributes Replicated |
|
|
V 2.0 : EVID 4935 : Replication Failure Begins |
Sub Rule |
Error |
AD Replication Failure Begins |
|
|
V 2.0 : EVID 4936 : Replication Failure Ends |
Sub Rule |
Error |
AD Replication Failure Ends |
|
|
V 2.0 : EVID 4937 : Lingering Object Removed From ADRe |
Sub Rule |
Access Success |
Object Deleted/Removed |
|
|
V 2.0 : EVID 4792 : LDAP Query Group Deleted |
Sub Rule |
Account Deleted |
Group Deleted |
|
|
V 2.0 : EVID 4664 : File Hard Link Created |
Sub Rule |
Access Success |
Object Created |
|
|
V 2.0 : EVID 4690 : Object Handle Duplicated |
Sub Rule |
Access Success |
Object Created |
|
|
V 2.0 : EVID 5039 : Registry Key Virtualized |
Sub Rule |
Other Audit Success |
Registry Key Virtualized |
|
|
V 2.0 : EVID 5051 : File Virtualized |
Sub Rule |
Other Audit Success |
File Virtualized |
|
|
V 2.0 : EVID 5168 : SPN Check For SMB Failed |
Sub Rule |
Access Failure |
Access Object Failure |
|
|
V 2.0 : EVID 6275 : NPS - Accounting Request Discard |
Sub Rule |
Warning |
Bad Request |
|
|
V 2.0 : EVID 6276 : NPS - User Quarantined |
Sub Rule |
Other Audit |
Network Policy Server Quarantined User |
|
|
V 2.0 : EVID 6277 : NPS - Access Granted User |
Sub Rule |
Access Granted |
Access Granted Activity |
|
|
V 2.0 : EVID 6279 : NPS - User Account Locked |
Sub Rule |
Access Revoked |
Account Locked |
|
|
V 2.0 : EVID 6280 : NPS - User Account Unlocked |
Sub Rule |
Access Granted |
Account Unlocked |
|
|
V 2.0 : EVID 4626 : User/Device Claims Information |
Sub Rule |
Information |
User Information |
|
|
V 2.0 : EVID 4666 : AM - App Attempted Operation |
Sub Rule |
Information |
General Application Information |
|
|
V 2.0 : EVID 4665 : AM - App Client Context Create |
Sub Rule |
Information |
General Application Information |
|
|
V 2.0 : EVID 4667 : AM - App Client Context Delete |
Sub Rule |
Information |
General Application Information |
|
|
V 2.0 : EVID 4668 : AM - Application Initialized |
Sub Rule |
Information |
General Application Information |
|
|
V 2.0 : EVID 4985 : Transaction State Change |
Sub Rule |
Information |
General Transaction Information |
|
|
V 2.0 : EVID 1101 : Audit Events Dropped |
Sub Rule |
Error |
Message Dropped |
|
|
V 2.0 : EVID 4609 : Windows Shutting Down |
Sub Rule |
Startup and Shutdown |
System Shutting Down |
|
|
V 2.0 : EVID 4654 : Quick Mode Negotiation Failed |
Sub Rule |
Error |
IPSEC Negotiation Failed |
|
|
V 2.0 : EVIDI 4797 : Blank Passwords Queried |
Sub Rule |
Other Audit |
General Audit Message |
|
|
V 2.0 : EVID 4820 : TGT Denied - ACL |
Sub Rule |
Authentication Failure |
User Logon Failure |
|
|
V 2.0 : EVID 4821 : TGS Denied - ACL |
Sub Rule |
Access Failure |
Access Object Failure |
|
|
V 2.0 : EVID 4822 : NTLM Auth Denied |
Sub Rule |
Authentication Failure |
User Logon Failure |
|
|
V 2.0 : EVID 4823 : NTLM Auth Denied |
Sub Rule |
Authentication Failure |
User Logon Failure |
|
|
V 2.0 : EVID 4824 : Kerberos Pre-Auth Failed |
Sub Rule |
Authentication Failure |
User Logon Failure |
|
|
V 2.0 : EVID 4825 : RDP Access Denied |
Sub Rule |
Authentication Failure |
User Logon Failure |
|
|
V 2.0 : EVID 4830 : SID History Removed From Account |
Sub Rule |
Account Modified |
User Account Attribute Modified |
|
|
V 2.0 : EVID 4899 : Certificate Template Updated |
Sub Rule |
Access Success |
Object Modified |
|
|
V 2.0 : EVID 4900 : Certificate Template Sec Update |
Sub Rule |
Access Success |
Object Attribute Modified |
|
|
V 2.0 : EVID 5150 : Firewall - Disable Attempt |
Sub Rule |
Suspicious |
Suspicious Activity |
|
|
V 2.0 : EVID 5071 : Key Access Denied |
Sub Rule |
Access Failure |
Access Object Failure |
|
|
V 2.0 : EVID 5146 : WFP - Packed Blocked |
Sub Rule |
Network Deny |
Traffic Denied by Host Firewall |
|
|
V 2.0 : EVID 5147 : WFP - Packed Blocked |
Sub Rule |
Network Deny |
Traffic Denied by Host Firewall |
|
|
V 2.0 : EVID 5151 : File Virtualized |
Sub Rule |
Other Audit Success |
File Virtualized |
|
|
V 2.0 : EVID 5170 : AD Object Modified |
Sub Rule |
Access Success |
Object Modified |
|
|
V 2.0 : EVID 5472 : PAStore - Local IPSEC Policy Fail |
Sub Rule |
Error |
General IPSec Error |
|
|
V 2.0 : EVID 5473 : PAStore - Directory Storage IPSEC |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 5477 : PAStore - Failed To Add Quick Mod |
Sub Rule |
Information |
General IPSEC Message |
|
|
V 2.0 : EVID 6278 : NPS - Full Access Granted To User |
Sub Rule |
Access Granted |
Access Granted Activity |
|
|
V 2.0 : EVID 6417 : FIPS Selftest Passed |
Sub Rule |
Information |
Cryptographic Self Test Performed |
|
|
V 2.0 : EVID 6418 : FIPS Selftest Failed |
Sub Rule |
Error |
Cryptographic Failure |
|
|
V 2.0 : EVID 4868 : CS - Certificate Manager Denied |
Sub Rule |
Warning |
Certificate Manager Denied Pending Cert Request |
|
|
V 2.0 : EVID 4869 : CS - Received Resubmitted Cert |
Sub Rule |
Other Audit |
Certificate Services Rcvd Resubmitted Cert Request |
|
|
V 2.0 : EVID 4870 : CS - Certificate Revoked |
Sub Rule |
Other Audit |
Certificate Services Rcvd Resubmitted Cert Request |
|
|
V 2.0 : EVID 4871 : CS - CRL Publication Request Rcvd |
Sub Rule |
Information |
Certificate Svcs Received Request To Publish CRL |
|
|
V 2.0 : EVID 4872 : CS - CRL Published |
Sub Rule |
Information |
Certificate Services Published CRL |
|
|
V 2.0 : EVID 4873 : CS - Certificate Request Extn |
Sub Rule |
Information |
Certificate Request Extension Changed |
|
|
V 2.0 : EVID 4874 : CS - Certificate Request Change |
Sub Rule |
Information |
Certificate Request Attributes Changed |
|
|
V 2.0 : EVID 4875 : CS - Shutdown Request Received |
Sub Rule |
Startup and Shutdown |
Process/Service Startup Or Shutdown Activity |
|
|
V 2.0 : EVID 4876 : CS - Backup Started |
Sub Rule |
Information |
Backup Active |
|
|
V 2.0 : EVID 4877 : CS - Backup Complete |
Sub Rule |
Information |
Backup Completed |
|
|
V 2.0 : EVID 4878 : CS - Restore Started |
Sub Rule |
Information |
Backup Restored |
|
|
V 2.0 : EVID 4879 : CS - Restore Completed |
Sub Rule |
Information |
Backup Restored |
|
|
V 2.0 : EVID 4880 : CS - Services Started |
Sub Rule |
Startup and Shutdown |
Process/Service Started |
|
|
V 2.0 : EVID 4881 : CS - Services Stopped |
Sub Rule |
Startup and Shutdown |
Process/Service Stopped |
|
|
V 2.0 : EVID 4882 : CS - Security Permissions Modified |
Sub Rule |
Configuration |
Configuration Modified : Application |
|
|
V 2.0 : EVID 4883 : CS - Archived Key Retrieved |
Sub Rule |
Information |
Certificate Services Retrieved Archived Key |
|
|
V 2.0 : EVID 4884 : CS - Certificate Imported |
Sub Rule |
Information |
Certificate Services Imported Certificate |
|
|
V 2.0 : EVID 4885 : CS - Audit Filter Modified |
Sub Rule |
Configuration |
Configuration Modified : Application |
|
|
V 2.0 : EVID 4886 : CS - Certificate Request Received |
Sub Rule |
Other Audit Success |
Certificate Services Received Certificate Request |
|
|
V 2.0 : EVID 4887 : CS - Certificate Issued |
Sub Rule |
Information |
Certificate Services Issued Certificate |
|
|
V 2.0 : EVID 4888 : CS - Certificate Request Denied |
Sub Rule |
Warning |
Certificate Services Denied Certificate Request |
|
|
V 2.0 : EVID 4889 : CS - Certificate Request Status |
Sub Rule |
Information |
Certificate Services Set Cert Status To Pending |
|
|
V 2.0 : EVID 4890 : CS - Certificate Manager Settings |
Sub Rule |
Configuration |
Configuration Modified : Application |
|
|
V 2.0 : EVID 4891 : CS - Configuration Entry Modified |
Sub Rule |
Configuration |
Configuration Modified : Application |
|
|
V 2.0 : EVID 4892 : CS - Property Modified |
Sub Rule |
Configuration |
Configuration Modified : Application |
|
|
V 2.0 : EVID 4893 : CS - Key Archived |
Sub Rule |
Information |
Certificate Services Archived A Key |
|
|
V 2.0 : EVID 4894 : CS - Key Imported And Archived |
Sub Rule |
Information |
Certificate Services Imported And Archived Key |
|
|
V 2.0 : EVID 4895 : CS - ADDS CA Certificate Published |
Sub Rule |
Information |
Certificate Services Published CA Certificate |
|
|
V 2.0 : EVID 4896 : CS - Rows Deleted From Database |
Sub Rule |
Information |
Certificate Services Database Rows Deleted |
|
|
V 2.0 : EVID 4897 : CS - Role Separation Enabled |
Sub Rule |
Configuration |
Configuration Modified : Application |
|
|
V 2.0 : EVID 4898 : CS - Template Loaded |
Sub Rule |
Information |
Certificate Services Loaded Template |
|
|
V 2.0 : EVID 5120 : CS - OCSP Responder Started |
Sub Rule |
Startup and Shutdown |
Process/Service Started |
|
|
V 2.0 : EVID 5121 : CS - OCSP Responder Stopped |
Sub Rule |
Startup and Shutdown |
Process/Service Stopped |
|
|
V 2.0 : EVID 5122 : CS - OCSP Config Changed |
Sub Rule |
Configuration |
Configuration Modified : Application |
|
|
V 2.0 : EVID 4649 : Replay Attack Detected |
Sub Rule |
Attack |
Replay Activity |
|
|
V 2.0 : EVID 5123 : CS - OCSP Config Changed |
Sub Rule |
Configuration |
Configuration Modified : Application |
|
|
V 2.0 : EVID 5124 : CS - OCSP Security Changed |
Sub Rule |
Configuration |
Configuration Modified : Application |
|
|
V 2.0 : EVID 5125 : CS - OCSP Request |
Sub Rule |
Other Audit Success |
Request Received |
|
|
V 2.0 : EVID 5126 : CS - OCSP Signer Updated |
Sub Rule |
Configuration |
Configuration Modified : Application |
|
|
V 2.0 : EVID 5127 : CS - OCSP Provider Updated |
Sub Rule |
Configuration |
Configuration Modified : Application |